VARIoT IoT vulnerabilities database

Multiple buffer overflows in the InduSoft ISSymbol ActiveX control in ISSymbol.ocx 301.1104.601.0 in InduSoft Web Studio 7.0B2 hotfix 7.0.01.04 allow remote attackers to execute arbitrary code via a long parameter to the (1) Open, (2) Close, or (3) SetCurrentLanguage method. InduSoft ISSymbol ActiveX Control has a buffer overflow vulnerability. Due to boundary condition errors when processing 'Open()', 'Close()' and 'SetCurrentLanguage()' methods, it can be exploited by an attacker to cause a buffer overflow. Failed exploit attempts will likely result in denial-of-service conditions. ====================================================================== 2) Severity Rating: Highly critical Impact: System access Where: Remote ====================================================================== 3) Vendor's Description of Software "InduSoft Web Studio is a powerful collection of automation tools that provide all the automation building blocks to develop HMIs, SCADA systems and embedded instrumentation solutions. Utilize InduSoft integrated Web technologies to take advantage of Internet/intranet connectivity." Link: http://www.indusoft.com/indusoftart.php?catid=1&name=IWS/webstudio ====================================================================== 4) Description of Vulnerability Secunia Research has discovered multiple vulnerabilities in InduSoft ISSymbol ActiveX control, which can be exploited by malicious people to compromise a user's system. Successful exploitation of the vulnerabilities allows execution of arbitrary code. ====================================================================== 5) Solution Install Service Pack 1. ====================================================================== 6) Time Table 09/06/2011 - Vendor notified 15/06/2011 - Vendor response. 30/08/2011 - Vendor releases a hotfix. 01/09/2011 - Public disclosure. ====================================================================== 7) Credits Discovered by Dmitriy Pletnev, Secunia Research. ====================================================================== 8) References The Common Vulnerabilities and Exposures (CVE) project has assigned CVE-2011-0342 for the vulnerabilities. ====================================================================== 9) About Secunia Secunia offers vulnerability management solutions to corporate customers with verified and reliable vulnerability intelligence relevant to their specific system configuration: http://secunia.com/advisories/business_solutions/ Secunia also provides a publicly accessible and comprehensive advisory database as a service to the security community and private individuals, who are interested in or concerned about IT-security. http://secunia.com/advisories/ Secunia believes that it is important to support the community and to do active vulnerability research in order to aid improving the security and reliability of software in general: http://secunia.com/secunia_research/ Secunia regularly hires new skilled team members. Check the URL below to see currently vacant positions: http://secunia.com/corporate/jobs/ Secunia offers a FREE mailing list called Secunia Security Advisories: http://secunia.com/advisories/mailing_lists/ ====================================================================== 10) Verification Please verify this advisory by visiting the Secunia website: http://secunia.com/secunia_research/2011-61/ Complete list of vulnerability reports published by Secunia Research: http://secunia.com/secunia_research/ ====================================================================== . ---------------------------------------------------------------------- The Secunia CSI 5.0 Beta - now available for testing Find out more, take a free test drive, and share your opinion with us: http://secunia.com/blog/242 ---------------------------------------------------------------------- TITLE: InduSoft ISSymbol ActiveX Control Multiple Buffer Overflow Vulnerabilities SECUNIA ADVISORY ID: SA44875 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/44875/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=44875 RELEASE DATE: 2011-09-02 DISCUSS ADVISORY: http://secunia.com/advisories/44875/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/44875/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=44875 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Secunia Research has discovered multiple vulnerabilities in InduSoft ISSymbol ActiveX control, which can be exploited by malicious people to compromise a user's system. The vulnerabilities are confirmed in ISSymbol.ocx version 301.1104.601.0 included in InduSoft Web Studio version 7.0B2 hotfix 7.0.01.04. ORIGINAL ADVISORY: Secunia Research: http://secunia.com/secunia_research/2011-61/ InduSoft: http://www.indusoft.com/hotfixes/hotfixes.php OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Unspecified vulnerability in Cisco TelePresence C Series Endpoints, E/EX Personal Video units, and MXP Series Codecs, when using software versions before TC 4.0.0 or F9.1, allows remote attackers to cause a denial of service (crash) via a crafted SIP packet to port 5060 or 5061, aka Bug ID CSCtq46500. The problem is Bug ID CSCtq46500 It is a problem.By a third party 5060 and 5061 Crafted against the port SIP Service disruption via packets ( crash ) There is a possibility of being put into a state. Cisco TelePresence Codecs are prone to a denial-of-service vulnerability. An attacker can exploit this issue to cause the device to crash, denying service to legitimate users. This issue is documented by Cisco Bug ID CSCtq46500. Cisco has released free software updates that address this vulnerability. Users can determine the software version of a Cisco TelePresence unit by entering the IP address of the codec in a web browser, authenticating (if the device is configured for authentication), and then selecting the system info menu option. The version number will follow the Software Version text in the System Info window. Alternatively, users can determine the software version by issuing the "xStatus SystemUnit" command from a device's application programmer interface. The software version that is running on the codec is displayed following the SystemUnit Software Version text. The following example displays "xStatus SystemUnit" output from a system that is running software version TC4.0: xStatus SystemUnit *s SystemUnit ProductType: "Cisco TelePresence Codec" *s SystemUnit ProductId: "Cisco TelePresence Codec C90" *s SystemUnit ProductPlatform: "C90" *s SystemUnit Uptime: 597095 *s SystemUnit Software Application: "Endpoint" *s SystemUnit Software Version: "TC4.0" *s SystemUnit Software Name: "s52000" *s SystemUnit Software ReleaseDate: "2010-11-01" *s SystemUnit Software MaxVideoCalls: 3 *s SystemUnit Software MaxAudioCalls: 4 *s SystemUnit Software ReleaseKey: "true" *s SystemUnit Software OptionKeys NaturalPresenter: "true" *s SystemUnit Software OptionKeys MultiSite: "true" *s SystemUnit Software OptionKeys PremiumResolution: "true" *s SystemUnit Hardware Module SerialNumber: "B1AD25A00003" *s SystemUnit Hardware Module Identifier: "0" *s SystemUnit Hardware MainBoard SerialNumber: "PH0497201" *s SystemUnit Hardware MainBoard Identifier: "101401-3 [04]" *s SystemUnit Hardware VideoBoard SerialNumber: "PH0497874" *s SystemUnit Hardware VideoBoard Identifier: "101560-1 [02]" *s SystemUnit Hardware AudioBoard SerialNumber: "N/A" *s SystemUnit Hardware AudioBoard Identifier: "" *s SystemUnit Hardware BootSoftware: "U-Boot 2009.03-65" *s SystemUnit State System: Initialized *s SystemUnit State MaxNumberOfCalls: 3 *s SystemUnit State MaxNumberOfActiveCalls: 3 *s SystemUnit State NumberOfActiveCalls: 1 *s SystemUnit State NumberOfSuspendedCalls: 0 *s SystemUnit State NumberOfInProgressCalls: 0 *s SystemUnit State Subsystem Application: Initialized *s SystemUnit ContactInfo: "helpdesk@company.com" ** end Products Confirmed Not Vulnerable +-------------------------------- No other Cisco products are currently known to be affected by this vulnerability. Details ======= Affected devices are part systems that provide Cisco TelePresence Endpoints for immersive environments, conference rooms, individual desktops, and home offices. This vulnerability is triggered by a crafted Session Initiation Protocol (SIP) packet that is sent to an affected device on port 5060 or 5061. Vulnerability Scoring Details ============================= Cisco has provided scores for the vulnerability in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco has provided an FAQ to answer additional questions regarding CVSS at: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at: http://intellishield.cisco.com/security/alertmanager/cvss * CSCtq46500 ("Specifically crafted SIP packet may crash the device") CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed Impact ====== Successful exploitation of this vulnerability could result in a system crash that may lead to a denial of service condition. Software Versions and Fixes =========================== When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance. Workarounds =========== There are no workarounds available that mitigate this vulnerability. However, there is an Applied Mitigations Bulletin available at http://www.cisco.com/warp/public/707/cisco-amb-20110831-tandberg.shtml that describes how to filter SIP packets sent to the device. Obtaining Fixed Software ======================== Cisco has released free software updates that addresses this vulnerability. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html, or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml. Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Customers with Service Contracts +------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com. Customers using Third Party Support Organizations +------------------------------------------------ Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory. The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed. Customers without Service Contracts +---------------------------------- Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac@cisco.com Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Refer to http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages. Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory. This vulnerability was reported to Cisco by David Klein of Sense of Security. Status of this Notice: FINAL ============================ THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at: http://www.cisco.com/warp/public/707/cisco-sa-20110831-tandberg.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce@cisco.com * first-bulletins@lists.first.org * bugtraq@securityfocus.com * vulnwatch@vulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.grok.org.uk Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +------------------------------------------------------------+ | Revision 1.0 | 2011-Aug-31 | Initial public release. | +------------------------------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt. +-------------------------------------------------------------------- Copyright 2010-2011 Cisco Systems, Inc. All rights reserved. +-------------------------------------------------------------------- Updated: Aug 11, 2011 Document ID: 113098 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) iF4EAREIAAYFAk5eWDwACgkQQXnnBKKRMNAFAQD7Bf8+G0VKbE37nc95p1vOhAvh DKCbu0g+YxMlo6+Iua8A/0qgCKk47eCVVO97ejvRkbAHxjOzVu9GBG4uTuQLoqK8 =WGqM -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ . 19-Sep-2011 Last Update. - Vendor Notification Date. 21-Feb-2011 Product. Cisco TelePresence Series Platform. C <= TC4.1.2, MXP <= F9.1 Severity Rating. Low - Medium Impact. Cookie/credential theft, impersonation, loss of confidentiality, client-side code execution, denial of service. Solution Status. Vendor patch References. 1. CVE-2011-2544 (CSCtq46488) 2. CVE-2011-2543 (CSCtq46496) 3. CVE-2011-2577 (CSCtq46500) Details. The C & MXP Series are the Endpoints used on desks or in boardrooms to provide users with a termination point for Video Conferencing. 1. Post-authentication HTML Injection - CVE-2011-2544 (CSCtq46488): Cisco TelePresence Endpoints have a web interface (HTTP or HTTPS) for managing, configuring and reporting. It is possible to set the Call ID (with H.323 or SIP) to a HTML value. If a call is made to another endpoint and an authenticated user browses to the web interface on the endpoint receiving the call (e.g. to view call statistics), the HTML will render locally within the context of the logged in user. From this point it is possible to make changes to the system as the authenticated user. The flaw is due to the flexibility of the H.323 ID or SIP Display Name fields and failure to correctly validate user input. Examples (MXP): Rebooting the system: <IMG SRC="/reboot&Yes=please"> The attacker may also choose to change passwords in the system, disable encryption or enable telnet: <IMG SRC=/html_select_status?reload=other.ssi&telnet=On> <IMG SRC=/html_select_status?reload=security.ssi&/Configuration/ Conference/Encryption/Mode=Off&/Configuration/SystemUnit/Password=test> 2. Post-authentication Memory Corruption - CVE-2011-2543 (CSCtq46496): Cisco TelePresence systems (Endpoints and Infrastructure) use XPath for setting and getting configuration. Example syntax is: http://ip/getxml?location=/Configuration/Video The request is sent to a locally listening shell (tshell). This is the case for all requests relating to performing an action on the system (e.g. config get or set). The shell then sends the input to the "main" application (/app/main, id=0), and the data is passed as a parameter. It was discovered that the getXML handle does not properly perform length checking on the user supplied input before passing it to the tshell. Furthermore, there is no length checking performed in the tshell and no bounds checking performed in the main application where the parameter is consumed. As such, it is possible to send input that exceeds the size of the receiving buffer, subsequently causing an invalid address to be read. This causes a reboot on the Endpoints. The VCS will not reboot, the process will crash by SIGSEGV (or sigabrt) but it will restart the process itself which drops all calls. Proof of Concept: GET /wsgi/getxml?location="+("A"*5200)+("\x60"*4)+("X"*4)+"HTTP/1.1\r\n Host: 192.168.6.99\r\n\r\n" Received signal SIGSEGV (11) in thread 0x129e8480, TID 2670 Illegal memory access at: 0x5858585c Registers: GPR00: 00f2c908 129e5960 129ef920 00000005 00000040 0000000c 00000037 0f315580 GPR08: 00000005 129e5a70 129e5a80 58585858 0f3272d4 11589858 129e6896 0000000b GPR16: 129e6084 11164a1c 00000000 129e6894 00000037 1299ca18 00000005 00000002 GPR24: 129e59a8 00000002 0f3ea3a4 129e5a64 00000037 00000005 0f410bac 129e5960 GPR24: 129e59a8 00000002 0f3ea3a4 129e5a64 00000037 00000005 0f410bac 129e5960 NIP: 0f39abc8 MSR: 0000d032 OGPR3: 00000002 As you can see, the crash string is passed as a parameter in GPR 8. The severity of this issue is compounded by the fact that the main application runs as root, this could potentially lead to arbitrary code execution. 3. Pre-authentication SIP Denial of Service - CVE-2011-2577 (CSCtq46500): Cisco TelePresence Endpoints utilise SIP for the call setup protocol. Sending a SIP INVITE with a 4x8 a"s in the MAC Address field and the receive field causes the system to reboot. Proof of Concept: MXP: Exception 0x1100 : Data TLB load miss Active task FsmMain FSM process : SipTrnsp(0) FSM message : SipTrnsp_Send_Msg_Req from SipTrnsp(0) Data TLB miss (DMISS) : 0x00000000 (illegal addr. accessed) Solution. Upgrade to TC4.2 for the C series to fix validation issues. Discovered by. About us. Sense of Security is a leading provider of information security and risk management solutions. Our team has expert skills in assessment and assurance, strategy and architecture, and deployment through to ongoing management. We are Australia's premier application penetration testing firm and trusted IT security advisor to many of the countries largest organisations. Sense of Security Pty Ltd Level 8, 66 King St Sydney NSW 2000 AUSTRALIA T: +61 (0)2 9290 4444 F: +61 (0)2 9290 4455 W: http://www.senseofsecurity.com.au E: info@senseofsecurity.com.au Twitter: @ITsecurityAU The latest version of this advisory can be found at: http://www.senseofsecurity.com.au/advisories/SOS-11-010.pdf Other Sense of Security advisories can be found at: http://www.senseofsecurity.com.au/research/it-security-advisories.php

Ingres Database is prone to an unspecified vulnerability that can be exploited to overflow data. The impact is currently unknown; however, this class of vulnerability may allow attackers to gain access to sensitive information, corrupt memory or cause a denial-of-service condition. Ingres Database versions 2.6, 9.1, 9.2, 9.3, and 10.0 for Windows are vulnerable.

SAP NetWeaver is the technical foundation for SAP Business Suite solutions, SAP xApps composite applications, partner solutions, and custom applications. The \"EPS_DELETE_FILE\" function has an input validation error, and an attacker submits a directory traversal sequence request to delete any file. To successfully exploit the vulnerability you need access to the default SAP account TMSADM or SAPCPIC. ---------------------------------------------------------------------- The Secunia CSI 5.0 Beta - now available for testing Find out more, take a free test drive, and share your opinion with us: http://secunia.com/blog/242 ---------------------------------------------------------------------- TITLE: SAP NetWeaver "EPS_DELETE_FILE" Arbitrary File Deletion Vulnerability SECUNIA ADVISORY ID: SA45715 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/45715/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=45715 RELEASE DATE: 2011-08-27 DISCUSS ADVISORY: http://secunia.com/advisories/45715/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/45715/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=45715 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Alexey Sintsov has reported a vulnerability in SAP NetWeaver, which can be exploited by malicious users to manipulate certain data. TMSADM or SAPCPIC. SOLUTION: Apply fixes. Please see the vendor's advisory for details. PROVIDED AND/OR DISCOVERED BY: Alexey Sintsov, Digital Security Research Group (DSecRG). ORIGINAL ADVISORY: SAP: https://service.sap.com/sap/support/notes/1554030 Digital Security Research Group: http://dsecrg.com/pages/vul/show.php?id=331 OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

The web interface on the LifeSize Room appliance LS_RM1_3.5.3 (11) and 4.7.18 allows remote attackers to execute arbitrary commands via a modified request to the LSRoom_Remoting.doCommand function in gateway.php. LifeSize Room appliance contains an authentication bypass and arbitrary code injection vulnerability when failing to sanitize input from unauthenticated clients. LifeSize Room is a high definition video conferencing device. LifeSize Room is prone to a security-bypass vulnerability and a command-injection vulnerability. LifeSize Room versions 3.5.3 and 4.7.18 are affected; other versions may also be vulnerable. Discovered: 07-13-11 By: Spencer McIntyre (zeroSteiner) SecureState R&D Team www.securestate.com Background: ----------- Multiple vulnerabilities within the LifeSize Room appliance. Vulnerability Summaries: ------------------------ Login page can be bypassed, granting administrative access to the web interface. Unauthenticated OS command injection is possible through the web interface. The easiest way to perform these attacks is using a web proxy. Authentication By Pass: ----------------------- Following the request to /gateway.php that references the LSRoom_Remoting.authenticate function, modify the AMF data in the response from the server to change "false" to "true" Example: Original False AMF: "\x0d\x0a\x0d\x0a\x00\x00\x00\x00\x00\x01\x00\x0c\x2f\x35\x37\x2f\x6f\x6e\x52\x65\x73\x75\x6c\x74\x00\x04\x6e\x75\x6c\x6c\x00\x00\x00\x02\x01\x00" Modified True AMF: "\x0d\x0a\x0d\x0a\x00\x00\x00\x00\x00\x01\x00\x0c\x2f\x35\x37\x2f\x6f\x6e\x52\x65\x73\x75\x6c\x74\x00\x04\x6e\x75\x6c\x6c\xff\xff\xff\xff\x01\x01" Command Injection: ------------------ The request to /gateway.php references a vulnerable function LSRoom_Remoting.doCommand within the encoded AMF data. The original parameter for the vulnerable function is "pref -l /var/system/upgrade/status" Replace this part with the command to be executed. Authentication to the web application is not necessary however a valid PHP session ID must be passed within the request. References: ----------- CVE-2011-2762 - authentication bypass CVE-2011-2763 - OS command injection

The web interface on the LifeSize Room appliance LS_RM1_3.5.3 (11) allows remote attackers to bypass authentication via unspecified data associated with a "true" authentication status, related to AMF data and the LSRoom_Remoting.authenticate function in gateway.php. LifeSize Room is a high definition video conferencing device. LifeSize Room is prone to a security-bypass vulnerability and a command-injection vulnerability. Exploiting these issues could allow an attacker to bypass authentication or execute arbitrary commands in the context of the application. LifeSize Room versions 3.5.3 and 4.7.18 are affected; other versions may also be vulnerable. Unauthenticated OS command injection is possible through the web interface. The easiest way to perform these attacks is using a web proxy. Authentication By Pass: ----------------------- Following the request to /gateway.php that references the LSRoom_Remoting.authenticate function, modify the AMF data in the response from the server to change "false" to "true" Example: Original False AMF: "\x0d\x0a\x0d\x0a\x00\x00\x00\x00\x00\x01\x00\x0c\x2f\x35\x37\x2f\x6f\x6e\x52\x65\x73\x75\x6c\x74\x00\x04\x6e\x75\x6c\x6c\x00\x00\x00\x02\x01\x00" Modified True AMF: "\x0d\x0a\x0d\x0a\x00\x00\x00\x00\x00\x01\x00\x0c\x2f\x35\x37\x2f\x6f\x6e\x52\x65\x73\x75\x6c\x74\x00\x04\x6e\x75\x6c\x6c\xff\xff\xff\xff\x01\x01" Command Injection: ------------------ The request to /gateway.php references a vulnerable function LSRoom_Remoting.doCommand within the encoded AMF data. The original parameter for the vulnerable function is "pref -l /var/system/upgrade/status" Replace this part with the command to be executed. Authentication to the web application is not necessary however a valid PHP session ID must be passed within the request. References: ----------- CVE-2011-2762 - authentication bypass CVE-2011-2763 - OS command injection

The byterange filter in the Apache HTTP Server 1.3.x, 2.0.x through 2.0.64, and 2.2.x through 2.2.19 allows remote attackers to cause a denial of service (memory and CPU consumption) via a Range header that expresses multiple overlapping ranges, as exploited in the wild in August 2011, a different vulnerability than CVE-2007-0086. Both the 'Range' header and the 'Range-Request' header are vulnerable. The attack tool causes a significant increase in CPU and memory usage on the server. Apache HTTPD The server has a service disruption (DoS) Vulnerabilities exist. Apache HTTPD The server Range Header and Request-Range There is a problem with header processing, and service operation is interrupted. (DoS) Vulnerabilities exist. Attacks using this vulnerability have been observed. Also, "Apache Killer" The attack tool called is released. Apache The advisory states that: "Background and the 2007 report There are two aspects to this vulnerability. One is new, is Apache specific; and resolved with this server side fix. The other issue is fundamentally a protocol design issue dating back to 2007: http://seclists.org/bugtraq/2007/Jan/83 The contemporary interpretation of the HTTP protocol (currently) requires a server to return multiple (overlapping) ranges; in the order requested. This means that one can request a very large range (e.g. from byte 0- to the end) 100's of times in a single request. Being able to do so is an issue for (probably all) webservers and currently subject of an IETF discussion to change the protocol: http://trac.tools.ietf.org/wg/httpbis/trac/ticket/311 This advisory details a problem with how Apache httpd and its so called internal 'bucket brigades' deal with serving such "valid" request. The problem is that currently such requests internally explode into 100's of large fetches, all of which are kept in memory in an inefficient way. This is being addressed in two ways. By making things more efficient. And by weeding out or simplifying requests deemed too unwieldy."Service disruption by a remote third party (DoS) There is a possibility of being attacked. For other issues about the content of this Security Bulletin, send e-mail to security-alert@hp.com. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Important: httpd security update Advisory ID: RHSA-2011:1245-01 Product: Red Hat Enterprise Linux Advisory URL: https://rhn.redhat.com/errata/RHSA-2011-1245.html Issue date: 2011-08-31 CVE Names: CVE-2011-3192 ===================================================================== 1. Summary: Updated httpd packages that fix one security issue are now available for Red Hat Enterprise Linux 4, 5, and 6. The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. 2. Relevant releases/architectures: RHEL Desktop Workstation (v. 5 client) - i386, x86_64 Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64 Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390, s390x, x86_64 Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64 Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64 Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, noarch, x86_64 Red Hat Enterprise Linux Desktop version 4 - i386, x86_64 Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64 Red Hat Enterprise Linux HPC Node (v. 6) - x86_64 Red Hat Enterprise Linux HPC Node Optional (v. 6) - noarch, x86_64 Red Hat Enterprise Linux Server (v. 6) - i386, noarch, ppc64, s390x, x86_64 Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64 Red Hat Enterprise Linux Workstation (v. 6) - i386, noarch, x86_64 3. (CVE-2011-3192) All httpd users should upgrade to these updated packages, which contain a backported patch to correct this issue. After installing the updated packages, the httpd daemon must be restarted for the update to take effect. 4. Solution: Before applying this update, make sure all previously-released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/kb/docs/DOC-11259 5. Bugs fixed (http://bugzilla.redhat.com/): 732928 - CVE-2011-3192 httpd: multiple ranges DoS 6. Package List: Red Hat Enterprise Linux AS version 4: Source: ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/httpd-2.0.52-48.ent.src.rpm i386: httpd-2.0.52-48.ent.i386.rpm httpd-debuginfo-2.0.52-48.ent.i386.rpm httpd-devel-2.0.52-48.ent.i386.rpm httpd-manual-2.0.52-48.ent.i386.rpm httpd-suexec-2.0.52-48.ent.i386.rpm mod_ssl-2.0.52-48.ent.i386.rpm ia64: httpd-2.0.52-48.ent.ia64.rpm httpd-debuginfo-2.0.52-48.ent.ia64.rpm httpd-devel-2.0.52-48.ent.ia64.rpm httpd-manual-2.0.52-48.ent.ia64.rpm httpd-suexec-2.0.52-48.ent.ia64.rpm mod_ssl-2.0.52-48.ent.ia64.rpm ppc: httpd-2.0.52-48.ent.ppc.rpm httpd-debuginfo-2.0.52-48.ent.ppc.rpm httpd-devel-2.0.52-48.ent.ppc.rpm httpd-manual-2.0.52-48.ent.ppc.rpm httpd-suexec-2.0.52-48.ent.ppc.rpm mod_ssl-2.0.52-48.ent.ppc.rpm s390: httpd-2.0.52-48.ent.s390.rpm httpd-debuginfo-2.0.52-48.ent.s390.rpm httpd-devel-2.0.52-48.ent.s390.rpm httpd-manual-2.0.52-48.ent.s390.rpm httpd-suexec-2.0.52-48.ent.s390.rpm mod_ssl-2.0.52-48.ent.s390.rpm s390x: httpd-2.0.52-48.ent.s390x.rpm httpd-debuginfo-2.0.52-48.ent.s390x.rpm httpd-devel-2.0.52-48.ent.s390x.rpm httpd-manual-2.0.52-48.ent.s390x.rpm httpd-suexec-2.0.52-48.ent.s390x.rpm mod_ssl-2.0.52-48.ent.s390x.rpm x86_64: httpd-2.0.52-48.ent.x86_64.rpm httpd-debuginfo-2.0.52-48.ent.x86_64.rpm httpd-devel-2.0.52-48.ent.x86_64.rpm httpd-manual-2.0.52-48.ent.x86_64.rpm httpd-suexec-2.0.52-48.ent.x86_64.rpm mod_ssl-2.0.52-48.ent.x86_64.rpm Red Hat Enterprise Linux Desktop version 4: Source: ftp://updates.redhat.com/enterprise/4Desktop/en/os/SRPMS/httpd-2.0.52-48.ent.src.rpm i386: httpd-2.0.52-48.ent.i386.rpm httpd-debuginfo-2.0.52-48.ent.i386.rpm httpd-devel-2.0.52-48.ent.i386.rpm httpd-manual-2.0.52-48.ent.i386.rpm httpd-suexec-2.0.52-48.ent.i386.rpm mod_ssl-2.0.52-48.ent.i386.rpm x86_64: httpd-2.0.52-48.ent.x86_64.rpm httpd-debuginfo-2.0.52-48.ent.x86_64.rpm httpd-devel-2.0.52-48.ent.x86_64.rpm httpd-manual-2.0.52-48.ent.x86_64.rpm httpd-suexec-2.0.52-48.ent.x86_64.rpm mod_ssl-2.0.52-48.ent.x86_64.rpm Red Hat Enterprise Linux ES version 4: Source: ftp://updates.redhat.com/enterprise/4ES/en/os/SRPMS/httpd-2.0.52-48.ent.src.rpm i386: httpd-2.0.52-48.ent.i386.rpm httpd-debuginfo-2.0.52-48.ent.i386.rpm httpd-devel-2.0.52-48.ent.i386.rpm httpd-manual-2.0.52-48.ent.i386.rpm httpd-suexec-2.0.52-48.ent.i386.rpm mod_ssl-2.0.52-48.ent.i386.rpm ia64: httpd-2.0.52-48.ent.ia64.rpm httpd-debuginfo-2.0.52-48.ent.ia64.rpm httpd-devel-2.0.52-48.ent.ia64.rpm httpd-manual-2.0.52-48.ent.ia64.rpm httpd-suexec-2.0.52-48.ent.ia64.rpm mod_ssl-2.0.52-48.ent.ia64.rpm x86_64: httpd-2.0.52-48.ent.x86_64.rpm httpd-debuginfo-2.0.52-48.ent.x86_64.rpm httpd-devel-2.0.52-48.ent.x86_64.rpm httpd-manual-2.0.52-48.ent.x86_64.rpm httpd-suexec-2.0.52-48.ent.x86_64.rpm mod_ssl-2.0.52-48.ent.x86_64.rpm Red Hat Enterprise Linux WS version 4: Source: ftp://updates.redhat.com/enterprise/4WS/en/os/SRPMS/httpd-2.0.52-48.ent.src.rpm i386: httpd-2.0.52-48.ent.i386.rpm httpd-debuginfo-2.0.52-48.ent.i386.rpm httpd-devel-2.0.52-48.ent.i386.rpm httpd-manual-2.0.52-48.ent.i386.rpm httpd-suexec-2.0.52-48.ent.i386.rpm mod_ssl-2.0.52-48.ent.i386.rpm ia64: httpd-2.0.52-48.ent.ia64.rpm httpd-debuginfo-2.0.52-48.ent.ia64.rpm httpd-devel-2.0.52-48.ent.ia64.rpm httpd-manual-2.0.52-48.ent.ia64.rpm httpd-suexec-2.0.52-48.ent.ia64.rpm mod_ssl-2.0.52-48.ent.ia64.rpm x86_64: httpd-2.0.52-48.ent.x86_64.rpm httpd-debuginfo-2.0.52-48.ent.x86_64.rpm httpd-devel-2.0.52-48.ent.x86_64.rpm httpd-manual-2.0.52-48.ent.x86_64.rpm httpd-suexec-2.0.52-48.ent.x86_64.rpm mod_ssl-2.0.52-48.ent.x86_64.rpm Red Hat Enterprise Linux Desktop (v. 5 client): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/httpd-2.2.3-53.el5_7.1.src.rpm i386: httpd-2.2.3-53.el5_7.1.i386.rpm httpd-debuginfo-2.2.3-53.el5_7.1.i386.rpm mod_ssl-2.2.3-53.el5_7.1.i386.rpm x86_64: httpd-2.2.3-53.el5_7.1.x86_64.rpm httpd-debuginfo-2.2.3-53.el5_7.1.x86_64.rpm mod_ssl-2.2.3-53.el5_7.1.x86_64.rpm RHEL Desktop Workstation (v. 5 client): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/httpd-2.2.3-53.el5_7.1.src.rpm i386: httpd-debuginfo-2.2.3-53.el5_7.1.i386.rpm httpd-devel-2.2.3-53.el5_7.1.i386.rpm httpd-manual-2.2.3-53.el5_7.1.i386.rpm x86_64: httpd-debuginfo-2.2.3-53.el5_7.1.i386.rpm httpd-debuginfo-2.2.3-53.el5_7.1.x86_64.rpm httpd-devel-2.2.3-53.el5_7.1.i386.rpm httpd-devel-2.2.3-53.el5_7.1.x86_64.rpm httpd-manual-2.2.3-53.el5_7.1.x86_64.rpm Red Hat Enterprise Linux (v. 5 server): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/httpd-2.2.3-53.el5_7.1.src.rpm i386: httpd-2.2.3-53.el5_7.1.i386.rpm httpd-debuginfo-2.2.3-53.el5_7.1.i386.rpm httpd-devel-2.2.3-53.el5_7.1.i386.rpm httpd-manual-2.2.3-53.el5_7.1.i386.rpm mod_ssl-2.2.3-53.el5_7.1.i386.rpm ia64: httpd-2.2.3-53.el5_7.1.ia64.rpm httpd-debuginfo-2.2.3-53.el5_7.1.ia64.rpm httpd-devel-2.2.3-53.el5_7.1.ia64.rpm httpd-manual-2.2.3-53.el5_7.1.ia64.rpm mod_ssl-2.2.3-53.el5_7.1.ia64.rpm ppc: httpd-2.2.3-53.el5_7.1.ppc.rpm httpd-debuginfo-2.2.3-53.el5_7.1.ppc.rpm httpd-debuginfo-2.2.3-53.el5_7.1.ppc64.rpm httpd-devel-2.2.3-53.el5_7.1.ppc.rpm httpd-devel-2.2.3-53.el5_7.1.ppc64.rpm httpd-manual-2.2.3-53.el5_7.1.ppc.rpm mod_ssl-2.2.3-53.el5_7.1.ppc.rpm s390x: httpd-2.2.3-53.el5_7.1.s390x.rpm httpd-debuginfo-2.2.3-53.el5_7.1.s390.rpm httpd-debuginfo-2.2.3-53.el5_7.1.s390x.rpm httpd-devel-2.2.3-53.el5_7.1.s390.rpm httpd-devel-2.2.3-53.el5_7.1.s390x.rpm httpd-manual-2.2.3-53.el5_7.1.s390x.rpm mod_ssl-2.2.3-53.el5_7.1.s390x.rpm x86_64: httpd-2.2.3-53.el5_7.1.x86_64.rpm httpd-debuginfo-2.2.3-53.el5_7.1.i386.rpm httpd-debuginfo-2.2.3-53.el5_7.1.x86_64.rpm httpd-devel-2.2.3-53.el5_7.1.i386.rpm httpd-devel-2.2.3-53.el5_7.1.x86_64.rpm httpd-manual-2.2.3-53.el5_7.1.x86_64.rpm mod_ssl-2.2.3-53.el5_7.1.x86_64.rpm Red Hat Enterprise Linux Desktop (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/httpd-2.2.15-9.el6_1.2.src.rpm i386: httpd-2.2.15-9.el6_1.2.i686.rpm httpd-debuginfo-2.2.15-9.el6_1.2.i686.rpm httpd-tools-2.2.15-9.el6_1.2.i686.rpm x86_64: httpd-2.2.15-9.el6_1.2.x86_64.rpm httpd-debuginfo-2.2.15-9.el6_1.2.x86_64.rpm httpd-tools-2.2.15-9.el6_1.2.x86_64.rpm Red Hat Enterprise Linux Desktop Optional (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/httpd-2.2.15-9.el6_1.2.src.rpm i386: httpd-debuginfo-2.2.15-9.el6_1.2.i686.rpm httpd-devel-2.2.15-9.el6_1.2.i686.rpm mod_ssl-2.2.15-9.el6_1.2.i686.rpm noarch: httpd-manual-2.2.15-9.el6_1.2.noarch.rpm x86_64: httpd-debuginfo-2.2.15-9.el6_1.2.i686.rpm httpd-debuginfo-2.2.15-9.el6_1.2.x86_64.rpm httpd-devel-2.2.15-9.el6_1.2.i686.rpm httpd-devel-2.2.15-9.el6_1.2.x86_64.rpm mod_ssl-2.2.15-9.el6_1.2.x86_64.rpm Red Hat Enterprise Linux HPC Node (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/httpd-2.2.15-9.el6_1.2.src.rpm x86_64: httpd-2.2.15-9.el6_1.2.x86_64.rpm httpd-debuginfo-2.2.15-9.el6_1.2.x86_64.rpm httpd-tools-2.2.15-9.el6_1.2.x86_64.rpm Red Hat Enterprise Linux HPC Node Optional (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/httpd-2.2.15-9.el6_1.2.src.rpm noarch: httpd-manual-2.2.15-9.el6_1.2.noarch.rpm x86_64: httpd-debuginfo-2.2.15-9.el6_1.2.i686.rpm httpd-debuginfo-2.2.15-9.el6_1.2.x86_64.rpm httpd-devel-2.2.15-9.el6_1.2.i686.rpm httpd-devel-2.2.15-9.el6_1.2.x86_64.rpm mod_ssl-2.2.15-9.el6_1.2.x86_64.rpm Red Hat Enterprise Linux Server (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/httpd-2.2.15-9.el6_1.2.src.rpm i386: httpd-2.2.15-9.el6_1.2.i686.rpm httpd-debuginfo-2.2.15-9.el6_1.2.i686.rpm httpd-devel-2.2.15-9.el6_1.2.i686.rpm httpd-tools-2.2.15-9.el6_1.2.i686.rpm mod_ssl-2.2.15-9.el6_1.2.i686.rpm noarch: httpd-manual-2.2.15-9.el6_1.2.noarch.rpm ppc64: httpd-2.2.15-9.el6_1.2.ppc64.rpm httpd-debuginfo-2.2.15-9.el6_1.2.ppc.rpm httpd-debuginfo-2.2.15-9.el6_1.2.ppc64.rpm httpd-devel-2.2.15-9.el6_1.2.ppc.rpm httpd-devel-2.2.15-9.el6_1.2.ppc64.rpm httpd-tools-2.2.15-9.el6_1.2.ppc64.rpm mod_ssl-2.2.15-9.el6_1.2.ppc64.rpm s390x: httpd-2.2.15-9.el6_1.2.s390x.rpm httpd-debuginfo-2.2.15-9.el6_1.2.s390.rpm httpd-debuginfo-2.2.15-9.el6_1.2.s390x.rpm httpd-devel-2.2.15-9.el6_1.2.s390.rpm httpd-devel-2.2.15-9.el6_1.2.s390x.rpm httpd-tools-2.2.15-9.el6_1.2.s390x.rpm mod_ssl-2.2.15-9.el6_1.2.s390x.rpm x86_64: httpd-2.2.15-9.el6_1.2.x86_64.rpm httpd-debuginfo-2.2.15-9.el6_1.2.i686.rpm httpd-debuginfo-2.2.15-9.el6_1.2.x86_64.rpm httpd-devel-2.2.15-9.el6_1.2.i686.rpm httpd-devel-2.2.15-9.el6_1.2.x86_64.rpm httpd-tools-2.2.15-9.el6_1.2.x86_64.rpm mod_ssl-2.2.15-9.el6_1.2.x86_64.rpm Red Hat Enterprise Linux Workstation (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/httpd-2.2.15-9.el6_1.2.src.rpm i386: httpd-2.2.15-9.el6_1.2.i686.rpm httpd-debuginfo-2.2.15-9.el6_1.2.i686.rpm httpd-devel-2.2.15-9.el6_1.2.i686.rpm httpd-tools-2.2.15-9.el6_1.2.i686.rpm mod_ssl-2.2.15-9.el6_1.2.i686.rpm noarch: httpd-manual-2.2.15-9.el6_1.2.noarch.rpm x86_64: httpd-2.2.15-9.el6_1.2.x86_64.rpm httpd-debuginfo-2.2.15-9.el6_1.2.i686.rpm httpd-debuginfo-2.2.15-9.el6_1.2.x86_64.rpm httpd-devel-2.2.15-9.el6_1.2.i686.rpm httpd-devel-2.2.15-9.el6_1.2.x86_64.rpm httpd-tools-2.2.15-9.el6_1.2.x86_64.rpm mod_ssl-2.2.15-9.el6_1.2.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package 7. References: https://www.redhat.com/security/data/cve/CVE-2011-3192.html https://access.redhat.com/security/updates/classification/#important 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2011 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFOXrquXlSAg2UNWIIRAhCLAKCItpMGXPG+Qj9sCBaugV7zW/0QngCgmlIN ofB71UVqXan/YvWLkNO+XYw= =DqLG -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce . Release Date: 2011-09-08 Last Updated: 2011-10-26 ------------------------------------------------------------------------------ Potential Security Impact: Remote Denial of Service (DoS) Source: Hewlett-Packard Company, HP Software Security Response Team VULNERABILITY SUMMARY Potential security vulnerabilities have been identified with HP-UX Apache Web Server. References: CVE-2011-3192, CVE-2011-0419 SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed. HP-UX B.11.23, B.11.31 running HP-UX Apache Web Server Suite v3.18 containing Apache v2.2.15.08 or earlier HP-UX B.11.11 running HP-UX Apache Web Server Suite v2.33 containing Apache v2.0.64.01 or earlier BACKGROUND CVSS 2.0 Base Metrics =========================================================== Reference Base Vector Base Score CVE-2011-3192 (AV:N/AC:L/Au:N/C:N/I:N/A:C) 7.8 CVE-2011-0419 (AV:N/AC:M/Au:N/C:N/I:N/A:P) 4.3 =========================================================== Information on CVSS is documented in HP Customer Notice: HPSN-2008-002 RESOLUTION HP has provided the following software updates to resolve these vulnerabilities. HP-UX Web Server Suite (WSS) v3.19 containing Apache v2.2.15.09 The WSS v3.19 update is available for download from the following location https://h20392.www2.hp.com/portal/swdepot/try.do?productNumber=HPUXWSATW319 HP-UX 11i Releases / Apache Depot name B.11.23 & B.11.31 (32-bit) / HPUXWS22ATW-B319-32.depot B.11.23 & B.11.31 (64-bit) / HPUXWS22ATW-B319-64.depot HP-UX Web Server Suite (WSS) v2.34 containing Apache v2.0.64.02 The WSS v2.34 update is available for download from the following location https://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=HPUXWSATW234 HP-UX 11i Release / Apache Depot name B.11.11 / HPUXWSATW-B234-1111.depot B.11.23 (32 & 64-bit) / No longer supported. Upgrade to WSS v3.19 B.11.31 (32 & 64-bit) / No longer supported. Upgrade to WSS v3.19 MANUAL ACTIONS: Yes - Update For B.11.23 and B.11.31 install HP-UX Web Server Suite v3.19 or subsequent. PRODUCT SPECIFIC INFORMATION HP-UX Software Assistant: HP-UX Software Assistant is an enhanced application that replaces HP-UX Security Patch Check. It analyzes all Security Bulletins issued by HP and lists recommended actions that may apply to a specific HP-UX system. It can also download patches and create a depot automatically. For more information see https://www.hp.com/go/swa The following text is for use by the HP-UX Software Assistant. AFFECTED VERSIONS HP-UX Web Server Suite v3.19 HP-UX B.11.23 HP-UX B.11.31 ================== hpuxws22APCH32.APACHE hpuxws22APCH32.APACHE2 hpuxws22APCH32.AUTH_LDAP hpuxws22APCH32.AUTH_LDAP2 hpuxws22APCH32.MOD_JK hpuxws22APCH32.MOD_JK2 hpuxws22APCH32.MOD_PERL hpuxws22APCH32.MOD_PERL2 hpuxws22APCH32.PHP hpuxws22APCH32.PHP2 hpuxws22APCH32.WEBPROXY hpuxws22APCH32.WEBPROXY2 hpuxws22APACHE.APACHE hpuxws22APACHE.APACHE2 hpuxws22APACHE.AUTH_LDAP hpuxws22APACHE.AUTH_LDAP2 hpuxws22APACHE.MOD_JK hpuxws22APACHE.MOD_JK2 hpuxws22APACHE.MOD_PERL hpuxws22APACHE.MOD_PERL2 hpuxws22APACHE.PHP hpuxws22APACHE.PHP2 hpuxws22APACHE.WEBPROXY hpuxws22APACHE.WEBPROXY2 action: install revision B.2.2.15.09 or subsequent HP-UX Web Server Suite v2.34 HP-UX B.11.11 ================== hpuxwsAPACHE.APACHE hpuxwsAPACHE.APACHE2 hpuxwsAPACHE.AUTH_LDAP hpuxwsAPACHE.AUTH_LDAP2 hpuxwsAPACHE.MOD_JK hpuxwsAPACHE.MOD_JK2 hpuxwsAPACHE.MOD_PERL hpuxwsAPACHE.MOD_PERL2 hpuxwsAPACHE.PHP hpuxwsAPACHE.PHP2 hpuxwsAPACHE.WEBPROXY action: install revision B.2.0.64.02 or subsequent END AFFECTED VERSIONS HISTORY Version:1 (rev.1) - 8 September 2011 Initial release Version:2 (rev.2) - 8 September 2011 Updated affectivity, recommendations, typos Version:3 (rev.3) - 22 September 2011 New source for depots Version:4 (rev.4) - 23 September 2011 Apache WSS 2.33 depot for B.11.11 available Version:5 (rev.5) - 26 October 2011 Final depots available Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy. Support: For further information, contact normal HP Services support channel. Report: To report a potential security vulnerability with any HP supported product, send Email to: security-alert@hp.com Subscribe: To initiate a subscription to receive future HP Security Bulletin alerts via Email: http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins Security Bulletin List: A list of HP Security Bulletins, updated periodically, is contained in HP Security Notice HPSN-2011-001: https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c02964430 3C = 3COM 3P = 3rd Party Software GN = HP General Software HF = HP Hardware and Firmware MP = MPE/iX MU = Multi-Platform Software NS = NonStop Servers OV = OpenVMS PI = Printing and Imaging PV = ProCurve ST = Storage Software TU = Tru64 UNIX UX = HP-UX Copyright 2011 Hewlett-Packard Development Company, L.P. Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental,special or consequential damages including downtime cost; lost profits;damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett-Packard Company and the names of Hewlett-Packard products referenced herein are trademarks of Hewlett-Packard Company in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners. Enjoy! * apache has been upgraded to the latest version (2.2.21) for 2011 _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3192 _______________________________________________________________________ Updated Packages: Mandriva Linux 2011: 5c4825e4c63b4a06c68a5fd81517de71 2011/i586/apache-base-2.2.21-0.1-mdv2011.0.i586.rpm b5a00191b27804f9735643cdcd704b19 2011/i586/apache-conf-2.2.21-0.1-mdv2011.0.i586.rpm 49defd7efbb4a37ec49c01c7ef9c64aa 2011/i586/apache-devel-2.2.21-0.1-mdv2011.0.i586.rpm a023e40689777630df036eae1a84a475 2011/i586/apache-doc-2.2.21-0.1-mdv2011.0.noarch.rpm f03744bb74a3e0872cb08465799c3ee1 2011/i586/apache-htcacheclean-2.2.21-0.1-mdv2011.0.i586.rpm bb9efa66089deef66f9434b813d41a95 2011/i586/apache-mod_authn_dbd-2.2.21-0.1-mdv2011.0.i586.rpm bb334eb7fe43927ba7c6c9196b4e1fd1 2011/i586/apache-mod_cache-2.2.21-0.1-mdv2011.0.i586.rpm 086b5ed82c064b16964fff70bf9c841e 2011/i586/apache-mod_dav-2.2.21-0.1-mdv2011.0.i586.rpm 115008b2471e10ea01689dafe5c46bcd 2011/i586/apache-mod_dbd-2.2.21-0.1-mdv2011.0.i586.rpm 6b686ec6612ff8740d1e482faa06c544 2011/i586/apache-mod_deflate-2.2.21-0.1-mdv2011.0.i586.rpm 8c8f14074bc0dbbeb2b3890611f95c6b 2011/i586/apache-mod_disk_cache-2.2.21-0.1-mdv2011.0.i586.rpm b03569edc20c9393e0b5eea09f590368 2011/i586/apache-mod_file_cache-2.2.21-0.1-mdv2011.0.i586.rpm 343703d3822a6757e000edeebe7e0a06 2011/i586/apache-mod_ldap-2.2.21-0.1-mdv2011.0.i586.rpm 3457011403525d40e525716c4da8e477 2011/i586/apache-mod_mem_cache-2.2.21-0.1-mdv2011.0.i586.rpm 3d060145b3665ca4c0b309f812af9370 2011/i586/apache-mod_proxy-2.2.21-0.1-mdv2011.0.i586.rpm a0e00b0610eb5a8c5c57afabeafc07f8 2011/i586/apache-mod_proxy_ajp-2.2.21-0.1-mdv2011.0.i586.rpm dd4bb38bbc2997ca398fb37225eca371 2011/i586/apache-mod_proxy_scgi-2.2.21-0.1-mdv2011.0.i586.rpm 2966cdfddf02fa32447711af6a3046dd 2011/i586/apache-mod_reqtimeout-2.2.21-0.1-mdv2011.0.i586.rpm 48774d9c282dc476f35a0c8b2e821a7f 2011/i586/apache-mod_ssl-2.2.21-0.1-mdv2011.0.i586.rpm 7b832f85bd258abf0c7abb161f4028b4 2011/i586/apache-mod_suexec-2.2.21-0.1-mdv2011.0.i586.rpm 1c6b93eaa5b27477989bf82ea9a63685 2011/i586/apache-modules-2.2.21-0.1-mdv2011.0.i586.rpm 1e7dc0ee3fafae8a786be0cc164ebe4a 2011/i586/apache-mod_userdir-2.2.21-0.1-mdv2011.0.i586.rpm ab2d074f2dfe57a64b022d4e6b8254ab 2011/i586/apache-mpm-event-2.2.21-0.1-mdv2011.0.i586.rpm a22debf09366b64e236965a4091009e9 2011/i586/apache-mpm-itk-2.2.21-0.1-mdv2011.0.i586.rpm 174aed4327491b83f147f3b4e76bcd1f 2011/i586/apache-mpm-peruser-2.2.21-0.1-mdv2011.0.i586.rpm e141881c27496e7e74ad7f3f566a1bd2 2011/i586/apache-mpm-prefork-2.2.21-0.1-mdv2011.0.i586.rpm 97893069a3d6eb73e3773bc0ee78c9a4 2011/i586/apache-mpm-worker-2.2.21-0.1-mdv2011.0.i586.rpm fe530e2da15b3e0bf14c617824ff82c9 2011/i586/apache-source-2.2.21-0.1-mdv2011.0.i586.rpm 4376094cd799523a1a7666f4e768707d 2011/SRPMS/apache-2.2.21-0.1.src.rpm b37e2a1dafb6883a10cefb4140e9635e 2011/SRPMS/apache-conf-2.2.21-0.1.src.rpm d83c587ad4d56a31362f67334bbf9455 2011/SRPMS/apache-doc-2.2.21-0.1.src.rpm 0b4a145fd5ff8c11a53956f750cdbd42 2011/SRPMS/apache-mod_suexec-2.2.21-0.1.src.rpm Mandriva Linux 2011/X86_64: 8837c56966896e10d3403956e7cf86ac 2011/x86_64/apache-base-2.2.21-0.1-mdv2011.0.x86_64.rpm aec6da25319585e53623471734f99c57 2011/x86_64/apache-conf-2.2.21-0.1-mdv2011.0.x86_64.rpm e8600455214ad4f2303d9f36576e4952 2011/x86_64/apache-devel-2.2.21-0.1-mdv2011.0.x86_64.rpm 90694f3211fca3d436ec4130b8bb43e2 2011/x86_64/apache-doc-2.2.21-0.1-mdv2011.0.noarch.rpm fd3f6a51c8abf8b1ff8356489ba6d6e1 2011/x86_64/apache-htcacheclean-2.2.21-0.1-mdv2011.0.x86_64.rpm 796c8129bbc160455587bc54c58c2220 2011/x86_64/apache-mod_authn_dbd-2.2.21-0.1-mdv2011.0.x86_64.rpm 61add54b6e0c8306dff065a150b262e2 2011/x86_64/apache-mod_cache-2.2.21-0.1-mdv2011.0.x86_64.rpm cb98169c29008c256662f3a08141bf95 2011/x86_64/apache-mod_dav-2.2.21-0.1-mdv2011.0.x86_64.rpm 5aa03ee54a7e40d41fd746fd1a223c72 2011/x86_64/apache-mod_dbd-2.2.21-0.1-mdv2011.0.x86_64.rpm 386a956f014fe2d64dfe38fc261abd39 2011/x86_64/apache-mod_deflate-2.2.21-0.1-mdv2011.0.x86_64.rpm 5a473bc45fa59323c4d526dd4f5a30d3 2011/x86_64/apache-mod_disk_cache-2.2.21-0.1-mdv2011.0.x86_64.rpm aaa544f7a4912c161a2c73e222ae87d6 2011/x86_64/apache-mod_file_cache-2.2.21-0.1-mdv2011.0.x86_64.rpm f04054edc62a24ea9042c5b41074bd1d 2011/x86_64/apache-mod_ldap-2.2.21-0.1-mdv2011.0.x86_64.rpm 1c97f63c1169f483d086a94b97f5c421 2011/x86_64/apache-mod_mem_cache-2.2.21-0.1-mdv2011.0.x86_64.rpm ca912c34fec5cf470947a7f87e9705a4 2011/x86_64/apache-mod_proxy-2.2.21-0.1-mdv2011.0.x86_64.rpm b5ae70a8ed412e40275b4de7b639caa0 2011/x86_64/apache-mod_proxy_ajp-2.2.21-0.1-mdv2011.0.x86_64.rpm 6b11b032c13277712c336405ea23a8b0 2011/x86_64/apache-mod_proxy_scgi-2.2.21-0.1-mdv2011.0.x86_64.rpm 874a420342f1ea9278e014b79fe5a337 2011/x86_64/apache-mod_reqtimeout-2.2.21-0.1-mdv2011.0.x86_64.rpm 2757b3d7c8261563e22c41d3f94aaa29 2011/x86_64/apache-mod_ssl-2.2.21-0.1-mdv2011.0.x86_64.rpm 6edbc6963aab9beee507f9a3c8be38a2 2011/x86_64/apache-mod_suexec-2.2.21-0.1-mdv2011.0.x86_64.rpm fe6143eaa1acc0de751198ea19129279 2011/x86_64/apache-modules-2.2.21-0.1-mdv2011.0.x86_64.rpm 3e66fa1e1e2cf243c1c6472243cb86fe 2011/x86_64/apache-mod_userdir-2.2.21-0.1-mdv2011.0.x86_64.rpm 7d45bfd7d3aa87d45d2287fdd9507847 2011/x86_64/apache-mpm-event-2.2.21-0.1-mdv2011.0.x86_64.rpm bce9e2cdffe45cbc4baf72f0d0c4000e 2011/x86_64/apache-mpm-itk-2.2.21-0.1-mdv2011.0.x86_64.rpm 217bd96dfa802f7d049b6fd12600b154 2011/x86_64/apache-mpm-peruser-2.2.21-0.1-mdv2011.0.x86_64.rpm cc304b9011d16d7f3cf5c8250e4d9f18 2011/x86_64/apache-mpm-prefork-2.2.21-0.1-mdv2011.0.x86_64.rpm a8bb9b62c39f98a6df728d51a4fff39a 2011/x86_64/apache-mpm-worker-2.2.21-0.1-mdv2011.0.x86_64.rpm 7d41c857be2574ac5f3ea7090a1f3c78 2011/x86_64/apache-source-2.2.21-0.1-mdv2011.0.x86_64.rpm 4376094cd799523a1a7666f4e768707d 2011/SRPMS/apache-2.2.21-0.1.src.rpm b37e2a1dafb6883a10cefb4140e9635e 2011/SRPMS/apache-conf-2.2.21-0.1.src.rpm d83c587ad4d56a31362f67334bbf9455 2011/SRPMS/apache-doc-2.2.21-0.1.src.rpm 0b4a145fd5ff8c11a53956f750cdbd42 2011/SRPMS/apache-mod_suexec-2.2.21-0.1.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/security/advisories If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team <security*mandriva.com> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) iD8DBQFOdErbmqjQ0CJFipgRArO0AJ9MeU1I/ItvY699awHPqXD7TZZ46gCeP/Lc OVJD0GobLzQ3q1XZS8WiqdY= =O8Ag -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ . ---------------------------------------------------------------------- Secunia is hiring! Find your next job here: http://secunia.com/company/jobs/ ---------------------------------------------------------------------- TITLE: Oracle Fusion Middleware / Application Server ByteRange Filter Denial of Service SECUNIA ADVISORY ID: SA46000 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/46000/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=46000 RELEASE DATE: 2011-09-16 DISCUSS ADVISORY: http://secunia.com/advisories/46000/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/46000/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=46000 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Oracle has acknowledged a vulnerability in Oracle Fusion Middleware and Oracle Application Server, which can be exploited by malicious people to cause a DoS (Denial of Service). For more information: SA45606 The vulnerability is reported in the following products: * Oracle Fusion Middleware 11g versions 11.1.1.3.0, 11.1.1.4.0, and 11.1.1.5.0. * Oracle Application Server 10g versions 10.1.2.3.0 and 10.1.3.5.0. SOLUTION: Apply patches. Please see the vendor's advisory for details. ORIGINAL ADVISORY: http://blogs.oracle.com/security/entry/security_alert_for_cve_2011 http://www.oracle.com/technetwork/topics/security/alert-cve-2011-3192-485304.html OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . HP OpenView Network Node Manager (OV NNM) v7.53 running on HP-UX, Linux, and Solaris. Apache-2.2.21.tar.gz is available using ftp. Host Account Password ftp.usa.hp.com sb02704 Secure12 After downloading Apache-2.2.21.tar.gz optionally verify the SHA1 check sum: SHA1(Apache-2.2.21.tar)= 642721cac9a7c4d1e8e6033a5198071bbdd54840 SHA1(Apache-2.2.21.tar.gz)= 87d0c04be6dd06b52f1b9c7c645ce39fad117a08 The Apache-2.2.21.tar archive contains a README.txt file with installation instructions

Apple QuickTime before 7.7 on Windows allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted image description associated with an mp4v tag in a movie file. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within the way Quicktime handles 'mp4v' codec information. When parsing the video description table it will read the size field preceding the 'mp4v' tag and use that size to create an allocation to hold the data. It will then copy the correct amount of data into that buffer, but then does some endian changes on a fixed portion of the buffer without checking its size. The resulting memory corruption could result in remote code execution under the context of the current user. Apple QuickTime is prone to a buffer-overflow vulnerability because of a failure to properly bounds check user-supplied data. Successful exploits will allow attackers to execute arbitrary code in the context of the currently logged-in user; failed exploit attempts may cause denial-of-service conditions. Versions prior to QuickTime 7.7 are vulnerable. Apple QuickTime is a multimedia playback software developed by Apple (Apple). The software is capable of handling multiple sources such as digital video, media segments, and more. -- Vendor Response: Apple has issued an update to correct this vulnerability. More details can be found at: http://support.apple.com/kb/HT4826 -- Disclosure Timeline: 2011-06-03 - Vulnerability reported to vendor 2011-08-31 - Coordinated public release of advisory -- Credit: This vulnerability was discovered by: * Damian Put -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/

The SIP process in Cisco Unified Communications Manager (aka CUCM, formerly CallManager) 7.x before 7.1(5b)su4 and 8.x before 8.0(1) does not properly handle SDP data within a SIP call in certain situations related to use of the g729ar8 codec for a Media Termination Point (MTP), which allows remote attackers to cause a denial of service (service outage) via a crafted call, aka Bug ID CSCtc61990. The problem is Bug ID CSCtc61990 It is a problem.Denial of service via a crafted call by a third party ( Service stop ) There is a possibility of being put into a state. Cisco Unified Communications Manager is a call processing component in the Cisco IP Telephony solution. Single channel audio may occur when configuring MTP with g729ar8 codec. Under certain conditions, service interruptions may occur. The SIP process generates a stack trace when processing the session description protocol SDP portion of a SIP call. An attacker can exploit these issues to cause denial-of-service conditions in the affected application. These issues are documented by these Cisco bug IDs: CSCtf97162 CSCtc61990 CSCth43256. A workaround exists for the SIP and Packet Capture Service DoS vulnerabilities. This advisory is posted at: http://www.cisco.com/warp/public/707/cisco-sa-20110824-cucm.shtml Two of the vulnerabilities described in this advisory also affect the Cisco Intercompany Media Engine. A separate Cisco Security Advisory has been published to disclose the vulnerabilities that affect the Cisco Intercompany Media Engine. The first DoS vulnerability involves the Packet Capture Service which is enabled by default. The Packet Capture Service fails to timeout or close idle TCP connections. The Packet Capture Service should be disabled in the Cisco Unified Communications Manager Administration Interface by setting the service parameter to False. This vulnerability is documented in Cisco Bug ID CSCtf97162 ( registered customers only) and has been assigned Common Vulnerabilities and Exposures (CVE) identifier CVE-2011-2560. The second DoS vulnerability involves certain configurations of Media Termination Points (MTP). This vulnerability is documented in Cisco Bug ID CSCtc61990 ( registered customers only) and has been assigned CVE identifier CVE-2011-2561. The third DoS vulnerability involves a coredump when processing certain SIP INVITE messages. This vulnerability is documented in Cisco Bug ID CSCth43256 ( registered customers only) and has been assigned CVE identifier CVE-2011-2562. The remaining two DoS vulnerabilities involve the Service Advertisement Framework (SAF). Successful exploitation could cause the device to reload. These vulnerabilities are documented in Cisco Bug IDs CSCth26669 ( registered customers only) and CSCth19417 ( registered customers only) and have been assigned CVE identifiers CVE-2011-2563 and CVE-2011-2564, respectively. Cisco Intercompany Media Engine Release 8.x is also affected by these vulnerabilities. A separate Cisco Security Advisory has been published to disclose the vulnerabilities that affect the Cisco Intercompany Media Engine. That advisory is available at: http://www.cisco.com/warp/public/707/cisco-sa-20110824-ime.shtml Note: An established TCP connection with a three-way handshake is required to trigger the SAF vulnerabilities. Vulnerability Scoring Details +---------------------------- Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco has provided an FAQ to answer additional questions regarding CVSS at: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at http://intellishield.cisco.com/security/alertmanager/cvss * CSCtf97162 - CCM Application Restarts During TCP Flood CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCtc61990 - Coredump may be experienced when processing certain SIP packets CVSS Base Score - 7.1 Access Vector - Network Access Complexity - Medium Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 5.9 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCth43256 - Coredump may be experienced when processing certain SIP packets CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCth26669 - CUCM may experience a reload when receiving certain UCM client msgs CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCth19417 - CUCM may experience a reload when receiving certain UCM client msgs CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed Impact ====== Successful exploitation of the vulnerabilities that are described in this advisory could result in the interruption of voice services. In certain instances, the affected Cisco Unified Communications Manager processes will restart, but repeated attacks may result in a sustained DoS condition. Software Versions and Fixes =========================== When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance. Cisco recommends upgrading to a release equal to or later than the release in the Recommended Releases column of the table. +---------------------------------------+ | Cisco Unified | Recommended | | Communications Manager | Releases | | Version | | |-------------------------+-------------| | 6.x | 6.1(5)SU3 | |-------------------------+-------------| | 7.x | 7.1(5b)SU4 | |-------------------------+-------------| | 8.0 | 8.0(3a)SU2 | |-------------------------+-------------| | 8.5 | 8.5(1)SU2, | | | 8.6(1) | +---------------------------------------+ Workarounds =========== A workaround exists for the SIP DoS vulnerabilities. SIP processing is enabled by default. * Step 3: Change the SIP Interoperability Enabled parameter to False, and click Save. Note: For a SIP processing change to take effect, the Cisco CallManager service must be restarted. For information on how to restart the service, refer to the "Restarting the Cisco CallManager Service" section of the document at the following location: http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/admin/7_1_2/ccmcfg/b03dpi.html#wp1075124 It is possible to mitigate these vulnerabilities by implementing filtering on screening devices and only permitting access to TCP ports 5060 and 5061 and UDP ports 5060 and 5061 from networks that require SIP access to Cisco Unified Communications Manager servers. A workaround exists for the DoS vulnerabilities involving the Packet Capture Service in Cisco Communications Manager version 4.x. Customers who do not require the Packet Capture Service for troubleshooting can use the following instructions to disable this process: * Step 1: Log into the Cisco Unified Communications Manager Administration web interface. * Step 3: Change the Packet Capture Enabled parameter to False, and click Save. Note: For the Packet Capture Service change to take effect, the Cisco CallManager service must be restarted. For information on how to restart the service, refer to the "Restarting the Cisco CallManager Service" section of the document at the following location: http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/admin/7_1_2/ccmcfg/b03dpi.html#wp1075124 Additional mitigations that can be deployed on Cisco devices in the network are available in the companion document "Cisco Applied Mitigation Bulletin: Identifying and Mitigating Exploitation of the Multiple Vulnerabilities in Cisco Unified Communications Manager" which is available at the following location: http://www.cisco.com/warp/public/707/cisco-amb-20110824-cucm-ime.shtml Obtaining Fixed Software ======================== Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html or as otherwise set forth at Cisco.com Downloads at: http://www.cisco.com/public/sw-center/sw-usingswc.shtml Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Customers with Service Contracts +------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com Customers using Third Party Support Organizations +------------------------------------------------ Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory. The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed. Customers without Service Contracts +---------------------------------- Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac@cisco.com Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Refer to: http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages. Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerabilities described in this advisory. These vulnerabilities were found during internal testing and during the troubleshooting of customer service requests. Status of this Notice: FINAL ============================ THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at: http://www.cisco.com/warp/public/707/cisco-sa-20110824-cucm.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce@cisco.com * first-bulletins@lists.first.org * bugtraq@securityfocus.com * vulnwatch@vulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.grok.org.uk * comp.dcom.sys.cisco@newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +---------------------------------------+ | Revision | | Initial | | 1.0 | 2011-August-24 | public | | | | release. | +---------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at: http://www.cisco.com/go/psirt +-------------------------------------------------------------------- Copyright 2010-2011 Cisco Systems, Inc. All rights reserved. +-------------------------------------------------------------------- -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (SunOS) iFcDBQFOVFpYQXnnBKKRMNARCOCeAPwP66zH85V+OOW8YRl94JMDc+UpiRzqoqUl 6C0WGFrBJgD/eR7bXF71he/ByVHVpfpY3qaX8M45+MqcqzIDrM6hbCY= =kz9x -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ . ---------------------------------------------------------------------- The Secunia CSI 5.0 Beta - now available for testing Find out more, take a free test drive, and share your opinion with us: http://secunia.com/blog/242 ---------------------------------------------------------------------- TITLE: Cisco Unified Communications Manager Multiple Denial of Service Vulnerabilities SECUNIA ADVISORY ID: SA45738 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/45738/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=45738 RELEASE DATE: 2011-08-25 DISCUSS ADVISORY: http://secunia.com/advisories/45738/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/45738/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=45738 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Multiple vulnerabilities have been reported in Cisco Unified Communications Manager, which can be exploited by malicious people to cause a DoS (Denial of Service). Note: This vulnerability only affects version 7.0.x and later. The vulnerabilities are reported in versions 6.x, 7.x, and 8.x. SOLUTION: Update to version 6.1(5)SU3, 7.1(5b)SU4, 8.0(3a)SU2, 8.5(1)SU2, or 8.6(1). PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: http://www.cisco.com/warp/public/707/cisco-sa-20110824-cucm.shtml OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Unspecified vulnerability in Cisco Unified Communications Manager (aka CUCM, formerly CallManager) 6.x before 6.1(5)su2, 7.x before 7.1(5b)su3, 8.x before 8.0(3a)su1, and 8.5 before 8.5(1) allows remote attackers to cause a denial of service (service outage) via a SIP INVITE message, aka Bug ID CSCth43256. Cisco Unified Communications Manager There is a service disruption ( Service stop ) There is a vulnerability that becomes a condition. The problem is Bug ID CSCth43256 It is a problem.By a third party SIP INVITE Service disruption via message ( Service stop ) There is a possibility of being put into a state. An attacker can exploit these issues to cause denial-of-service conditions in the affected application. These issues are documented by these Cisco bug IDs: CSCtf97162 CSCtc61990 CSCth43256. A workaround exists for the SIP and Packet Capture Service DoS vulnerabilities. This advisory is posted at: http://www.cisco.com/warp/public/707/cisco-sa-20110824-cucm.shtml Two of the vulnerabilities described in this advisory also affect the Cisco Intercompany Media Engine. A separate Cisco Security Advisory has been published to disclose the vulnerabilities that affect the Cisco Intercompany Media Engine. The first DoS vulnerability involves the Packet Capture Service which is enabled by default. The Packet Capture Service fails to timeout or close idle TCP connections. This vulnerability is documented in Cisco Bug ID CSCtf97162 ( registered customers only) and has been assigned Common Vulnerabilities and Exposures (CVE) identifier CVE-2011-2560. The second DoS vulnerability involves certain configurations of Media Termination Points (MTP). One-way audio may be observed when an MTP is configured with the g729ar8 codec only. In certain situations, an interruption in service may occur and a stack trace will be generated by the Session Initiation Protocol (SIP) process when processing the Session Description Protocol SDP portion of a SIP call. This vulnerability is documented in Cisco Bug ID CSCtc61990 ( registered customers only) and has been assigned CVE identifier CVE-2011-2561. This vulnerability is documented in Cisco Bug ID CSCth43256 ( registered customers only) and has been assigned CVE identifier CVE-2011-2562. The remaining two DoS vulnerabilities involve the Service Advertisement Framework (SAF). Successful exploitation could cause the device to reload. These vulnerabilities are documented in Cisco Bug IDs CSCth26669 ( registered customers only) and CSCth19417 ( registered customers only) and have been assigned CVE identifiers CVE-2011-2563 and CVE-2011-2564, respectively. Cisco Intercompany Media Engine Release 8.x is also affected by these vulnerabilities. A separate Cisco Security Advisory has been published to disclose the vulnerabilities that affect the Cisco Intercompany Media Engine. That advisory is available at: http://www.cisco.com/warp/public/707/cisco-sa-20110824-ime.shtml Note: An established TCP connection with a three-way handshake is required to trigger the SAF vulnerabilities. Vulnerability Scoring Details +---------------------------- Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco has provided an FAQ to answer additional questions regarding CVSS at: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at http://intellishield.cisco.com/security/alertmanager/cvss * CSCtf97162 - CCM Application Restarts During TCP Flood CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCtc61990 - Coredump may be experienced when processing certain SIP packets CVSS Base Score - 7.1 Access Vector - Network Access Complexity - Medium Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 5.9 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCth43256 - Coredump may be experienced when processing certain SIP packets CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCth26669 - CUCM may experience a reload when receiving certain UCM client msgs CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCth19417 - CUCM may experience a reload when receiving certain UCM client msgs CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed Impact ====== Successful exploitation of the vulnerabilities that are described in this advisory could result in the interruption of voice services. Software Versions and Fixes =========================== When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance. Cisco recommends upgrading to a release equal to or later than the release in the Recommended Releases column of the table. SIP processing is enabled by default. * Step 3: Change the SIP Interoperability Enabled parameter to False, and click Save. For information on how to restart the service, refer to the "Restarting the Cisco CallManager Service" section of the document at the following location: http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/admin/7_1_2/ccmcfg/b03dpi.html#wp1075124 It is possible to mitigate these vulnerabilities by implementing filtering on screening devices and only permitting access to TCP ports 5060 and 5061 and UDP ports 5060 and 5061 from networks that require SIP access to Cisco Unified Communications Manager servers. Customers who do not require the Packet Capture Service for troubleshooting can use the following instructions to disable this process: * Step 1: Log into the Cisco Unified Communications Manager Administration web interface. * Step 3: Change the Packet Capture Enabled parameter to False, and click Save. For information on how to restart the service, refer to the "Restarting the Cisco CallManager Service" section of the document at the following location: http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/admin/7_1_2/ccmcfg/b03dpi.html#wp1075124 Additional mitigations that can be deployed on Cisco devices in the network are available in the companion document "Cisco Applied Mitigation Bulletin: Identifying and Mitigating Exploitation of the Multiple Vulnerabilities in Cisco Unified Communications Manager" which is available at the following location: http://www.cisco.com/warp/public/707/cisco-amb-20110824-cucm-ime.shtml Obtaining Fixed Software ======================== Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html or as otherwise set forth at Cisco.com Downloads at: http://www.cisco.com/public/sw-center/sw-usingswc.shtml Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Customers with Service Contracts +------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com Customers using Third Party Support Organizations +------------------------------------------------ Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory. The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed. Customers without Service Contracts +---------------------------------- Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac@cisco.com Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Refer to: http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages. Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerabilities described in this advisory. These vulnerabilities were found during internal testing and during the troubleshooting of customer service requests. Status of this Notice: FINAL ============================ THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at: http://www.cisco.com/warp/public/707/cisco-sa-20110824-cucm.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce@cisco.com * first-bulletins@lists.first.org * bugtraq@securityfocus.com * vulnwatch@vulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.grok.org.uk * comp.dcom.sys.cisco@newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +---------------------------------------+ | Revision | | Initial | | 1.0 | 2011-August-24 | public | | | | release. | +---------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at: http://www.cisco.com/go/psirt +-------------------------------------------------------------------- Copyright 2010-2011 Cisco Systems, Inc. All rights reserved. +-------------------------------------------------------------------- -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (SunOS) iFcDBQFOVFpYQXnnBKKRMNARCOCeAPwP66zH85V+OOW8YRl94JMDc+UpiRzqoqUl 6C0WGFrBJgD/eR7bXF71he/ByVHVpfpY3qaX8M45+MqcqzIDrM6hbCY= =kz9x -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ . ---------------------------------------------------------------------- The Secunia CSI 5.0 Beta - now available for testing Find out more, take a free test drive, and share your opinion with us: http://secunia.com/blog/242 ---------------------------------------------------------------------- TITLE: Cisco Unified Communications Manager Multiple Denial of Service Vulnerabilities SECUNIA ADVISORY ID: SA45738 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/45738/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=45738 RELEASE DATE: 2011-08-25 DISCUSS ADVISORY: http://secunia.com/advisories/45738/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/45738/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=45738 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Multiple vulnerabilities have been reported in Cisco Unified Communications Manager, which can be exploited by malicious people to cause a DoS (Denial of Service). Note: This vulnerability only affects version 7.0.x and later. The vulnerabilities are reported in versions 6.x, 7.x, and 8.x. SOLUTION: Update to version 6.1(5)SU3, 7.1(5b)SU4, 8.0(3a)SU2, 8.5(1)SU2, or 8.6(1). PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: http://www.cisco.com/warp/public/707/cisco-sa-20110824-cucm.shtml OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

The Packet Capture Service in Cisco Unified Communications Manager (aka CUCM, formerly CallManager) 4.x does not properly handle idle TCP connections, which allows remote attackers to cause a denial of service (memory consumption and restart) by making many connections, aka Bug ID CSCtf97162. The problem is Bug ID CSCtf97162 It is a problem.Service operation disruption by establishing many connections by a third party ( Memory corruption and restart ) There is a possibility of being put into a state. Cisco Unified Communications Manager is a call processing component in the Cisco IP Telephony solution. An attacker can exploit these issues to cause denial-of-service conditions in the affected application. These issues are documented by these Cisco bug IDs: CSCtf97162 CSCtc61990 CSCth43256. A workaround exists for the SIP and Packet Capture Service DoS vulnerabilities. This advisory is posted at: http://www.cisco.com/warp/public/707/cisco-sa-20110824-cucm.shtml Two of the vulnerabilities described in this advisory also affect the Cisco Intercompany Media Engine. A separate Cisco Security Advisory has been published to disclose the vulnerabilities that affect the Cisco Intercompany Media Engine. This vulnerability is documented in Cisco Bug ID CSCtf97162 ( registered customers only) and has been assigned Common Vulnerabilities and Exposures (CVE) identifier CVE-2011-2560. The second DoS vulnerability involves certain configurations of Media Termination Points (MTP). One-way audio may be observed when an MTP is configured with the g729ar8 codec only. In certain situations, an interruption in service may occur and a stack trace will be generated by the Session Initiation Protocol (SIP) process when processing the Session Description Protocol SDP portion of a SIP call. This vulnerability is documented in Cisco Bug ID CSCtc61990 ( registered customers only) and has been assigned CVE identifier CVE-2011-2561. The third DoS vulnerability involves a coredump when processing certain SIP INVITE messages. This vulnerability is documented in Cisco Bug ID CSCth43256 ( registered customers only) and has been assigned CVE identifier CVE-2011-2562. The remaining two DoS vulnerabilities involve the Service Advertisement Framework (SAF). Successful exploitation could cause the device to reload. These vulnerabilities are documented in Cisco Bug IDs CSCth26669 ( registered customers only) and CSCth19417 ( registered customers only) and have been assigned CVE identifiers CVE-2011-2563 and CVE-2011-2564, respectively. Cisco Intercompany Media Engine Release 8.x is also affected by these vulnerabilities. A separate Cisco Security Advisory has been published to disclose the vulnerabilities that affect the Cisco Intercompany Media Engine. That advisory is available at: http://www.cisco.com/warp/public/707/cisco-sa-20110824-ime.shtml Note: An established TCP connection with a three-way handshake is required to trigger the SAF vulnerabilities. Vulnerability Scoring Details +---------------------------- Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco has provided an FAQ to answer additional questions regarding CVSS at: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at http://intellishield.cisco.com/security/alertmanager/cvss * CSCtf97162 - CCM Application Restarts During TCP Flood CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCtc61990 - Coredump may be experienced when processing certain SIP packets CVSS Base Score - 7.1 Access Vector - Network Access Complexity - Medium Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 5.9 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCth43256 - Coredump may be experienced when processing certain SIP packets CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCth26669 - CUCM may experience a reload when receiving certain UCM client msgs CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCth19417 - CUCM may experience a reload when receiving certain UCM client msgs CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed Impact ====== Successful exploitation of the vulnerabilities that are described in this advisory could result in the interruption of voice services. Software Versions and Fixes =========================== When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance. Cisco recommends upgrading to a release equal to or later than the release in the Recommended Releases column of the table. +---------------------------------------+ | Cisco Unified | Recommended | | Communications Manager | Releases | | Version | | |-------------------------+-------------| | 6.x | 6.1(5)SU3 | |-------------------------+-------------| | 7.x | 7.1(5b)SU4 | |-------------------------+-------------| | 8.0 | 8.0(3a)SU2 | |-------------------------+-------------| | 8.5 | 8.5(1)SU2, | | | 8.6(1) | +---------------------------------------+ Workarounds =========== A workaround exists for the SIP DoS vulnerabilities. SIP processing is enabled by default. * Step 3: Change the SIP Interoperability Enabled parameter to False, and click Save. Note: For a SIP processing change to take effect, the Cisco CallManager service must be restarted. * Step 3: Change the Packet Capture Enabled parameter to False, and click Save. For information on how to restart the service, refer to the "Restarting the Cisco CallManager Service" section of the document at the following location: http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/admin/7_1_2/ccmcfg/b03dpi.html#wp1075124 Additional mitigations that can be deployed on Cisco devices in the network are available in the companion document "Cisco Applied Mitigation Bulletin: Identifying and Mitigating Exploitation of the Multiple Vulnerabilities in Cisco Unified Communications Manager" which is available at the following location: http://www.cisco.com/warp/public/707/cisco-amb-20110824-cucm-ime.shtml Obtaining Fixed Software ======================== Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html or as otherwise set forth at Cisco.com Downloads at: http://www.cisco.com/public/sw-center/sw-usingswc.shtml Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Customers with Service Contracts +------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com Customers using Third Party Support Organizations +------------------------------------------------ Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory. The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed. Customers without Service Contracts +---------------------------------- Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac@cisco.com Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Refer to: http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages. Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerabilities described in this advisory. These vulnerabilities were found during internal testing and during the troubleshooting of customer service requests. Status of this Notice: FINAL ============================ THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at: http://www.cisco.com/warp/public/707/cisco-sa-20110824-cucm.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce@cisco.com * first-bulletins@lists.first.org * bugtraq@securityfocus.com * vulnwatch@vulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.grok.org.uk * comp.dcom.sys.cisco@newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +---------------------------------------+ | Revision | | Initial | | 1.0 | 2011-August-24 | public | | | | release. | +---------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at: http://www.cisco.com/go/psirt +-------------------------------------------------------------------- Copyright 2010-2011 Cisco Systems, Inc. All rights reserved. +-------------------------------------------------------------------- -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (SunOS) iFcDBQFOVFpYQXnnBKKRMNARCOCeAPwP66zH85V+OOW8YRl94JMDc+UpiRzqoqUl 6C0WGFrBJgD/eR7bXF71he/ByVHVpfpY3qaX8M45+MqcqzIDrM6hbCY= =kz9x -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ . ---------------------------------------------------------------------- The Secunia CSI 5.0 Beta - now available for testing Find out more, take a free test drive, and share your opinion with us: http://secunia.com/blog/242 ---------------------------------------------------------------------- TITLE: Cisco Unified Communications Manager Packet Capture Service Denial of Service SECUNIA ADVISORY ID: SA45741 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/45741/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=45741 RELEASE DATE: 2011-08-25 DISCUSS ADVISORY: http://secunia.com/advisories/45741/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/45741/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=45741 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: A vulnerability has been reported in Cisco Unified Communications Manager, which can be exploited by malicious people to cause a DoS (Denial of Service). PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: http://www.cisco.com/warp/public/707/cisco-sa-20110824-cucm.shtml OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Unspecified vulnerability in the Service Advertisement Framework (SAF) in Cisco Unified Communications Manager (aka CUCM, formerly CallManager) 8.x before 8.5(1) and Cisco Intercompany Media Engine 8.x before 8.5(1) allows remote attackers to cause a denial of service (device reload) via crafted SAF packets, aka Bug ID CSCth26669. Cisco Unified Communications Manager is a call processing component in the Cisco IP Telephony solution. The Service Advertisement Framework (SAF) has a denial of service attack. An unauthenticated attacker can use these vulnerabilities to send specially crafted SAF packets to the affected device. The attacker exploits the vulnerability to overload the device. An attacker can exploit these issues to cause an affected device to reload, denying service to legitimate users. These issues are being tracked by Cisco Bug IDs CSCth26669 and CSCth19417. Intercompany Media Engine versions 8.0.x are affected. A workaround exists for the SIP and Packet Capture Service DoS vulnerabilities. Products Confirmed Not Vulnerable +-------------------------------- All supported versions of Cisco Unified Communications Manager are affected by one or more of the vulnerabilities described in this advisory. The first DoS vulnerability involves the Packet Capture Service which is enabled by default. The Packet Capture Service fails to timeout or close idle TCP connections. This vulnerability is documented in Cisco Bug ID CSCtf97162 ( registered customers only) and has been assigned Common Vulnerabilities and Exposures (CVE) identifier CVE-2011-2560. The second DoS vulnerability involves certain configurations of Media Termination Points (MTP). One-way audio may be observed when an MTP is configured with the g729ar8 codec only. In certain situations, an interruption in service may occur and a stack trace will be generated by the Session Initiation Protocol (SIP) process when processing the Session Description Protocol SDP portion of a SIP call. This vulnerability is documented in Cisco Bug ID CSCtc61990 ( registered customers only) and has been assigned CVE identifier CVE-2011-2561. The third DoS vulnerability involves a coredump when processing certain SIP INVITE messages. This vulnerability is documented in Cisco Bug ID CSCth43256 ( registered customers only) and has been assigned CVE identifier CVE-2011-2562. These vulnerabilities are documented in Cisco Bug IDs CSCth26669 ( registered customers only) and CSCth19417 ( registered customers only) and have been assigned CVE identifiers CVE-2011-2563 and CVE-2011-2564, respectively. That advisory is available at: http://www.cisco.com/warp/public/707/cisco-sa-20110824-ime.shtml Note: An established TCP connection with a three-way handshake is required to trigger the SAF vulnerabilities. Vulnerability Scoring Details +---------------------------- Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco has provided an FAQ to answer additional questions regarding CVSS at: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at http://intellishield.cisco.com/security/alertmanager/cvss * CSCtf97162 - CCM Application Restarts During TCP Flood CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCtc61990 - Coredump may be experienced when processing certain SIP packets CVSS Base Score - 7.1 Access Vector - Network Access Complexity - Medium Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 5.9 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCth43256 - Coredump may be experienced when processing certain SIP packets CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCth26669 - CUCM may experience a reload when receiving certain UCM client msgs CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCth19417 - CUCM may experience a reload when receiving certain UCM client msgs CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed Impact ====== Successful exploitation of the vulnerabilities that are described in this advisory could result in the interruption of voice services. In certain instances, the affected Cisco Unified Communications Manager processes will restart, but repeated attacks may result in a sustained DoS condition. Software Versions and Fixes =========================== When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance. Cisco recommends upgrading to a release equal to or later than the release in the Recommended Releases column of the table. +---------------------------------------+ | Cisco Unified | Recommended | | Communications Manager | Releases | | Version | | |-------------------------+-------------| | 6.x | 6.1(5)SU3 | |-------------------------+-------------| | 7.x | 7.1(5b)SU4 | |-------------------------+-------------| | 8.0 | 8.0(3a)SU2 | |-------------------------+-------------| | 8.5 | 8.5(1)SU2, | | | 8.6(1) | +---------------------------------------+ Workarounds =========== A workaround exists for the SIP DoS vulnerabilities. SIP processing is enabled by default. Customers who do not require SIP processing can use the following instructions to disable SIP processing: * Step 1: Log into the Cisco Unified Communications Manager Administration Interface. * Step 3: Change the SIP Interoperability Enabled parameter to False, and click Save. Note: For a SIP processing change to take effect, the Cisco CallManager service must be restarted. For information on how to restart the service, refer to the "Restarting the Cisco CallManager Service" section of the document at the following location: http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/admin/7_1_2/ccmcfg/b03dpi.html#wp1075124 It is possible to mitigate these vulnerabilities by implementing filtering on screening devices and only permitting access to TCP ports 5060 and 5061 and UDP ports 5060 and 5061 from networks that require SIP access to Cisco Unified Communications Manager servers. A workaround exists for the DoS vulnerabilities involving the Packet Capture Service in Cisco Communications Manager version 4.x. Customers who do not require the Packet Capture Service for troubleshooting can use the following instructions to disable this process: * Step 1: Log into the Cisco Unified Communications Manager Administration web interface. * Step 3: Change the Packet Capture Enabled parameter to False, and click Save. Note: For the Packet Capture Service change to take effect, the Cisco CallManager service must be restarted. For information on how to restart the service, refer to the "Restarting the Cisco CallManager Service" section of the document at the following location: http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/admin/7_1_2/ccmcfg/b03dpi.html#wp1075124 Additional mitigations that can be deployed on Cisco devices in the network are available in the companion document "Cisco Applied Mitigation Bulletin: Identifying and Mitigating Exploitation of the Multiple Vulnerabilities in Cisco Unified Communications Manager" which is available at the following location: http://www.cisco.com/warp/public/707/cisco-amb-20110824-cucm-ime.shtml Obtaining Fixed Software ======================== Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html or as otherwise set forth at Cisco.com Downloads at: http://www.cisco.com/public/sw-center/sw-usingswc.shtml Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Customers with Service Contracts +------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com Customers using Third Party Support Organizations +------------------------------------------------ Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory. The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed. Customers without Service Contracts +---------------------------------- Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac@cisco.com Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Refer to: http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages. Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerabilities described in this advisory. These vulnerabilities were found during internal testing and during the troubleshooting of customer service requests. Status of this Notice: FINAL ============================ THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at: http://www.cisco.com/warp/public/707/cisco-sa-20110824-cucm.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce@cisco.com * first-bulletins@lists.first.org * bugtraq@securityfocus.com * vulnwatch@vulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.grok.org.uk * comp.dcom.sys.cisco@newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +---------------------------------------+ | Revision | | Initial | | 1.0 | 2011-August-24 | public | | | | release. | +---------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at: http://www.cisco.com/go/psirt +-------------------------------------------------------------------- Copyright 2010-2011 Cisco Systems, Inc. All rights reserved. +-------------------------------------------------------------------- -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (SunOS) iFcDBQFOVFpYQXnnBKKRMNARCOCeAPwP66zH85V+OOW8YRl94JMDc+UpiRzqoqUl 6C0WGFrBJgD/eR7bXF71he/ByVHVpfpY3qaX8M45+MqcqzIDrM6hbCY= =kz9x -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ . There are no available workarounds to mitigate these vulnerabilities. Details ======= Cisco Intercompany Media Engine provides a technique for establishing direct IP connectivity between enterprises by combining peer-to-peer technologies with the existing public switched telephone network (PSTN) infrastructure. ---------------------------------------------------------------------- The Secunia CSI 5.0 Beta - now available for testing Find out more, take a free test drive, and share your opinion with us: http://secunia.com/blog/242 ---------------------------------------------------------------------- TITLE: Cisco Unified Communications Manager Multiple Denial of Service Vulnerabilities SECUNIA ADVISORY ID: SA45738 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/45738/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=45738 RELEASE DATE: 2011-08-25 DISCUSS ADVISORY: http://secunia.com/advisories/45738/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/45738/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=45738 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Multiple vulnerabilities have been reported in Cisco Unified Communications Manager, which can be exploited by malicious people to cause a DoS (Denial of Service). Note: This vulnerability only affects version 7.0.x and later. The vulnerabilities are reported in versions 6.x, 7.x, and 8.x. SOLUTION: Update to version 6.1(5)SU3, 7.1(5b)SU4, 8.0(3a)SU2, 8.5(1)SU2, or 8.6(1). PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: http://www.cisco.com/warp/public/707/cisco-sa-20110824-cucm.shtml OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Unspecified vulnerability in the Service Advertisement Framework (SAF) in Cisco Unified Communications Manager (aka CUCM, formerly CallManager) 8.x before 8.5(1) and Cisco Intercompany Media Engine 8.x before 8.5(1) allows remote attackers to cause a denial of service (device reload) via crafted SAF packets, aka Bug ID CSCth19417. Cisco Unified Communications Manager is a call processing component in the Cisco IP Telephony solution. An unauthenticated attacker can send a specially crafted SAF packet to the affected device. The attacker can exploit the vulnerability to reload the device. These issues are being tracked by Cisco Bug IDs CSCth26669 and CSCth19417. Intercompany Media Engine versions 8.0.x are affected. A workaround exists for the SIP and Packet Capture Service DoS vulnerabilities. Products Confirmed Not Vulnerable +-------------------------------- All supported versions of Cisco Unified Communications Manager are affected by one or more of the vulnerabilities described in this advisory. The first DoS vulnerability involves the Packet Capture Service which is enabled by default. The Packet Capture Service fails to timeout or close idle TCP connections. This vulnerability is documented in Cisco Bug ID CSCtf97162 ( registered customers only) and has been assigned Common Vulnerabilities and Exposures (CVE) identifier CVE-2011-2560. The second DoS vulnerability involves certain configurations of Media Termination Points (MTP). One-way audio may be observed when an MTP is configured with the g729ar8 codec only. In certain situations, an interruption in service may occur and a stack trace will be generated by the Session Initiation Protocol (SIP) process when processing the Session Description Protocol SDP portion of a SIP call. This vulnerability is documented in Cisco Bug ID CSCtc61990 ( registered customers only) and has been assigned CVE identifier CVE-2011-2561. The third DoS vulnerability involves a coredump when processing certain SIP INVITE messages. This vulnerability is documented in Cisco Bug ID CSCth43256 ( registered customers only) and has been assigned CVE identifier CVE-2011-2562. These vulnerabilities are documented in Cisco Bug IDs CSCth26669 ( registered customers only) and CSCth19417 ( registered customers only) and have been assigned CVE identifiers CVE-2011-2563 and CVE-2011-2564, respectively. That advisory is available at: http://www.cisco.com/warp/public/707/cisco-sa-20110824-ime.shtml Note: An established TCP connection with a three-way handshake is required to trigger the SAF vulnerabilities. Vulnerability Scoring Details +---------------------------- Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco has provided an FAQ to answer additional questions regarding CVSS at: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at http://intellishield.cisco.com/security/alertmanager/cvss * CSCtf97162 - CCM Application Restarts During TCP Flood CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCtc61990 - Coredump may be experienced when processing certain SIP packets CVSS Base Score - 7.1 Access Vector - Network Access Complexity - Medium Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 5.9 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCth43256 - Coredump may be experienced when processing certain SIP packets CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCth26669 - CUCM may experience a reload when receiving certain UCM client msgs CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCth19417 - CUCM may experience a reload when receiving certain UCM client msgs CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed Impact ====== Successful exploitation of the vulnerabilities that are described in this advisory could result in the interruption of voice services. In certain instances, the affected Cisco Unified Communications Manager processes will restart, but repeated attacks may result in a sustained DoS condition. Software Versions and Fixes =========================== When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance. Cisco recommends upgrading to a release equal to or later than the release in the Recommended Releases column of the table. +---------------------------------------+ | Cisco Unified | Recommended | | Communications Manager | Releases | | Version | | |-------------------------+-------------| | 6.x | 6.1(5)SU3 | |-------------------------+-------------| | 7.x | 7.1(5b)SU4 | |-------------------------+-------------| | 8.0 | 8.0(3a)SU2 | |-------------------------+-------------| | 8.5 | 8.5(1)SU2, | | | 8.6(1) | +---------------------------------------+ Workarounds =========== A workaround exists for the SIP DoS vulnerabilities. SIP processing is enabled by default. Customers who do not require SIP processing can use the following instructions to disable SIP processing: * Step 1: Log into the Cisco Unified Communications Manager Administration Interface. * Step 3: Change the SIP Interoperability Enabled parameter to False, and click Save. Note: For a SIP processing change to take effect, the Cisco CallManager service must be restarted. For information on how to restart the service, refer to the "Restarting the Cisco CallManager Service" section of the document at the following location: http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/admin/7_1_2/ccmcfg/b03dpi.html#wp1075124 It is possible to mitigate these vulnerabilities by implementing filtering on screening devices and only permitting access to TCP ports 5060 and 5061 and UDP ports 5060 and 5061 from networks that require SIP access to Cisco Unified Communications Manager servers. A workaround exists for the DoS vulnerabilities involving the Packet Capture Service in Cisco Communications Manager version 4.x. Customers who do not require the Packet Capture Service for troubleshooting can use the following instructions to disable this process: * Step 1: Log into the Cisco Unified Communications Manager Administration web interface. * Step 3: Change the Packet Capture Enabled parameter to False, and click Save. Note: For the Packet Capture Service change to take effect, the Cisco CallManager service must be restarted. For information on how to restart the service, refer to the "Restarting the Cisco CallManager Service" section of the document at the following location: http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/admin/7_1_2/ccmcfg/b03dpi.html#wp1075124 Additional mitigations that can be deployed on Cisco devices in the network are available in the companion document "Cisco Applied Mitigation Bulletin: Identifying and Mitigating Exploitation of the Multiple Vulnerabilities in Cisco Unified Communications Manager" which is available at the following location: http://www.cisco.com/warp/public/707/cisco-amb-20110824-cucm-ime.shtml Obtaining Fixed Software ======================== Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html or as otherwise set forth at Cisco.com Downloads at: http://www.cisco.com/public/sw-center/sw-usingswc.shtml Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Customers with Service Contracts +------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com Customers using Third Party Support Organizations +------------------------------------------------ Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory. The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed. Customers without Service Contracts +---------------------------------- Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac@cisco.com Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Refer to: http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages. Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerabilities described in this advisory. These vulnerabilities were found during internal testing and during the troubleshooting of customer service requests. Status of this Notice: FINAL ============================ THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at: http://www.cisco.com/warp/public/707/cisco-sa-20110824-cucm.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce@cisco.com * first-bulletins@lists.first.org * bugtraq@securityfocus.com * vulnwatch@vulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.grok.org.uk * comp.dcom.sys.cisco@newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +---------------------------------------+ | Revision | | Initial | | 1.0 | 2011-August-24 | public | | | | release. | +---------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at: http://www.cisco.com/go/psirt +-------------------------------------------------------------------- Copyright 2010-2011 Cisco Systems, Inc. All rights reserved. +-------------------------------------------------------------------- -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (SunOS) iFcDBQFOVFpYQXnnBKKRMNARCOCeAPwP66zH85V+OOW8YRl94JMDc+UpiRzqoqUl 6C0WGFrBJgD/eR7bXF71he/ByVHVpfpY3qaX8M45+MqcqzIDrM6hbCY= =kz9x -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ . There are no available workarounds to mitigate these vulnerabilities. Details ======= Cisco Intercompany Media Engine provides a technique for establishing direct IP connectivity between enterprises by combining peer-to-peer technologies with the existing public switched telephone network (PSTN) infrastructure. ---------------------------------------------------------------------- The Secunia CSI 5.0 Beta - now available for testing Find out more, take a free test drive, and share your opinion with us: http://secunia.com/blog/242 ---------------------------------------------------------------------- TITLE: Cisco Unified Communications Manager Multiple Denial of Service Vulnerabilities SECUNIA ADVISORY ID: SA45738 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/45738/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=45738 RELEASE DATE: 2011-08-25 DISCUSS ADVISORY: http://secunia.com/advisories/45738/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/45738/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=45738 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Multiple vulnerabilities have been reported in Cisco Unified Communications Manager, which can be exploited by malicious people to cause a DoS (Denial of Service). Note: This vulnerability only affects version 7.0.x and later. The vulnerabilities are reported in versions 6.x, 7.x, and 8.x. SOLUTION: Update to version 6.1(5)SU3, 7.1(5b)SU4, 8.0(3a)SU2, 8.5(1)SU2, or 8.6(1). PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: http://www.cisco.com/warp/public/707/cisco-sa-20110824-cucm.shtml OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Citrix Access Gateway is a universal SSL VPN device. Part of the input on the relevant login page is missing filtering before returning to the user, and the attacker can exploit the vulnerability for cross-site scripting attacks, executing arbitrary HTML and script code on the target user's browser. Get sensitive information or hijack user sessions. The Citrix Access Gateway is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input. This may help the attacker steal cookie-based authentication credentials and launch other attacks. Citrix Access Gateway Enterprise Edition versions 9.2-49.8 and prior are vulnerable. ---------------------------------------------------------------------- The Secunia CSI 5.0 Beta - now available for testing Find out more, take a free test drive, and share your opinion with us: http://secunia.com/blog/242 ---------------------------------------------------------------------- TITLE: Citrix Access Gateway Unspecified Cross-Site Scripting Vulnerability SECUNIA ADVISORY ID: SA45726 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/45726/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=45726 RELEASE DATE: 2011-08-25 DISCUSS ADVISORY: http://secunia.com/advisories/45726/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/45726/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=45726 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: A vulnerability has been reported in Citrix Access Gateway, which can be exploited by malicious people to conduct cross-site scripting attacks. Certain unspecified input related to the logon portal is not properly sanitised before being returned to the user. SOLUTION: Apply update. Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: http://support.citrix.com/article/CTX129971 OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

SAP NetWeaver is a service-oriented application and integration platform. Provides a development and runtime environment for SAP applications, as well as custom development and integration with other applications and systems. SAP NetWeaver has any file deletion vulnerability in the implementation of EPS_DELETE_FILE(). This vulnerability can be exploited by remote attackers to delete any file on the affected computer or to steal the hash of the SAP server account in the Windows environment through SMBRelay attack. An attacker can use the default SAP account (such as TMSADM or SAPCPIC) to remotely execute the function EPS_DELETE_FILE to delete any file in the OS, or send a hash of the SAP account to the remote host or perform a smbrelay attack. Attackers can exploit this issue with directory-traversal strings ('../') to delete arbitrary files; this may aid in launching further attacks

Use-after-free vulnerability in Google Chrome before 13.0.782.215 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to text searching. Google Chrome Has a deficiency in processing related to text search. (DoS) There are vulnerabilities that can be in a state or are otherwise unaffected.Service disruption by a third party (DoS) You may be put into a state or affected by other details. Google Chrome is prone to multiple vulnerabilities. Attackers can exploit these issues to execute arbitrary code in the context of the browser, cause denial-of-service conditions, perform spoofing attacks, and bypass the same-origin policy; other attacks may also be possible. Versions prior to Chrome 13.0.782.215 are vulnerable. Google Chrome is a web browser developed by Google (Google). -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 APPLE-SA-2011-10-12-4 Safari 5.1.1 Safari 5.1.1 is now available and addresses the following: Safari Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7.2, OS X Lion Server v10.7.2, Windows 7, Vista, XP SP2 or later Impact: Visiting a malicious website may cause the execution of arbitrary Javascript in the context of installed Safari Extensions Description: A directory traversal issue existed in the handling of safari-extension:// URLs. Visiting a malicious website may cause execution of arbitrary Javascript in the context of installed Safari Extensions, which may have context-dependent ramifications including files from the user's system being sent to a remote server. CVE-ID CVE-2011-3229 : Aaron Sigel of vtty.com Safari Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7.2, OS X Lion Server v10.7.2 Impact: Visiting a malicious website may lead to arbitrary code execution Description: A policy issue existed in the handling of file:// URLs. This issue does not affect Windows systems. CVE-ID CVE-2011-3230 : Aaron Sigel of vtty.com Safari Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8 Impact: Visiting a malicious website may lead to arbitrary code execution Description: An uninitialized memory access issue existed in the handling of SSL certificates. This issue does not affect OS X Lion systems or Windows systems. CVE-ID CVE-2011-3231 : Jason Broccardo of Fermi National Accelerator Laboratory WebKit Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7.2, OS X Lion Server v10.7.2, Windows 7, Vista, XP SP2 or later Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution Description: Multiple memory corruption issues existed in WebKit. CVE-ID CVE-2011-1440 : Jose A. Vazquez of spa-s3c.blogspot.com CVE-2011-2338 : Abhishek Arya (Inferno) of Google Chrome Security Team using AddressSanitizer CVE-2011-2339 : Cris Neckar of the Google Chrome Security Team CVE-2011-2341 : Apple CVE-2011-2351 : miaubiz CVE-2011-2352 : Apple CVE-2011-2354 : Apple CVE-2011-2356 : Adam Barth and Abhishek Arya of Google Chrome Security Team using AddressSanitizer CVE-2011-2359 : miaubiz CVE-2011-2788 : Mikolaj Malecki of Samsung CVE-2011-2790 : miaubiz CVE-2011-2792 : miaubiz CVE-2011-2797 : miaubiz CVE-2011-2799 : miaubiz CVE-2011-2809 : Abhishek Arya (Inferno) of Google Chrome Security Team CVE-2011-2811 : Apple CVE-2011-2813 : Cris Neckar of Google Chrome Security Team using AddressSanitizer CVE-2011-2814 : Abhishek Arya (Inferno) of Google Chrome Security Team using AddressSanitizer CVE-2011-2815 : SkyLined of Google Chrome Security Team CVE-2011-2816 : Apple CVE-2011-2817 : Abhishek Arya (Inferno) of Google Chrome Security Team using AddressSanitizer CVE-2011-2818 : Martin Barbella CVE-2011-2820 : Raman Tenneti and Philip Rogers of Google CVE-2011-2823 : SkyLined of Google Chrome Security Team CVE-2011-2827 : miaubiz CVE-2011-2831 : Abhishek Arya (Inferno) of Google Chrome Security Team using AddressSanitizer CVE-2011-3232 : Aki Helin of OUSPG CVE-2011-3233 : Sadrul Habib Chowdhury of the Chromium development community, Cris Neckar and Abhishek Arya (Inferno) of Google Chrome Security Team CVE-2011-3234 : miaubiz CVE-2011-3235 : Dimitri Glazkov, Kent Tamura, Dominic Cooney of the Chromium development community, and Abhishek Arya (Inferno) of Google Chrome Security Team CVE-2011-3236 : Abhishek Arya (Inferno) of Google Chrome Security Team using AddressSanitizer CVE-2011-3237 : Dimitri Glazkov, Kent Tamura, Dominic Cooney of the Chromium development community, and Abhishek Arya (Inferno) of Google Chrome Security Team CVE-2011-3238 : Martin Barbella CVE-2011-3239 : Slawomir Blazek CVE-2011-3241 : Apple WebKit Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7.2, OS X Lion Server v10.7.2, Windows 7, Vista, XP SP2 or later Impact: A maliciously crafted website may be able to track the URLs that a user visits within a frame Description: A cross-origin issue existed in the handling of the beforeload event. CVE-ID CVE-2011-2800 : Juho Nurminen WebKit Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7.2, OS X Lion Server v10.7.2, Windows 7, Vista, XP SP2 or later Impact: Visiting a maliciously crafted website may lead to a cross- site scripting attack Description: A cross-origin issue existed in the handling of the window.open method. CVE-ID CVE-2011-2805 : Sergey Glazunov WebKit Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7.2, OS X Lion Server v10.7.2, Windows 7, Vista, XP SP2 or later Impact: Visiting a maliciously crafted website may lead to a cross- site scripting attack Description: A cross-origin issue existed in the handling of the document.documentURI property. CVE-ID CVE-2011-2819 : Sergey Glazunov WebKit Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7.2, OS X Lion Server v10.7.2, Windows 7, Vista, XP SP2 or later Impact: Visiting a maliciously crafted website may lead to a cross- site scripting attack Description: A cross-origin issue existed in the handling of inactive DOM windows. CVE-ID CVE-2011-3243 : Sergey Glazunov WebKit Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7.2, OS X Lion Server v10.7.2 Impact: In Private Browsing mode, cookies may be set even if "Block cookies" is set to "Always" Description: A logic issue existed in the handling of cookies in Private Browsing mode. This issue does not affect Windows systems. CVE-ID CVE-2011-3242 : John Adamczyk Safari 5.1.1 is available via the Apple Software Update application, or Apple's Safari download site at: http://www.apple.com/safari/download/ Safari for OS X Lion v10.7.2 The download file is named: Safari5.1.1Lion.dmg Its SHA-1 digest is: 368113397d35475a0a4d0b0dbf3b31f543cfb4c5 Safari for Mac OS X v10.6.8 The download file is named: Safari5.1.1SnowLeopard.dmg Its SHA-1 digest is: 4c588d86032ab24984b721354748f028b559fb37 Safari for Windows 7, Vista or XP The download file is named: SafariSetup.exe Its SHA-1 digest is: 5a2d3e0c0e601938f1d64d517e6a8199cd563d10 Safari for Windows 7, Vista or XP from the Microsoft Choice Screen The download file is named: Safari_Setup.exe Its SHA-1 digest is: f0094f19b7a6b0a96a4fe6407b0037223ae44b15 Safari+QuickTime for Windows 7, Vista or XP The file is named: SafariQuickTimeSetup.exe Its SHA-1 digest is: 3dbfe52e5be6409d0ad1fcb22e747963e10db218 Information will also be posted to the Apple Security Updates web site: http://support.apple.com/kb/HT1222 This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.16 (Darwin) iQEcBAEBAgAGBQJOlLv6AAoJEGnF2JsdZQeeqOUH/RWDBq5xXEegxI+N92+9lB42 J6ZBcO8rrigAhYz59ZJG0NF8VGZI0DSFI+dxC8XeoKfiamvkaZo1lYGLdqWiTkxz 6ODprWbfGVcwFd9rNeCbIc9E5FV0SRbS1xCv+JnrwR2i2raqgAEWc4CpAcH5mgqT 5G2cWhwS8EMUNXZz/C0IjkfNBAjQ2c9BHVHj0Wid5vyXutju3WOcBXwqcbTpNANI NiVHf5ucaRep6110riIYazuCdFLCcwZDaySw2n2ZhelliTz1tpCa7uVoJfZjyeyw xwY/QjLDBTSpUYDTPC//XG7ZswptKHFjrX4KtxD9XTltq5wNGJavJzKf2qa4jrM= =ZXdu -----END PGP SIGNATURE-----

Use-after-free vulnerability in Google Chrome before 13.0.782.215 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors involving a line box. Google Chrome is prone to multiple vulnerabilities. Attackers can exploit these issues to execute arbitrary code in the context of the browser, cause denial-of-service conditions, perform spoofing attacks, and bypass the same-origin policy; other attacks may also be possible. Versions prior to Chrome 13.0.782.215 are vulnerable. Google Chrome is a web browser developed by Google (Google). -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 APPLE-SA-2011-10-12-4 Safari 5.1.1 Safari 5.1.1 is now available and addresses the following: Safari Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7.2, OS X Lion Server v10.7.2, Windows 7, Vista, XP SP2 or later Impact: Visiting a malicious website may cause the execution of arbitrary Javascript in the context of installed Safari Extensions Description: A directory traversal issue existed in the handling of safari-extension:// URLs. Visiting a malicious website may cause execution of arbitrary Javascript in the context of installed Safari Extensions, which may have context-dependent ramifications including files from the user's system being sent to a remote server. CVE-ID CVE-2011-3229 : Aaron Sigel of vtty.com Safari Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7.2, OS X Lion Server v10.7.2 Impact: Visiting a malicious website may lead to arbitrary code execution Description: A policy issue existed in the handling of file:// URLs. This issue does not affect Windows systems. CVE-ID CVE-2011-3230 : Aaron Sigel of vtty.com Safari Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8 Impact: Visiting a malicious website may lead to arbitrary code execution Description: An uninitialized memory access issue existed in the handling of SSL certificates. This issue does not affect OS X Lion systems or Windows systems. CVE-ID CVE-2011-3231 : Jason Broccardo of Fermi National Accelerator Laboratory WebKit Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7.2, OS X Lion Server v10.7.2, Windows 7, Vista, XP SP2 or later Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution Description: Multiple memory corruption issues existed in WebKit. CVE-ID CVE-2011-1440 : Jose A. Vazquez of spa-s3c.blogspot.com CVE-2011-2338 : Abhishek Arya (Inferno) of Google Chrome Security Team using AddressSanitizer CVE-2011-2339 : Cris Neckar of the Google Chrome Security Team CVE-2011-2341 : Apple CVE-2011-2351 : miaubiz CVE-2011-2352 : Apple CVE-2011-2354 : Apple CVE-2011-2356 : Adam Barth and Abhishek Arya of Google Chrome Security Team using AddressSanitizer CVE-2011-2359 : miaubiz CVE-2011-2788 : Mikolaj Malecki of Samsung CVE-2011-2790 : miaubiz CVE-2011-2792 : miaubiz CVE-2011-2797 : miaubiz CVE-2011-2799 : miaubiz CVE-2011-2809 : Abhishek Arya (Inferno) of Google Chrome Security Team CVE-2011-2811 : Apple CVE-2011-2813 : Cris Neckar of Google Chrome Security Team using AddressSanitizer CVE-2011-2814 : Abhishek Arya (Inferno) of Google Chrome Security Team using AddressSanitizer CVE-2011-2815 : SkyLined of Google Chrome Security Team CVE-2011-2816 : Apple CVE-2011-2817 : Abhishek Arya (Inferno) of Google Chrome Security Team using AddressSanitizer CVE-2011-2818 : Martin Barbella CVE-2011-2820 : Raman Tenneti and Philip Rogers of Google CVE-2011-2823 : SkyLined of Google Chrome Security Team CVE-2011-2827 : miaubiz CVE-2011-2831 : Abhishek Arya (Inferno) of Google Chrome Security Team using AddressSanitizer CVE-2011-3232 : Aki Helin of OUSPG CVE-2011-3233 : Sadrul Habib Chowdhury of the Chromium development community, Cris Neckar and Abhishek Arya (Inferno) of Google Chrome Security Team CVE-2011-3234 : miaubiz CVE-2011-3235 : Dimitri Glazkov, Kent Tamura, Dominic Cooney of the Chromium development community, and Abhishek Arya (Inferno) of Google Chrome Security Team CVE-2011-3236 : Abhishek Arya (Inferno) of Google Chrome Security Team using AddressSanitizer CVE-2011-3237 : Dimitri Glazkov, Kent Tamura, Dominic Cooney of the Chromium development community, and Abhishek Arya (Inferno) of Google Chrome Security Team CVE-2011-3238 : Martin Barbella CVE-2011-3239 : Slawomir Blazek CVE-2011-3241 : Apple WebKit Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7.2, OS X Lion Server v10.7.2, Windows 7, Vista, XP SP2 or later Impact: A maliciously crafted website may be able to track the URLs that a user visits within a frame Description: A cross-origin issue existed in the handling of the beforeload event. CVE-ID CVE-2011-2800 : Juho Nurminen WebKit Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7.2, OS X Lion Server v10.7.2, Windows 7, Vista, XP SP2 or later Impact: Visiting a maliciously crafted website may lead to a cross- site scripting attack Description: A cross-origin issue existed in the handling of the window.open method. CVE-ID CVE-2011-2805 : Sergey Glazunov WebKit Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7.2, OS X Lion Server v10.7.2, Windows 7, Vista, XP SP2 or later Impact: Visiting a maliciously crafted website may lead to a cross- site scripting attack Description: A cross-origin issue existed in the handling of the document.documentURI property. CVE-ID CVE-2011-2819 : Sergey Glazunov WebKit Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7.2, OS X Lion Server v10.7.2, Windows 7, Vista, XP SP2 or later Impact: Visiting a maliciously crafted website may lead to a cross- site scripting attack Description: A cross-origin issue existed in the handling of inactive DOM windows. CVE-ID CVE-2011-3243 : Sergey Glazunov WebKit Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7.2, OS X Lion Server v10.7.2 Impact: In Private Browsing mode, cookies may be set even if "Block cookies" is set to "Always" Description: A logic issue existed in the handling of cookies in Private Browsing mode. This issue does not affect Windows systems. CVE-ID CVE-2011-3242 : John Adamczyk Safari 5.1.1 is available via the Apple Software Update application, or Apple's Safari download site at: http://www.apple.com/safari/download/ Safari for OS X Lion v10.7.2 The download file is named: Safari5.1.1Lion.dmg Its SHA-1 digest is: 368113397d35475a0a4d0b0dbf3b31f543cfb4c5 Safari for Mac OS X v10.6.8 The download file is named: Safari5.1.1SnowLeopard.dmg Its SHA-1 digest is: 4c588d86032ab24984b721354748f028b559fb37 Safari for Windows 7, Vista or XP The download file is named: SafariSetup.exe Its SHA-1 digest is: 5a2d3e0c0e601938f1d64d517e6a8199cd563d10 Safari for Windows 7, Vista or XP from the Microsoft Choice Screen The download file is named: Safari_Setup.exe Its SHA-1 digest is: f0094f19b7a6b0a96a4fe6407b0037223ae44b15 Safari+QuickTime for Windows 7, Vista or XP The file is named: SafariQuickTimeSetup.exe Its SHA-1 digest is: 3dbfe52e5be6409d0ad1fcb22e747963e10db218 Information will also be posted to the Apple Security Updates web site: http://support.apple.com/kb/HT1222 This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.16 (Darwin) iQEcBAEBAgAGBQJOlLv6AAoJEGnF2JsdZQeeqOUH/RWDBq5xXEegxI+N92+9lB42 J6ZBcO8rrigAhYz59ZJG0NF8VGZI0DSFI+dxC8XeoKfiamvkaZo1lYGLdqWiTkxz 6ODprWbfGVcwFd9rNeCbIc9E5FV0SRbS1xCv+JnrwR2i2raqgAEWc4CpAcH5mgqT 5G2cWhwS8EMUNXZz/C0IjkfNBAjQ2c9BHVHj0Wid5vyXutju3WOcBXwqcbTpNANI NiVHf5ucaRep6110riIYazuCdFLCcwZDaySw2n2ZhelliTz1tpCa7uVoJfZjyeyw xwY/QjLDBTSpUYDTPC//XG7ZswptKHFjrX4KtxD9XTltq5wNGJavJzKf2qa4jrM= =ZXdu -----END PGP SIGNATURE-----

Use-after-free vulnerability in Google Chrome before 13.0.782.215 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors involving custom fonts. Used in multiple products Webkit There is a service disruption (DoS) There are vulnerabilities that can be in a state or are otherwise unaffected.Service disruption by a third party (DoS) You may be put into a state or affected by other details. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Webkit. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within the parsing and utilization of font objects. When the code parses the @font-face CSS element it does not validate that the font-family is legitimate. Later, if the same font-family is applied within CSS the code will access an invalid element of its internal font object. This can be leveraged by a remote attacker to execute code under the context of the user running the browser. Google Chrome is prone to multiple vulnerabilities. Attackers can exploit these issues to execute arbitrary code in the context of the browser, cause denial-of-service conditions, perform spoofing attacks, and bypass the same-origin policy; other attacks may also be possible. Versions prior to Chrome 13.0.782.215 are vulnerable. Google Chrome is a web browser developed by Google (Google). These could be used in a malicious web site to direct the user to a spoofed site that visually appears to be a legitimate domain. This issue is addressed through an improved domain name validity check. This issue does not affect OS X systems. CVE-ID CVE-2012-0640 : nshah WebKit Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7.3, OS X Lion Server v10.7.3, Windows 7, Vista, XP SP2 or later Impact: HTTP authentication credentials may be inadvertently disclosed to another site Description: If a site uses HTTP authentication and redirects to another site, the authentication credentials may be sent to the other site. ---------------------------------------------------------------------- Become a PSI 3.0 beta tester! Test-drive the new beta version and tell us what you think about its extended automatic update function and significantly enhanced user-interface. Download it here! http://secunia.com/psi_30_beta_launch ---------------------------------------------------------------------- TITLE: Apple iOS Multiple Vulnerabilities SECUNIA ADVISORY ID: SA48288 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/48288/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=48288 RELEASE DATE: 2012-03-09 DISCUSS ADVISORY: http://secunia.com/advisories/48288/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/48288/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=48288 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: A weakness and multiple vulnerabilities have been reported in Apple iOS, which can be exploited by malicious people with physical access to bypass certain security restrictions and by malicious people to disclose sensitive information, conduct cross-site scripting attacks, bypass certain security restrictions, and compromise a user's device. 1) An error within the CFNetwork component when handling URLs can be exploited to disclose sensitive information by tricking the user into visiting a malicious website. 3) A logic error within the kernel does not properly handle debug system calls and can be exploited to bypass the sandbox restrictions. 4) An integer overflow error within the libresolv library when handling DNS resource records can be exploited to corrupt heap memory. 9) A cross-origin error in the WebKit component can be exploited to bypass the same-origin policy and disclose a cookie by tricking the user into visiting a malicious website. 10) An error within the WebKit component when handling drag-and-drop actions can be exploited to conduct cross-site scripting attacks. 11) Multiple unspecified errors within the WebKit component can be exploited to conduct cross-site scripting attacks. 12) Some vulnerabilities are caused due to a bundled vulnerable version of WebKit. SOLUTION: Apply iOS 5.1 Software Update. PROVIDED AND/OR DISCOVERED BY: The vendor credits: 1) Erling Ellingsen, Facebook. 2, 8) pod2g. 3) 2012 iOS Jailbreak Dream Team. 5) Roland Kohler, the German Federal Ministry of Economics and Technology. 6) Eric Melville, American Express. 9) Sergey Glazunov. ORIGINAL ADVISORY: Apple: http://support.apple.com/kb/HT5192 OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 APPLE-SA-2012-03-07-2 iOS 5.1 Software Update iOS 5.1 Software Update is now available and addresses the following: CFNetwork Available for: iPhone 3GS, iPhone 4, iPhone 4S, iPod touch (3rd generation) and later, iPad, iPad 2 Impact: Visiting a maliciously crafted website may lead to the disclosure of sensitive information Description: An issue existed in CFNetwork's handling of malformed URLs. When accessing a maliciously crafted URL, CFNetwork could send unexpected request headers. CVE-ID CVE-2012-0641 : Erling Ellingsen of Facebook HFS Available for: iPhone 3GS, iPhone 4, iPhone 4S, iPod touch (3rd generation) and later, iPad, iPad 2 Impact: Mounting a maliciously crafted disk image may lead to a device shutdown or arbitrary code execution Description: An integer underflow existed with the handling of HFS catalog files. CVE-ID CVE-2012-0642 : pod2g Kernel Available for: iPhone 3GS, iPhone 4, iPhone 4S, iPod touch (3rd generation) and later, iPad, iPad 2 Impact: A malicious program could bypass sandbox restrictions Description: A logic issue existed in the handling of debug system calls. This may allow a malicious program to gain code execution in other programs with the same user privileges. CVE-ID CVE-2012-0643 : 2012 iOS Jailbreak Dream Team libresolv Available for: iPhone 3GS, iPhone 4, iPhone 4S, iPod touch (3rd generation) and later, iPad, iPad 2 Impact: Applications that use the libresolv library may be vulnerable to an unexpected application termination or arbitrary code execution Description: An integer overflow existed in the handling of DNS resource records, which may lead to heap memory corruption. CVE-ID CVE-2011-3453 : Ilja van Sprundel of IOActive Passcode Lock Available for: iPhone 3GS, iPhone 4, iPhone 4S, iPod touch (3rd generation) and later, iPad, iPad 2 Impact: A person with physical access to the device may be able to bypass the screen lock Description: A race condition issue existed in the handling of slide to dial gestures. This may allow a person with physical access to the device to bypass the Passcode Lock screen. CVE-ID CVE-2012-0644 : Roland Kohler of the German Federal Ministry of Economics and Technology Safari Available for: iPhone 3GS, iPhone 4, iPhone 4S, iPod touch (3rd generation) and later, iPad, iPad 2 Impact: Web page visits may be recorded in browser history even when Private Browsing is active Description: Safari's Private Browsing is designed to prevent recording of a browsing session. Pages visited as a result of a site using the JavaScript methods pushState or replaceState were recorded in the browser history even when Private Browsing mode was active. This issue is addressed by not recording such visits when Private Browsing is active. CVE-ID CVE-2012-0585 : Eric Melville of American Express Siri Available for: iPhone 3GS, iPhone 4, iPhone 4S, iPod touch (3rd generation) and later, iPad, iPad 2 Impact: An attacker with physical access to a locked phone could get access to frontmost email message Description: A design issue existed in Siri's lock screen restrictions. If Siri was enabled for use on the lock screen, and Mail was open with a message selected behind the lock screen, a voice command could be used to send that message to an arbitrary recipient. This issue is addressed by disabling forwarding of active messages from the lock screen. CVE-ID CVE-2012-0645 VPN Available for: iPhone 3GS, iPhone 4, iPhone 4S, iPod touch (3rd generation) and later, iPad, iPad 2 Impact: A maliciously crafted system configuration file may lead to arbitrary code execution with system privileges Description: A format string vulnerability existed in the handling of racoon configuration files. CVE-ID CVE-2012-0646 : pod2g WebKit Available for: iPhone 3GS, iPhone 4, iPhone 4S, iPod touch (3rd generation) and later, iPad, iPad 2 Impact: Visiting a maliciously crafted website may lead to the disclosure of cookies Description: A cross-origin issue existed in WebKit, which may allow cookies to be disclosed across origins. CVE-ID CVE-2011-3887 : Sergey Glazunov WebKit Available for: iPhone 3GS, iPhone 4, iPhone 4S, iPod touch (3rd generation) and later, iPad, iPad 2 Impact: Visiting a maliciously crafted website and dragging content with the mouse may lead to a cross-site scripting attack Description: A cross-origin issue existed in WebKit, which may allow content to be dragged and dropped across origins. CVE-ID CVE-2012-0590 : Adam Barth of Google Chrome Security Team WebKit Available for: iPhone 3GS, iPhone 4, iPhone 4S, iPod touch (3rd generation) and later, iPad, iPad 2 Impact: Visiting a maliciously crafted website may lead to a cross- site scripting attack Description: Multiple cross-origin issues existed in WebKit. CVE-ID CVE-2011-3881 : Sergey Glazunov CVE-2012-0586 : Sergey Glazunov CVE-2012-0587 : Sergey Glazunov CVE-2012-0588 : Jochen Eisinger of Google Chrome Team CVE-2012-0589 : Alan Austin of polyvore.com WebKit Available for: iPhone 3GS, iPhone 4, iPhone 4S, iPod touch (3rd generation) and later, iPad, iPad 2 Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution Description: Multiple memory corruption issues existed in WebKit. CVE-ID CVE-2011-2825 : wushi of team509 working with TippingPoint's Zero Day Initiative CVE-2011-2833 : Apple CVE-2011-2846 : Arthur Gerkis, miaubiz CVE-2011-2847 : miaubiz, Abhishek Arya (Inferno) of Google Chrome Security Team using AddressSanitizer CVE-2011-2854 : Abhishek Arya (Inferno) of Google Chrome Security Team using AddressSanitizer CVE-2011-2855 : Arthur Gerkis, wushi of team509 working with iDefense VCP CVE-2011-2857 : miaubiz CVE-2011-2860 : Abhishek Arya (Inferno) of Google Chrome Security Team using AddressSanitizer CVE-2011-2867 : Dirk Schulze CVE-2011-2868 : Abhishek Arya (Inferno) of Google Chrome Security Team using AddressSanitizer CVE-2011-2869 : Cris Neckar of Google Chrome Security Team using AddressSanitizer CVE-2011-2870 : Abhishek Arya (Inferno) of Google Chrome Security Team using AddressSanitizer CVE-2011-2871 : Abhishek Arya (Inferno) of Google Chrome Security Team using AddressSanitizer CVE-2011-2872 : Abhishek Arya (Inferno) and Cris Neckar of Google Chrome Security Team using AddressSanitizer CVE-2011-2873 : Abhishek Arya (Inferno) of Google Chrome Security Team using AddressSanitizer CVE-2011-2877 : miaubiz CVE-2011-3885 : miaubiz CVE-2011-3888 : miaubiz CVE-2011-3897 : pa_kt working with TippingPoint's Zero Day Initiative CVE-2011-3908 : Aki Helin of OUSPG CVE-2011-3909 : Google Chrome Security Team (scarybeasts) and Chu CVE-2011-3928 : wushi of team509 working with TippingPoint's Zero Day Initiative CVE-2012-0591 : miaubiz, and Martin Barbella CVE-2012-0592 : Alexander Gavrun working with TippingPoint's Zero Day Initiative CVE-2012-0593 : Lei Zhang of the Chromium development community CVE-2012-0594 : Adam Klein of the Chromium development community CVE-2012-0595 : Apple CVE-2012-0596 : Abhishek Arya (Inferno) of Google Chrome Security Team using AddressSanitizer CVE-2012-0597 : miaubiz CVE-2012-0598 : Sergey Glazunov CVE-2012-0599 : Dmytro Gorbunov of SaveSources.com CVE-2012-0600 : Marshall Greenblatt, Dharani Govindan of Google Chrome, miaubiz, Aki Helin of OUSPG, Apple CVE-2012-0601 : Apple CVE-2012-0602 : Apple CVE-2012-0603 : Apple CVE-2012-0604 : Apple CVE-2012-0605 : Apple CVE-2012-0606 : Apple CVE-2012-0607 : Apple CVE-2012-0608 : Abhishek Arya (Inferno) of Google Chrome Security Team using AddressSanitizer CVE-2012-0609 : Abhishek Arya (Inferno) of Google Chrome Security Team using AddressSanitizer CVE-2012-0610 : miaubiz, Martin Barbella using AddressSanitizer CVE-2012-0611 : Martin Barbella using AddressSanitizer CVE-2012-0612 : Abhishek Arya (Inferno) of Google Chrome Security Team using AddressSanitizer CVE-2012-0613 : Abhishek Arya (Inferno) of Google Chrome Security Team using AddressSanitizer CVE-2012-0614 : miaubiz, Martin Barbella using AddressSanitizer CVE-2012-0615 : Martin Barbella using AddressSanitizer CVE-2012-0616 : miaubiz CVE-2012-0617 : Martin Barbella using AddressSanitizer CVE-2012-0618 : Abhishek Arya (Inferno) of Google Chrome Security Team using AddressSanitizer CVE-2012-0619 : Abhishek Arya (Inferno) of Google Chrome Security Team using AddressSanitizer CVE-2012-0620 : Abhishek Arya (Inferno) of Google Chrome Security Team using AddressSanitizer CVE-2012-0621 : Martin Barbella using AddressSanitizer CVE-2012-0622 : Dave Levin and Abhishek Arya of the Google Chrome Security Team CVE-2012-0623 : Abhishek Arya (Inferno) of Google Chrome Security Team using AddressSanitizer CVE-2012-0624 : Martin Barbella using AddressSanitizer CVE-2012-0625 : Martin Barbella CVE-2012-0626 : Abhishek Arya (Inferno) of Google Chrome Security Team using AddressSanitizer CVE-2012-0627 : Apple CVE-2012-0628 : Slawomir Blazek, miaubiz, Abhishek Arya (Inferno) of Google Chrome Security Team using AddressSanitizer CVE-2012-0629 : Abhishek Arya (Inferno) of Google Chrome Security Team CVE-2012-0630 : Sergio Villar Senin of Igalia CVE-2012-0631 : Abhishek Arya (Inferno) of Google Chrome Security Team CVE-2012-0632 : Cris Neckar of the Google Chrome Security Team using AddressSanitizer CVE-2012-0633 : Apple CVE-2012-0635 : Julien Chaffraix of the Chromium development community, Martin Barbella using AddressSanitizer Installation note: This update is only available through iTunes, and will not appear in your computer's Software Update application, or in the Apple Downloads site. Make sure you have an Internet connection and have installed the latest version of iTunes from www.apple.com/itunes/ iTunes will automatically check Apple's update server on its weekly schedule. When an update is detected, it will download it. When the iPhone, iPod touch or iPad is docked, iTunes will present the user with the option to install the update. We recommend applying the update immediately if possible. Selecting Don't Install will present the option the next time you connect your iPhone, iPod touch, or iPad. The automatic update process may take up to a week depending on the day that iTunes checks for updates. You may manually obtain the update via the Check for Updates button within iTunes. After doing this, the update can be applied when your iPhone, iPod touch, or iPad is docked to your computer. To check that the iPhone, iPod touch, or iPad has been updated: * Navigate to Settings * Select General * Select About. The version after applying this update will be "5.1". Information will also be posted to the Apple Security Updates web site: http://support.apple.com/kb/HT1222 This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.16 (Darwin) iQEcBAEBAgAGBQJPV6M3AAoJEGnF2JsdZQeef/cIAKBSn0czLzJO9fu6ZyjLRvxq 4pIZgfyEVGBzpn+9IeiGFTkkVf+bOsA+Q3RlcsG5g0RlbyFgnuWu59HHsnkrElbM bCfnnTF5eYZX/3fnLzxpX7BUsEona3nf1gHfR24OeEn36C8rZ6rZJfMLqCJNNZGY RDSga1oeMN/AbgZuR9sYKudkE0GOmkLZfR2G4WXmrU+JncR6XoROUwoJBPhg8z90 HAxgDEbduuLLOSe7CHLS3apbh0L2tmxPCWpiBmEMg6PTlFF0HhJQJ0wusrUc8nX6 7TDsAho73wCOpChzBGQeemc6+UEN2uDmUgwVkN6n4D/qN1u6E+d3coUXOlb8hIY= =qPeE -----END PGP SIGNATURE-----

Double free vulnerability in libxml2, as used in Google Chrome before 13.0.782.215, allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted XPath expression. Google Chrome is prone to multiple vulnerabilities. Attackers can exploit these issues to execute arbitrary code in the context of the browser, cause denial-of-service conditions, perform spoofing attacks, and bypass the same-origin policy; other attacks may also be possible. Versions prior to Chrome 13.0.782.215 are vulnerable. Google Chrome is a web browser developed by Google (Google). Packages for 2009.0 are provided as of the Extended Maintenance Program. The verification of md5 checksums and GPG signatures is performed automatically for you. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Note: the current version of the following document is available here: https://h20566.www2.hp.com/portal/site/hpsc/public/kb/ docDisplay?docId=emr_na-c03360041 SUPPORT COMMUNICATION - SECURITY BULLETIN Document ID: c03360041 Version: 1 HPSBMU02786 SSRT100877 rev.1 - HP System Management Homepage (SMH) Running on Linux and Windows, Remote Unauthorized Access, Disclosure of Information, Data Modification, Denial of Service (DoS), Execution of Arbitrary Code NOTICE: The information in this Security Bulletin should be acted upon as soon as possible. Release Date: 2012-06-26 Last Updated: 2012-06-26 Potential Security Impact: Remote unauthorized access, disclosure of information, data modification, Denial of Service (DoS), execution of arbitrary code Source: Hewlett-Packard Company, HP Software Security Response Team VULNERABILITY SUMMARY Potential security vulnerabilities have been identified with HP System Management Homepage (SMH) running on Linux and Windows. The vulnerabilities could be exploited remotely resulting in unauthorized access, disclosure of information, data modification, Denial of Service (DoS), and execution of arbitrary code. References: CVE-2011-1944, CVE-2011-2821, CVE-2011-2834, CVE-2011-3379, CVE-2011-3607, CVE-2011-4078, CVE-2011-4108, CVE-2011-4153, CVE-2011-4317, CVE-2011-4415, CVE-2011-4576, CVE-2011-4577, CVE-2011-4619, CVE-2011-4885, CVE-2012-0021, CVE-2012-0027, CVE-2012-0031, CVE-2012-0036, CVE-2012-0053, CVE-2012-0057, CVE-2012-0830, CVE-2012-1165, CVE-2012-1823, CVE-2012-2012 (AUTOCOMPLETE enabled), CVE-2012-2013 (DoS), CVE-2012-2014 (Improper input validation), CVE-2012-2015 (Privilege Elevation), CVE-2012-2016 (Information disclosure), SSRT100336, SSRT100753, SSRT100669, SSRT100676, SSRT100695, SSRT100714, SSRT100760, SSRT100786, SSRT100787, SSRT100815, SSRT100840, SSRT100843, SSRT100869 SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed. HP System Management Homepage (SMH) before v7.1.1 running on Linux and Windows. BACKGROUND CVSS 2.0 Base Metrics =========================================================== Reference Base Vector Base Score CVE-2012-2012 (AV:N/AC:L/Au:N/C:C/I:C/A:P) 9.7 CVE-2012-2013 (AV:N/AC:M/Au:N/C:P/I:P/A:P) 6.8 CVE-2012-2014 (AV:N/AC:M/Au:S/C:N/I:N/A:N) 6.8 CVE-2012-2015 (AV:N/AC:M/Au:S/C:P/I:N/A:N) 6.5 CVE-2012-2016 (AV:L/AC:M/Au:S/C:C/I:N/A:N) 4.4 CVE-2011-1944 (AV:N/AC:M/Au:N/C:C/I:C/A:C) 9.3 CVE-2011-2821 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5 CVE-2011-2834 (AV:N/AC:M/Au:N/C:P/I:P/A:P) 6.8 CVE-2011-3379 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5 CVE-2011-3607 (AV:L/AC:M/Au:N/C:P/I:P/A:P) 4.4 CVE-2011-4078 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0 CVE-2011-4108 (AV:N/AC:M/Au:N/C:P/I:N/A:N) 4.3 CVE-2011-4153 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0 CVE-2011-4317 (AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3 CVE-2011-4415 (AV:L/AC:H/Au:N/C:N/I:N/A:P) 1.2 CVE-2011-4576 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0 CVE-2011-4577 (AV:N/AC:M/Au:N/C:N/I:N/A:P) 4.3 CVE-2011-4619 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0 CVE-2011-4885 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0 CVE-2012-0021 (AV:N/AC:H/Au:N/C:N/I:N/A:P) 2.6 CVE-2012-0027 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0 CVE-2012-0031 (AV:L/AC:L/Au:N/C:P/I:P/A:P) 4.6 CVE-2012-0036 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5 CVE-2012-0053 (AV:N/AC:M/Au:N/C:P/I:N/A:N) 4.3 CVE-2012-0057 (AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4 CVE-2012-0830 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5 CVE-2012-1165 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0 CVE-2012-1823 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5 =========================================================== Information on CVSS is documented in HP Customer Notice: HPSN-2008-002 RESOLUTION HP has provided HP System Management Homepage v7.1.1 or subsequent to resolve the vulnerabilities. HP System Management Homepage v7.1.1 is available here: HP System Management Homepage for Windows x64 [Download here] or enter the following URL into the browser address window. http://h20566.www2.hp.com/portal/site/hpsc/template.PAGE/public/psi/swdDetail s/?sp4ts.oid=4091409&spf_p.tpst=psiSwdMain&spf_p.prp_psiSwdMain=wsrp-navigati onalState%3Dlang%253Den%257Ccc%253DUS%257CprodSeriesId%253D4091408%257CprodNa meId%253D4091409%257CswEnvOID%253D4064%257CswLang%253D8%257CswItem%253DMTX-ab 0d4e9bb4654a8da503eccfd9%257Cmode%253D3%257Caction%253DdriverDocument&javax.p ortlet.begCacheTok=com.vignette.cachetoken&javax.portlet.endCacheTok=com.vign ette.cachetoken HP System Management Homepage for Windows x86 [Download here] or enter the following URL into the browser address window. http://h20566.www2.hp.com/portal/site/hpsc/template.PAGE/public/psi/swdDetail s/?sp4ts.oid=4091409&spf_p.tpst=psiSwdMain&spf_p.prp_psiSwdMain=wsrp-navigati onalState%3Dlang%253Den%257Ccc%253DUS%257CprodSeriesId%253D4091408%257CprodNa meId%253D4091409%257CswEnvOID%253D4022%257CswLang%253D8%257CswItem%253DMTX-f7 c0d15d28474255bd0ec23136%257Cmode%253D3%257Caction%253DdriverDocument&javax.p ortlet.begCacheTok=com.vignette.cachetoken&javax.portlet.endCacheTok=com.vign ette.cachetoken HP System Management Homepage for Linux (AMD64/EM64T) [Download here] or enter the following URL into the browser address window. http://h20566.www2.hp.com/portal/site/hpsc/template.PAGE/public/psi/swdDetail s/?sp4ts.oid=4091409&spf_p.tpst=psiSwdMain&spf_p.prp_psiSwdMain=wsrp-navigati onalState%3Dlang%253Den%257Ccc%253DUS%257CprodSeriesId%253D4091408%257CprodNa meId%253D4091409%257CswEnvOID%253D4035%257CswLang%253D8%257CswItem%253DMTX-18 d373dd1361400fbaca892942%257Cmode%253D3%257Caction%253DdriverDocument&javax.p ortlet.begCacheTok=com.vignette.cachetoken&javax.portlet.endCacheTok=com.vign ette.cachetoken HP System Management Homepage for Linux (x86) [Download here] or enter the following URL into the browser address window. http://h20566.www2.hp.com/portal/site/hpsc/template.PAGE/public/psi/swdDetail s/?sp4ts.oid=4091409&spf_p.tpst=psiSwdMain&spf_p.prp_psiSwdMain=wsrp-navigati onalState%3Dlang%253Den%257Ccc%253DUS%257CprodSeriesId%253D4091408%257CprodNa meId%253D4091409%257CswEnvOID%253D4006%257CswLang%253D8%257CswItem%253DMTX-9e 8a0188f97d48139dcb466509%257Cmode%253D3%257Caction%253DdriverDocument&javax.p ortlet.begCacheTok=com.vignette.cachetoken&javax.portlet.endCacheTok=com.vign ette.cachetoken HISTORY Version:1 (rev.1) 26 June 2012 Initial release Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy. Support: For issues about implementing the recommendations of this Security Bulletin, contact normal HP Services support channel. For other issues about the content of this Security Bulletin, send e-mail to security-alert@hp.com. Report: To report a potential security vulnerability with any HP supported product, send Email to: security-alert@hp.com Subscribe: To initiate a subscription to receive future HP Security Bulletin alerts via Email: http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins Security Bulletin List: A list of HP Security Bulletins, updated periodically, is contained in HP Security Notice HPSN-2011-001: https://h20566.www2.hp.com/portal/site/hpsc/public/kb/ docDisplay?docId=emr_na-c02964430 Security Bulletin Archive: A list of recently released Security Bulletins is available here: http://h20566.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/ Software Product Category: The Software Product Category is represented in the title by the two characters following HPSB. 3C = 3COM 3P = 3rd Party Software GN = HP General Software HF = HP Hardware and Firmware MP = MPE/iX MU = Multi-Platform Software NS = NonStop Servers OV = OpenVMS PI = Printing and Imaging PV = ProCurve ST = Storage Software TU = Tru64 UNIX UX = HP-UX Copyright 2012 Hewlett-Packard Development Company, L.P. Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental,special or consequential damages including downtime cost; lost profits;damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett-Packard Company and the names of Hewlett-Packard products referenced herein are trademarks of Hewlett-Packard Company in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners. This issue does not affect OS X Mountain Lion systems. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 201110-26 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - http://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: High Title: libxml2: Multiple vulnerabilities Date: October 26, 2011 Bugs: #345555, #370715, #386985 ID: 201110-26 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== Multiple vulnerabilities were found in libxml2 which could lead to execution of arbitrary code or a Denial of Service. Background ========== libxml2 is the XML C parser and toolkit developed for the Gnome project. Affected packages ================= ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 dev-libs/libxml2 < 2.7.8-r3 >= 2.7.8-r3 Description =========== Multiple vulnerabilities have been discovered in libxml2. Please review the CVE identifiers referenced below for details. Workaround ========== There is no known workaround at this time. Resolution ========== All libxml2 users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=dev-libs/libxml2-2.7.8-r3" References ========== [ 1 ] CVE-2010-4008 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4008 [ 2 ] CVE-2010-4494 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4494 [ 3 ] CVE-2011-1944 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1944 [ 4 ] CVE-2011-2821 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2821 [ 5 ] CVE-2011-2834 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2834 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-201110-26.xml Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License ======= Copyright 2011 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5 . Summary: Updated mingw32-libxml2 packages that fix several security issues are now available for Red Hat Enterprise Linux 6. This advisory also contains information about future updates for the mingw32 packages, as well as the deprecation of the packages with the release of Red Hat Enterprise Linux 6.4. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux Desktop Optional (v. 6) - noarch Red Hat Enterprise Linux HPC Node Optional (v. 6) - noarch Red Hat Enterprise Linux Server Optional (v. 6) - noarch Red Hat Enterprise Linux Workstation Optional (v. 6) - noarch 3. Description: These packages provide the libxml2 library, a development toolbox providing the implementation of various XML standards, for users of MinGW (Minimalist GNU for Windows). IMPORTANT NOTE: The mingw32 packages in Red Hat Enterprise Linux 6 will no longer be updated proactively and will be deprecated with the release of Red Hat Enterprise Linux 6.4. These packages were provided to support other capabilities in Red Hat Enterprise Linux and were not intended for direct customer use. Customers are advised to not use these packages with immediate effect. Future updates to these packages will be at Red Hat's discretion and these packages may be removed in a future minor release. A heap-based buffer overflow flaw was found in the way libxml2 decoded entity references with long names. A remote attacker could provide a specially-crafted XML file that, when opened in an application linked against libxml2, would cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application. (CVE-2011-3919) A heap-based buffer underflow flaw was found in the way libxml2 decoded certain entities. A remote attacker could provide a specially-crafted XML file that, when opened in an application linked against libxml2, would cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application. (CVE-2012-5134) It was found that the hashing routine used by libxml2 arrays was susceptible to predictable hash collisions. Sending a specially-crafted message to an XML service could result in longer processing time, which could lead to a denial of service. To mitigate this issue, randomization has been added to the hashing function to reduce the chance of an attacker successfully causing intentional collisions. (CVE-2012-0841) Multiple flaws were found in the way libxml2 parsed certain XPath (XML Path Language) expressions. (CVE-2010-4008, CVE-2010-4494, CVE-2011-2821, CVE-2011-2834) Two heap-based buffer overflow flaws were found in the way libxml2 decoded certain XML files. A remote attacker could provide a specially-crafted XML file that, when opened in an application linked against libxml2, would cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application. (CVE-2011-0216, CVE-2011-3102) An integer overflow flaw, leading to a heap-based buffer overflow, was found in the way libxml2 parsed certain XPath expressions. (CVE-2011-1944) An out-of-bounds memory read flaw was found in libxml2. A remote attacker could provide a specially-crafted XML file that, when opened in an application linked against libxml2, would cause the application to crash. Upstream acknowledges Bui Quang Minh from Bkis as the original reporter of CVE-2010-4008. All users of mingw32-libxml2 are advised to upgrade to these updated packages, which contain backported patches to correct these issues. 4. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/knowledge/articles/11258 5. Bugs fixed (http://bugzilla.redhat.com/): 645341 - CVE-2010-4008 libxml2: Crash (stack frame overflow or NULL pointer dereference) by traversal of XPath axis 665963 - CVE-2010-4494 libxml2: double-free in XPath processing code 709747 - CVE-2011-1944 libxml, libxml2: Heap-based buffer overflow by adding new namespace node to an existing nodeset or merging nodesets 724906 - CVE-2011-0216 libxml2: Off-by-one error leading to heap-based buffer overflow in encoding 735712 - CVE-2011-2821 libxml2: double free caused by malformed XPath expression in XSLT 735751 - CVE-2011-2834 libxml2: double-free caused by malformed XPath expression in XSLT 767387 - CVE-2011-3905 libxml2 out of bounds read 771896 - CVE-2011-3919 libxml2: Heap-based buffer overflow when decoding an entity reference with a long name 787067 - CVE-2012-0841 libxml2: hash table collisions CPU usage DoS 822109 - CVE-2011-3102 libxml: An off-by-one out-of-bounds write by XPointer part evaluation 880466 - CVE-2012-5134 libxml2: Heap-buffer-underflow in xmlParseAttValueComplex 6. Package List: Red Hat Enterprise Linux Desktop Optional (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/mingw32-libxml2-2.7.6-6.el6_3.src.rpm noarch: mingw32-libxml2-2.7.6-6.el6_3.noarch.rpm mingw32-libxml2-debuginfo-2.7.6-6.el6_3.noarch.rpm mingw32-libxml2-static-2.7.6-6.el6_3.noarch.rpm Red Hat Enterprise Linux HPC Node Optional (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/mingw32-libxml2-2.7.6-6.el6_3.src.rpm noarch: mingw32-libxml2-2.7.6-6.el6_3.noarch.rpm mingw32-libxml2-debuginfo-2.7.6-6.el6_3.noarch.rpm mingw32-libxml2-static-2.7.6-6.el6_3.noarch.rpm Red Hat Enterprise Linux Server Optional (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/mingw32-libxml2-2.7.6-6.el6_3.src.rpm noarch: mingw32-libxml2-2.7.6-6.el6_3.noarch.rpm mingw32-libxml2-debuginfo-2.7.6-6.el6_3.noarch.rpm mingw32-libxml2-static-2.7.6-6.el6_3.noarch.rpm Red Hat Enterprise Linux Workstation Optional (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/mingw32-libxml2-2.7.6-6.el6_3.src.rpm noarch: mingw32-libxml2-2.7.6-6.el6_3.noarch.rpm mingw32-libxml2-debuginfo-2.7.6-6.el6_3.noarch.rpm mingw32-libxml2-static-2.7.6-6.el6_3.noarch.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package 7. References: https://www.redhat.com/security/data/cve/CVE-2010-4008.html https://www.redhat.com/security/data/cve/CVE-2010-4494.html https://www.redhat.com/security/data/cve/CVE-2011-0216.html https://www.redhat.com/security/data/cve/CVE-2011-1944.html https://www.redhat.com/security/data/cve/CVE-2011-2821.html https://www.redhat.com/security/data/cve/CVE-2011-2834.html https://www.redhat.com/security/data/cve/CVE-2011-3102.html https://www.redhat.com/security/data/cve/CVE-2011-3905.html https://www.redhat.com/security/data/cve/CVE-2011-3919.html https://www.redhat.com/security/data/cve/CVE-2012-0841.html https://www.redhat.com/security/data/cve/CVE-2012-5134.html https://access.redhat.com/security/updates/classification/#important 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2013 Red Hat, Inc. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 APPLE-SA-2012-09-19-1 iOS 6 iOS 6 is now available and addresses the following: CFNetwork Available for: iPhone 3GS and later, iPod touch (4th generation) and later, iPad 2 and later Impact: Visiting a maliciously crafted website may lead to the disclosure of sensitive information Description: An issue existed in CFNetwork's handling of malformed URLs. CFNetwork may send requests to an incorrect hostname, resulting in the disclosure of sensitive information. This issue was addressed through improvements to URL handling. CVE-ID CVE-2012-3724 : Erling Ellingsen of Facebook CoreGraphics Available for: iPhone 3GS and later, iPod touch (4th generation) and later, iPad 2 and later Impact: Multiple vulnerabilities in FreeType Description: Multiple vulnerabilities existed in FreeType, the most serious of which may lead to arbitrary code execution when processing a maliciously crafted font. These issues were addressed by updating FreeType to version 2.4.9. Further information is available via the FreeType site at http://www.freetype.org/ CVE-ID CVE-2012-1126 CVE-2012-1127 CVE-2012-1128 CVE-2012-1129 CVE-2012-1130 CVE-2012-1131 CVE-2012-1132 CVE-2012-1133 CVE-2012-1134 CVE-2012-1135 CVE-2012-1136 CVE-2012-1137 CVE-2012-1138 CVE-2012-1139 CVE-2012-1140 CVE-2012-1141 CVE-2012-1142 CVE-2012-1143 CVE-2012-1144 CoreMedia Available for: iPhone 3GS and later, iPod touch (4th generation) and later, iPad 2 and later Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution Description: An uninitialized memory access existed in the handling of Sorenson encoded movie files. This issue was addressed through improved memory initialization. CVE-ID CVE-2012-3722 : Will Dormann of the CERT/CC DHCP Available for: iPhone 3GS and later, iPod touch (4th generation) and later, iPad 2 and later Impact: A malicious Wi-Fi network may be able to determine networks a device has previously accessed Description: Upon connecting to a Wi-Fi network, iOS may broadcast MAC addresses of previously accessed networks per the DNAv4 protocol. This issue was addressed by disabling DNAv4 on unencrypted Wi-Fi networks. CVE-ID CVE-2012-3725 : Mark Wuergler of Immunity, Inc. ImageIO Available for: iPhone 3GS and later, iPod touch (4th generation) and later, iPad 2 and later Impact: Viewing a maliciously crafted TIFF file may lead to an unexpected application termination or arbitrary code execution Description: A buffer overflow existed in libtiff's handling of ThunderScan encoded TIFF images. This issue was addressed by updating libtiff to version 3.9.5. CVE-ID CVE-2011-1167 ImageIO Available for: iPhone 3GS and later, iPod touch (4th generation) and later, iPad 2 and later Impact: Viewing a maliciously crafted PNG image may lead to an unexpected application termination or arbitrary code execution Description: Multiple memory corruption issues existed in libpng's handling of PNG images. These issues were addressed through improved validation of PNG images. CVE-ID CVE-2011-3026 : Juri Aedla CVE-2011-3048 CVE-2011-3328 ImageIO Available for: iPhone 3GS and later, iPod touch (4th generation) and later, iPad 2 and later Impact: Viewing a maliciously crafted JPEG image may lead to an unexpected application termination or arbitrary code execution Description: A double free issue existed in ImageIO's handling of JPEG images. This issue was addressed through improved memory management. CVE-ID CVE-2012-3726 : Phil of PKJE Consulting ImageIO Available for: iPhone 3GS and later, iPod touch (4th generation) and later, iPad 2 and later Impact: Viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution Description: An integer overflow issue existed in libTIFF's handling of TIFF images. This issue was addressed through improved validation of TIFF images. CVE-ID CVE-2012-1173 : Alexander Gavrun working with HP's Zero Day Initiative International Components for Unicode Available for: iPhone 3GS and later, iPod touch (4th generation) and later, iPad 2 and later Impact: Applications that use ICU may be vulnerable to an unexpected application termination or arbitrary code execution Description: A stack buffer overflow existed in the handling of ICU locale IDs. This issue was addressed through improved bounds checking. CVE-ID CVE-2011-4599 IPSec Available for: iPhone 3GS and later, iPod touch (4th generation) and later, iPad 2 and later Impact: Loading a maliciously crafted racoon configuration file may lead to arbitrary code execution Description: A buffer overflow existed in the handling of racoon configuration files. This issue was addressed through improved bounds checking. CVE-ID CVE-2012-3727 : iOS Jailbreak Dream Team Kernel Available for: iPhone 3GS and later, iPod touch (4th generation) and later, iPad 2 and later Impact: A local user may be able to execute arbitrary code with system privileges Description: An invalid pointer dereference issue existed in the kernel's handling of packet filter ioctls. This may allow an attacker to alter kernel memory. This issue was addressed through improved error handling. CVE-ID CVE-2012-3728 : iOS Jailbreak Dream Team Kernel Available for: iPhone 3GS and later, iPod touch (4th generation) and later, iPad 2 and later Impact: A local user may be able to determine kernel memory layout Description: An uninitialized memory access issue existed in the Berkeley Packet Filter interpreter, which led to the disclosure of memory content. This issue was addressed through improved memory initialization. CVE-ID CVE-2012-3729 : Dan Rosenberg libxml Available for: iPhone 3GS and later, iPod touch (4th generation) and later, iPad 2 and later Impact: Viewing a maliciously crafted web page may lead to an unexpected application termination or arbitrary code execution Description: Multiple vulnerabilities existed in libxml, the most serious of which may lead to an unexpected application termination or arbitrary code execution. These issues were addressed by applying the relevant upstream patches. CVE-ID CVE-2011-1944 : Chris Evans of Google Chrome Security Team CVE-2011-2821 : Yang Dingning of NCNIPC, Graduate University of Chinese Academy of Sciences CVE-2011-2834 : Yang Dingning of NCNIPC, Graduate University of Chinese Academy of Sciences CVE-2011-3919 : Juri Aedla Mail Available for: iPhone 3GS and later, iPod touch (4th generation) and later, iPad 2 and later Impact: Mail may present the wrong attachment in a message Description: A logic issue existed in Mail's handling of attachments. If a subsequent mail attachment used the same Content-ID as a previous one, the previous attachment would be displayed, even in the case where the 2 mails originated from different senders. This could facilitate some spoofing or phishing attacks. This issue was addressed through improved handling of attachments. CVE-ID CVE-2012-3730 : Angelo Prado of the salesforce.com Product Security Team Mail Available for: iPhone 3GS and later, iPod touch (4th generation) and later, iPad 2 and later Impact: Email attachments may be read without user's passcode Description: A logic issue existed in Mail's use of Data Protection on email attachments. This issue was addressed by properly setting the Data Protection class for email attachments. CVE-ID CVE-2012-3731 : Stephen Prairie of Travelers Insurance, Erich Stuntebeck of AirWatch Mail Available for: iPhone 3GS and later, iPod touch (4th generation) and later, iPad 2 and later Impact: An attacker may spoof the sender of a S/MIME signed message Description: S/MIME signed messages displayed the untrusted 'From' address, instead of the name associated with the message signer's identity. This issue was addressed by displaying the address associated with the message signer's identity when it is available. CVE-ID CVE-2012-3732 : An anonymous researcher Messages Available for: iPhone 3GS and later, iPod touch (4th generation) and later, iPad 2 and later Impact: A user may unintentionally disclose the existence of their email addresses Description: When a user had multiple email addresses associated with iMessage, replying to a message may have resulted in the reply being sent from a different email address. This may disclose another email address associated to the user's account. This issue was addressed by always replying from the email address the original message was sent to. CVE-ID CVE-2012-3733 : Rodney S. Foley of Gnomesoft, LLC Office Viewer Available for: iPhone 3GS and later, iPod touch (4th generation) and later, iPad 2 and later Impact: Unencrypted document data may be written to a temporary file Description: An information disclosure issue existed in the support for viewing Microsoft Office files. When viewing a document, the Office Viewer would write a temporary file containing data from the viewed document to the temporary directory of the invoking process. For an application that uses data protection or other encryption to protect the user's files, this could lead to information disclosure. This issue was addressed by avoiding creation of temporary files when viewing Office documents. CVE-ID CVE-2012-3734 : Salvatore Cataudella of Open Systems Technologies OpenGL Available for: iPhone 3GS and later, iPod touch (4th generation) and later, iPad 2 and later Impact: Applications that use OS X's OpenGL implementation may be vulnerable to an unexpected application termination or arbitrary code execution Description: Multiple memory corruption issues existed in the handling of GLSL compilation. These issues were addressed through improved validation of GLSL shaders. CVE-ID CVE-2011-3457 : Chris Evans of the Google Chrome Security Team, and Marc Schoenefeld of the Red Hat Security Response Team Passcode Lock Available for: iPhone 3GS and later, iPod touch (4th generation) and later, iPad 2 and later Impact: A person with physical access to the device could briefly view the last used third-party app on a locked device Description: A logic issue existed with the display of the "Slide to Power Off" slider on the lock screen. This issue was addressed through improved lock state management. CVE-ID CVE-2012-3735 : Chris Lawrence DBB Passcode Lock Available for: iPhone 3GS and later, iPod touch (4th generation) and later, iPad 2 and later Impact: A person with physical access to the device may be able to bypass the screen lock Description: A logic issue existed in the termination of FaceTime calls from the lock screen. This issue was addressed through improved lock state management. CVE-ID CVE-2012-3736 : Ian Vitek of 2Secure AB Passcode Lock Available for: iPhone 3GS and later, iPod touch (4th generation) and later, iPad 2 and later Impact: All photos may be accessible at the lock screen Description: A design issue existed in the support for viewing photos that were taken at the lock screen. In order to determine which photos to permit access to, the passcode lock consulted the time at which the device was locked and compared it to the time that a photo was taken. By spoofing the current time, an attacker could gain access to photos that were taken before the device was locked. This issues was addressed by explicitly keeping track of the photos that were taken while the device was locked. CVE-ID CVE-2012-3737 : Ade Barkah of BlueWax Inc. Passcode Lock Available for: iPhone 3GS and later, iPod touch (4th generation) and later, iPad 2 and later Impact: A person with physical access to a locked device may perform FaceTime calls Description: A logic issue existed in the Emergency Dialer screen, which permitted FaceTime calls via Voice Dialing on the locked device. This could also disclose the user's contacts via contact suggestions. This issue was addressed by disabling Voice Dialing on the Emergency Dialer screen. CVE-ID CVE-2012-3738 : Ade Barkah of BlueWax Inc. Passcode Lock Available for: iPhone 3GS and later, iPod touch (4th generation) and later, iPad 2 and later Impact: A person with physical access to the device may be able to bypass the screen lock Description: Using the camera from the screen lock could in some cases interfere with automatic lock functionality, allowing a person with physical access to the device to bypass the Passcode Lock screen. This issue was addressed through improved lock state management. CVE-ID CVE-2012-3739 : Sebastian Spanninger of the Austrian Federal Computing Centre (BRZ) Passcode Lock Available for: iPhone 3GS and later, iPod touch (4th generation) and later, iPad 2 and later Impact: A person with physical access to the device may be able to bypass the screen lock Description: A state management issue existed in the handling of the screen lock. This issue was addressed through improved lock state management. CVE-ID CVE-2012-3740 : Ian Vitek of 2Secure AB Restrictions Available for: iPhone 3GS and later, iPod touch (4th generation) and later, iPad 2 and later Impact: A user may be able to make purchases without entering Apple ID credentials Description: After disabling Restrictions, iOS may not ask for the user's password during a transaction. This issue was addressed by additional enforcement of purchase authorization. CVE-ID CVE-2012-3741 : Kevin Makens of Redwood High School Safari Available for: iPhone 3GS and later, iPod touch (4th generation) and later, iPad 2 and later Impact: Websites may use characters with an appearance similar to the lock icon in their titles Description: Websites could use a Unicode character to create a lock icon in the page title. This icon was similar in appearance to the icon used to indicate a secure connection, and could have lead the user to believe a secure connection had been established. This issue was addressed by removing these characters from page titles. CVE-ID CVE-2012-3742 : Boku Kihara of Lepidum Safari Available for: iPhone 3GS and later, iPod touch (4th generation) and later, iPad 2 and later Impact: Passwords may autocomplete even when the site specifies that autocomplete should be disabled Description: Password input elements with the autocomplete attribute set to "off" were being autocompleted. This issue was addressed through improved handling of the autocomplete attribute. CVE-ID CVE-2012-0680 : Dan Poltawski of Moodle System Logs Available for: iPhone 3GS and later, iPod touch (4th generation) and later, iPad 2 and later Impact: Sandboxed apps may obtain system log content Description: Sandboxed apps had read access to /var/log directory, which may allow them to obtain sensitive information contained in system logs. This issue was addressed by denying sandboxed apps access to the /var/log directory. CVE-ID CVE-2012-3743 Telephony Available for: iPhone 3GS and later, iPod touch (4th generation) and later, iPad 2 and later Impact: An SMS message may appear to have been sent by an arbitrary user Description: Messages displayed the return address of an SMS message as the sender. Return addresses may be spoofed. This issue was addressed by always displaying the originating address instead of the return address. CVE-ID CVE-2012-3744 : pod2g Telephony Available for: iPhone 3GS and later, iPod touch (4th generation) and later, iPad 2 and later Impact: An SMS message may disrupt cellular connectivity Description: An off-by-one buffer overflow existed in the handling of SMS user data headers. This issue was addressed through improved bounds checking. CVE-ID CVE-2012-3745 : pod2g UIKit Available for: iPhone 3GS and later, iPod touch (4th generation) and later, iPad 2 and later Impact: An attacker that gains access to a device's filesystem may be able to read files that were being displayed in a UIWebView Description: Applications that use UIWebView may leave unencrypted files on the file system even when a passcode is enabled. This issue was addressed through improved use of data protection. CVE-ID CVE-2012-3746 : Ben Smith of Box WebKit Available for: iPhone 3GS and later, iPod touch (4th generation) and later, iPad 2 and later Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution Description: Multiple memory corruption issues existed in WebKit. These issues were addressed through improved memory handling. CVE-ID CVE-2011-3016 : miaubiz CVE-2011-3021 : Arthur Gerkis CVE-2011-3027 : miaubiz CVE-2011-3032 : Arthur Gerkis CVE-2011-3034 : Arthur Gerkis CVE-2011-3035 : wushi of team509 working with iDefense VCP, Arthur Gerkis CVE-2011-3036 : miaubiz CVE-2011-3037 : miaubiz CVE-2011-3038 : miaubiz CVE-2011-3039 : miaubiz CVE-2011-3040 : miaubiz CVE-2011-3041 : miaubiz CVE-2011-3042 : miaubiz CVE-2011-3043 : miaubiz CVE-2011-3044 : Arthur Gerkis CVE-2011-3050 : miaubiz CVE-2011-3053 : miaubiz CVE-2011-3059 : Arthur Gerkis CVE-2011-3060 : miaubiz CVE-2011-3064 : Atte Kettunen of OUSPG CVE-2011-3068 : miaubiz CVE-2011-3069 : miaubiz CVE-2011-3071 : pa_kt working with HP's Zero Day Initiative CVE-2011-3073 : Arthur Gerkis CVE-2011-3074 : Slawomir Blazek CVE-2011-3075 : miaubiz CVE-2011-3076 : miaubiz CVE-2011-3078 : Martin Barbella of the Google Chrome Security Team CVE-2011-3081 : miaubiz CVE-2011-3086 : Arthur Gerkis CVE-2011-3089 : Skylined of the Google Chrome Security Team, miaubiz CVE-2011-3090 : Arthur Gerkis CVE-2011-3105 : miaubiz CVE-2011-3913 : Arthur Gerkis CVE-2011-3924 : Arthur Gerkis CVE-2011-3926 : Arthur Gerkis CVE-2011-3958 : miaubiz CVE-2011-3966 : Aki Helin of OUSPG CVE-2011-3968 : Arthur Gerkis CVE-2011-3969 : Arthur Gerkis CVE-2011-3971 : Arthur Gerkis CVE-2012-0682 : Apple Product Security CVE-2012-0683 : Dave Mandelin of Mozilla CVE-2012-1520 : Martin Barbella of the Google Chrome Security Team using AddressSanitizer, Jose A. Vazquez of spa-s3c.blogspot.com working with iDefense VCP CVE-2012-1521 : Skylined of the Google Chrome Security Team, Jose A. Vazquez of spa-s3c.blogspot.com working with iDefense VCP CVE-2012-2818 : miaubiz CVE-2012-3589 : Dave Mandelin of Mozilla CVE-2012-3590 : Apple Product Security CVE-2012-3591 : Apple Product Security CVE-2012-3592 : Apple Product Security CVE-2012-3593 : Apple Product Security CVE-2012-3594 : miaubiz CVE-2012-3595 : Martin Barbella of Google Chrome Security CVE-2012-3596 : Skylined of the Google Chrome Security Team CVE-2012-3597 : Abhishek Arya (Inferno) of the Google Chrome Security Team CVE-2012-3598 : Apple Product Security CVE-2012-3599 : Abhishek Arya (Inferno) of the Google Chrome Security Team CVE-2012-3600 : David Levin of the Chromium development community CVE-2012-3601 : Martin Barbella of the Google Chrome Security Team using AddressSanitizer CVE-2012-3602 : miaubiz CVE-2012-3603 : Apple Product Security CVE-2012-3604 : Skylined of the Google Chrome Security Team CVE-2012-3605 : Cris Neckar of the Google Chrome Security team CVE-2012-3608 : Skylined of the Google Chrome Security Team CVE-2012-3609 : Skylined of the Google Chrome Security Team CVE-2012-3610 : Skylined of the Google Chrome Security Team CVE-2012-3611 : Apple Product Security CVE-2012-3612 : Skylined of the Google Chrome Security Team CVE-2012-3613 : Abhishek Arya (Inferno) of the Google Chrome Security Team CVE-2012-3614 : Yong Li of Research In Motion, Inc. CVE-2012-3615 : Stephen Chenney of the Chromium development community CVE-2012-3617 : Apple Product Security CVE-2012-3618 : Abhishek Arya (Inferno) of the Google Chrome Security Team CVE-2012-3620 : Abhishek Arya (Inferno) of the Google Chrome Security Team CVE-2012-3624 : Skylined of the Google Chrome Security Team CVE-2012-3625 : Skylined of Google Chrome Security Team CVE-2012-3626 : Apple Product Security CVE-2012-3627 : Skylined and Abhishek Arya (Inferno) of Google Chrome Security team CVE-2012-3628 : Apple Product Security CVE-2012-3629 : Abhishek Arya (Inferno) of the Google Chrome Security Team CVE-2012-3630 : Abhishek Arya (Inferno) of the Google Chrome Security Team CVE-2012-3631 : Abhishek Arya (Inferno) of the Google Chrome Security Team CVE-2012-3633 : Martin Barbella of Google Chrome Security Team using AddressSanitizer CVE-2012-3634 : Martin Barbella of Google Chrome Security Team using AddressSanitizer CVE-2012-3635 : Martin Barbella of Google Chrome Security Team using AddressSanitizer CVE-2012-3636 : Martin Barbella of Google Chrome Security Team using AddressSanitizer CVE-2012-3637 : Martin Barbella of Google Chrome Security Team using AddressSanitizer CVE-2012-3638 : Martin Barbella of Google Chrome Security Team using AddressSanitizer CVE-2012-3639 : Martin Barbella of Google Chrome Security Team using AddressSanitizer CVE-2012-3640 : miaubiz CVE-2012-3641 : Slawomir Blazek CVE-2012-3642 : miaubiz CVE-2012-3644 : miaubiz CVE-2012-3645 : Martin Barbella of Google Chrome Security Team using AddressSanitizer CVE-2012-3646 : Julien Chaffraix of the Chromium development community, Martin Barbella of Google Chrome Security Team using AddressSanitizer CVE-2012-3647 : Skylined of the Google Chrome Security Team CVE-2012-3648 : Abhishek Arya (Inferno) of the Google Chrome Security Team CVE-2012-3651 : Abhishek Arya (Inferno) and Martin Barbella of the Google Chrome Security Team CVE-2012-3652 : Martin Barbella of Google Chrome Security Team CVE-2012-3653 : Martin Barbella of Google Chrome Security Team using AddressSanitizer CVE-2012-3655 : Skylined of the Google Chrome Security Team CVE-2012-3656 : Abhishek Arya (Inferno) of the Google Chrome Security Team CVE-2012-3658 : Apple CVE-2012-3659 : Mario Gomes of netfuzzer.blogspot.com, Abhishek Arya (Inferno) of the Google Chrome Security Team CVE-2012-3660 : Abhishek Arya (Inferno) of the Google Chrome Security Team CVE-2012-3661 : Apple Product Security CVE-2012-3663 : Skylined of Google Chrome Security Team CVE-2012-3664 : Thomas Sepez of the Chromium development community CVE-2012-3665 : Martin Barbella of Google Chrome Security Team using AddressSanitizer CVE-2012-3666 : Apple CVE-2012-3667 : Trevor Squires of propaneapp.com CVE-2012-3668 : Apple Product Security CVE-2012-3669 : Apple Product Security CVE-2012-3670 : Abhishek Arya (Inferno) of the Google Chrome Security Team, Arthur Gerkis CVE-2012-3671 : Skylined and Martin Barbella of the Google Chrome Security Team CVE-2012-3672 : Abhishek Arya (Inferno) of the Google Chrome Security Team CVE-2012-3673 : Abhishek Arya (Inferno) of the Google Chrome Security Team CVE-2012-3674 : Skylined of Google Chrome Security Team CVE-2012-3676 : Julien Chaffraix of the Chromium development community CVE-2012-3677 : Apple CVE-2012-3678 : Apple Product Security CVE-2012-3679 : Chris Leary of Mozilla CVE-2012-3680 : Skylined of Google Chrome Security Team CVE-2012-3681 : Apple CVE-2012-3682 : Adam Barth of the Google Chrome Security Team CVE-2012-3683 : wushi of team509 working with iDefense VCP CVE-2012-3684 : kuzzcc CVE-2012-3686 : Robin Cao of Torch Mobile (Beijing) CVE-2012-3703 : Apple Product Security CVE-2012-3704 : Skylined of the Google Chrome Security Team CVE-2012-3706 : Apple Product Security CVE-2012-3708 : Apple CVE-2012-3710 : James Robinson of Google CVE-2012-3747 : David Bloom of Cue WebKit Available for: iPhone 3GS, iPhone 4, iPhone 4S, iPod touch (3rd generation) and later, iPad, iPad 2 Impact: Visiting a maliciously crafted website may lead to a cross- site disclosure of information Description: A cross-origin issue existed in the handling of CSS property values. This issue was addressed through improved origin tracking. CVE-ID CVE-2012-3691 : Apple WebKit Available for: iPhone 3GS, iPhone 4, iPhone 4S, iPod touch (3rd generation) and later, iPad, iPad 2 Impact: A malicious website may be able to replace the contents of an iframe on another site Description: A cross-origin issue existed in the handling of iframes in popup windows. This issue was addressed through improved origin tracking. CVE-ID CVE-2011-3067 : Sergey Glazunov WebKit Available for: iPhone 3GS, iPhone 4, iPhone 4S, iPod touch (3rd generation) and later, iPad, iPad 2 Impact: Visiting a maliciously crafted website may lead to a cross- site disclosure of information Description: A cross-origin issue existed in the handling of iframes and fragment identifiers. This issue was addressed through improved origin tracking. CVE-ID CVE-2012-2815 : Elie Bursztein, Baptiste Gourdin, Gustav Rydstedt, and Dan Boneh of the Stanford University Security Laboratory WebKit Available for: iPhone 3GS and later, iPod touch (4th generation) and later, iPad 2 and later Impact: Look-alike characters in a URL could be used to masquerade a website Description: The International Domain Name (IDN) support and Unicode fonts embedded in Safari could have been used to create a URL which contains look-alike characters. These could have been used in a malicious website to direct the user to a spoofed site that visually appears to be a legitimate domain. This issue was addressed by supplementing WebKit's list of known look-alike characters. Look- alike characters are rendered in Punycode in the address bar. CVE-ID CVE-2012-3693 : Matt Cooley of Symantec WebKit Available for: iPhone 3GS and later, iPod touch (4th generation) and later, iPad 2 and later Impact: Visiting a maliciously crafted website may lead to a cross- site scripting attack Description: A canonicalization issue existed in the handling of URLs. This may have led to cross-site scripting on sites which use the location.href property. This issue was addressed through improved canonicalization of URLs. CVE-ID CVE-2012-3695 : Masato Kinugawa WebKit Available for: iPhone 3GS and later, iPod touch (4th generation) and later, iPad 2 and later Impact: Visiting a maliciously crafted website may lead to HTTP request splitting Description: An HTTP header injection issue existed in the handling of WebSockets. This issue was addressed through improved WebSockets URI sanitization. CVE-ID CVE-2012-3696 : David Belcher of the BlackBerry Security Incident Response Team WebKit Available for: iPhone 3GS and later, iPod touch (4th generation) and later, iPad 2 and later Impact: A maliciously crafted website may be able to spoof the value in the URL bar Description: A state management issue existed in the handling of session history. Navigations to a fragment on the current page may cause Safari to display incorrect information in the URL bar. This issue was addressed through improved session state tracking. CVE-ID CVE-2011-2845 : Jordi Chancel WebKit Available for: iPhone 3GS and later, iPod touch (4th generation) and later, iPad 2 and later Impact: Visiting a maliciously crafted website may lead to the disclosure of the disclosure of memory contents Description: An uninitialized memory access issue existed in the handling of SVG images. This issue was addressed through improved memory initialization. CVE-ID CVE-2012-3650 : Apple Installation note: This update is available through iTunes and Software Update on your iOS device, and will not appear in your computer's Software Update application, or in the Apple Downloads site. Make sure you have an Internet connection and have installed the latest version of iTunes from www.apple.com/itunes/ iTunes and Software Update on the device will automatically check Apple's update server on its weekly schedule. When an update is detected, it is downloaded and the option to be installed is presented to the user when the iOS device is docked. We recommend applying the update immediately if possible. Selecting Don't Install will present the option the next time you connect your iOS device. The automatic update process may take up to a week depending on the day that iTunes or the device checks for updates. You may manually obtain the update via the Check for Updates button within iTunes, or the Software Update on your device. To check that the iPhone, iPod touch, or iPad has been updated: * Navigate to Settings * Select General * Select About. The version after applying this update will be "6.0". Information will also be posted to the Apple Security Updates web site: http://support.apple.com/kb/HT1222 This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.17 (Darwin) Comment: GPGTools - http://gpgtools.org iQIcBAEBAgAGBQJQWeYHAAoJEPefwLHPlZEwFlwP/1Ib/2m8K7orlPb3zmsKTyjo 3T0rFqu1LbXNzwLRhan7E7KiJoQ7U6yVO4045o/19AYZM+zGVNnHsCkUc3+Vcpa5 TZIM9Rik2iXKMxzttFfc5tvhE1u18PstsDLU/jvyW+s3XxMVL54wnSmW1R+P0de0 8+Q++IANogUj+scJzQkTaFDNDN5v1p0BT0+cifCcqktXB4H/PoaQ7drIWiDGYB/9 n4IL5AjM0BJBzWkldfjPimZ0BseSA0BxdeVCopmAgdnigyB60G4cWGzkU7E35VnP dWgdU9rnIIvGGe/vP912f7AoPtWs1b8n6DYCJgGRXvaRfPoHFUlXaRoVB6vJlMVs JXyMrw/RSDfYEgJdNbFOSxyJXHUkTkt4+aNW4KcoMR6raI/W5zKDyMEICw1wpkwP id6Dz4e6ncf+cfvAFqXpk02OC7iJqn71IJN2MvU/hC7797l++PINIoOHwJZolt+T xL3wV8p3Lk8K6lZx3Q9Tu6Dd7GYkxtjLCgV1NgdHOwPKDUOJ47oG6RjZAd6hpicp RqYXbk5bJpd3nZv+X6FrCZqGfeuwREWW7FJ0dI+/8ohlnisTz16f48W9FtuN3HIj bmxFJ46P4LGxrizwDSdBngxf3Utkh+7hGLuMH51/jR8+tCqDIEgpKBA+2F+IOmyP XtT4lS60xKz63YSg79dd =LvMt -----END PGP SIGNATURE-----

Ignition is prone to an information-disclosure vulnerability. Exploiting this issue could allow an attacker to gain access to potentially sensitive information. Information obtained may aid in further attacks. Versions prior to Ignition 7.2.8.178 are vulnerable. ---------------------------------------------------------------------- The Secunia CSI 5.0 Beta - now available for testing Find out more, take a free test drive, and share your opinion with us: http://secunia.com/blog/242 ---------------------------------------------------------------------- TITLE: Inductive Automation Ignition File Disclosure Vulnerability SECUNIA ADVISORY ID: SA45896 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/45896/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=45896 RELEASE DATE: 2011-09-06 DISCUSS ADVISORY: http://secunia.com/advisories/45896/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/45896/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=45896 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: A vulnerability has been reported in Inductive Automation Ignition, which can be exploited by malicious people to disclose potentially sensitive information. Certain unspecified input passed via the URL is not properly verified before being used to display files. This can be exploited to disclose the contents of files. SOLUTION: Update to version 7.2.8.178. PROVIDED AND/OR DISCOVERED BY: Rub\xe9n Santamarta via ICS-CERT. ORIGINAL ADVISORY: http://www.us-cert.gov/control_systems/pdf/ICSA-11-231-01.pdf OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------