VARIoT IoT vulnerabilities database
| VAR-200308-0006 | CVE-2003-0425 | Apple QuickTime/Darwin Streaming Server Directory Traversal Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Directory traversal vulnerability in Apple QuickTime / Darwin Streaming Server before 4.1.3f allows remote attackers to read arbitrary files via a ... (triple dot) in an HTTP request. This vulnerability may be possible to exploit using "/.../" sequences within the request sent to the server.
This vulnerability was reported to affect QuickTime/Darwin Streaming Server 4.1.3e and earlier on Windows. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Rapid7, Inc. Security Advisory
Visit http://www.rapid7.com/ to download NeXpose,
the world's most advanced vulnerability scanner.
Linux and Windows 2000/XP versions are available now!
_______________________________________________________________________
Rapid7 Advisory R7-0015
Multiple Vulnerabilities Apple QuickTime/Darwin Streaming Server
Published: July 22, 2003
Revision: 1.0
http://www.rapid7.com/advisories/R7-0015.html
CVE: CAN-2003-0421, CAN-2003-0422, CAN-2003-0423, CAN-2003-0424,
CAN-2003-0425, CAN-2003-0426, CAN-2003-0502
1. Affected system(s):
KNOWN VULNERABLE:
o QuickTime/Darwin Streaming Server v4.1.3 for MacOS X
o QuickTime/Darwin Streaming Server v4.1.3 for Win32
o QuickTime/Darwin Streaming Server v4.1.3 for Linux
UNKNOWN/NOT TESTED:
o other platforms (Solaris)
2.
3. Vendor status and information
Apple
http://www.apple.com/
The vendor has been notified and has released fixes for all but
one of the issues, which is currently under investigation.
4. Solution
Upgrade to version 4.1.3g or later of Darwin Streaming Server,
which may be obtained as a free download from:
http://developer.apple.com/darwin/projects/streaming/
Please see the next section for detailed fix information.
5. Detailed analysis
There are several vulnerabilities.
Denial of Service by HTTP Request for DOS Device Name
CVE ID: CAN-2003-0421
Affects: Darwin Streaming Server v4.1.3e and earlier (Win32 only)
Fixed: In version 4.1.3f (Win32)
Requesting a DOS device name (e.g. AUX) over HTTP (port 1220)
will cause a denial of service on the server. An initial
HTTP 404 response will be returned for the device request,
but future requests will not be serviced. For example:
==> GET /AUX HTTP/1.0
Denial of Service by Request for ../ DOS Device Name
CVE ID: CAN-2003-0502
Affects: Darwin Streaming Server v4.1.3f and earlier (Win32 only)
Fixed: In version 4.1.3g (Win32)
This is a variant of CAN-2003-0421. A fix for CAN-2003-0421
was included in Streaming Server version, 4.1.3f, but further
testing revealed that it was vulnerable to a variant where
the device name was prefixed by dotdot slash (../), as in:
==> GET /../AUX HTTP/1.0
Denial of Service by HTTP Request for /view_broadcast.cgi Script
CVE ID: CAN-2003-0422
Affects: Darwin Streaming Server v4.1.3e and earlier (Win32 only)
Fixed: In version 4.1.3f (Win32)
Requesting the /view_broadcast.cgi script over HTTP (port 1220)
will cause a denial of service on the server if the required
request parameters are not sent. The connection will be
closed midway through servicing the request and no new
connections will be allowed to the server.
Example:
==> GET /view_broadcast.cgi HTTP/1.0
<== HTTP/1.0 200 OK
<== Content-Type: video/quicktime
<==
<== rtsp://
^^ server drops connection
Source Disclosure via HTTP Request for /parse_xml.cgi Script
CVE ID: CAN-2003-0423
Affects: Darwin Streaming Server v4.1.3g and earlier
Fixed: No fix is available at this time. Apple is aware of
this issue and they are investigating it further.
The source code of any file within the web root can be obtained
by issuing a request for /parse_xml.cgi?filename=[file], where
[file] is the file whose source code you wish to view.
This is only a serious risk if the administrator has installed
custom scripts on Darwin Streaming Server that need to be
protected.
Script Source Disclosure by Appending Special Characters
CVE ID: CAN-2003-0424
Affects: Darwin Streaming Server v4.1.3e and earlier (Win32 only)
Fixed: In version 4.1.3f (Win32)
The source code of any script can be obtained by appending the
special characters %2e (period) or %20 (space) to an HTTP request
for that script. For example, requesting /view_broadcast.cgi%2e
will reveal the source code for that script.
Web Root Traversal and Arbitrary File Disclosure (Win32)
CVE ID: CAN-2003-0425
Affects: Darwin Streaming Server v4.1.3e and earlier (Win32 only)
Fixed: In version 4.1.3f (Win32)
Any file on the system can be retrieved by using three dots
to break out of the web root. For example, requesting
/.../qtusers will return the QuickTime user/password file.
Default Install Allows Remote User to Set Admin Password
CVE ID: CAN-2003-0426
Affects: Darwin Streaming Server v4.1.3e and earlier (Mac OS X only)
Fixed: In version 4.1.3f (Mac OS X)
When Darwin Streaming Server is first installed, the
HTTP-based administration server (typically port 1220)
presents a "Setup Assistant" page where the user is prompted
to set a new administrator password. This would allow any
remote user to connect and set up an administrator password
before the server administrator has had a chance to do so.
6. Contact Information
Rapid7 Security Advisories
Email: advisory@rapid7.com
Web: http://www.rapid7.com/
Phone: +1 (212) 558-8700
7. Disclaimer and Copyright
Rapid7, Inc. is not responsible for the misuse of the information
provided in our security advisories. These advisories are a service
to the professional security community. There are NO WARRANTIES
with regard to this information. Any application or distribution of
this information constitutes acceptance AS IS, at the user's own
risk. This information is subject to change without notice.
This advisory Copyright (C) 2003 Rapid7, Inc. Permission is
hereby granted to redistribute this advisory, providing that no
changes are made and that the copyright notices and disclaimers
remain intact.
-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0
iQA/AwUBPx3UVST52JC2U8wAEQLPIwCg2Ps9jBufF8N6dGgCaoxEMijMtbcAnRL8
793Plejp5hw/r1OkojX2CQaB
=OD0m
-----END PGP SIGNATURE-----
| VAR-200308-0005 | CVE-2003-0424 | Apple QuickTime/Darwin Streaming Server Script Source Leak Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Apple QuickTime / Darwin Streaming Server before 4.1.3f allows remote attackers to obtain the source code for scripts by appending encoded space (%20) or . (%2e) characters to an HTTP request for the script, e.g. view_broadcast.cgi. A problem in the handling of requests appended with special characters has been reported in Apple QuickTime/Darwin Streaming Server. This issue may make it possible for an attacker to gain unauthorized access to source code hosted by the server.
This vulnerability was reported to affect QuickTime/Darwin Streaming Server 4.1.3e and earlier on Windows. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Rapid7, Inc. Security Advisory
Visit http://www.rapid7.com/ to download NeXpose,
the world's most advanced vulnerability scanner.
Linux and Windows 2000/XP versions are available now!
_______________________________________________________________________
Rapid7 Advisory R7-0015
Multiple Vulnerabilities Apple QuickTime/Darwin Streaming Server
Published: July 22, 2003
Revision: 1.0
http://www.rapid7.com/advisories/R7-0015.html
CVE: CAN-2003-0421, CAN-2003-0422, CAN-2003-0423, CAN-2003-0424,
CAN-2003-0425, CAN-2003-0426, CAN-2003-0502
1. Affected system(s):
KNOWN VULNERABLE:
o QuickTime/Darwin Streaming Server v4.1.3 for MacOS X
o QuickTime/Darwin Streaming Server v4.1.3 for Win32
o QuickTime/Darwin Streaming Server v4.1.3 for Linux
UNKNOWN/NOT TESTED:
o other platforms (Solaris)
2. Summary
Several vulnerabilities have been found in the Apple
QuickTime/Darwin Streaming Server, including denial of service,
web root traversal, and script source disclosure.
3. Vendor status and information
Apple
http://www.apple.com/
The vendor has been notified and has released fixes for all but
one of the issues, which is currently under investigation.
4. Solution
Upgrade to version 4.1.3g or later of Darwin Streaming Server,
which may be obtained as a free download from:
http://developer.apple.com/darwin/projects/streaming/
Please see the next section for detailed fix information.
5. Detailed analysis
There are several vulnerabilities.
Denial of Service by HTTP Request for DOS Device Name
CVE ID: CAN-2003-0421
Affects: Darwin Streaming Server v4.1.3e and earlier (Win32 only)
Fixed: In version 4.1.3f (Win32)
Requesting a DOS device name (e.g. AUX) over HTTP (port 1220)
will cause a denial of service on the server. An initial
HTTP 404 response will be returned for the device request,
but future requests will not be serviced. For example:
==> GET /AUX HTTP/1.0
Denial of Service by Request for ../ DOS Device Name
CVE ID: CAN-2003-0502
Affects: Darwin Streaming Server v4.1.3f and earlier (Win32 only)
Fixed: In version 4.1.3g (Win32)
This is a variant of CAN-2003-0421. A fix for CAN-2003-0421
was included in Streaming Server version, 4.1.3f, but further
testing revealed that it was vulnerable to a variant where
the device name was prefixed by dotdot slash (../), as in:
==> GET /../AUX HTTP/1.0
Denial of Service by HTTP Request for /view_broadcast.cgi Script
CVE ID: CAN-2003-0422
Affects: Darwin Streaming Server v4.1.3e and earlier (Win32 only)
Fixed: In version 4.1.3f (Win32)
Requesting the /view_broadcast.cgi script over HTTP (port 1220)
will cause a denial of service on the server if the required
request parameters are not sent. The connection will be
closed midway through servicing the request and no new
connections will be allowed to the server.
Example:
==> GET /view_broadcast.cgi HTTP/1.0
<== HTTP/1.0 200 OK
<== Content-Type: video/quicktime
<==
<== rtsp://
^^ server drops connection
Source Disclosure via HTTP Request for /parse_xml.cgi Script
CVE ID: CAN-2003-0423
Affects: Darwin Streaming Server v4.1.3g and earlier
Fixed: No fix is available at this time. Apple is aware of
this issue and they are investigating it further.
The source code of any file within the web root can be obtained
by issuing a request for /parse_xml.cgi?filename=[file], where
[file] is the file whose source code you wish to view.
This is only a serious risk if the administrator has installed
custom scripts on Darwin Streaming Server that need to be
protected. For example, requesting /view_broadcast.cgi%2e
will reveal the source code for that script.
Web Root Traversal and Arbitrary File Disclosure (Win32)
CVE ID: CAN-2003-0425
Affects: Darwin Streaming Server v4.1.3e and earlier (Win32 only)
Fixed: In version 4.1.3f (Win32)
Any file on the system can be retrieved by using three dots
to break out of the web root. For example, requesting
/.../qtusers will return the QuickTime user/password file.
Default Install Allows Remote User to Set Admin Password
CVE ID: CAN-2003-0426
Affects: Darwin Streaming Server v4.1.3e and earlier (Mac OS X only)
Fixed: In version 4.1.3f (Mac OS X)
When Darwin Streaming Server is first installed, the
HTTP-based administration server (typically port 1220)
presents a "Setup Assistant" page where the user is prompted
to set a new administrator password. This would allow any
remote user to connect and set up an administrator password
before the server administrator has had a chance to do so.
6. Contact Information
Rapid7 Security Advisories
Email: advisory@rapid7.com
Web: http://www.rapid7.com/
Phone: +1 (212) 558-8700
7. Disclaimer and Copyright
Rapid7, Inc. is not responsible for the misuse of the information
provided in our security advisories. These advisories are a service
to the professional security community. There are NO WARRANTIES
with regard to this information. Any application or distribution of
this information constitutes acceptance AS IS, at the user's own
risk. This information is subject to change without notice.
This advisory Copyright (C) 2003 Rapid7, Inc. Permission is
hereby granted to redistribute this advisory, providing that no
changes are made and that the copyright notices and disclaimers
remain intact.
-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0
iQA/AwUBPx3UVST52JC2U8wAEQLPIwCg2Ps9jBufF8N6dGgCaoxEMijMtbcAnRL8
793Plejp5hw/r1OkojX2CQaB
=OD0m
-----END PGP SIGNATURE-----
| VAR-200411-0172 | CVE-2004-0079 | OpenSSL contains null-pointer assignment in do_change_cipher_spec() function |
CVSS V2: 5.0 CVSS V3: 7.5 Severity: HIGH |
The do_change_cipher_spec function in OpenSSL 0.9.6c to 0.9.6k, and 0.9.7a to 0.9.7c, allows remote attackers to cause a denial of service (crash) via a crafted SSL/TLS handshake that triggers a null dereference. OpenSSL Is SSL/TLS Due to incomplete implementation of do_change_cipher_spec() In the function NULL A vulnerability exists where pointers are not handled properly.OpenSSL An application that uses the service disrupts service operation (DoS) It may be in a state. OpenSSL is an open source SSL implementation used to implement high-strength encryption of network communications. It is now widely used in various network applications.
Using the Codenomicon TLS test tool, OpenSSL found a NULL pointer allocation in the do_change_cipher_spec () function. Applications that rely on this library will generate a denial of service.
For the first issue, a NULL-pointer assignment can be triggered by attackers during SSL/TLS handshake exchanges. The CVE candidate name for this vulnerability is CAN-2004-0079. Versions 0.9.6c to 0.9.6k (inclusive) and from 0.9.7a to 0.9.7c (inclusive) are vulnerable.
The second issue is also exploited during the SSL/TLS handshake, but only when Kerberos ciphersuites are in use. The vendor has reported that this vulnerability may not be a threat to many, because it occurs only when Kerberos ciphersuites are in use, an uncommon configuration. The CVE candidate name for this vulnerability is CAN-2004-0112. Versions 0.9.7a, 0.9.7b, and 0.9.7c are affected.
This entry will be retired when individual BID records are created for each issue.
*Note: A third denial-of-service vulnerability included in the announcement was discovered affecting 0.9.6 and fixed in 0.9.6d. The CVE candidate name for this vulnerability is CAN-2004-0081. Multiple security vulnerabilities are reported to affect Apple Mac OS X; updates are available.
Apache is prone to five vulnerabilities ranging from buffer overflows to access validation vulnerabilities. The CVE Mitre candidate IDs CAN-2005-1344, CAN-2004-0942, CAN-2004-0885, CAN-2004-1083, and CAN-2004-1084 are assigned to these issues.
Appkit is prone to three vulnerabilities. Two of these could result in arbitrary code execution, the third could permit the creation of local accounts. The CVE Mitre candidate IDs CAN-2005-2501, CAN-2005-2502, and CAN-2005-2503 are assigned to these issues.
Bluetooth is prone to a vulnerability regarding authentication bypass. The CVE Mitre candidate ID CAN-2005-2504 is assigned to this issue.
CoreFoundation is prone to two vulnerabilities, one resulting in a buffer overflow, the other a denial-of-service vulnerability. The CVE Mitre candidate IDs CAN-2005-2505 and CAN-2005-2506 are assigned to these issues.
CUPS is prone to two vulnerabilities resulting in a denial of service until the service can be restarted. The CVE Mitre candidate IDs CAN-2005-2525 and CAN-2005-2526 are assigned to these issues.
Directory Services is prone to three vulnerabilities. These issues vary from buffer overflow, unauthorized account creation and deletion, and privilege escalation. The CVE Mitre candidate IDs CAN-2005-2507, CAN-2005-2508 and CAN-2005-2519 are assigned to these issues.
HItoolbox is prone to a vulnerability that could result in information disclosure. The CVE Mitre candidate ID CAN-2005-2513 is assigned to this issue.
Kerberos is prone to five vulnerabilities that may result in a buffer overflow, execution of arbitrary code, and root compromise. The CVE Mitre candidate IDs CAN-2004-1189, CAN-2005-1174, CAN-2005-1175, CAN-2005-1689, and CAN-2005-2511 are assigned to these issues.
loginwindow is prone to a vulnerability that could permit a user to gain access to other logged-in accounts. The CVE Mitre candidate ID CAN-2005-2509 is assigned to this issue.
Mail is prone to a vulnerability regarding the loss of privacy when remote images are loaded into HTML email. The CVE Mitre candidate ID CAN-2005-2512 is assigned to this issue.
MySQL is prone to three vulnerabilities that include arbitrary code execution by remote authenticated users. The CVE Mitre candidate IDs CAN-2005-0709, CAN-2005-0710, and CAN-2005-0711 are assigned to these issues. The CVE Mitre candidate IDs CAN-2004-0079 and CAN-2004-0112 are assigned to these issues.
ping is prone to a vulnerability that could allow local privilege escalation and arbitrary code execution. The CVE Mitre candidate ID CAN-2005-2514 is assigned to this issue.
QuartzComposerScreenSaver is prone to a vulnerability that could allow users to open pages while the RSS Visualizer screen is locked. The CVE Mitre candidate ID CAN-2005-2515 is assigned to this issue.
Safari is prone to two vulnerabilities that could result in arbitrary command execution or have information submitted to an incorrect site. The CVE Mitre candidate IDs CAN-2005-2516 and CAN-2005-2517 are assigned to these issues.
SecurityInterface is prone to a vulnerability that could expose recently used passwords. The CVE Mitre candidate ID CAN-2005-2520 is assigned to this issue.
servermgrd is prone to a buffer-overflow vulnerability that could ultimately lead to the execution of arbitrary code. The CVE Mitre candidate ID CAN-2005-2518 is assigned to this issue.
servermgr_ipfilter is prone to a vulnerability regarding firewall settings not always being written to the Active Rules. The CVE Mitre candidate ID CAN-2005-2510 is assigned to this issue.
SquirrelMail is prone to two vulnerabilities including a cross-site scripting issue. The CVE Mitre candidate IDs CAN-2005-1769 and CAN-2005-2095 are assigned to these issues.
traceroute is prone to a vulnerability that could result in arbitrary code execution and privilege escalation. The CVE Mitre candidate ID CAN-2005-2521 is assigned to this issue.
WebKit is affected by a vulnerability that could result in code execution regarding a malformed PDF file. The CVE Mitre candidate ID CAN-2005-2522 is assigned to this issue.
Weblog Server is prone to multiple cross-site scripting vulnerabilities. The CVE Mitre candidate ID CAN-2005-2523 is assigned to this issue.
X11 is prone to a vulnerability that could result in arbitrary code execution. The CVE Mitre candidate ID CAN-2005-0605 is assigned to this issue.
zlib is prone to two denial-of-service vulnerabilities that may ultimately lead to arbitrary code execution. The CVE Mitre candidate IDs CAN-2005-2096 and CAN-2005-1849 are assigned to these issues.
These vulnerabilities will be separated into individual BIDs upon further analysis of the issues. Oracle Database Server, Oracle Application Server, Oracle Collaboration Suite, Oracle E-Business and Applications, Oracle Enterprise Manager Grid Control, and Oracle PeopleSoft Applications are reported prone to multiple vulnerabilities.
Oracle has released a Critical Patch Update to address these issues in various supported applications and platforms.
The issues identified by the vendor affect all security properties of the Oracle products and present local and remote threats. While various levels of authorization are required to leverage some issues, others do not require any authorization.
This BID will be divided and updated into separate BIDs when more information is available. It supports a variety of encryption algorithms, including symmetric ciphers, hash algorithms, security hashing algorithm, etc. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Cisco Security Advisory: Cisco OpenSSL Implementation Vulnerability
Revision 1.0
For Public Release 2004 March 17 at 1300 UTC (GMT)
----------------------------------------------------------------------
Contents
Summary
Affected Products
Details
Impact
Software Versions and Fixes
Obtaining Fixed Software
Workarounds
Exploitation and Public Announcements
Status of This Notice: INTERIM
Distribution
Revision History
Cisco Security Procedures
----------------------------------------------------------------------
Summary
A new vulnerability in the OpenSSL implementation for SSL
has been announced on March 17, 2004.
An affected network device running an SSL server based on an affected
OpenSSL implementation may be vulnerable to a Denial of Service (DoS)
attack. There are workarounds available to mitigate the effects of this
vulnerability on Cisco products in the workaround section of this
advisory. Cisco is providing fixed software, and recommends that customers
upgrade to it when it is available.
This advisory will be posted at
http://www.cisco.com/warp/public/707/cisco-sa-20040317-openssl.shtml.
* Cisco IOS 12.1(11)E and later in the 12.1E release train. Only crypto
images (56i and k2) are vulnerable for the Cisco 7100 and 7200 Series
Routers.
* Cisco IOS 12.2SY release train. Only crypto images (k8, k9 and k91)
are vulnerable for the Cisco Catalyst 6500 Series and Cisco 7600
Series Routers.
* Cisco PIX Firewall
* Cisco Firewall Services Module (FWSM) for the Cisco Catalyst 6500
Series and Cisco 7600 Series routers
* Cisco MDS 9000 Series Multilayer Switch
* Cisco Content Service Switch (CSS) 11000 series
* Cisco Global Site Selector (GSS) 4480
* CiscoWorks Common Services (CWCS) version 2.2 and CiscoWorks Common
Management Foundation (CMF) version 2.1
* Cisco Access Registrar (CAR)
The following products have their SSL implementation based on the OpenSSL
code and are not affected by this vulnerability.
* Cisco Secure Intrusion Detection System (NetRanger) appliance. This
includes the IDS-42xx appliances, NM-CIDS and WS-SVS-IDSM2.
* Cisco SN 5428 and SN 5428-2 Storage Router
* Cisco CNS Configuration Engine
* Cisco Network Analysis Modules (NAM) for the Cisco Catalyst 6000 and
6500 Series switches and Cisco 7600 Series routers
* Cisco SIP Proxy Server (SPS)
* CiscoWorks 1105 Hosting Solution Engine (HSE)
* CiscoWorks 1105 Wireless LAN Solution Engine (WLSE)
* Cisco Ethernet Subscriber Solution Engine (ESSE)
The following products, which implement SSL, are not affected by this
vulnerability.
* Cisco VPN 3000 Series Concentrators
CatOS does not implement SSL and is not vulnerable.
No other Cisco products are currently known to be affected by this
vulnerability. This vulnerability is still being actively investigated
across Cisco products and status of some products has still not been
determined.
Details
Secure Sockets Layer (SSL), is a protocol used to encrypt the data
transferred over an TCP session. SSL in Cisco products is mainly used by
the HyperText Transfer Protocol Secure (HTTPS) web service for which the
default TCP port is 443. The affected products, listed above, are only
vulnerable if they have the HTTPS service enabled and the access to the
service is not limited to trusted hosts or network management
workstations.
To check if the HTTPS service is enabled one can do the following:
1. Check the configuration on the device to verify the status of the
HTTPS service.
2. Try to connect to the device using a standard web browser that
supports SSL using a URL similar to https://ip_address_of_device/.
3. Try and connect to the default HTTPS port, TCP 443, using Telnet.
telnet ip_address_of_device 443. If the session connects the service
is enabled and accessible. This
crash on many Cisco products would cause the device to reload.
A third vulnerability described in the NISCC advisory is a bug in older
versions of OpenSSL, versions before 0.9.6d, that can also lead to a
Denial of Service attack. None of the Cisco OpenSSL implementations are
known to be affected by this older OpenSSL issue.
* Cisco IOS - All 12.1(11)E and later IOS software crypto (56i and k2)
image releases in the 12.1E release train for the Cisco 7100 and 7200
Series Routers are affected by this vulnerability. All IOS software
crypto (k8, k9, and k91) image releases in the 12.2SY release train
for the Cisco Catalyst 6500 Series and Cisco 7600 Series Routers are
affected by this vulnerability. The SSH implementation in IOS is not
dependent on any OpenSSL code. SSH implementations in IOS do not
handle certificates, yet, and therefore do not use any SSL code for
SSH. OpenSSL in 12.1E and 12.2SY release trains is only used for
providing the HTTPS and VPN Device Manager (VDM) services. This
vulnerability is documented in the Cisco Bug Toolkit (registered
customers only) as Bug ID CSCee00041. The HTTPS web service, that uses
the OpenSSL code, on the device is disabled by default. The no ip http
secure-server command may be used to disable the HTTPS web service on
the device, if required. The SSH and IPSec services in IOS are not
vulnerable to this vulnerability.
* Cisco PIX Firewall - PIX 6.x releases are affected by this
vulnerability. PIX 5.x releases do not contain any SSL code and are
not vulnerable. This vulnerability is documented in the Cisco Bug
Toolkit (registered customers only) as Bug ID CSCed90672.
* Cisco Firewall Services Module (FWSM) for the Cisco Catalyst 6500
Series and Cisco 7600 Series routers - This vulnerability is
documented in the Cisco Bug Toolkit (registered customers only) as Bug
ID CSCee02055.
* Cisco MDS 9000 Series Multilayer Switches - This vulnerability is
documented in the Cisco Bug Toolkit (registered customers only) as Bug
ID CSCed96246.
* Cisco Content Service Switch (CSS) 11000 series - WebNS version 6.x
and 7.x are affected by this vulnerability. This vulnerability is
documented in the Cisco Bug Toolkit (registered customers only) as Bug
ID CSCee01234 for SCM and is documented in the Cisco Bug Toolkit
(registered customers only) as Bug ID CSCee01240 for the SSL module.
* Cisco Global Site Selector (GSS) 4480 - This vulnerability is
documented in the Cisco Bug Toolkit (registered customers only) as Bug
ID CSCee01057.
* CiscoWorks Common Services (CWCS) version 2.2 and CiscoWorks Common
Management Foundation (CMF) version 2.1 - This vulnerability is
documented in the Cisco Bug Toolkit (registered customers only) as Bug
ID CSCsa13748.
* Cisco Access Registrar (CAR) - This vulnerability is documented in the
Cisco Bug Toolkit (registered customers only) as Bug ID CSCee01956.
The Internetworking Terms and Cisco Systems Acronyms online guides can be
found at http://www.cisco.com/univercd/cc/td/doc/cisintwk/.
Impact
An affected network device running an SSL server based on the OpenSSL
implementation may be vulnerable to a Denial of Service (DoS) attack.
Software Versions and Fixes
* Cisco IOS -
+----------------------------------------+
|Release| Fixed Releases |Availability |
| Train | | |
|-------+------------------+-------------|
|12.2SY |12.2(14)SY4 |March 25 |
|-------+------------------+-------------|
| |12.1(13)E14 |April 8 |
|12.1E |12.1.(19)E7 |April 8 |
| |12.1(20)E3 |April 26 |
+----------------------------------------+
* Cisco PIX Firewall - The vulnerability is fixed in software releases
6.0(4)102, 6.1(5)102, 6.2(3)107, and 6.3(3)124. These engineering
builds may be obtained by contacting the Cisco Technical Assistance
Center (TAC). TAC Contact information is given in the Obtaining Fixed
Software section below.
* Cisco Firewall Services Module (FWSM) for the Cisco Catalyst 6500
Series and Cisco 7600 Series routers - The vulnerability is fixed in
software release 1.1.3(14) which will be available by Monday, 22 of
March, 2004. This engineering builds may be obtained by contacting the
Cisco Technical Assistance Center (TAC). TAC Contact information is
given in the Obtaining Fixed Software section below.
* Cisco MDS 9000 Series Multilayer Switches - No fixed software release
or software availability date has been determined yet.
* Cisco Content Service Switch (CSS) 11000 series -No fixed software
release or software availability date has been determined yet.
* Cisco Global Site Selector (GSS) 4480 - No fixed software release or
software availability date has been determined yet.
* CiscoWorks Common Services (CWCS) version 2.2 and CiscoWorks Common
Management Foundation (CMF) version 2.1 - No fixed software release or
software availability date has been determined yet.
* Cisco Access Registrar (CAR) - The vulnerability is fixed in software
release 3.5.0.12 which will be available by Friday, 26 of March, 2004.
Obtaining Fixed Software
Cisco is offering free software upgrades to address this vulnerability for
all affected customers.
Customers may only install and expect support for the feature sets they
have purchased. By installing, downloading, accessing or otherwise using
such software upgrades, Customers agree to be bound by the terms of
Cisco's software license terms found at
http://www.cisco.com/public/sw-license-agreement.html, or as otherwise set
forth at the Cisco Connection Online Software Center at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml.
Customers with contracts should obtain upgraded software through their
regular update channels. For most customers, this means that upgrades
should be obtained through the Software Center on Cisco's worldwide
website at http://www.cisco.com/tacpage/sw-center. To access the software
download URL, you must be a registered user and you must be logged in.
Customers whose Cisco products are provided or maintained through a prior
or existing agreement with third-party support organizations such as Cisco
Partners, authorized resellers, or service providers, should contact that
support organization for assistance with obtaining the software
upgrade(s).
Customers who purchase direct from Cisco but who do not hold a Cisco
service contract and customers who purchase through third-party vendors
but are unsuccessful at obtaining fixed software through their point of
sale should get their upgrades by contacting the Cisco Technical
Assistance Center (TAC) using the contact information listed below. In
these cases, customers are entitled to obtain a free upgrade to a later
version of the same release or as indicated by the applicable corrected
software version in the Software Versions and Fixes section (noted above).
Cisco TAC contacts are as follows:
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
See http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for
additional TAC contact information, including special localized telephone
numbers and instructions and e-mail addresses for use in various
languages.
Please have your product serial number available and give the URL of this
notice as evidence of your entitlement to a upgrade. Upgrades for
non-contract customers must be requested through the TAC.
Please do not contact either "psirt@cisco.com" or
"security-alert@cisco.com" for software upgrades.
Workarounds
The Cisco PSIRT recommends that affected users upgrade to a fixed software
version of code as soon as it is available.
* Restrict access to the HTTPS server on the network device. Allow
access to the network device only from trusted workstations by using
access lists / MAC filters that are available on the affected
platforms.
* Disable the SSL server / service on the network device. This
workaround must be weighed against the need for secure communications
with the vulnerable device.
Exploitation and Public Announcements
The Cisco PSIRT is not aware of any malicious use of the vulnerability
described in this advisory.
This vulnerability was reported to Cisco PSIRT by NISCC.
Status of This Notice: INTERIM
This is an interim advisory. Although Cisco cannot guarantee the accuracy
of all statements in this advisory, all of the facts have been checked to
the best of our ability. Cisco does not anticipate issuing updated
versions of this advisory unless there is some material change in the
facts. Should there be a significant change in the facts, Cisco may update
this advisory.
A stand-alone copy or paraphrase of the text of this security advisory
that omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain factual
errors.
Distribution
This advisory will be posted on Cisco's worldwide website at
http://www.cisco.com/warp/public/707/cisco-sa-20040317-openssl.shtml .
In addition to worldwide web posting, a text version of this notice is
clear-signed with the Cisco PSIRT PGP key having the fingerprint 8C82 5207
0CA9 ED40 1DD2 EE2A 7B31 A8CF 32B6 B590 and is posted to the following
e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-teams@first.org (includes CERT/CC)
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.netsys.com
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on mailing
lists or newsgroups. Users concerned about this problem are encouraged to
check the above URL for any updates.
Revision History
+------------------------------------------+
|Revision 1.0|2004-March-17|Initial |
| | |release. |
+------------------------------------------+
Cisco Security Procedures
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and registering to
receive security information from Cisco, is available on Cisco's worldwide
website at
http://www.cisco.com/warp/public/707/sec_incident_response.shtml. This
includes instructions for press inquiries regarding Cisco security
notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt.
This advisory is copyright 2004 by Cisco Systems, Inc. This advisory may
be redistributed freely after the release date given at the top of the
text, provided that redistributed copies are complete and unmodified,
including all date and version information.
----------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Comment: PGP Signed by Sharad Ahlawat, Cisco Systems PSIRT
iD8DBQFAWFvZezGozzK2tZARAqIwAKDXDMLAY6eDYyU8y1MhKZUto2SRxwCg+oid
7AhsNlLsNVSLwTRKTHSigu0=
=gtba
-----END PGP SIGNATURE-----
. Any
application that makes use of OpenSSL's SSL/TLS library may be
affected. Any application that makes use of OpenSSL's SSL/TLS library
may be affected.
Recommendations
---------------
Upgrade to OpenSSL 0.9.7d or 0.9.6m. Recompile any OpenSSL applications
statically linked to OpenSSL libraries.
OpenSSL 0.9.7d and OpenSSL 0.9.6m are available for download via HTTP and
FTP from the following master locations (you can find the various FTP
mirrors under http://www.openssl.org/source/mirror.html):
ftp://ftp.openssl.org/source/
The distribution file names are:
o openssl-0.9.7d.tar.gz
MD5 checksum: 1b49e90fc8a75c3a507c0a624529aca5
o openssl-0.9.6m.tar.gz [normal]
MD5 checksum: 1b63bfdca1c37837dddde9f1623498f9
o openssl-engine-0.9.6m.tar.gz [engine]
MD5 checksum: 4c39d2524bd466180f9077f8efddac8c
The checksums were calculated using the following command:
openssl md5 openssl-0.9*.tar.gz
Credits
-------
Patches for these issues were created by Dr Stephen Henson
(steve@openssl.org) of the OpenSSL core team. The OpenSSL team would
like to thank Codenomicon for supplying the TLS Test Tool which was
used to discover these vulnerabilities, and Joe Orton of Red Hat for
performing the majority of the testing.
References
----------
http://www.codenomicon.com/testtools/tls/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0079
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0112
URL for this Security Advisory:
http://www.openssl.org/news/secadv_20040317.txt
| VAR-200407-0075 | CVE-2004-0488 | Apache HTTP Server of mod_ssl Vulnerable to buffer overflow |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Stack-based buffer overflow in the ssl_util_uuencode_binary function in ssl_util.c for Apache mod_ssl, when mod_ssl is configured to trust the issuing CA, may allow remote attackers to execute arbitrary code via a client certificate with a long subject DN. mod_ssl Is httpd.conf In SSLOptions Is a directive option FakeBasicAuth If enabled, a buffer overflow vulnerability exists.SSL Is enabled Apache HTTP Server Service disruption at (DoS) It may be in a state. Oracle Database Server, Oracle Application Server, Oracle Collaboration Suite, Oracle E-Business and Applications, Oracle Enterprise Manager Grid Control, and Oracle PeopleSoft Applications are reported prone to multiple vulnerabilities.
Oracle has released a Critical Patch Update to address these issues in various supported applications and platforms. Other non-supported versions may be affected, but Symantec has not confirmed this.
The issues identified by the vendor affect all security properties of the Oracle products and present local and remote threats. While various levels of authorization are required to leverage some issues, others do not require any authorization.
This BID will be divided and updated into separate BIDs when more information is available. A stack-based buffer overflow has been reported in the Apache 'mod_ssl' module.
This issue is exposed in utility code for uuencoding binary data.
This issue would most likely result in a denial of service if triggered, but could theoretically allow arbitrary code to run. The issue is not believed to be exploitable to execute arbitrary code on x86 architectures, but this may not be the case with other architectures. Mod_SSL is the SSL implementation on the Apache server, used to provide encryption support for the Apache web server. A remote attacker can use the ssl_engine_kernel.c module that uses this function to conduct a denial of service attack or execute arbitrary instructions in the WEB process
| VAR-200411-0173 | CVE-2004-0081 | OpenSSL does not properly handle unknown message types |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
OpenSSL 0.9.6 before 0.9.6d does not properly handle unknown message types, which allows remote attackers to cause a denial of service (infinite loop), as demonstrated using the Codenomicon TLS Test Tool. This vulnerability was addressed in OpenSSL 0.9.6d and 0.9.7. The vulnerability is OpenSSL Applications and systems that use the library may also be affected. For more detailed information about other systems NISCC-224012 (JVN) , NISCC Advisory 224012 (CPNI Advisory 00389) Please check also.OpenSSL An application that uses the service disrupts service operation (DoS) It may be in a state.
For the first issue, a NULL-pointer assignment can be triggered by attackers during SSL/TLS handshake exchanges. The CVE candidate name for this vulnerability is CAN-2004-0079. Versions 0.9.6c to 0.9.6k (inclusive) and from 0.9.7a to 0.9.7c (inclusive) are vulnerable.
The second issue is also exploited during the SSL/TLS handshake, but only when Kerberos ciphersuites are in use. The vendor has reported that this vulnerability may not be a threat to many, because it occurs only when Kerberos ciphersuites are in use, an uncommon configuration. The CVE candidate name for this vulnerability is CAN-2004-0112. Versions 0.9.7a, 0.9.7b, and 0.9.7c are affected.
This entry will be retired when individual BID records are created for each issue.
*Note: A third denial-of-service vulnerability included in the announcement was discovered affecting 0.9.6 and fixed in 0.9.6d. The CVE candidate name for this vulnerability is CAN-2004-0081. Oracle Database Server, Oracle Application Server, Oracle Collaboration Suite, Oracle E-Business and Applications, Oracle Enterprise Manager Grid Control, and Oracle PeopleSoft Applications are reported prone to multiple vulnerabilities.
Oracle has released a Critical Patch Update to address these issues in various supported applications and platforms.
The issues identified by the vendor affect all security properties of the Oracle products and present local and remote threats. While various levels of authorization are required to leverage some issues, others do not require any authorization.
This BID will be divided and updated into separate BIDs when more information is available. An attacker could exploit these vulnerabilities to take complete control of an affected database.
TITLE:
Fedora update for openssl096b
SECUNIA ADVISORY ID:
SA17381
VERIFY ADVISORY:
http://secunia.com/advisories/17381/
CRITICAL:
Moderately critical
IMPACT:
DoS
WHERE:
>From remote
OPERATING SYSTEM:
Fedora Core 3
http://secunia.com/product/4222/
DESCRIPTION:
Fedora has issued an update for openssl096b. This fixes some
vulnerabilities, which can be exploited by malicious people to cause
a DoS (Denial of Service).
For more information:
SA10133
SA11139
SOLUTION:
Apply updated packages.
Fedora Core 3:
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/3/
8d68e4b430aa7c5ca067c12866ae694e
SRPMS/openssl096b-0.9.6b-21.42.src.rpm
54a9e78a2fdd625b9dc9121e09eb4398
x86_64/openssl096b-0.9.6b-21.42.x86_64.rpm
c5c6174e23eba8d038889d08f49231b8
x86_64/debug/openssl096b-debuginfo-0.9.6b-21.42.x86_64.rpm
56b63fc150d0c099b2e4f0950e21005b
x86_64/openssl096b-0.9.6b-21.42.i386.rpm
56b63fc150d0c099b2e4f0950e21005b
i386/openssl096b-0.9.6b-21.42.i386.rpm
93195495585c7e9789041c75b1ed5380
i386/debug/openssl096b-debuginfo-0.9.6b-21.42.i386.rpm
OTHER REFERENCES:
SA10133:
http://secunia.com/advisories/10133/
SA11139:
http://secunia.com/advisories/11139/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-200411-0171 | CVE-2004-0112 | OpenSSL does not adequately validate length of Kerberos ticket during SSL/TLS handshake |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The SSL/TLS handshaking code in OpenSSL 0.9.7a, 0.9.7b, and 0.9.7c, when using Kerberos ciphersuites, does not properly check the length of Kerberos tickets during a handshake, which allows remote attackers to cause a denial of service (crash) via a crafted SSL/TLS handshake that causes an out-of-bounds read. OpenSSL for, Kerberos using a cipher suite SSL/TLS When communicating, there is a flaw in not properly checking the communication data during the key exchange during handshake, and it is intentionally created. Please note that this vulnerability OpenSSL Applications and systems using the library may also be affected. For more detailed information about other systems, NISCC-224012 (JVN) , NISCC Advisory 224012 (CPNI Advisory 00389) Please also check.OpenSSL Applications that use this crash and cause a denial of service. (DoS) may become a state. OpenSSL is an open source SSL implementation used to implement high-strength encryption of network communications. It is now widely used in various network applications.
When using Kerberos ciphersuites, there is a flaw in the SSL / TLS handshake code. A remote attacker can construct a special SSL / TLS handshake and send it to a server configured with Kerberos ciphersuites. Most applications do not use Kerberos ciphersuites. It is therefore not affected by this vulnerability.
For the first issue, a NULL-pointer assignment can be triggered by attackers during SSL/TLS handshake exchanges. Versions 0.9.6c to 0.9.6k (inclusive) and from 0.9.7a to 0.9.7c (inclusive) are vulnerable. The vendor has reported that this vulnerability may not be a threat to many, because it occurs only when Kerberos ciphersuites are in use, an uncommon configuration.
This entry will be retired when individual BID records are created for each issue.
*Note: A third denial-of-service vulnerability included in the announcement was discovered affecting 0.9.6 and fixed in 0.9.6d. Multiple security vulnerabilities are reported to affect Apple Mac OS X; updates are available.
Apache is prone to five vulnerabilities ranging from buffer overflows to access validation vulnerabilities. The CVE Mitre candidate IDs CAN-2005-1344, CAN-2004-0942, CAN-2004-0885, CAN-2004-1083, and CAN-2004-1084 are assigned to these issues.
Appkit is prone to three vulnerabilities. Two of these could result in arbitrary code execution, the third could permit the creation of local accounts. The CVE Mitre candidate IDs CAN-2005-2501, CAN-2005-2502, and CAN-2005-2503 are assigned to these issues.
Bluetooth is prone to a vulnerability regarding authentication bypass. The CVE Mitre candidate ID CAN-2005-2504 is assigned to this issue.
CoreFoundation is prone to two vulnerabilities, one resulting in a buffer overflow, the other a denial-of-service vulnerability. The CVE Mitre candidate IDs CAN-2005-2505 and CAN-2005-2506 are assigned to these issues.
CUPS is prone to two vulnerabilities resulting in a denial of service until the service can be restarted. The CVE Mitre candidate IDs CAN-2005-2525 and CAN-2005-2526 are assigned to these issues.
Directory Services is prone to three vulnerabilities. These issues vary from buffer overflow, unauthorized account creation and deletion, and privilege escalation. The CVE Mitre candidate IDs CAN-2005-2507, CAN-2005-2508 and CAN-2005-2519 are assigned to these issues.
HItoolbox is prone to a vulnerability that could result in information disclosure. The CVE Mitre candidate ID CAN-2005-2513 is assigned to this issue.
Kerberos is prone to five vulnerabilities that may result in a buffer overflow, execution of arbitrary code, and root compromise. The CVE Mitre candidate IDs CAN-2004-1189, CAN-2005-1174, CAN-2005-1175, CAN-2005-1689, and CAN-2005-2511 are assigned to these issues.
loginwindow is prone to a vulnerability that could permit a user to gain access to other logged-in accounts. The CVE Mitre candidate ID CAN-2005-2509 is assigned to this issue.
Mail is prone to a vulnerability regarding the loss of privacy when remote images are loaded into HTML email. The CVE Mitre candidate ID CAN-2005-2512 is assigned to this issue.
MySQL is prone to three vulnerabilities that include arbitrary code execution by remote authenticated users. The CVE Mitre candidate IDs CAN-2005-0709, CAN-2005-0710, and CAN-2005-0711 are assigned to these issues.
OpenSSL is prone to two vulnerabilities resulting in denial of service. The CVE Mitre candidate IDs CAN-2004-0079 and CAN-2004-0112 are assigned to these issues.
ping is prone to a vulnerability that could allow local privilege escalation and arbitrary code execution. The CVE Mitre candidate ID CAN-2005-2514 is assigned to this issue.
QuartzComposerScreenSaver is prone to a vulnerability that could allow users to open pages while the RSS Visualizer screen is locked. The CVE Mitre candidate ID CAN-2005-2515 is assigned to this issue.
Safari is prone to two vulnerabilities that could result in arbitrary command execution or have information submitted to an incorrect site. The CVE Mitre candidate IDs CAN-2005-2516 and CAN-2005-2517 are assigned to these issues.
SecurityInterface is prone to a vulnerability that could expose recently used passwords. The CVE Mitre candidate ID CAN-2005-2520 is assigned to this issue.
servermgrd is prone to a buffer-overflow vulnerability that could ultimately lead to the execution of arbitrary code. The CVE Mitre candidate ID CAN-2005-2518 is assigned to this issue.
servermgr_ipfilter is prone to a vulnerability regarding firewall settings not always being written to the Active Rules. The CVE Mitre candidate ID CAN-2005-2510 is assigned to this issue.
SquirrelMail is prone to two vulnerabilities including a cross-site scripting issue. The CVE Mitre candidate IDs CAN-2005-1769 and CAN-2005-2095 are assigned to these issues.
traceroute is prone to a vulnerability that could result in arbitrary code execution and privilege escalation. The CVE Mitre candidate ID CAN-2005-2521 is assigned to this issue.
WebKit is affected by a vulnerability that could result in code execution regarding a malformed PDF file. The CVE Mitre candidate ID CAN-2005-2522 is assigned to this issue.
Weblog Server is prone to multiple cross-site scripting vulnerabilities. The CVE Mitre candidate ID CAN-2005-2523 is assigned to this issue.
X11 is prone to a vulnerability that could result in arbitrary code execution. The CVE Mitre candidate ID CAN-2005-0605 is assigned to this issue.
zlib is prone to two denial-of-service vulnerabilities that may ultimately lead to arbitrary code execution. The CVE Mitre candidate IDs CAN-2005-2096 and CAN-2005-1849 are assigned to these issues.
These vulnerabilities will be separated into individual BIDs upon further analysis of the issues. It supports a variety of encryption algorithms, including symmetric ciphers, hash algorithms, security hashing algorithm, etc.
TITLE:
Fedora update for openssl096b
SECUNIA ADVISORY ID:
SA17381
VERIFY ADVISORY:
http://secunia.com/advisories/17381/
CRITICAL:
Moderately critical
IMPACT:
DoS
WHERE:
>From remote
OPERATING SYSTEM:
Fedora Core 3
http://secunia.com/product/4222/
DESCRIPTION:
Fedora has issued an update for openssl096b.
For more information:
SA10133
SA11139
SOLUTION:
Apply updated packages.
Fedora Core 3:
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/3/
8d68e4b430aa7c5ca067c12866ae694e
SRPMS/openssl096b-0.9.6b-21.42.src.rpm
54a9e78a2fdd625b9dc9121e09eb4398
x86_64/openssl096b-0.9.6b-21.42.x86_64.rpm
c5c6174e23eba8d038889d08f49231b8
x86_64/debug/openssl096b-debuginfo-0.9.6b-21.42.x86_64.rpm
56b63fc150d0c099b2e4f0950e21005b
x86_64/openssl096b-0.9.6b-21.42.i386.rpm
56b63fc150d0c099b2e4f0950e21005b
i386/openssl096b-0.9.6b-21.42.i386.rpm
93195495585c7e9789041c75b1ed5380
i386/debug/openssl096b-debuginfo-0.9.6b-21.42.i386.rpm
OTHER REFERENCES:
SA10133:
http://secunia.com/advisories/10133/
SA11139:
http://secunia.com/advisories/11139/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Cisco Security Advisory: Cisco OpenSSL Implementation Vulnerability
Revision 1.0
For Public Release 2004 March 17 at 1300 UTC (GMT)
----------------------------------------------------------------------
Contents
Summary
Affected Products
Details
Impact
Software Versions and Fixes
Obtaining Fixed Software
Workarounds
Exploitation and Public Announcements
Status of This Notice: INTERIM
Distribution
Revision History
Cisco Security Procedures
----------------------------------------------------------------------
Summary
A new vulnerability in the OpenSSL implementation for SSL
has been announced on March 17, 2004.
An affected network device running an SSL server based on an affected
OpenSSL implementation may be vulnerable to a Denial of Service (DoS)
attack. There are workarounds available to mitigate the effects of this
vulnerability on Cisco products in the workaround section of this
advisory. Cisco is providing fixed software, and recommends that customers
upgrade to it when it is available.
This advisory will be posted at
http://www.cisco.com/warp/public/707/cisco-sa-20040317-openssl.shtml.
* Cisco IOS 12.1(11)E and later in the 12.1E release train. Only crypto
images (56i and k2) are vulnerable for the Cisco 7100 and 7200 Series
Routers.
* Cisco IOS 12.2SY release train. Only crypto images (k8, k9 and k91)
are vulnerable for the Cisco Catalyst 6500 Series and Cisco 7600
Series Routers.
* Cisco PIX Firewall
* Cisco Firewall Services Module (FWSM) for the Cisco Catalyst 6500
Series and Cisco 7600 Series routers
* Cisco MDS 9000 Series Multilayer Switch
* Cisco Content Service Switch (CSS) 11000 series
* Cisco Global Site Selector (GSS) 4480
* CiscoWorks Common Services (CWCS) version 2.2 and CiscoWorks Common
Management Foundation (CMF) version 2.1
* Cisco Access Registrar (CAR)
The following products have their SSL implementation based on the OpenSSL
code and are not affected by this vulnerability.
* Cisco Secure Intrusion Detection System (NetRanger) appliance. This
includes the IDS-42xx appliances, NM-CIDS and WS-SVS-IDSM2.
* Cisco SN 5428 and SN 5428-2 Storage Router
* Cisco CNS Configuration Engine
* Cisco Network Analysis Modules (NAM) for the Cisco Catalyst 6000 and
6500 Series switches and Cisco 7600 Series routers
* Cisco SIP Proxy Server (SPS)
* CiscoWorks 1105 Hosting Solution Engine (HSE)
* CiscoWorks 1105 Wireless LAN Solution Engine (WLSE)
* Cisco Ethernet Subscriber Solution Engine (ESSE)
The following products, which implement SSL, are not affected by this
vulnerability.
* Cisco VPN 3000 Series Concentrators
CatOS does not implement SSL and is not vulnerable. This vulnerability is still being actively investigated
across Cisco products and status of some products has still not been
determined.
Details
Secure Sockets Layer (SSL), is a protocol used to encrypt the data
transferred over an TCP session. SSL in Cisco products is mainly used by
the HyperText Transfer Protocol Secure (HTTPS) web service for which the
default TCP port is 443. The affected products, listed above, are only
vulnerable if they have the HTTPS service enabled and the access to the
service is not limited to trusted hosts or network management
workstations.
To check if the HTTPS service is enabled one can do the following:
1. Check the configuration on the device to verify the status of the
HTTPS service.
2. Try to connect to the device using a standard web browser that
supports SSL using a URL similar to https://ip_address_of_device/.
3. Try and connect to the default HTTPS port, TCP 443, using Telnet.
telnet ip_address_of_device 443. If the session connects the service
is enabled and accessible.
Testing by the OpenSSL development team has uncovered a null-pointer
assignment in the do_change_cipher_spec() function. This
crash on many Cisco products would cause the device to reload.
A third vulnerability described in the NISCC advisory is a bug in older
versions of OpenSSL, versions before 0.9.6d, that can also lead to a
Denial of Service attack. None of the Cisco OpenSSL implementations are
known to be affected by this older OpenSSL issue.
* Cisco IOS - All 12.1(11)E and later IOS software crypto (56i and k2)
image releases in the 12.1E release train for the Cisco 7100 and 7200
Series Routers are affected by this vulnerability. All IOS software
crypto (k8, k9, and k91) image releases in the 12.2SY release train
for the Cisco Catalyst 6500 Series and Cisco 7600 Series Routers are
affected by this vulnerability. The SSH implementation in IOS is not
dependent on any OpenSSL code. SSH implementations in IOS do not
handle certificates, yet, and therefore do not use any SSL code for
SSH. OpenSSL in 12.1E and 12.2SY release trains is only used for
providing the HTTPS and VPN Device Manager (VDM) services. This
vulnerability is documented in the Cisco Bug Toolkit (registered
customers only) as Bug ID CSCee00041. The HTTPS web service, that uses
the OpenSSL code, on the device is disabled by default. The no ip http
secure-server command may be used to disable the HTTPS web service on
the device, if required. The SSH and IPSec services in IOS are not
vulnerable to this vulnerability.
* Cisco PIX Firewall - PIX 6.x releases are affected by this
vulnerability. PIX 5.x releases do not contain any SSL code and are
not vulnerable. This vulnerability is documented in the Cisco Bug
Toolkit (registered customers only) as Bug ID CSCed90672.
* Cisco Firewall Services Module (FWSM) for the Cisco Catalyst 6500
Series and Cisco 7600 Series routers - This vulnerability is
documented in the Cisco Bug Toolkit (registered customers only) as Bug
ID CSCee02055.
* Cisco MDS 9000 Series Multilayer Switches - This vulnerability is
documented in the Cisco Bug Toolkit (registered customers only) as Bug
ID CSCed96246.
* Cisco Content Service Switch (CSS) 11000 series - WebNS version 6.x
and 7.x are affected by this vulnerability. This vulnerability is
documented in the Cisco Bug Toolkit (registered customers only) as Bug
ID CSCee01234 for SCM and is documented in the Cisco Bug Toolkit
(registered customers only) as Bug ID CSCee01240 for the SSL module.
* Cisco Global Site Selector (GSS) 4480 - This vulnerability is
documented in the Cisco Bug Toolkit (registered customers only) as Bug
ID CSCee01057.
* CiscoWorks Common Services (CWCS) version 2.2 and CiscoWorks Common
Management Foundation (CMF) version 2.1 - This vulnerability is
documented in the Cisco Bug Toolkit (registered customers only) as Bug
ID CSCsa13748.
* Cisco Access Registrar (CAR) - This vulnerability is documented in the
Cisco Bug Toolkit (registered customers only) as Bug ID CSCee01956.
The Internetworking Terms and Cisco Systems Acronyms online guides can be
found at http://www.cisco.com/univercd/cc/td/doc/cisintwk/.
Impact
An affected network device running an SSL server based on the OpenSSL
implementation may be vulnerable to a Denial of Service (DoS) attack.
Software Versions and Fixes
* Cisco IOS -
+----------------------------------------+
|Release| Fixed Releases |Availability |
| Train | | |
|-------+------------------+-------------|
|12.2SY |12.2(14)SY4 |March 25 |
|-------+------------------+-------------|
| |12.1(13)E14 |April 8 |
|12.1E |12.1.(19)E7 |April 8 |
| |12.1(20)E3 |April 26 |
+----------------------------------------+
* Cisco PIX Firewall - The vulnerability is fixed in software releases
6.0(4)102, 6.1(5)102, 6.2(3)107, and 6.3(3)124. These engineering
builds may be obtained by contacting the Cisco Technical Assistance
Center (TAC). TAC Contact information is given in the Obtaining Fixed
Software section below.
* Cisco Firewall Services Module (FWSM) for the Cisco Catalyst 6500
Series and Cisco 7600 Series routers - The vulnerability is fixed in
software release 1.1.3(14) which will be available by Monday, 22 of
March, 2004. This engineering builds may be obtained by contacting the
Cisco Technical Assistance Center (TAC). TAC Contact information is
given in the Obtaining Fixed Software section below.
* Cisco MDS 9000 Series Multilayer Switches - No fixed software release
or software availability date has been determined yet.
* Cisco Content Service Switch (CSS) 11000 series -No fixed software
release or software availability date has been determined yet.
* Cisco Global Site Selector (GSS) 4480 - No fixed software release or
software availability date has been determined yet.
* CiscoWorks Common Services (CWCS) version 2.2 and CiscoWorks Common
Management Foundation (CMF) version 2.1 - No fixed software release or
software availability date has been determined yet.
* Cisco Access Registrar (CAR) - The vulnerability is fixed in software
release 3.5.0.12 which will be available by Friday, 26 of March, 2004.
Obtaining Fixed Software
Cisco is offering free software upgrades to address this vulnerability for
all affected customers.
Customers may only install and expect support for the feature sets they
have purchased. By installing, downloading, accessing or otherwise using
such software upgrades, Customers agree to be bound by the terms of
Cisco's software license terms found at
http://www.cisco.com/public/sw-license-agreement.html, or as otherwise set
forth at the Cisco Connection Online Software Center at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml.
Customers with contracts should obtain upgraded software through their
regular update channels. For most customers, this means that upgrades
should be obtained through the Software Center on Cisco's worldwide
website at http://www.cisco.com/tacpage/sw-center. To access the software
download URL, you must be a registered user and you must be logged in.
Customers whose Cisco products are provided or maintained through a prior
or existing agreement with third-party support organizations such as Cisco
Partners, authorized resellers, or service providers, should contact that
support organization for assistance with obtaining the software
upgrade(s).
Customers who purchase direct from Cisco but who do not hold a Cisco
service contract and customers who purchase through third-party vendors
but are unsuccessful at obtaining fixed software through their point of
sale should get their upgrades by contacting the Cisco Technical
Assistance Center (TAC) using the contact information listed below. In
these cases, customers are entitled to obtain a free upgrade to a later
version of the same release or as indicated by the applicable corrected
software version in the Software Versions and Fixes section (noted above).
Cisco TAC contacts are as follows:
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
See http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for
additional TAC contact information, including special localized telephone
numbers and instructions and e-mail addresses for use in various
languages.
Please have your product serial number available and give the URL of this
notice as evidence of your entitlement to a upgrade. Upgrades for
non-contract customers must be requested through the TAC.
Please do not contact either "psirt@cisco.com" or
"security-alert@cisco.com" for software upgrades.
Workarounds
The Cisco PSIRT recommends that affected users upgrade to a fixed software
version of code as soon as it is available.
* Restrict access to the HTTPS server on the network device. Allow
access to the network device only from trusted workstations by using
access lists / MAC filters that are available on the affected
platforms.
* Disable the SSL server / service on the network device. This
workaround must be weighed against the need for secure communications
with the vulnerable device.
Exploitation and Public Announcements
The Cisco PSIRT is not aware of any malicious use of the vulnerability
described in this advisory.
Status of This Notice: INTERIM
This is an interim advisory. Although Cisco cannot guarantee the accuracy
of all statements in this advisory, all of the facts have been checked to
the best of our ability. Cisco does not anticipate issuing updated
versions of this advisory unless there is some material change in the
facts. Should there be a significant change in the facts, Cisco may update
this advisory.
A stand-alone copy or paraphrase of the text of this security advisory
that omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain factual
errors.
Distribution
This advisory will be posted on Cisco's worldwide website at
http://www.cisco.com/warp/public/707/cisco-sa-20040317-openssl.shtml .
In addition to worldwide web posting, a text version of this notice is
clear-signed with the Cisco PSIRT PGP key having the fingerprint 8C82 5207
0CA9 ED40 1DD2 EE2A 7B31 A8CF 32B6 B590 and is posted to the following
e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-teams@first.org (includes CERT/CC)
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.netsys.com
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on mailing
lists or newsgroups. Users concerned about this problem are encouraged to
check the above URL for any updates.
Revision History
+------------------------------------------+
|Revision 1.0|2004-March-17|Initial |
| | |release. |
+------------------------------------------+
Cisco Security Procedures
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and registering to
receive security information from Cisco, is available on Cisco's worldwide
website at
http://www.cisco.com/warp/public/707/sec_incident_response.shtml. This
includes instructions for press inquiries regarding Cisco security
notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt.
This advisory is copyright 2004 by Cisco Systems, Inc. This advisory may
be redistributed freely after the release date given at the top of the
text, provided that redistributed copies are complete and unmodified,
including all date and version information.
----------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Comment: PGP Signed by Sharad Ahlawat, Cisco Systems PSIRT
iD8DBQFAWFvZezGozzK2tZARAqIwAKDXDMLAY6eDYyU8y1MhKZUto2SRxwCg+oid
7AhsNlLsNVSLwTRKTHSigu0=
=gtba
-----END PGP SIGNATURE-----
.
OpenSSL 0.9.7d and OpenSSL 0.9.6m are available for download via HTTP and
FTP from the following master locations (you can find the various FTP
mirrors under http://www.openssl.org/source/mirror.html):
ftp://ftp.openssl.org/source/
The distribution file names are:
o openssl-0.9.7d.tar.gz
MD5 checksum: 1b49e90fc8a75c3a507c0a624529aca5
o openssl-0.9.6m.tar.gz [normal]
MD5 checksum: 1b63bfdca1c37837dddde9f1623498f9
o openssl-engine-0.9.6m.tar.gz [engine]
MD5 checksum: 4c39d2524bd466180f9077f8efddac8c
The checksums were calculated using the following command:
openssl md5 openssl-0.9*.tar.gz
Credits
-------
Patches for these issues were created by Dr Stephen Henson
(steve@openssl.org) of the OpenSSL core team. The OpenSSL team would
like to thank Codenomicon for supplying the TLS Test Tool which was
used to discover these vulnerabilities, and Joe Orton of Red Hat for
performing the majority of the testing.
References
----------
http://www.codenomicon.com/testtools/tls/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0079
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0112
URL for this Security Advisory:
http://www.openssl.org/news/secadv_20040317.txt
| VAR-200312-0218 | CVE-2003-0851 | OpenSSL 0.9.6k does not properly handle ASN.1 sequences |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
OpenSSL 0.9.6k allows remote attackers to cause a denial of service (crash via large recursion) via malformed ASN.1 sequences. OpenSSL Is ASN.1 (Abstract Syntax Notation One) A vulnerability that causes deep recursion exists due to poor handling of sequences.By sending a client certificate crafted by a third party to the target host, OpenSSL Server using the library interferes with service operation (DoS) It may be in a state. A problem has been identified in OpenSSL when handling specific types of ASN.1 requests.
This issue is also known to affect numerous Cisco products. It is possible that other vendors will also be acknowledging this issue and providing fixes. Oracle Database Server, Oracle Application Server, Oracle Collaboration Suite, Oracle E-Business and Applications, Oracle Enterprise Manager Grid Control, and Oracle PeopleSoft Applications are reported prone to multiple vulnerabilities.
Oracle has released a Critical Patch Update to address these issues in various supported applications and platforms. Other non-supported versions may be affected, but Symantec has not confirmed this.
The issues identified by the vendor affect all security properties of the Oracle products and present local and remote threats. While various levels of authorization are required to leverage some issues, others do not require any authorization.
This BID will be divided and updated into separate BIDs when more information is available. An attacker could exploit these vulnerabilities to take complete control of an affected database.
TITLE:
Red Hat update for openssl
SECUNIA ADVISORY ID:
SA17398
VERIFY ADVISORY:
http://secunia.com/advisories/17398/
CRITICAL:
Moderately critical
IMPACT:
DoS
WHERE:
>From remote
OPERATING SYSTEM:
RedHat Linux Advanced Workstation 2.1 for Itanium
http://secunia.com/product/1326/
RedHat Enterprise Linux WS 2.1
http://secunia.com/product/1044/
RedHat Enterprise Linux ES 2.1
http://secunia.com/product/1306/
RedHat Enterprise Linux AS 2.1
http://secunia.com/product/48/
DESCRIPTION:
Red Hat has issued an update for openssl.
http://rhn.redhat.com/
ORIGINAL ADVISORY:
http://rhn.redhat.com/errata/RHSA-2005-829.html
OTHER REFERENCES:
SA11139:
http://secunia.com/advisories/11139/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor. OpenSSL Security Advisory [4 November 2003]
Denial of Service in ASN.1 parsing
==================================
Previously, OpenSSL 0.9.6k was released on the 30 September 2003 to
address various ASN.1 issues. The issues were found using a test
suite from NISCC (www.niscc.gov.uk) and fixed by Dr Stephen Henson
(steve@openssl.org) of the OpenSSL core team.
Subsequent to that release, Novell Inc. carried out further testing
using the NISCC suite. This could be
performed for example by sending a client certificate to a SSL/TLS
enabled server which is configured to accept them.
Patches for this issue have been created by Dr Stephen Henson
(steve@openssl.org) of the OpenSSL core team.
Who is affected?
----------------
OpenSSL 0.9.6k is affected by the bug, but the denial of service does
not affect all platforms. This issue does not affect OpenSSL 0.9.7.
Currently only OpenSSL running on Windows platforms is known to crash.
Recommendations
---------------
Upgrade to OpenSSL 0.9.6l or 0.9.7c. Recompile any OpenSSL
applications statically linked to OpenSSL libraries.
OpenSSL 0.9.6l is available for download via HTTP and FTP from the
following master locations (you can find the various FTP mirrors under
https://www.openssl.org/source/mirror.html):
o https://www.openssl.org/source/
o ftp://ftp.openssl.org/source/
The distribution file name is:
o openssl-0.9.6l.tar.gz [normal]
MD5 checksum: 843a65ddc56634f0e30a4f9474bb5b27
o openssl-engine-0.9.6l.tar.gz [engine]
MD5 checksum: dd372198cdf31667f2cb29cd76fbda1c
The checksums were calculated using the following command:
openssl md5 < openssl-0.9.6l.tar.gz
openssl md5 < openssl-engine-0.9.6l.tar.gz
References
----------
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2003-0851 to this issue.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0851
URL for this Security Advisory:
https://www.openssl.org/news/secadv_20031104.txt
| VAR-200508-0319 | CVE-2005-2526 | Mac OS X CPUS Denial of service vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
CUPS in Mac OS X 10.3.9 and 10.4.2 allows remote attackers to cause a denial of service (CPU consumption) by sending a partial IPP request and closing the connection. Multiple security vulnerabilities are reported to affect Apple Mac OS X; updates are available.
Apache is prone to five vulnerabilities ranging from buffer overflows to access validation vulnerabilities. The CVE Mitre candidate IDs CAN-2005-1344, CAN-2004-0942, CAN-2004-0885, CAN-2004-1083, and CAN-2004-1084 are assigned to these issues.
Appkit is prone to three vulnerabilities. Two of these could result in arbitrary code execution, the third could permit the creation of local accounts. The CVE Mitre candidate IDs CAN-2005-2501, CAN-2005-2502, and CAN-2005-2503 are assigned to these issues.
Bluetooth is prone to a vulnerability regarding authentication bypass. The CVE Mitre candidate ID CAN-2005-2504 is assigned to this issue.
CoreFoundation is prone to two vulnerabilities, one resulting in a buffer overflow, the other a denial-of-service vulnerability. The CVE Mitre candidate IDs CAN-2005-2505 and CAN-2005-2506 are assigned to these issues.
CUPS is prone to two vulnerabilities resulting in a denial of service until the service can be restarted. The CVE Mitre candidate IDs CAN-2005-2525 and CAN-2005-2526 are assigned to these issues.
Directory Services is prone to three vulnerabilities. These issues vary from buffer overflow, unauthorized account creation and deletion, and privilege escalation. The CVE Mitre candidate IDs CAN-2005-2507, CAN-2005-2508 and CAN-2005-2519 are assigned to these issues.
HItoolbox is prone to a vulnerability that could result in information disclosure. The CVE Mitre candidate ID CAN-2005-2513 is assigned to this issue.
Kerberos is prone to five vulnerabilities that may result in a buffer overflow, execution of arbitrary code, and root compromise. The CVE Mitre candidate IDs CAN-2004-1189, CAN-2005-1174, CAN-2005-1175, CAN-2005-1689, and CAN-2005-2511 are assigned to these issues.
loginwindow is prone to a vulnerability that could permit a user to gain access to other logged-in accounts. The CVE Mitre candidate ID CAN-2005-2509 is assigned to this issue.
Mail is prone to a vulnerability regarding the loss of privacy when remote images are loaded into HTML email. The CVE Mitre candidate ID CAN-2005-2512 is assigned to this issue.
MySQL is prone to three vulnerabilities that include arbitrary code execution by remote authenticated users. The CVE Mitre candidate IDs CAN-2005-0709, CAN-2005-0710, and CAN-2005-0711 are assigned to these issues.
OpenSSL is prone to two vulnerabilities resulting in denial of service. The CVE Mitre candidate IDs CAN-2004-0079 and CAN-2004-0112 are assigned to these issues.
ping is prone to a vulnerability that could allow local privilege escalation and arbitrary code execution. The CVE Mitre candidate ID CAN-2005-2514 is assigned to this issue.
QuartzComposerScreenSaver is prone to a vulnerability that could allow users to open pages while the RSS Visualizer screen is locked. The CVE Mitre candidate ID CAN-2005-2515 is assigned to this issue.
Safari is prone to two vulnerabilities that could result in arbitrary command execution or have information submitted to an incorrect site. The CVE Mitre candidate IDs CAN-2005-2516 and CAN-2005-2517 are assigned to these issues.
SecurityInterface is prone to a vulnerability that could expose recently used passwords. The CVE Mitre candidate ID CAN-2005-2520 is assigned to this issue.
servermgrd is prone to a buffer-overflow vulnerability that could ultimately lead to the execution of arbitrary code. The CVE Mitre candidate ID CAN-2005-2518 is assigned to this issue.
servermgr_ipfilter is prone to a vulnerability regarding firewall settings not always being written to the Active Rules. The CVE Mitre candidate ID CAN-2005-2510 is assigned to this issue.
SquirrelMail is prone to two vulnerabilities including a cross-site scripting issue. The CVE Mitre candidate IDs CAN-2005-1769 and CAN-2005-2095 are assigned to these issues.
traceroute is prone to a vulnerability that could result in arbitrary code execution and privilege escalation. The CVE Mitre candidate ID CAN-2005-2521 is assigned to this issue.
WebKit is affected by a vulnerability that could result in code execution regarding a malformed PDF file. The CVE Mitre candidate ID CAN-2005-2522 is assigned to this issue.
Weblog Server is prone to multiple cross-site scripting vulnerabilities. The CVE Mitre candidate ID CAN-2005-2523 is assigned to this issue.
X11 is prone to a vulnerability that could result in arbitrary code execution. The CVE Mitre candidate ID CAN-2005-0605 is assigned to this issue.
zlib is prone to two denial-of-service vulnerabilities that may ultimately lead to arbitrary code execution. The CVE Mitre candidate IDs CAN-2005-2096 and CAN-2005-1849 are assigned to these issues.
These vulnerabilities will be separated into individual BIDs upon further analysis of the issues
| VAR-200508-0318 | CVE-2005-2525 | Mac OS X CUPS Denial of service attack vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
CUPS in Mac OS X 10.3.9 and 10.4.2 does not properly close file descriptors when handling multiple simultaneous print jobs, which allows remote attackers to cause a denial of service (printing halt). Multiple security vulnerabilities are reported to affect Apple Mac OS X; updates are available.
Apache is prone to five vulnerabilities ranging from buffer overflows to access validation vulnerabilities. The CVE Mitre candidate IDs CAN-2005-1344, CAN-2004-0942, CAN-2004-0885, CAN-2004-1083, and CAN-2004-1084 are assigned to these issues.
Appkit is prone to three vulnerabilities. Two of these could result in arbitrary code execution, the third could permit the creation of local accounts. The CVE Mitre candidate IDs CAN-2005-2501, CAN-2005-2502, and CAN-2005-2503 are assigned to these issues.
Bluetooth is prone to a vulnerability regarding authentication bypass. The CVE Mitre candidate ID CAN-2005-2504 is assigned to this issue.
CoreFoundation is prone to two vulnerabilities, one resulting in a buffer overflow, the other a denial-of-service vulnerability. The CVE Mitre candidate IDs CAN-2005-2505 and CAN-2005-2506 are assigned to these issues.
CUPS is prone to two vulnerabilities resulting in a denial of service until the service can be restarted. The CVE Mitre candidate IDs CAN-2005-2525 and CAN-2005-2526 are assigned to these issues.
Directory Services is prone to three vulnerabilities. These issues vary from buffer overflow, unauthorized account creation and deletion, and privilege escalation. The CVE Mitre candidate IDs CAN-2005-2507, CAN-2005-2508 and CAN-2005-2519 are assigned to these issues.
HItoolbox is prone to a vulnerability that could result in information disclosure. The CVE Mitre candidate ID CAN-2005-2513 is assigned to this issue.
Kerberos is prone to five vulnerabilities that may result in a buffer overflow, execution of arbitrary code, and root compromise. The CVE Mitre candidate IDs CAN-2004-1189, CAN-2005-1174, CAN-2005-1175, CAN-2005-1689, and CAN-2005-2511 are assigned to these issues.
loginwindow is prone to a vulnerability that could permit a user to gain access to other logged-in accounts. The CVE Mitre candidate ID CAN-2005-2509 is assigned to this issue.
Mail is prone to a vulnerability regarding the loss of privacy when remote images are loaded into HTML email. The CVE Mitre candidate ID CAN-2005-2512 is assigned to this issue.
MySQL is prone to three vulnerabilities that include arbitrary code execution by remote authenticated users. The CVE Mitre candidate IDs CAN-2005-0709, CAN-2005-0710, and CAN-2005-0711 are assigned to these issues.
OpenSSL is prone to two vulnerabilities resulting in denial of service. The CVE Mitre candidate IDs CAN-2004-0079 and CAN-2004-0112 are assigned to these issues.
ping is prone to a vulnerability that could allow local privilege escalation and arbitrary code execution. The CVE Mitre candidate ID CAN-2005-2514 is assigned to this issue.
QuartzComposerScreenSaver is prone to a vulnerability that could allow users to open pages while the RSS Visualizer screen is locked. The CVE Mitre candidate ID CAN-2005-2515 is assigned to this issue.
Safari is prone to two vulnerabilities that could result in arbitrary command execution or have information submitted to an incorrect site. The CVE Mitre candidate IDs CAN-2005-2516 and CAN-2005-2517 are assigned to these issues.
SecurityInterface is prone to a vulnerability that could expose recently used passwords. The CVE Mitre candidate ID CAN-2005-2520 is assigned to this issue.
servermgrd is prone to a buffer-overflow vulnerability that could ultimately lead to the execution of arbitrary code. The CVE Mitre candidate ID CAN-2005-2518 is assigned to this issue.
servermgr_ipfilter is prone to a vulnerability regarding firewall settings not always being written to the Active Rules. The CVE Mitre candidate ID CAN-2005-2510 is assigned to this issue.
SquirrelMail is prone to two vulnerabilities including a cross-site scripting issue. The CVE Mitre candidate IDs CAN-2005-1769 and CAN-2005-2095 are assigned to these issues.
traceroute is prone to a vulnerability that could result in arbitrary code execution and privilege escalation. The CVE Mitre candidate ID CAN-2005-2521 is assigned to this issue.
WebKit is affected by a vulnerability that could result in code execution regarding a malformed PDF file. The CVE Mitre candidate ID CAN-2005-2522 is assigned to this issue.
Weblog Server is prone to multiple cross-site scripting vulnerabilities. The CVE Mitre candidate ID CAN-2005-2523 is assigned to this issue.
X11 is prone to a vulnerability that could result in arbitrary code execution. The CVE Mitre candidate ID CAN-2005-0605 is assigned to this issue.
zlib is prone to two denial-of-service vulnerabilities that may ultimately lead to arbitrary code execution. The CVE Mitre candidate IDs CAN-2005-2096 and CAN-2005-1849 are assigned to these issues.
These vulnerabilities will be separated into individual BIDs upon further analysis of the issues
| VAR-200508-0315 | CVE-2005-2521 | OpenSSL SSL Handshake NULL Pointer denial of service attack vulnerability |
CVSS V2: 4.6 CVSS V3: - Severity: MEDIUM |
Buffer overflow in traceroute in Mac OS X 10.3.9 allows local users to execute arbitrary code via unknown vectors. Multiple security vulnerabilities are reported to affect Apple Mac OS X; updates are available.
Apache is prone to five vulnerabilities ranging from buffer overflows to access validation vulnerabilities. The CVE Mitre candidate IDs CAN-2005-1344, CAN-2004-0942, CAN-2004-0885, CAN-2004-1083, and CAN-2004-1084 are assigned to these issues.
Appkit is prone to three vulnerabilities. Two of these could result in arbitrary code execution, the third could permit the creation of local accounts. The CVE Mitre candidate IDs CAN-2005-2501, CAN-2005-2502, and CAN-2005-2503 are assigned to these issues.
Bluetooth is prone to a vulnerability regarding authentication bypass. The CVE Mitre candidate ID CAN-2005-2504 is assigned to this issue.
CoreFoundation is prone to two vulnerabilities, one resulting in a buffer overflow, the other a denial-of-service vulnerability. The CVE Mitre candidate IDs CAN-2005-2505 and CAN-2005-2506 are assigned to these issues.
CUPS is prone to two vulnerabilities resulting in a denial of service until the service can be restarted. The CVE Mitre candidate IDs CAN-2005-2525 and CAN-2005-2526 are assigned to these issues.
Directory Services is prone to three vulnerabilities. These issues vary from buffer overflow, unauthorized account creation and deletion, and privilege escalation. The CVE Mitre candidate IDs CAN-2005-2507, CAN-2005-2508 and CAN-2005-2519 are assigned to these issues.
HItoolbox is prone to a vulnerability that could result in information disclosure. The CVE Mitre candidate ID CAN-2005-2513 is assigned to this issue.
Kerberos is prone to five vulnerabilities that may result in a buffer overflow, execution of arbitrary code, and root compromise. The CVE Mitre candidate IDs CAN-2004-1189, CAN-2005-1174, CAN-2005-1175, CAN-2005-1689, and CAN-2005-2511 are assigned to these issues.
loginwindow is prone to a vulnerability that could permit a user to gain access to other logged-in accounts. The CVE Mitre candidate ID CAN-2005-2509 is assigned to this issue.
Mail is prone to a vulnerability regarding the loss of privacy when remote images are loaded into HTML email. The CVE Mitre candidate ID CAN-2005-2512 is assigned to this issue.
MySQL is prone to three vulnerabilities that include arbitrary code execution by remote authenticated users. The CVE Mitre candidate IDs CAN-2005-0709, CAN-2005-0710, and CAN-2005-0711 are assigned to these issues.
OpenSSL is prone to two vulnerabilities resulting in denial of service. The CVE Mitre candidate IDs CAN-2004-0079 and CAN-2004-0112 are assigned to these issues.
ping is prone to a vulnerability that could allow local privilege escalation and arbitrary code execution. The CVE Mitre candidate ID CAN-2005-2514 is assigned to this issue.
QuartzComposerScreenSaver is prone to a vulnerability that could allow users to open pages while the RSS Visualizer screen is locked. The CVE Mitre candidate ID CAN-2005-2515 is assigned to this issue.
Safari is prone to two vulnerabilities that could result in arbitrary command execution or have information submitted to an incorrect site. The CVE Mitre candidate IDs CAN-2005-2516 and CAN-2005-2517 are assigned to these issues.
SecurityInterface is prone to a vulnerability that could expose recently used passwords. The CVE Mitre candidate ID CAN-2005-2520 is assigned to this issue.
servermgrd is prone to a buffer-overflow vulnerability that could ultimately lead to the execution of arbitrary code. The CVE Mitre candidate ID CAN-2005-2518 is assigned to this issue.
servermgr_ipfilter is prone to a vulnerability regarding firewall settings not always being written to the Active Rules. The CVE Mitre candidate ID CAN-2005-2510 is assigned to this issue.
SquirrelMail is prone to two vulnerabilities including a cross-site scripting issue. The CVE Mitre candidate IDs CAN-2005-1769 and CAN-2005-2095 are assigned to these issues.
traceroute is prone to a vulnerability that could result in arbitrary code execution and privilege escalation. The CVE Mitre candidate ID CAN-2005-2521 is assigned to this issue.
WebKit is affected by a vulnerability that could result in code execution regarding a malformed PDF file. The CVE Mitre candidate ID CAN-2005-2522 is assigned to this issue.
Weblog Server is prone to multiple cross-site scripting vulnerabilities. The CVE Mitre candidate ID CAN-2005-2523 is assigned to this issue.
X11 is prone to a vulnerability that could result in arbitrary code execution. The CVE Mitre candidate ID CAN-2005-0605 is assigned to this issue.
zlib is prone to two denial-of-service vulnerabilities that may ultimately lead to arbitrary code execution. The CVE Mitre candidate IDs CAN-2005-2096 and CAN-2005-1849 are assigned to these issues.
These vulnerabilities will be separated into individual BIDs upon further analysis of the issues. OpenSSL is an open source general-purpose encryption library developed by the OpenSSL team that can implement the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols. It supports a variety of encryption algorithms, including symmetric ciphers, hash algorithms, security hashing algorithm, etc. A bug in OpenSSL's handling of the SSL/TLS handshake implementation could be exploited by a remote attacker to crash OpenSSL. Using the Codenomicon TLS testing tool, OpenSSL found a NULL pointer allocation in the do_change_cipher_spec() function. A remote attacker can construct a special SSL/TLS handshake and send it to a server using the OpenSSL library, which can cause OpenSSL to crash, and applications that rely on this library will cause a denial of service
| VAR-200508-0314 | CVE-2005-2520 | Mac OS X Cryptographic assistant Password leak vulnerability |
CVSS V2: 2.1 CVSS V3: - Severity: LOW |
The password assistant in Mac OS X 10.4 to 10.4.2, when used to create multiple accounts from the same process, does not reset the suggested password list when the assistant is displayed, which allows attackers to view recently used passwords. Multiple security vulnerabilities are reported to affect Apple Mac OS X; updates are available.
Apache is prone to five vulnerabilities ranging from buffer overflows to access validation vulnerabilities. The CVE Mitre candidate IDs CAN-2005-1344, CAN-2004-0942, CAN-2004-0885, CAN-2004-1083, and CAN-2004-1084 are assigned to these issues.
Appkit is prone to three vulnerabilities. Two of these could result in arbitrary code execution, the third could permit the creation of local accounts. The CVE Mitre candidate IDs CAN-2005-2501, CAN-2005-2502, and CAN-2005-2503 are assigned to these issues.
Bluetooth is prone to a vulnerability regarding authentication bypass. The CVE Mitre candidate ID CAN-2005-2504 is assigned to this issue.
CoreFoundation is prone to two vulnerabilities, one resulting in a buffer overflow, the other a denial-of-service vulnerability. The CVE Mitre candidate IDs CAN-2005-2505 and CAN-2005-2506 are assigned to these issues.
CUPS is prone to two vulnerabilities resulting in a denial of service until the service can be restarted. The CVE Mitre candidate IDs CAN-2005-2525 and CAN-2005-2526 are assigned to these issues.
Directory Services is prone to three vulnerabilities. These issues vary from buffer overflow, unauthorized account creation and deletion, and privilege escalation. The CVE Mitre candidate IDs CAN-2005-2507, CAN-2005-2508 and CAN-2005-2519 are assigned to these issues.
HItoolbox is prone to a vulnerability that could result in information disclosure. The CVE Mitre candidate ID CAN-2005-2513 is assigned to this issue.
Kerberos is prone to five vulnerabilities that may result in a buffer overflow, execution of arbitrary code, and root compromise. The CVE Mitre candidate IDs CAN-2004-1189, CAN-2005-1174, CAN-2005-1175, CAN-2005-1689, and CAN-2005-2511 are assigned to these issues.
loginwindow is prone to a vulnerability that could permit a user to gain access to other logged-in accounts. The CVE Mitre candidate ID CAN-2005-2509 is assigned to this issue.
Mail is prone to a vulnerability regarding the loss of privacy when remote images are loaded into HTML email. The CVE Mitre candidate ID CAN-2005-2512 is assigned to this issue.
MySQL is prone to three vulnerabilities that include arbitrary code execution by remote authenticated users. The CVE Mitre candidate IDs CAN-2005-0709, CAN-2005-0710, and CAN-2005-0711 are assigned to these issues.
OpenSSL is prone to two vulnerabilities resulting in denial of service. The CVE Mitre candidate IDs CAN-2004-0079 and CAN-2004-0112 are assigned to these issues.
ping is prone to a vulnerability that could allow local privilege escalation and arbitrary code execution. The CVE Mitre candidate ID CAN-2005-2514 is assigned to this issue.
QuartzComposerScreenSaver is prone to a vulnerability that could allow users to open pages while the RSS Visualizer screen is locked. The CVE Mitre candidate ID CAN-2005-2515 is assigned to this issue.
Safari is prone to two vulnerabilities that could result in arbitrary command execution or have information submitted to an incorrect site. The CVE Mitre candidate IDs CAN-2005-2516 and CAN-2005-2517 are assigned to these issues.
SecurityInterface is prone to a vulnerability that could expose recently used passwords. The CVE Mitre candidate ID CAN-2005-2520 is assigned to this issue.
servermgrd is prone to a buffer-overflow vulnerability that could ultimately lead to the execution of arbitrary code. The CVE Mitre candidate ID CAN-2005-2518 is assigned to this issue.
servermgr_ipfilter is prone to a vulnerability regarding firewall settings not always being written to the Active Rules. The CVE Mitre candidate ID CAN-2005-2510 is assigned to this issue.
SquirrelMail is prone to two vulnerabilities including a cross-site scripting issue. The CVE Mitre candidate IDs CAN-2005-1769 and CAN-2005-2095 are assigned to these issues.
traceroute is prone to a vulnerability that could result in arbitrary code execution and privilege escalation. The CVE Mitre candidate ID CAN-2005-2521 is assigned to this issue.
WebKit is affected by a vulnerability that could result in code execution regarding a malformed PDF file. The CVE Mitre candidate ID CAN-2005-2522 is assigned to this issue.
Weblog Server is prone to multiple cross-site scripting vulnerabilities. The CVE Mitre candidate ID CAN-2005-2523 is assigned to this issue.
X11 is prone to a vulnerability that could result in arbitrary code execution. The CVE Mitre candidate ID CAN-2005-0605 is assigned to this issue.
zlib is prone to two denial-of-service vulnerabilities that may ultimately lead to arbitrary code execution. The CVE Mitre candidate IDs CAN-2005-2096 and CAN-2005-1849 are assigned to these issues.
These vulnerabilities will be separated into individual BIDs upon further analysis of the issues
| VAR-200508-0313 | CVE-2005-2519 | Mac OS X Directory server slpd Privilege escalation vulnerability |
CVSS V2: 7.2 CVSS V3: - Severity: HIGH |
slpd in Directory Services in Mac OS X 10.3.9 creates insecure temporary files as root, which allows local users to gain privileges. Multiple security vulnerabilities are reported to affect Apple Mac OS X; updates are available.
Apache is prone to five vulnerabilities ranging from buffer overflows to access validation vulnerabilities. The CVE Mitre candidate IDs CAN-2005-1344, CAN-2004-0942, CAN-2004-0885, CAN-2004-1083, and CAN-2004-1084 are assigned to these issues.
Appkit is prone to three vulnerabilities. Two of these could result in arbitrary code execution, the third could permit the creation of local accounts. The CVE Mitre candidate IDs CAN-2005-2501, CAN-2005-2502, and CAN-2005-2503 are assigned to these issues.
Bluetooth is prone to a vulnerability regarding authentication bypass. The CVE Mitre candidate ID CAN-2005-2504 is assigned to this issue.
CoreFoundation is prone to two vulnerabilities, one resulting in a buffer overflow, the other a denial-of-service vulnerability. The CVE Mitre candidate IDs CAN-2005-2505 and CAN-2005-2506 are assigned to these issues.
CUPS is prone to two vulnerabilities resulting in a denial of service until the service can be restarted. The CVE Mitre candidate IDs CAN-2005-2525 and CAN-2005-2526 are assigned to these issues.
Directory Services is prone to three vulnerabilities. These issues vary from buffer overflow, unauthorized account creation and deletion, and privilege escalation. The CVE Mitre candidate IDs CAN-2005-2507, CAN-2005-2508 and CAN-2005-2519 are assigned to these issues.
HItoolbox is prone to a vulnerability that could result in information disclosure. The CVE Mitre candidate ID CAN-2005-2513 is assigned to this issue.
Kerberos is prone to five vulnerabilities that may result in a buffer overflow, execution of arbitrary code, and root compromise. The CVE Mitre candidate IDs CAN-2004-1189, CAN-2005-1174, CAN-2005-1175, CAN-2005-1689, and CAN-2005-2511 are assigned to these issues.
loginwindow is prone to a vulnerability that could permit a user to gain access to other logged-in accounts. The CVE Mitre candidate ID CAN-2005-2509 is assigned to this issue.
Mail is prone to a vulnerability regarding the loss of privacy when remote images are loaded into HTML email. The CVE Mitre candidate ID CAN-2005-2512 is assigned to this issue.
MySQL is prone to three vulnerabilities that include arbitrary code execution by remote authenticated users. The CVE Mitre candidate IDs CAN-2005-0709, CAN-2005-0710, and CAN-2005-0711 are assigned to these issues.
OpenSSL is prone to two vulnerabilities resulting in denial of service. The CVE Mitre candidate IDs CAN-2004-0079 and CAN-2004-0112 are assigned to these issues.
ping is prone to a vulnerability that could allow local privilege escalation and arbitrary code execution. The CVE Mitre candidate ID CAN-2005-2514 is assigned to this issue.
QuartzComposerScreenSaver is prone to a vulnerability that could allow users to open pages while the RSS Visualizer screen is locked. The CVE Mitre candidate ID CAN-2005-2515 is assigned to this issue.
Safari is prone to two vulnerabilities that could result in arbitrary command execution or have information submitted to an incorrect site. The CVE Mitre candidate IDs CAN-2005-2516 and CAN-2005-2517 are assigned to these issues.
SecurityInterface is prone to a vulnerability that could expose recently used passwords. The CVE Mitre candidate ID CAN-2005-2520 is assigned to this issue.
servermgrd is prone to a buffer-overflow vulnerability that could ultimately lead to the execution of arbitrary code. The CVE Mitre candidate ID CAN-2005-2518 is assigned to this issue.
servermgr_ipfilter is prone to a vulnerability regarding firewall settings not always being written to the Active Rules. The CVE Mitre candidate ID CAN-2005-2510 is assigned to this issue.
SquirrelMail is prone to two vulnerabilities including a cross-site scripting issue. The CVE Mitre candidate IDs CAN-2005-1769 and CAN-2005-2095 are assigned to these issues.
traceroute is prone to a vulnerability that could result in arbitrary code execution and privilege escalation. The CVE Mitre candidate ID CAN-2005-2521 is assigned to this issue.
WebKit is affected by a vulnerability that could result in code execution regarding a malformed PDF file. The CVE Mitre candidate ID CAN-2005-2522 is assigned to this issue.
Weblog Server is prone to multiple cross-site scripting vulnerabilities. The CVE Mitre candidate ID CAN-2005-2523 is assigned to this issue.
X11 is prone to a vulnerability that could result in arbitrary code execution. The CVE Mitre candidate ID CAN-2005-0605 is assigned to this issue.
zlib is prone to two denial-of-service vulnerabilities that may ultimately lead to arbitrary code execution. The CVE Mitre candidate IDs CAN-2005-2096 and CAN-2005-1849 are assigned to these issues.
These vulnerabilities will be separated into individual BIDs upon further analysis of the issues
| VAR-200508-0309 | CVE-2005-2515 | Mac OS X Quartz Composer Screen saver password bypass vulnerability |
CVSS V2: 4.6 CVSS V3: - Severity: MEDIUM |
Quartz Composer Screen Saver in Mac OS X 10.4.2 allows local users to access links from the RSS Visualizer even when a password is required. Multiple security vulnerabilities are reported to affect Apple Mac OS X; updates are available.
Apache is prone to five vulnerabilities ranging from buffer overflows to access validation vulnerabilities. The CVE Mitre candidate IDs CAN-2005-1344, CAN-2004-0942, CAN-2004-0885, CAN-2004-1083, and CAN-2004-1084 are assigned to these issues.
Appkit is prone to three vulnerabilities. Two of these could result in arbitrary code execution, the third could permit the creation of local accounts. The CVE Mitre candidate IDs CAN-2005-2501, CAN-2005-2502, and CAN-2005-2503 are assigned to these issues.
Bluetooth is prone to a vulnerability regarding authentication bypass. The CVE Mitre candidate ID CAN-2005-2504 is assigned to this issue.
CoreFoundation is prone to two vulnerabilities, one resulting in a buffer overflow, the other a denial-of-service vulnerability. The CVE Mitre candidate IDs CAN-2005-2505 and CAN-2005-2506 are assigned to these issues.
CUPS is prone to two vulnerabilities resulting in a denial of service until the service can be restarted. The CVE Mitre candidate IDs CAN-2005-2525 and CAN-2005-2526 are assigned to these issues.
Directory Services is prone to three vulnerabilities. These issues vary from buffer overflow, unauthorized account creation and deletion, and privilege escalation. The CVE Mitre candidate IDs CAN-2005-2507, CAN-2005-2508 and CAN-2005-2519 are assigned to these issues.
HItoolbox is prone to a vulnerability that could result in information disclosure. The CVE Mitre candidate ID CAN-2005-2513 is assigned to this issue.
Kerberos is prone to five vulnerabilities that may result in a buffer overflow, execution of arbitrary code, and root compromise. The CVE Mitre candidate IDs CAN-2004-1189, CAN-2005-1174, CAN-2005-1175, CAN-2005-1689, and CAN-2005-2511 are assigned to these issues.
loginwindow is prone to a vulnerability that could permit a user to gain access to other logged-in accounts. The CVE Mitre candidate ID CAN-2005-2509 is assigned to this issue.
Mail is prone to a vulnerability regarding the loss of privacy when remote images are loaded into HTML email. The CVE Mitre candidate ID CAN-2005-2512 is assigned to this issue.
MySQL is prone to three vulnerabilities that include arbitrary code execution by remote authenticated users. The CVE Mitre candidate IDs CAN-2005-0709, CAN-2005-0710, and CAN-2005-0711 are assigned to these issues.
OpenSSL is prone to two vulnerabilities resulting in denial of service. The CVE Mitre candidate IDs CAN-2004-0079 and CAN-2004-0112 are assigned to these issues.
ping is prone to a vulnerability that could allow local privilege escalation and arbitrary code execution. The CVE Mitre candidate ID CAN-2005-2514 is assigned to this issue.
QuartzComposerScreenSaver is prone to a vulnerability that could allow users to open pages while the RSS Visualizer screen is locked. The CVE Mitre candidate ID CAN-2005-2515 is assigned to this issue.
Safari is prone to two vulnerabilities that could result in arbitrary command execution or have information submitted to an incorrect site. The CVE Mitre candidate IDs CAN-2005-2516 and CAN-2005-2517 are assigned to these issues.
SecurityInterface is prone to a vulnerability that could expose recently used passwords. The CVE Mitre candidate ID CAN-2005-2520 is assigned to this issue.
servermgrd is prone to a buffer-overflow vulnerability that could ultimately lead to the execution of arbitrary code. The CVE Mitre candidate ID CAN-2005-2518 is assigned to this issue.
servermgr_ipfilter is prone to a vulnerability regarding firewall settings not always being written to the Active Rules. The CVE Mitre candidate ID CAN-2005-2510 is assigned to this issue.
SquirrelMail is prone to two vulnerabilities including a cross-site scripting issue. The CVE Mitre candidate IDs CAN-2005-1769 and CAN-2005-2095 are assigned to these issues.
traceroute is prone to a vulnerability that could result in arbitrary code execution and privilege escalation. The CVE Mitre candidate ID CAN-2005-2521 is assigned to this issue.
WebKit is affected by a vulnerability that could result in code execution regarding a malformed PDF file. The CVE Mitre candidate ID CAN-2005-2522 is assigned to this issue.
Weblog Server is prone to multiple cross-site scripting vulnerabilities. The CVE Mitre candidate ID CAN-2005-2523 is assigned to this issue.
X11 is prone to a vulnerability that could result in arbitrary code execution. The CVE Mitre candidate ID CAN-2005-0605 is assigned to this issue.
zlib is prone to two denial-of-service vulnerabilities that may ultimately lead to arbitrary code execution. The CVE Mitre candidate IDs CAN-2005-2096 and CAN-2005-1849 are assigned to these issues.
These vulnerabilities will be separated into individual BIDs upon further analysis of the issues
| VAR-200508-0317 | CVE-2005-2523 | Mac OS X Weblog Server Multiple Cross-Site Scripting Vulnerabilities |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Multiple cross-site scripting (XSS) vulnerabilities in Weblog Server in Mac OS X 10.4 to 10.4.2 allow remote attackers to inject arbitrary web script or HTML via unknown vectors. Multiple security vulnerabilities are reported to affect Apple Mac OS X; updates are available.
Apache is prone to five vulnerabilities ranging from buffer overflows to access validation vulnerabilities. The CVE Mitre candidate IDs CAN-2005-1344, CAN-2004-0942, CAN-2004-0885, CAN-2004-1083, and CAN-2004-1084 are assigned to these issues.
Appkit is prone to three vulnerabilities. Two of these could result in arbitrary code execution, the third could permit the creation of local accounts. The CVE Mitre candidate IDs CAN-2005-2501, CAN-2005-2502, and CAN-2005-2503 are assigned to these issues.
Bluetooth is prone to a vulnerability regarding authentication bypass. The CVE Mitre candidate ID CAN-2005-2504 is assigned to this issue.
CoreFoundation is prone to two vulnerabilities, one resulting in a buffer overflow, the other a denial-of-service vulnerability. The CVE Mitre candidate IDs CAN-2005-2505 and CAN-2005-2506 are assigned to these issues.
CUPS is prone to two vulnerabilities resulting in a denial of service until the service can be restarted. The CVE Mitre candidate IDs CAN-2005-2525 and CAN-2005-2526 are assigned to these issues.
Directory Services is prone to three vulnerabilities. These issues vary from buffer overflow, unauthorized account creation and deletion, and privilege escalation. The CVE Mitre candidate IDs CAN-2005-2507, CAN-2005-2508 and CAN-2005-2519 are assigned to these issues.
HItoolbox is prone to a vulnerability that could result in information disclosure. The CVE Mitre candidate ID CAN-2005-2513 is assigned to this issue.
Kerberos is prone to five vulnerabilities that may result in a buffer overflow, execution of arbitrary code, and root compromise. The CVE Mitre candidate IDs CAN-2004-1189, CAN-2005-1174, CAN-2005-1175, CAN-2005-1689, and CAN-2005-2511 are assigned to these issues.
loginwindow is prone to a vulnerability that could permit a user to gain access to other logged-in accounts. The CVE Mitre candidate ID CAN-2005-2509 is assigned to this issue.
Mail is prone to a vulnerability regarding the loss of privacy when remote images are loaded into HTML email. The CVE Mitre candidate ID CAN-2005-2512 is assigned to this issue.
MySQL is prone to three vulnerabilities that include arbitrary code execution by remote authenticated users. The CVE Mitre candidate IDs CAN-2005-0709, CAN-2005-0710, and CAN-2005-0711 are assigned to these issues.
OpenSSL is prone to two vulnerabilities resulting in denial of service. The CVE Mitre candidate IDs CAN-2004-0079 and CAN-2004-0112 are assigned to these issues.
ping is prone to a vulnerability that could allow local privilege escalation and arbitrary code execution. The CVE Mitre candidate ID CAN-2005-2514 is assigned to this issue.
QuartzComposerScreenSaver is prone to a vulnerability that could allow users to open pages while the RSS Visualizer screen is locked. The CVE Mitre candidate ID CAN-2005-2515 is assigned to this issue.
Safari is prone to two vulnerabilities that could result in arbitrary command execution or have information submitted to an incorrect site. The CVE Mitre candidate IDs CAN-2005-2516 and CAN-2005-2517 are assigned to these issues.
SecurityInterface is prone to a vulnerability that could expose recently used passwords. The CVE Mitre candidate ID CAN-2005-2520 is assigned to this issue.
servermgrd is prone to a buffer-overflow vulnerability that could ultimately lead to the execution of arbitrary code. The CVE Mitre candidate ID CAN-2005-2518 is assigned to this issue.
servermgr_ipfilter is prone to a vulnerability regarding firewall settings not always being written to the Active Rules. The CVE Mitre candidate ID CAN-2005-2510 is assigned to this issue.
SquirrelMail is prone to two vulnerabilities including a cross-site scripting issue. The CVE Mitre candidate IDs CAN-2005-1769 and CAN-2005-2095 are assigned to these issues.
traceroute is prone to a vulnerability that could result in arbitrary code execution and privilege escalation. The CVE Mitre candidate ID CAN-2005-2521 is assigned to this issue.
WebKit is affected by a vulnerability that could result in code execution regarding a malformed PDF file. The CVE Mitre candidate ID CAN-2005-2522 is assigned to this issue. The CVE Mitre candidate ID CAN-2005-2523 is assigned to this issue.
X11 is prone to a vulnerability that could result in arbitrary code execution. The CVE Mitre candidate ID CAN-2005-0605 is assigned to this issue.
zlib is prone to two denial-of-service vulnerabilities that may ultimately lead to arbitrary code execution. The CVE Mitre candidate IDs CAN-2005-2096 and CAN-2005-1849 are assigned to these issues.
These vulnerabilities will be separated into individual BIDs upon further analysis of the issues. These issues are due to a failure in the application to properly sanitize user-supplied input.
An attacker may leverage these issues to have arbitrary script code executed in the browser of an unsuspecting user in the context of the affected site. This may facilitate the theft of cookie-based authentication credentials as well as other attacks. It is now being assigned its own BID
| VAR-200508-0311 | CVE-2005-2517 | OpenSSL SSL Handshake NULL Pointer denial of service attack vulnerability |
CVSS V2: 2.6 CVSS V3: - Severity: LOW |
Safari in Mac OS X 10.3.9 and 10.4.2 submits forms from an XSL formatted page to the next page that is browsed by the user, which causes form data to be sent to the wrong site. Multiple security vulnerabilities are reported to affect Apple Mac OS X; updates are available.
Apache is prone to five vulnerabilities ranging from buffer overflows to access validation vulnerabilities. The CVE Mitre candidate IDs CAN-2005-1344, CAN-2004-0942, CAN-2004-0885, CAN-2004-1083, and CAN-2004-1084 are assigned to these issues.
Appkit is prone to three vulnerabilities. Two of these could result in arbitrary code execution, the third could permit the creation of local accounts. The CVE Mitre candidate IDs CAN-2005-2501, CAN-2005-2502, and CAN-2005-2503 are assigned to these issues.
Bluetooth is prone to a vulnerability regarding authentication bypass. The CVE Mitre candidate ID CAN-2005-2504 is assigned to this issue.
CoreFoundation is prone to two vulnerabilities, one resulting in a buffer overflow, the other a denial-of-service vulnerability. The CVE Mitre candidate IDs CAN-2005-2505 and CAN-2005-2506 are assigned to these issues.
CUPS is prone to two vulnerabilities resulting in a denial of service until the service can be restarted. The CVE Mitre candidate IDs CAN-2005-2525 and CAN-2005-2526 are assigned to these issues.
Directory Services is prone to three vulnerabilities. These issues vary from buffer overflow, unauthorized account creation and deletion, and privilege escalation. The CVE Mitre candidate IDs CAN-2005-2507, CAN-2005-2508 and CAN-2005-2519 are assigned to these issues.
HItoolbox is prone to a vulnerability that could result in information disclosure. The CVE Mitre candidate ID CAN-2005-2513 is assigned to this issue.
Kerberos is prone to five vulnerabilities that may result in a buffer overflow, execution of arbitrary code, and root compromise. The CVE Mitre candidate IDs CAN-2004-1189, CAN-2005-1174, CAN-2005-1175, CAN-2005-1689, and CAN-2005-2511 are assigned to these issues.
loginwindow is prone to a vulnerability that could permit a user to gain access to other logged-in accounts. The CVE Mitre candidate ID CAN-2005-2509 is assigned to this issue.
Mail is prone to a vulnerability regarding the loss of privacy when remote images are loaded into HTML email. The CVE Mitre candidate ID CAN-2005-2512 is assigned to this issue.
MySQL is prone to three vulnerabilities that include arbitrary code execution by remote authenticated users. The CVE Mitre candidate IDs CAN-2005-0709, CAN-2005-0710, and CAN-2005-0711 are assigned to these issues.
OpenSSL is prone to two vulnerabilities resulting in denial of service. The CVE Mitre candidate IDs CAN-2004-0079 and CAN-2004-0112 are assigned to these issues.
ping is prone to a vulnerability that could allow local privilege escalation and arbitrary code execution. The CVE Mitre candidate ID CAN-2005-2514 is assigned to this issue.
QuartzComposerScreenSaver is prone to a vulnerability that could allow users to open pages while the RSS Visualizer screen is locked. The CVE Mitre candidate ID CAN-2005-2515 is assigned to this issue.
Safari is prone to two vulnerabilities that could result in arbitrary command execution or have information submitted to an incorrect site. The CVE Mitre candidate IDs CAN-2005-2516 and CAN-2005-2517 are assigned to these issues.
SecurityInterface is prone to a vulnerability that could expose recently used passwords. The CVE Mitre candidate ID CAN-2005-2520 is assigned to this issue.
servermgrd is prone to a buffer-overflow vulnerability that could ultimately lead to the execution of arbitrary code. The CVE Mitre candidate ID CAN-2005-2518 is assigned to this issue.
servermgr_ipfilter is prone to a vulnerability regarding firewall settings not always being written to the Active Rules. The CVE Mitre candidate ID CAN-2005-2510 is assigned to this issue.
SquirrelMail is prone to two vulnerabilities including a cross-site scripting issue. The CVE Mitre candidate IDs CAN-2005-1769 and CAN-2005-2095 are assigned to these issues.
traceroute is prone to a vulnerability that could result in arbitrary code execution and privilege escalation. The CVE Mitre candidate ID CAN-2005-2521 is assigned to this issue.
WebKit is affected by a vulnerability that could result in code execution regarding a malformed PDF file. The CVE Mitre candidate ID CAN-2005-2522 is assigned to this issue.
Weblog Server is prone to multiple cross-site scripting vulnerabilities. The CVE Mitre candidate ID CAN-2005-2523 is assigned to this issue.
X11 is prone to a vulnerability that could result in arbitrary code execution. The CVE Mitre candidate ID CAN-2005-0605 is assigned to this issue.
zlib is prone to two denial-of-service vulnerabilities that may ultimately lead to arbitrary code execution. The CVE Mitre candidate IDs CAN-2005-2096 and CAN-2005-1849 are assigned to these issues.
These vulnerabilities will be separated into individual BIDs upon further analysis of the issues. OpenSSL is an open source general-purpose encryption library developed by the OpenSSL team that can implement the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols. It supports a variety of encryption algorithms, including symmetric ciphers, hash algorithms, security hashing algorithm, etc. A bug in OpenSSL's handling of the SSL/TLS handshake implementation could be exploited by a remote attacker to crash OpenSSL. Using the Codenomicon TLS testing tool, OpenSSL found a NULL pointer allocation in the do_change_cipher_spec() function. A remote attacker can construct a special SSL/TLS handshake and send it to a server using the OpenSSL library, which can cause OpenSSL to crash, and applications that rely on this library will cause a denial of service
| VAR-200508-0308 | CVE-2005-2514 | Mac OS X ping Command buffer overflow vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Buffer overflow in ping in Mac OS X 10.3.9 allows local users to execute arbitrary code. Multiple security vulnerabilities are reported to affect Apple Mac OS X; updates are available.
Apache is prone to five vulnerabilities ranging from buffer overflows to access validation vulnerabilities. The CVE Mitre candidate IDs CAN-2005-1344, CAN-2004-0942, CAN-2004-0885, CAN-2004-1083, and CAN-2004-1084 are assigned to these issues.
Appkit is prone to three vulnerabilities. Two of these could result in arbitrary code execution, the third could permit the creation of local accounts. The CVE Mitre candidate IDs CAN-2005-2501, CAN-2005-2502, and CAN-2005-2503 are assigned to these issues.
Bluetooth is prone to a vulnerability regarding authentication bypass. The CVE Mitre candidate ID CAN-2005-2504 is assigned to this issue.
CoreFoundation is prone to two vulnerabilities, one resulting in a buffer overflow, the other a denial-of-service vulnerability. The CVE Mitre candidate IDs CAN-2005-2505 and CAN-2005-2506 are assigned to these issues.
CUPS is prone to two vulnerabilities resulting in a denial of service until the service can be restarted. The CVE Mitre candidate IDs CAN-2005-2525 and CAN-2005-2526 are assigned to these issues.
Directory Services is prone to three vulnerabilities. These issues vary from buffer overflow, unauthorized account creation and deletion, and privilege escalation. The CVE Mitre candidate IDs CAN-2005-2507, CAN-2005-2508 and CAN-2005-2519 are assigned to these issues.
HItoolbox is prone to a vulnerability that could result in information disclosure. The CVE Mitre candidate ID CAN-2005-2513 is assigned to this issue.
Kerberos is prone to five vulnerabilities that may result in a buffer overflow, execution of arbitrary code, and root compromise. The CVE Mitre candidate IDs CAN-2004-1189, CAN-2005-1174, CAN-2005-1175, CAN-2005-1689, and CAN-2005-2511 are assigned to these issues.
loginwindow is prone to a vulnerability that could permit a user to gain access to other logged-in accounts. The CVE Mitre candidate ID CAN-2005-2509 is assigned to this issue.
Mail is prone to a vulnerability regarding the loss of privacy when remote images are loaded into HTML email. The CVE Mitre candidate ID CAN-2005-2512 is assigned to this issue.
MySQL is prone to three vulnerabilities that include arbitrary code execution by remote authenticated users. The CVE Mitre candidate IDs CAN-2005-0709, CAN-2005-0710, and CAN-2005-0711 are assigned to these issues.
OpenSSL is prone to two vulnerabilities resulting in denial of service. The CVE Mitre candidate IDs CAN-2004-0079 and CAN-2004-0112 are assigned to these issues. The CVE Mitre candidate ID CAN-2005-2514 is assigned to this issue.
QuartzComposerScreenSaver is prone to a vulnerability that could allow users to open pages while the RSS Visualizer screen is locked. The CVE Mitre candidate ID CAN-2005-2515 is assigned to this issue.
Safari is prone to two vulnerabilities that could result in arbitrary command execution or have information submitted to an incorrect site. The CVE Mitre candidate IDs CAN-2005-2516 and CAN-2005-2517 are assigned to these issues.
SecurityInterface is prone to a vulnerability that could expose recently used passwords. The CVE Mitre candidate ID CAN-2005-2520 is assigned to this issue.
servermgrd is prone to a buffer-overflow vulnerability that could ultimately lead to the execution of arbitrary code. The CVE Mitre candidate ID CAN-2005-2518 is assigned to this issue.
servermgr_ipfilter is prone to a vulnerability regarding firewall settings not always being written to the Active Rules. The CVE Mitre candidate ID CAN-2005-2510 is assigned to this issue.
SquirrelMail is prone to two vulnerabilities including a cross-site scripting issue. The CVE Mitre candidate IDs CAN-2005-1769 and CAN-2005-2095 are assigned to these issues.
traceroute is prone to a vulnerability that could result in arbitrary code execution and privilege escalation. The CVE Mitre candidate ID CAN-2005-2521 is assigned to this issue.
WebKit is affected by a vulnerability that could result in code execution regarding a malformed PDF file. The CVE Mitre candidate ID CAN-2005-2522 is assigned to this issue.
Weblog Server is prone to multiple cross-site scripting vulnerabilities. The CVE Mitre candidate ID CAN-2005-2523 is assigned to this issue.
X11 is prone to a vulnerability that could result in arbitrary code execution. The CVE Mitre candidate ID CAN-2005-0605 is assigned to this issue.
zlib is prone to two denial-of-service vulnerabilities that may ultimately lead to arbitrary code execution. The CVE Mitre candidate IDs CAN-2005-2096 and CAN-2005-1849 are assigned to these issues.
These vulnerabilities will be separated into individual BIDs upon further analysis of the issues
| VAR-200508-0307 | CVE-2005-2513 | OpenSSL SSL Handshake NULL Pointer denial of service attack vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Unknown vulnerability in HItoolbox for Mac OS X 10.4.2 allows VoiceOver services to read secure input fields.
Apache is prone to five vulnerabilities ranging from buffer overflows to access validation vulnerabilities. The CVE Mitre candidate IDs CAN-2005-1344, CAN-2004-0942, CAN-2004-0885, CAN-2004-1083, and CAN-2004-1084 are assigned to these issues.
Appkit is prone to three vulnerabilities. Two of these could result in arbitrary code execution, the third could permit the creation of local accounts. The CVE Mitre candidate IDs CAN-2005-2501, CAN-2005-2502, and CAN-2005-2503 are assigned to these issues.
Bluetooth is prone to a vulnerability regarding authentication bypass. The CVE Mitre candidate ID CAN-2005-2504 is assigned to this issue.
CoreFoundation is prone to two vulnerabilities, one resulting in a buffer overflow, the other a denial-of-service vulnerability. The CVE Mitre candidate IDs CAN-2005-2505 and CAN-2005-2506 are assigned to these issues.
CUPS is prone to two vulnerabilities resulting in a denial of service until the service can be restarted. The CVE Mitre candidate IDs CAN-2005-2525 and CAN-2005-2526 are assigned to these issues.
Directory Services is prone to three vulnerabilities. These issues vary from buffer overflow, unauthorized account creation and deletion, and privilege escalation. The CVE Mitre candidate IDs CAN-2005-2507, CAN-2005-2508 and CAN-2005-2519 are assigned to these issues.
HItoolbox is prone to a vulnerability that could result in information disclosure. The CVE Mitre candidate ID CAN-2005-2513 is assigned to this issue.
Kerberos is prone to five vulnerabilities that may result in a buffer overflow, execution of arbitrary code, and root compromise. The CVE Mitre candidate IDs CAN-2004-1189, CAN-2005-1174, CAN-2005-1175, CAN-2005-1689, and CAN-2005-2511 are assigned to these issues.
loginwindow is prone to a vulnerability that could permit a user to gain access to other logged-in accounts. The CVE Mitre candidate ID CAN-2005-2509 is assigned to this issue.
Mail is prone to a vulnerability regarding the loss of privacy when remote images are loaded into HTML email. The CVE Mitre candidate ID CAN-2005-2512 is assigned to this issue.
MySQL is prone to three vulnerabilities that include arbitrary code execution by remote authenticated users. The CVE Mitre candidate IDs CAN-2005-0709, CAN-2005-0710, and CAN-2005-0711 are assigned to these issues.
OpenSSL is prone to two vulnerabilities resulting in denial of service. The CVE Mitre candidate IDs CAN-2004-0079 and CAN-2004-0112 are assigned to these issues.
ping is prone to a vulnerability that could allow local privilege escalation and arbitrary code execution. The CVE Mitre candidate ID CAN-2005-2514 is assigned to this issue.
QuartzComposerScreenSaver is prone to a vulnerability that could allow users to open pages while the RSS Visualizer screen is locked. The CVE Mitre candidate ID CAN-2005-2515 is assigned to this issue.
Safari is prone to two vulnerabilities that could result in arbitrary command execution or have information submitted to an incorrect site. The CVE Mitre candidate IDs CAN-2005-2516 and CAN-2005-2517 are assigned to these issues.
SecurityInterface is prone to a vulnerability that could expose recently used passwords. The CVE Mitre candidate ID CAN-2005-2520 is assigned to this issue.
servermgrd is prone to a buffer-overflow vulnerability that could ultimately lead to the execution of arbitrary code. The CVE Mitre candidate ID CAN-2005-2518 is assigned to this issue.
servermgr_ipfilter is prone to a vulnerability regarding firewall settings not always being written to the Active Rules. The CVE Mitre candidate ID CAN-2005-2510 is assigned to this issue.
SquirrelMail is prone to two vulnerabilities including a cross-site scripting issue. The CVE Mitre candidate IDs CAN-2005-1769 and CAN-2005-2095 are assigned to these issues.
traceroute is prone to a vulnerability that could result in arbitrary code execution and privilege escalation. The CVE Mitre candidate ID CAN-2005-2521 is assigned to this issue.
WebKit is affected by a vulnerability that could result in code execution regarding a malformed PDF file. The CVE Mitre candidate ID CAN-2005-2522 is assigned to this issue.
Weblog Server is prone to multiple cross-site scripting vulnerabilities. The CVE Mitre candidate ID CAN-2005-2523 is assigned to this issue.
X11 is prone to a vulnerability that could result in arbitrary code execution. The CVE Mitre candidate ID CAN-2005-0605 is assigned to this issue.
zlib is prone to two denial-of-service vulnerabilities that may ultimately lead to arbitrary code execution. The CVE Mitre candidate IDs CAN-2005-2096 and CAN-2005-1849 are assigned to these issues.
These vulnerabilities will be separated into individual BIDs upon further analysis of the issues. OpenSSL is an open source general-purpose encryption library developed by the OpenSSL team that can implement the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols. It supports a variety of encryption algorithms, including symmetric ciphers, hash algorithms, security hashing algorithm, etc. A bug in OpenSSL's handling of the SSL/TLS handshake implementation could be exploited by a remote attacker to crash OpenSSL. Using the Codenomicon TLS testing tool, OpenSSL found a NULL pointer allocation in the do_change_cipher_spec() function. A remote attacker can construct a special SSL/TLS handshake and send it to a server using the OpenSSL library, which can cause OpenSSL to crash, and applications that rely on this library will cause a denial of service
| VAR-200508-0306 | CVE-2005-2512 | Mac OS X Mail.app Information disclosure vulnerability |
CVSS V2: 2.1 CVSS V3: - Severity: LOW |
Mail.app in Mac OS 10.4.2 and earlier, when printing or forwarding an HTML message, loads remote images even when the user's preferences state otherwise, which could result in a privacy leak. Multiple security vulnerabilities are reported to affect Apple Mac OS X; updates are available.
Apache is prone to five vulnerabilities ranging from buffer overflows to access validation vulnerabilities. The CVE Mitre candidate IDs CAN-2005-1344, CAN-2004-0942, CAN-2004-0885, CAN-2004-1083, and CAN-2004-1084 are assigned to these issues.
Appkit is prone to three vulnerabilities. Two of these could result in arbitrary code execution, the third could permit the creation of local accounts. The CVE Mitre candidate IDs CAN-2005-2501, CAN-2005-2502, and CAN-2005-2503 are assigned to these issues.
Bluetooth is prone to a vulnerability regarding authentication bypass. The CVE Mitre candidate ID CAN-2005-2504 is assigned to this issue.
CoreFoundation is prone to two vulnerabilities, one resulting in a buffer overflow, the other a denial-of-service vulnerability. The CVE Mitre candidate IDs CAN-2005-2505 and CAN-2005-2506 are assigned to these issues.
CUPS is prone to two vulnerabilities resulting in a denial of service until the service can be restarted. The CVE Mitre candidate IDs CAN-2005-2525 and CAN-2005-2526 are assigned to these issues.
Directory Services is prone to three vulnerabilities. These issues vary from buffer overflow, unauthorized account creation and deletion, and privilege escalation. The CVE Mitre candidate IDs CAN-2005-2507, CAN-2005-2508 and CAN-2005-2519 are assigned to these issues.
HItoolbox is prone to a vulnerability that could result in information disclosure. The CVE Mitre candidate ID CAN-2005-2513 is assigned to this issue.
Kerberos is prone to five vulnerabilities that may result in a buffer overflow, execution of arbitrary code, and root compromise. The CVE Mitre candidate IDs CAN-2004-1189, CAN-2005-1174, CAN-2005-1175, CAN-2005-1689, and CAN-2005-2511 are assigned to these issues.
loginwindow is prone to a vulnerability that could permit a user to gain access to other logged-in accounts. The CVE Mitre candidate ID CAN-2005-2509 is assigned to this issue.
Mail is prone to a vulnerability regarding the loss of privacy when remote images are loaded into HTML email. The CVE Mitre candidate ID CAN-2005-2512 is assigned to this issue.
MySQL is prone to three vulnerabilities that include arbitrary code execution by remote authenticated users. The CVE Mitre candidate IDs CAN-2005-0709, CAN-2005-0710, and CAN-2005-0711 are assigned to these issues.
OpenSSL is prone to two vulnerabilities resulting in denial of service. The CVE Mitre candidate IDs CAN-2004-0079 and CAN-2004-0112 are assigned to these issues.
ping is prone to a vulnerability that could allow local privilege escalation and arbitrary code execution. The CVE Mitre candidate ID CAN-2005-2514 is assigned to this issue.
QuartzComposerScreenSaver is prone to a vulnerability that could allow users to open pages while the RSS Visualizer screen is locked. The CVE Mitre candidate ID CAN-2005-2515 is assigned to this issue.
Safari is prone to two vulnerabilities that could result in arbitrary command execution or have information submitted to an incorrect site. The CVE Mitre candidate IDs CAN-2005-2516 and CAN-2005-2517 are assigned to these issues.
SecurityInterface is prone to a vulnerability that could expose recently used passwords. The CVE Mitre candidate ID CAN-2005-2520 is assigned to this issue.
servermgrd is prone to a buffer-overflow vulnerability that could ultimately lead to the execution of arbitrary code. The CVE Mitre candidate ID CAN-2005-2518 is assigned to this issue.
servermgr_ipfilter is prone to a vulnerability regarding firewall settings not always being written to the Active Rules. The CVE Mitre candidate ID CAN-2005-2510 is assigned to this issue.
SquirrelMail is prone to two vulnerabilities including a cross-site scripting issue. The CVE Mitre candidate IDs CAN-2005-1769 and CAN-2005-2095 are assigned to these issues.
traceroute is prone to a vulnerability that could result in arbitrary code execution and privilege escalation. The CVE Mitre candidate ID CAN-2005-2521 is assigned to this issue.
WebKit is affected by a vulnerability that could result in code execution regarding a malformed PDF file. The CVE Mitre candidate ID CAN-2005-2522 is assigned to this issue.
Weblog Server is prone to multiple cross-site scripting vulnerabilities. The CVE Mitre candidate ID CAN-2005-2523 is assigned to this issue.
X11 is prone to a vulnerability that could result in arbitrary code execution. The CVE Mitre candidate ID CAN-2005-0605 is assigned to this issue.
zlib is prone to two denial-of-service vulnerabilities that may ultimately lead to arbitrary code execution. The CVE Mitre candidate IDs CAN-2005-2096 and CAN-2005-1849 are assigned to these issues.
These vulnerabilities will be separated into individual BIDs upon further analysis of the issues
| VAR-200508-0305 | CVE-2005-2511 | Mac OS X AppKit Terminal Window access control vulnerability |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Unknown vulnerability in Mac OS X 10.4.2 and earlier, when using Kerberos authentication with LDAP, allows attackers to gain access to a root Terminal window. Multiple security vulnerabilities are reported to affect Apple Mac OS X; updates are available.
Apache is prone to five vulnerabilities ranging from buffer overflows to access validation vulnerabilities. The CVE Mitre candidate IDs CAN-2005-1344, CAN-2004-0942, CAN-2004-0885, CAN-2004-1083, and CAN-2004-1084 are assigned to these issues.
Appkit is prone to three vulnerabilities. Two of these could result in arbitrary code execution, the third could permit the creation of local accounts. The CVE Mitre candidate IDs CAN-2005-2501, CAN-2005-2502, and CAN-2005-2503 are assigned to these issues.
Bluetooth is prone to a vulnerability regarding authentication bypass. The CVE Mitre candidate ID CAN-2005-2504 is assigned to this issue.
CoreFoundation is prone to two vulnerabilities, one resulting in a buffer overflow, the other a denial-of-service vulnerability. The CVE Mitre candidate IDs CAN-2005-2505 and CAN-2005-2506 are assigned to these issues.
CUPS is prone to two vulnerabilities resulting in a denial of service until the service can be restarted. The CVE Mitre candidate IDs CAN-2005-2525 and CAN-2005-2526 are assigned to these issues.
Directory Services is prone to three vulnerabilities. These issues vary from buffer overflow, unauthorized account creation and deletion, and privilege escalation. The CVE Mitre candidate IDs CAN-2005-2507, CAN-2005-2508 and CAN-2005-2519 are assigned to these issues.
HItoolbox is prone to a vulnerability that could result in information disclosure. The CVE Mitre candidate ID CAN-2005-2513 is assigned to this issue.
Kerberos is prone to five vulnerabilities that may result in a buffer overflow, execution of arbitrary code, and root compromise. The CVE Mitre candidate IDs CAN-2004-1189, CAN-2005-1174, CAN-2005-1175, CAN-2005-1689, and CAN-2005-2511 are assigned to these issues.
loginwindow is prone to a vulnerability that could permit a user to gain access to other logged-in accounts. The CVE Mitre candidate ID CAN-2005-2509 is assigned to this issue.
Mail is prone to a vulnerability regarding the loss of privacy when remote images are loaded into HTML email. The CVE Mitre candidate ID CAN-2005-2512 is assigned to this issue.
MySQL is prone to three vulnerabilities that include arbitrary code execution by remote authenticated users. The CVE Mitre candidate IDs CAN-2005-0709, CAN-2005-0710, and CAN-2005-0711 are assigned to these issues.
OpenSSL is prone to two vulnerabilities resulting in denial of service. The CVE Mitre candidate IDs CAN-2004-0079 and CAN-2004-0112 are assigned to these issues.
ping is prone to a vulnerability that could allow local privilege escalation and arbitrary code execution. The CVE Mitre candidate ID CAN-2005-2514 is assigned to this issue.
QuartzComposerScreenSaver is prone to a vulnerability that could allow users to open pages while the RSS Visualizer screen is locked. The CVE Mitre candidate ID CAN-2005-2515 is assigned to this issue.
Safari is prone to two vulnerabilities that could result in arbitrary command execution or have information submitted to an incorrect site. The CVE Mitre candidate IDs CAN-2005-2516 and CAN-2005-2517 are assigned to these issues.
SecurityInterface is prone to a vulnerability that could expose recently used passwords. The CVE Mitre candidate ID CAN-2005-2520 is assigned to this issue.
servermgrd is prone to a buffer-overflow vulnerability that could ultimately lead to the execution of arbitrary code. The CVE Mitre candidate ID CAN-2005-2518 is assigned to this issue.
servermgr_ipfilter is prone to a vulnerability regarding firewall settings not always being written to the Active Rules. The CVE Mitre candidate ID CAN-2005-2510 is assigned to this issue.
SquirrelMail is prone to two vulnerabilities including a cross-site scripting issue. The CVE Mitre candidate IDs CAN-2005-1769 and CAN-2005-2095 are assigned to these issues.
traceroute is prone to a vulnerability that could result in arbitrary code execution and privilege escalation. The CVE Mitre candidate ID CAN-2005-2521 is assigned to this issue.
WebKit is affected by a vulnerability that could result in code execution regarding a malformed PDF file. The CVE Mitre candidate ID CAN-2005-2522 is assigned to this issue.
Weblog Server is prone to multiple cross-site scripting vulnerabilities. The CVE Mitre candidate ID CAN-2005-2523 is assigned to this issue.
X11 is prone to a vulnerability that could result in arbitrary code execution. The CVE Mitre candidate ID CAN-2005-0605 is assigned to this issue.
zlib is prone to two denial-of-service vulnerabilities that may ultimately lead to arbitrary code execution. The CVE Mitre candidate IDs CAN-2005-2096 and CAN-2005-1849 are assigned to these issues.
These vulnerabilities will be separated into individual BIDs upon further analysis of the issues
| VAR-200508-0304 | CVE-2005-2510 | Mac OS X AppKit Server Admin Tools bypass security policy vulnerabilities |
CVSS V2: 4.6 CVSS V3: - Severity: MEDIUM |
The Server Admin tool in servermgr_ipfilter for Mac OS X 10.4 to 10.4.2, when using multiple subnets and Address Groups, does not always properly write firewall rules to the Active Rules when certain conditions occur, which could result in firewall policies that are less restrictive than intended by the administrator. Multiple security vulnerabilities are reported to affect Apple Mac OS X; updates are available.
Apache is prone to five vulnerabilities ranging from buffer overflows to access validation vulnerabilities. The CVE Mitre candidate IDs CAN-2005-1344, CAN-2004-0942, CAN-2004-0885, CAN-2004-1083, and CAN-2004-1084 are assigned to these issues.
Appkit is prone to three vulnerabilities. Two of these could result in arbitrary code execution, the third could permit the creation of local accounts. The CVE Mitre candidate IDs CAN-2005-2501, CAN-2005-2502, and CAN-2005-2503 are assigned to these issues.
Bluetooth is prone to a vulnerability regarding authentication bypass. The CVE Mitre candidate ID CAN-2005-2504 is assigned to this issue.
CoreFoundation is prone to two vulnerabilities, one resulting in a buffer overflow, the other a denial-of-service vulnerability. The CVE Mitre candidate IDs CAN-2005-2505 and CAN-2005-2506 are assigned to these issues.
CUPS is prone to two vulnerabilities resulting in a denial of service until the service can be restarted. The CVE Mitre candidate IDs CAN-2005-2525 and CAN-2005-2526 are assigned to these issues.
Directory Services is prone to three vulnerabilities. These issues vary from buffer overflow, unauthorized account creation and deletion, and privilege escalation. The CVE Mitre candidate IDs CAN-2005-2507, CAN-2005-2508 and CAN-2005-2519 are assigned to these issues.
HItoolbox is prone to a vulnerability that could result in information disclosure. The CVE Mitre candidate ID CAN-2005-2513 is assigned to this issue.
Kerberos is prone to five vulnerabilities that may result in a buffer overflow, execution of arbitrary code, and root compromise. The CVE Mitre candidate IDs CAN-2004-1189, CAN-2005-1174, CAN-2005-1175, CAN-2005-1689, and CAN-2005-2511 are assigned to these issues.
loginwindow is prone to a vulnerability that could permit a user to gain access to other logged-in accounts. The CVE Mitre candidate ID CAN-2005-2509 is assigned to this issue.
Mail is prone to a vulnerability regarding the loss of privacy when remote images are loaded into HTML email. The CVE Mitre candidate ID CAN-2005-2512 is assigned to this issue.
MySQL is prone to three vulnerabilities that include arbitrary code execution by remote authenticated users. The CVE Mitre candidate IDs CAN-2005-0709, CAN-2005-0710, and CAN-2005-0711 are assigned to these issues.
OpenSSL is prone to two vulnerabilities resulting in denial of service. The CVE Mitre candidate IDs CAN-2004-0079 and CAN-2004-0112 are assigned to these issues.
ping is prone to a vulnerability that could allow local privilege escalation and arbitrary code execution. The CVE Mitre candidate ID CAN-2005-2514 is assigned to this issue.
QuartzComposerScreenSaver is prone to a vulnerability that could allow users to open pages while the RSS Visualizer screen is locked. The CVE Mitre candidate ID CAN-2005-2515 is assigned to this issue.
Safari is prone to two vulnerabilities that could result in arbitrary command execution or have information submitted to an incorrect site. The CVE Mitre candidate IDs CAN-2005-2516 and CAN-2005-2517 are assigned to these issues.
SecurityInterface is prone to a vulnerability that could expose recently used passwords. The CVE Mitre candidate ID CAN-2005-2520 is assigned to this issue.
servermgrd is prone to a buffer-overflow vulnerability that could ultimately lead to the execution of arbitrary code. The CVE Mitre candidate ID CAN-2005-2518 is assigned to this issue.
servermgr_ipfilter is prone to a vulnerability regarding firewall settings not always being written to the Active Rules. The CVE Mitre candidate ID CAN-2005-2510 is assigned to this issue.
SquirrelMail is prone to two vulnerabilities including a cross-site scripting issue. The CVE Mitre candidate IDs CAN-2005-1769 and CAN-2005-2095 are assigned to these issues.
traceroute is prone to a vulnerability that could result in arbitrary code execution and privilege escalation. The CVE Mitre candidate ID CAN-2005-2521 is assigned to this issue.
WebKit is affected by a vulnerability that could result in code execution regarding a malformed PDF file. The CVE Mitre candidate ID CAN-2005-2522 is assigned to this issue.
Weblog Server is prone to multiple cross-site scripting vulnerabilities. The CVE Mitre candidate ID CAN-2005-2523 is assigned to this issue.
X11 is prone to a vulnerability that could result in arbitrary code execution. The CVE Mitre candidate ID CAN-2005-0605 is assigned to this issue.
zlib is prone to two denial-of-service vulnerabilities that may ultimately lead to arbitrary code execution. The CVE Mitre candidate IDs CAN-2005-2096 and CAN-2005-1849 are assigned to these issues.
These vulnerabilities will be separated into individual BIDs upon further analysis of the issues