VARIoT IoT vulnerabilities database

HP Discovery & Dependency Mapping Inventory (DDMI) 7.50, 7.51, 7.60, 7.61, 7.70, and 9.30 launches the Windows SNMP service with its default configuration, which allows remote attackers to obtain potentially sensitive information or have unspecified other impact by leveraging the public read community. HP Discovery and Dependency Mapping Inventory (DDMI) is prone to a remote information-disclosure vulnerability. Remote attackers can exploit this issue to obtain sensitive information that may lead to further attacks. The vulnerability could be exploited remotely to allow unauthorized read-only access to the data available via the SNMP protocol. References: CVE-2011-0890 SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed. Securing the Windows SNMP service DDMI requires the Windows SNMP service for its operation. If necessary DDMI will install and configure the Windows SNMP service using the Windows default security settings. As a result the SNMP read community string may be set to public . To modify the default security configuration of the of the Windows SNMP service: Open the Windows Services Control Panel applet, select Administrative Tools and then select Services. Select the SNMP Service, right click on it and select Properties and navigate to the Security tab. Amend the security settings as required to change the default read community string to a value other than public. Add the updated read community string to the appropriate DDM Inventory SNMP profile. Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy. Support: For further information, contact normal HP Services support channel. Report: To report a potential security vulnerability with any HP supported product, send Email to: security-alert@hp.com It is strongly recommended that security related information being communicated to HP be encrypted using PGP, especially exploit information. To get the security-alert PGP key, please send an e-mail message as follows: To: security-alert@hp.com Subject: get key Subscribe: To initiate a subscription to receive future HP Security Bulletins via Email: http://h30046.www3.hp.com/driverAlertProfile.php?regioncode=NA&langcode=USENG&jumpid=in_SC-GEN__driverITRC&topiccode=ITRC On the web page: ITRC security bulletins and patch sign-up Under Step1: your ITRC security bulletins and patches -check ALL categories for which alerts are required and continue. Under Step2: your ITRC operating systems -verify your operating system selections are checked and save. To update an existing subscription: http://h30046.www3.hp.com/subSignIn.php Log in on the web page: Subscriber's choice for Business: sign-in. On the web page: Subscriber's Choice: your profile summary - use Edit Profile to update appropriate sections. To review previously published Security Bulletins visit: http://www.itrc.hp.com/service/cki/secBullArchive.do * The Software Product Category that this Security Bulletin relates to is represented by the 5th and 6th characters of the Bulletin number in the title: GN = HP General SW MA = HP Management Agents MI = Misc. 3rd Party SW MP = HP MPE/iX NS = HP NonStop Servers OV = HP OpenVMS PI = HP Printing & Imaging ST = HP Storage SW TL = HP Trusted Linux TU = HP Tru64 UNIX UX = HP-UX VV = HP VirtualVault System management and security procedures must be reviewed frequently to maintain system integrity. HP is continually reviewing and enhancing the security features of software products to provide customers with current secure solutions. "HP is broadly distributing this Security Bulletin in order to bring to the attention of users of the affected HP products the important security information contained in this Bulletin. HP recommends that all users determine the applicability of this information to their individual situations and take appropriate action. HP does not warrant that this information is necessarily accurate or complete for all user situations and, consequently, HP will not be responsible for any damages resulting from user's use or disregard of the information provided in this Bulletin. To the extent permitted by law, HP disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose, title and non-infringement." Copyright 2011 Hewlett-Packard Development Company, L.P. Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental,special or consequential damages including downtime cost; lost profits;damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett-Packard Company and the names of Hewlett-Packard products referenced herein are trademarks of Hewlett-Packard Company in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) iEYEARECAAYFAk2Hc7gACgkQ4B86/C0qfVmbswCgxy1tw165EpDQohbsigBboD52 60QAoN86XN6RKoIdtGzCCx64rePwzmNc =dgb3 -----END PGP SIGNATURE-----

The default configuration of Terminal in Apple Mac OS X 10.6 before 10.6.7 uses SSH protocol version 1 within the New Remote Connection dialog, which might make it easier for man-in-the-middle attackers to spoof SSH servers by leveraging protocol vulnerabilities. Mac OS X is prone to a remote security vulnerability. ---------------------------------------------------------------------- Meet Secunia @ Microsoft Management Summit (MMS) in Las Vegas, USA (21-25 March). http://secunia.com/company/events/mms_2011/ ---------------------------------------------------------------------- TITLE: Apple Mac OS X Multiple Vulnerabilities SECUNIA ADVISORY ID: SA43814 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/43814/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=43814 RELEASE DATE: 2011-03-22 DISCUSS ADVISORY: http://secunia.com/advisories/43814/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/43814/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=43814 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Apple has issued a security update for Mac OS X, which fixes multiple vulnerabilities. 1) A divide-by-zero error in AirPort when handling Wi-Fi frames can be exploited to cause a system reset. 2) Multiple vulnerabilities in Apache can be exploited by malicious people to disclose potentially sensitive information and by malicious users and malicious people to cause a DoS (Denial of Service). For more information: SA40206 3) A format string error within AppleScript Studio when handling certain commands via dialogs can be exploited to potentially execute arbitrary code. 4) An unspecified error in the handling of embedded OpenType fonts in Apple Type Services (ATS) can be exploited to cause a heap-based buffer overflow when a specially crafted document is viewed or downloaded. 5) Multiple unspecified errors in the handling of embedded TrueType fonts in Apple Type Services (ATS) can be exploited to cause a buffer overflow when a specially crafted document is viewed or downloaded. 6) Multiple unspecified errors in the handling of embedded Type 1 fonts in Apple Type Services (ATS) can be exploited to cause a buffer overflow when a specially crafted document is viewed or downloaded. 7) Multiple unspecified errors in the handling of SFNT tables in embedded fonts in Apple Type Services (ATS) can be exploited to cause a buffer overflow when a specially crafted document is viewed or downloaded. 8) An integer overflow error in bzip2 can be exploited to terminate an application using the library or execute arbitrary code via a specially crafted archive. For more information: SA41452 9) An error within the "FSFindFolder()" API in CarbonCore when used with the "kTemporaryFolderType" flag can be exploited to disclose the contents of arbitrary directories. 10) Multiple errors in ClamAV can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system. For more information: SA41503 SA42426 11) An unspecified error in the handling of embedded fonts in CoreText can be exploited to corrupt memory when a specially crafted document is viewed or downloaded. 12) An integer overflow error within the handling of the F_READBOOTSTRAP ioctl in HFS, HFS+, and HFS+J filesystems can be exploited to read arbitrary files. 13) An error in ImageIO within the handling of JPEG files can be exploited to cause a heap-based buffer overflow. 14) An integer overflow error in ImageIO within the handling of XBM files can be exploited to potentially execute arbitrary code. 15) An error in libTIFF within the handling of JPEG encoded TIFF files can be exploited to cause a buffer overflow. 16) An error in libTIFF within the handling of CCITT Group 4 encoded TIFF files can be exploited to cause a buffer overflow. 17) An integer overflow error in ImageIO within the handling of JPEG encoded TIFF files can be exploited to potentially execute arbitrary code. 18) Multiple errors in Image RAW when handling Canon RAW image files can be exploited to cause buffer overflows. 19) An error in the Install Helper when handling URLs can be exploited to install an arbitrary agent by tricking the user into visiting a malicious website. 20) Multiple errors in Kerberos can be exploited by malicious users and malicious people to conduct spoofing attacks and bypass certain security features. For more information: SA37977 SA42396 21) An error within the "i386_set_ldt()" system call can be exploited by malicious, local users to execute arbitrary code with system privileges. 22) An integer truncation error within Libinfo when handling NFS RPC packets can be exploited to cause NFS RPC services to become unresponsive. 23) An error exists in the libxml library when traversing the XPath. For more information: SA42175 24) A double free error exists in the libxml library when handling XPath expressions. For more information: SA42721 25) Two errors in Mailman can be exploited by malicious users to conduct script insertion attacks. For more information: SA41265 26) Multiple errors in PHP can be exploited by malicious users and malicious people to bypass certain security restrictions and by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system. For more information: SA39573 SA41724 27) Multiple errors in PHP can be exploited by malicious users and malicious people to bypass certain security restrictions. For more information: SA41724 28) An error in the OfficeImport framework when processing records containing formulas shared between multiple cells can be exploited to corrupt memory and potentially execute arbitrary code. 29) An error in QuickLook when handling certain Microsoft Office files can be exploited to corrupt memory when a specially crafted document is downloaded. 30) Multiple unspecified errors in QuickTime when handling JPEG2000, FlashPix, and panorama atoms in QTVR (QuickTime Virtual Reality) movie files can be exploited to corrupt memory via specially crafted files. 31) An integer overflow error in QuickTime when handling certain movie files can be exploited to potentially execute arbitrary code when a specially crafted file is viewed. 32) An error within QuickTime plug-in when handling cross-site redirects can be exploited to disclose video data. 33) An integer truncation error within the Ruby BigDecimal class can be exploited to potentially execute arbitrary code. This vulnerability only affects 64-bit Ruby processes. 34) A boundary error in Samba can be exploited by malicious people to potentially compromise a vulnerable system. For more information: SA41354 35) A security issue in Subversion can be exploited by malicious people to bypass certain security restrictions. 37) Some vulnerabilities in FreeType can be exploited to cause a DoS (Denial of Service) or potentially compromise an application using the library. For more information: SA41738 SOLUTION: Update to version 10.6.7 or apply Security Update 2011-001. PROVIDED AND/OR DISCOVERED BY: 15, 16, 33) Reported by the vendor. The vendor credits: 3) Alexander Strange. 5) Christoph Diehl of Mozilla, Felix Grobert of the Google Security Team, Marc Schoenefeld of Red Hat Security Response Team, and Tavis Ormandy and Will Drewry of Google Security Team. 6) Felix Grobert, Google Security Team and geekable via ZDI. 7) Marc Schoenefeld, Red Hat Security Response Team. 11) Christoph Diehl, Mozilla. 12) Dan Rosenberg, Virtual Security Research. 13) Andrzej Dyjak via iDefense. 14) Harry Sintonen. 17) Dominic Chell, NGS Secure. 18) Paul Harrington, NGS Secure. 19) Aaron Sigel, vtty.com. 21) Jeff Mears. 22) Peter Schwenk, University of Delaware. 28) Tobias Klein via iDefense. 29) Charlie Miller and Dion Blazakis via ZDI. 30) Will Dormann of CERT/CC, Damian Put and an anonymous researcher via ZDI, and Rodrigo Rubira Branco of Check Point Vulnerability Discovery Team. 31) Honggang Ren, Fortinet's FortiGuard Labs. 32) Nirankush Panchbhai and Microsoft Vulnerability Research (MSVR). 36) Matt Warren, HNW Inc. ORIGINAL ADVISORY: Apple: http://support.apple.com/kb/HT4581 iDefense: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=898 OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

The TP-LINK TL-WR740N is a wireless router device. The TP-LINK TL-WR740N device has an unspecified error when processing the request. The attacker can send a large number of packets to make the WebConsole and UPnP services unstable. Caused a denial of service attack.

Multiple stack-based buffer overflows in the HMI application in DATAC RealFlex RealWin 2.1 (Build 6.1.10.10) and earlier allow remote attackers to execute arbitrary code via (1) a long username in an On_FC_CONNECT_FCS_LOGIN packet, and crafted (2) On_FC_CTAGLIST_FCS_CADDTAG, (3) On_FC_CTAGLIST_FCS_CDELTAG, (4) On_FC_CTAGLIST_FCS_ADDTAGMS, (5) On_FC_RFUSER_FCS_LOGIN, (6) unspecified "On_FC_BINFILE_FCS_*FILE", (7) On_FC_CGETTAG_FCS_GETTELEMETRY, (8) On_FC_CGETTAG_FCS_GETCHANNELTELEMETRY, (9) On_FC_CGETTAG_FCS_SETTELEMETRY, (10) On_FC_CGETTAG_FCS_SETCHANNELTELEMETRY, and (11) On_FC_SCRIPT_FCS_STARTPROG packets to port 910. (2)On_FC_CTAGLIST_FCS_CADDTAG (3)On_FC_CTAGLIST_FCS_CDELTAG (4)On_FC_CTAGLIST_FCS_ADDTAGMS (5)On_FC_RFUSER_FCS_LOGIN (6)unspecified "On_FC_BINFILE_FCS_*FILE (7)On_FC_CGETTAG_FCS_GETTELEMETRY (8)On_FC_CGETTAG_FCS_GETCHANNELTELEMETRY (9)On_FC_CGETTAG_FCS_SETTELEMETRY (10)On_FC_CGETTAG_FCS_SETCHANNELTELEMETRY (11)On_FC_SCRIPT_FCS_STARTPROG packets to port 910. DATAC RealWin is a SCADA server product that operates a single PC or multiple PCs over a TCP/IP network. DATAC RealWin SCADA Server can exploit vulnerabilities for buffer overflow attacks due to incorrect validation of user-supplied input. Successful exploitation of a vulnerability can execute arbitrary code in an application security context. DATAC RealWin is prone to multiple remote buffer-overflow vulnerabilities because of a failure to properly bounds check user-supplied input. Failed exploit attempts will cause a denial-of-service condition. DATAC RealWin versions 2.1 and prior are vulnerable; other versions may also be affected. ---------------------------------------------------------------------- Meet Secunia @ Microsoft Management Summit (MMS) in Las Vegas, USA (21-25 March). http://secunia.com/company/events/mms_2011/ ---------------------------------------------------------------------- TITLE: RealWin FlexWin Connection Packet Processing Buffer Overflow Vulnerabilities SECUNIA ADVISORY ID: SA43848 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/43848/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=43848 RELEASE DATE: 2011-03-22 DISCUSS ADVISORY: http://secunia.com/advisories/43848/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/43848/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=43848 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Luigi Auriemma has discovered multiple vulnerabilities in RealWin, which can be exploited by malicious people to compromise a vulnerable system. 6) An input validation error when processing "On_FC_MISC_FCS_MSGBROADCAST" packets can be exploited to cause a heap-based buffer overflow via a specially crafted packet sent to TCP port 910. 7) An input validation error when processing "On_FC_MISC_FCS_MSGSEND" packets can be exploited to cause a heap-based buffer overflow via a specially crafted packet sent to TCP port 910. The vulnerabilities are confirmed in version 2.1 Build 6.1.10.10. SOLUTION: Restrict access to trusted hosts only (e.g. via network access control lists). PROVIDED AND/OR DISCOVERED BY: Luigi Auriemma ORIGINAL ADVISORY: http://aluigi.altervista.org/adv/realwin_2-adv.txt http://aluigi.altervista.org/adv/realwin_3-adv.txt http://aluigi.altervista.org/adv/realwin_4-adv.txt http://aluigi.altervista.org/adv/realwin_5-adv.txt http://aluigi.altervista.org/adv/realwin_6-adv.txt http://aluigi.altervista.org/adv/realwin_7-adv.txt http://aluigi.altervista.org/adv/realwin_8-adv.txt OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

The Symantec LiveUpdate Administrator is a Symantec product upgrade management program. GENESIS32/64 is a new generation of industrial control software developed by ICONICS of the United States. GENESIS32/64 can trigger multiple memory corruption and integer overflow vulnerabilities due to incorrect validation of user-supplied input. Successful exploitation of a vulnerability can execute arbitrary code in an application security context. Failed exploit attempts will likely result in denial-of-service conditions. The following versions are vulnerable; other versions may also be affected: GENESIS32 9.21 GENESIS64 10.51

Format string vulnerability in the logText function in shmemmgr9.dll in IGSSdataServer.exe 9.00.00.11074, and 9.00.00.11063 and earlier, in 7-Technologies Interactive Graphical SCADA System (IGSS) allows remote attackers to cause a denial of service and possibly execute arbitrary code, as demonstrated using the RMS Reports Delete command, related to the logging of messages to GSST.LOG. NOTE: some of these details are obtained from third party information. The 7T Interactive Graphical SCADA System is an automated monitoring and control system. 7T Interactive Graphical SCADA System Remotely attackers can exploit vulnerabilities to execute arbitrary code in the application context or use directory traversal strings to perform unauthorized operations due to incorrect validation of user-supplied input. ---------------------------------------------------------------------- Meet Secunia @ Microsoft Management Summit (MMS) in Las Vegas, USA (21-25 March). http://secunia.com/company/events/mms_2011/ ---------------------------------------------------------------------- TITLE: 7-Technologies Interactive Graphical SCADA System Multiple Vulnerabilities SECUNIA ADVISORY ID: SA43849 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/43849/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=43849 RELEASE DATE: 2011-03-23 DISCUSS ADVISORY: http://secunia.com/advisories/43849/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/43849/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=43849 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Luigi Auriemma has discovered multiple vulnerabilities in 7-Technologies Interactive Graphical SCADA System, which can be exploited by malicious people to disclose sensitive information, manipulate certain data, cause a DoS (Denial of Service), and compromise a vulnerable system. 1) An input validation error in IGSSdataServer.exe when processing certain commands can be exploited to read and write arbitrary files via a specially crafted packet containing directory traversal specifiers sent to TCP port 12401. 2) A boundary error in IGSSdataServer.exe when processing the "ListAll" command can be exploited to cause a stack-based buffer overflow via a specially crafted packet sent to TCP port 12401. 3) A boundary error in IGSSdataServer.exe when processing the "Write file" command can be exploited to cause a stack-based buffer overflow via a specially crafted packet sent to TCP port 12401. 4) A boundary error in IGSSdataServer.exe when processing the "ReadFile" command can be exploited to cause a stack-based buffer overflow via a specially crafted packet sent to TCP port 12401. 5) A boundary error in IGSSdataServer.exe when processing the "Delete" command can be exploited to cause a stack-based buffer overflow via a specially crafted packet sent to TCP port 12401. 6) A boundary error in IGSSdataServer.exe when processing the "RenameFile" command can be exploited to cause a stack-based buffer overflow via a specially crafted packet sent to TCP port 12401. 7) A boundary error in IGSSdataServer.exe when processing the "FileInfo" command can be exploited to cause a stack-based buffer overflow via a specially crafted packet sent to TCP port 12401. 8) A boundary error in IGSSdataServer.exe when processing the RMS Reports "Add" command can be exploited to cause a stack-based buffer overflow via a specially crafted packet sent to TCP port 12401. 9) A boundary error in IGSSdataServer.exe when processing the RMS Reports "ReadFile" and "Write file" commands can be exploited to cause a stack-based buffer overflow via a specially crafted packet sent to TCP port 12401. 10) A boundary error in IGSSdataServer.exe when processing the RMS Reports "Rename" command can be exploited to cause a stack-based buffer overflow via a specially crafted packet sent to TCP port 12401. 11) A format string error in IGSSdataServer.exe when creating a log message using the "logText()" function (shmemmgr9.dll) can be exploited to cause the process to crash via e.g. a specially crafted RMS Reports "Delete" command sent to TCP port 12401. 12) A boundary error in IGSSdataServer.exe when creating a SQL query string to process the STDREP update request can be exploited to cause a stack-based buffer overflow via a specially crafted packet sent to TCP port 12401. Successful exploitation of this vulnerability may allow execution of arbitrary code. 13) An input validation error in dc.exe when processing certain commands can be exploited to execute any program on the system via a specially crafted packet containing directory traversal specifiers sent to TCP port 12397. Successful exploitation of vulnerabilities #2 through #10 and #13 allows execution of arbitrary code. The vulnerabilities are confirmed in version 9.0-11074. Other versions may also be affected. SOLUTION: Restrict access to trusted hosts only (e.g. via network access control lists). PROVIDED AND/OR DISCOVERED BY: Luigi Auriemma ORIGINAL ADVISORY: http://aluigi.altervista.org/adv/igss_1-adv.txt http://aluigi.altervista.org/adv/igss_2-adv.txt http://aluigi.altervista.org/adv/igss_3-adv.txt http://aluigi.altervista.org/adv/igss_4-adv.txt http://aluigi.altervista.org/adv/igss_5-adv.txt http://aluigi.altervista.org/adv/igss_6-adv.txt http://aluigi.altervista.org/adv/igss_7-adv.txt http://aluigi.altervista.org/adv/igss_8-adv.txt OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Directory traversal vulnerability in IGSSdataServer.exe 9.00.00.11063 and earlier in 7-Technologies Interactive Graphical SCADA System (IGSS) allows remote attackers to (1) read (opcode 0x3) or (2) create or write (opcode 0x2) arbitrary files via ..\ (dot dot backslash) sequences to TCP port 12401. The 7T Interactive Graphical SCADA System is an automated monitoring and control system. 7T Interactive Graphical SCADA System Remotely attackers can exploit vulnerabilities to execute arbitrary code in the application context or use directory traversal strings to perform unauthorized operations due to incorrect validation of user-supplied input. ---------------------------------------------------------------------- Meet Secunia @ Microsoft Management Summit (MMS) in Las Vegas, USA (21-25 March). http://secunia.com/company/events/mms_2011/ ---------------------------------------------------------------------- TITLE: 7-Technologies Interactive Graphical SCADA System Multiple Vulnerabilities SECUNIA ADVISORY ID: SA43849 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/43849/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=43849 RELEASE DATE: 2011-03-23 DISCUSS ADVISORY: http://secunia.com/advisories/43849/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/43849/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=43849 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Luigi Auriemma has discovered multiple vulnerabilities in 7-Technologies Interactive Graphical SCADA System, which can be exploited by malicious people to disclose sensitive information, manipulate certain data, cause a DoS (Denial of Service), and compromise a vulnerable system. 2) A boundary error in IGSSdataServer.exe when processing the "ListAll" command can be exploited to cause a stack-based buffer overflow via a specially crafted packet sent to TCP port 12401. 3) A boundary error in IGSSdataServer.exe when processing the "Write file" command can be exploited to cause a stack-based buffer overflow via a specially crafted packet sent to TCP port 12401. 4) A boundary error in IGSSdataServer.exe when processing the "ReadFile" command can be exploited to cause a stack-based buffer overflow via a specially crafted packet sent to TCP port 12401. 5) A boundary error in IGSSdataServer.exe when processing the "Delete" command can be exploited to cause a stack-based buffer overflow via a specially crafted packet sent to TCP port 12401. 6) A boundary error in IGSSdataServer.exe when processing the "RenameFile" command can be exploited to cause a stack-based buffer overflow via a specially crafted packet sent to TCP port 12401. 7) A boundary error in IGSSdataServer.exe when processing the "FileInfo" command can be exploited to cause a stack-based buffer overflow via a specially crafted packet sent to TCP port 12401. 8) A boundary error in IGSSdataServer.exe when processing the RMS Reports "Add" command can be exploited to cause a stack-based buffer overflow via a specially crafted packet sent to TCP port 12401. 9) A boundary error in IGSSdataServer.exe when processing the RMS Reports "ReadFile" and "Write file" commands can be exploited to cause a stack-based buffer overflow via a specially crafted packet sent to TCP port 12401. 10) A boundary error in IGSSdataServer.exe when processing the RMS Reports "Rename" command can be exploited to cause a stack-based buffer overflow via a specially crafted packet sent to TCP port 12401. 11) A format string error in IGSSdataServer.exe when creating a log message using the "logText()" function (shmemmgr9.dll) can be exploited to cause the process to crash via e.g. a specially crafted RMS Reports "Delete" command sent to TCP port 12401. 12) A boundary error in IGSSdataServer.exe when creating a SQL query string to process the STDREP update request can be exploited to cause a stack-based buffer overflow via a specially crafted packet sent to TCP port 12401. Successful exploitation of this vulnerability may allow execution of arbitrary code. 13) An input validation error in dc.exe when processing certain commands can be exploited to execute any program on the system via a specially crafted packet containing directory traversal specifiers sent to TCP port 12397. Successful exploitation of vulnerabilities #2 through #10 and #13 allows execution of arbitrary code. The vulnerabilities are confirmed in version 9.0-11074. Other versions may also be affected. SOLUTION: Restrict access to trusted hosts only (e.g. via network access control lists). PROVIDED AND/OR DISCOVERED BY: Luigi Auriemma ORIGINAL ADVISORY: http://aluigi.altervista.org/adv/igss_1-adv.txt http://aluigi.altervista.org/adv/igss_2-adv.txt http://aluigi.altervista.org/adv/igss_3-adv.txt http://aluigi.altervista.org/adv/igss_4-adv.txt http://aluigi.altervista.org/adv/igss_5-adv.txt http://aluigi.altervista.org/adv/igss_6-adv.txt http://aluigi.altervista.org/adv/igss_7-adv.txt http://aluigi.altervista.org/adv/igss_8-adv.txt OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Multiple stack-based buffer overflows in IGSSdataServer.exe 9.00.00.11063 and earlier in 7-Technologies Interactive Graphical SCADA System (IGSS) allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via crafted (1) ListAll, (2) Write File, (3) ReadFile, (4) Delete, (5) RenameFile, and (6) FileInfo commands in an 0xd opcode; (7) the Add, (8) ReadFile, (9) Write File, (10) Rename, (11) Delete, and (12) Add commands in an RMS report templates (0x7) opcode; and (13) 0x4 command in an STDREP request (0x8) opcode to TCP port 12401. The 7T Interactive Graphical SCADA System is an automated monitoring and control system. 7T Interactive Graphical SCADA System Remotely attackers can exploit vulnerabilities to execute arbitrary code in the application context or use directory traversal strings to perform unauthorized operations due to incorrect validation of user-supplied input. ---------------------------------------------------------------------- Meet Secunia @ Microsoft Management Summit (MMS) in Las Vegas, USA (21-25 March). http://secunia.com/company/events/mms_2011/ ---------------------------------------------------------------------- TITLE: 7-Technologies Interactive Graphical SCADA System Multiple Vulnerabilities SECUNIA ADVISORY ID: SA43849 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/43849/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=43849 RELEASE DATE: 2011-03-23 DISCUSS ADVISORY: http://secunia.com/advisories/43849/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/43849/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=43849 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Luigi Auriemma has discovered multiple vulnerabilities in 7-Technologies Interactive Graphical SCADA System, which can be exploited by malicious people to disclose sensitive information, manipulate certain data, cause a DoS (Denial of Service), and compromise a vulnerable system. 1) An input validation error in IGSSdataServer.exe when processing certain commands can be exploited to read and write arbitrary files via a specially crafted packet containing directory traversal specifiers sent to TCP port 12401. 2) A boundary error in IGSSdataServer.exe when processing the "ListAll" command can be exploited to cause a stack-based buffer overflow via a specially crafted packet sent to TCP port 12401. 4) A boundary error in IGSSdataServer.exe when processing the "ReadFile" command can be exploited to cause a stack-based buffer overflow via a specially crafted packet sent to TCP port 12401. 5) A boundary error in IGSSdataServer.exe when processing the "Delete" command can be exploited to cause a stack-based buffer overflow via a specially crafted packet sent to TCP port 12401. 6) A boundary error in IGSSdataServer.exe when processing the "RenameFile" command can be exploited to cause a stack-based buffer overflow via a specially crafted packet sent to TCP port 12401. 7) A boundary error in IGSSdataServer.exe when processing the "FileInfo" command can be exploited to cause a stack-based buffer overflow via a specially crafted packet sent to TCP port 12401. 10) A boundary error in IGSSdataServer.exe when processing the RMS Reports "Rename" command can be exploited to cause a stack-based buffer overflow via a specially crafted packet sent to TCP port 12401. 11) A format string error in IGSSdataServer.exe when creating a log message using the "logText()" function (shmemmgr9.dll) can be exploited to cause the process to crash via e.g. a specially crafted RMS Reports "Delete" command sent to TCP port 12401. 12) A boundary error in IGSSdataServer.exe when creating a SQL query string to process the STDREP update request can be exploited to cause a stack-based buffer overflow via a specially crafted packet sent to TCP port 12401. Successful exploitation of this vulnerability may allow execution of arbitrary code. 13) An input validation error in dc.exe when processing certain commands can be exploited to execute any program on the system via a specially crafted packet containing directory traversal specifiers sent to TCP port 12397. Successful exploitation of vulnerabilities #2 through #10 and #13 allows execution of arbitrary code. The vulnerabilities are confirmed in version 9.0-11074. Other versions may also be affected. SOLUTION: Restrict access to trusted hosts only (e.g. via network access control lists). PROVIDED AND/OR DISCOVERED BY: Luigi Auriemma ORIGINAL ADVISORY: http://aluigi.altervista.org/adv/igss_1-adv.txt http://aluigi.altervista.org/adv/igss_2-adv.txt http://aluigi.altervista.org/adv/igss_3-adv.txt http://aluigi.altervista.org/adv/igss_4-adv.txt http://aluigi.altervista.org/adv/igss_5-adv.txt http://aluigi.altervista.org/adv/igss_6-adv.txt http://aluigi.altervista.org/adv/igss_7-adv.txt http://aluigi.altervista.org/adv/igss_8-adv.txt OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Multiple integer overflows in the HMI application in DATAC RealFlex RealWin 2.1 (Build 6.1.10.10) and earlier allow remote attackers to execute arbitrary code via crafted (1) On_FC_MISC_FCS_MSGBROADCAST and (2) On_FC_MISC_FCS_MSGSEND packets, which trigger a heap-based buffer overflow. DATAC RealWin is a SCADA server product that operates a single PC or multiple PCs over a TCP/IP network. DATAC RealWin SCADA Server can exploit vulnerabilities for buffer overflow attacks due to incorrect validation of user-supplied input. Successful exploitation of a vulnerability can execute arbitrary code in an application security context. DATAC RealWin is prone to multiple remote buffer-overflow vulnerabilities because of a failure to properly bounds check user-supplied input. Failed exploit attempts will cause a denial-of-service condition. DATAC RealWin versions 2.1 and prior are vulnerable; other versions may also be affected. ---------------------------------------------------------------------- Meet Secunia @ Microsoft Management Summit (MMS) in Las Vegas, USA (21-25 March). http://secunia.com/company/events/mms_2011/ ---------------------------------------------------------------------- TITLE: RealWin FlexWin Connection Packet Processing Buffer Overflow Vulnerabilities SECUNIA ADVISORY ID: SA43848 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/43848/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=43848 RELEASE DATE: 2011-03-22 DISCUSS ADVISORY: http://secunia.com/advisories/43848/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/43848/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=43848 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Luigi Auriemma has discovered multiple vulnerabilities in RealWin, which can be exploited by malicious people to compromise a vulnerable system. The vulnerabilities are confirmed in version 2.1 Build 6.1.10.10. SOLUTION: Restrict access to trusted hosts only (e.g. via network access control lists). PROVIDED AND/OR DISCOVERED BY: Luigi Auriemma ORIGINAL ADVISORY: http://aluigi.altervista.org/adv/realwin_2-adv.txt http://aluigi.altervista.org/adv/realwin_3-adv.txt http://aluigi.altervista.org/adv/realwin_4-adv.txt http://aluigi.altervista.org/adv/realwin_5-adv.txt http://aluigi.altervista.org/adv/realwin_6-adv.txt http://aluigi.altervista.org/adv/realwin_7-adv.txt http://aluigi.altervista.org/adv/realwin_8-adv.txt OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Siemens Tecnomatix FactoryLink is an industrial automation software. There are several security vulnerabilities in Siemens Tecnomatix FactoryLink, including buffer overflows, memory corruption, information disclosure, and denial of service attacks. An attacker can exploit a vulnerability to gain sensitive information, run arbitrary code, or crash an application. Other attacks may also be possible. Siemens Tecnomatix FactoryLink 8.0.1.1473 is vulnerable; other versions may also be affected

Use-after-free vulnerability in the addOSPLext method in the Honeywell ScanServer ActiveX control 780.0.20.5 allows remote attackers to execute arbitrary code via a crafted HTML document. When processing the \"addOSPLext()\" method, there is a post-release error. The Honeywell ScanServer ActiveX control is prone to a remote code-execution vulnerability. An attacker can exploit this issue by enticing an unsuspecting user to view a malicious webpage. Honeywell ScanServer ActiveX control 780.0.20.5 is vulnerable; other versions may also be affected. ---------------------------------------------------------------------- Meet Secunia @ Microsoft Management Summit (MMS) in Las Vegas, USA (21-25 March). http://secunia.com/company/events/mms_2011/ ---------------------------------------------------------------------- TITLE: Honeywell ScanServer ActiveX Control Use-After-Free Vulnerability SECUNIA ADVISORY ID: SA43360 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/43360/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=43360 RELEASE DATE: 2011-03-22 DISCUSS ADVISORY: http://secunia.com/advisories/43360/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/43360/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=43360 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Secunia Research has discovered a vulnerability in Honeywell ScanServer ActiveX Control, which can be exploited by malicious people to compromise a user's system. The vulnerability is caused due to a use-after-free error when handling the "addOSPLext()" method and can be exploited to dereference already freed memory via a specially crafted web page. The vulnerability is confirmed in version 780.0.20.5. PROVIDED AND/OR DISCOVERED BY: Carsten Eiram, Secunia Research. ORIGINAL ADVISORY: Secunia Research: http://secunia.com/secunia_research/2011-22/ OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Directory traversal vulnerability in dc.exe 9.00.00.11059 and earlier in 7-Technologies Interactive Graphical SCADA System (IGSS) allows remote attackers to execute arbitrary programs via ..\ (dot dot backslash) sequences in opcodes (1) 0xa and (2) 0x17 to TCP port 12397. The 7T Interactive Graphical SCADA System is an automated monitoring and control system. ---------------------------------------------------------------------- Meet Secunia @ Microsoft Management Summit (MMS) in Las Vegas, USA (21-25 March). http://secunia.com/company/events/mms_2011/ ---------------------------------------------------------------------- TITLE: 7-Technologies Interactive Graphical SCADA System Multiple Vulnerabilities SECUNIA ADVISORY ID: SA43849 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/43849/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=43849 RELEASE DATE: 2011-03-23 DISCUSS ADVISORY: http://secunia.com/advisories/43849/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/43849/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=43849 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Luigi Auriemma has discovered multiple vulnerabilities in 7-Technologies Interactive Graphical SCADA System, which can be exploited by malicious people to disclose sensitive information, manipulate certain data, cause a DoS (Denial of Service), and compromise a vulnerable system. 1) An input validation error in IGSSdataServer.exe when processing certain commands can be exploited to read and write arbitrary files via a specially crafted packet containing directory traversal specifiers sent to TCP port 12401. 2) A boundary error in IGSSdataServer.exe when processing the "ListAll" command can be exploited to cause a stack-based buffer overflow via a specially crafted packet sent to TCP port 12401. 3) A boundary error in IGSSdataServer.exe when processing the "Write file" command can be exploited to cause a stack-based buffer overflow via a specially crafted packet sent to TCP port 12401. 4) A boundary error in IGSSdataServer.exe when processing the "ReadFile" command can be exploited to cause a stack-based buffer overflow via a specially crafted packet sent to TCP port 12401. 5) A boundary error in IGSSdataServer.exe when processing the "Delete" command can be exploited to cause a stack-based buffer overflow via a specially crafted packet sent to TCP port 12401. 6) A boundary error in IGSSdataServer.exe when processing the "RenameFile" command can be exploited to cause a stack-based buffer overflow via a specially crafted packet sent to TCP port 12401. 7) A boundary error in IGSSdataServer.exe when processing the "FileInfo" command can be exploited to cause a stack-based buffer overflow via a specially crafted packet sent to TCP port 12401. 8) A boundary error in IGSSdataServer.exe when processing the RMS Reports "Add" command can be exploited to cause a stack-based buffer overflow via a specially crafted packet sent to TCP port 12401. 9) A boundary error in IGSSdataServer.exe when processing the RMS Reports "ReadFile" and "Write file" commands can be exploited to cause a stack-based buffer overflow via a specially crafted packet sent to TCP port 12401. 10) A boundary error in IGSSdataServer.exe when processing the RMS Reports "Rename" command can be exploited to cause a stack-based buffer overflow via a specially crafted packet sent to TCP port 12401. 11) A format string error in IGSSdataServer.exe when creating a log message using the "logText()" function (shmemmgr9.dll) can be exploited to cause the process to crash via e.g. a specially crafted RMS Reports "Delete" command sent to TCP port 12401. 12) A boundary error in IGSSdataServer.exe when creating a SQL query string to process the STDREP update request can be exploited to cause a stack-based buffer overflow via a specially crafted packet sent to TCP port 12401. Successful exploitation of this vulnerability may allow execution of arbitrary code. Successful exploitation of vulnerabilities #2 through #10 and #13 allows execution of arbitrary code. The vulnerabilities are confirmed in version 9.0-11074. Other versions may also be affected. SOLUTION: Restrict access to trusted hosts only (e.g. via network access control lists). PROVIDED AND/OR DISCOVERED BY: Luigi Auriemma ORIGINAL ADVISORY: http://aluigi.altervista.org/adv/igss_1-adv.txt http://aluigi.altervista.org/adv/igss_2-adv.txt http://aluigi.altervista.org/adv/igss_3-adv.txt http://aluigi.altervista.org/adv/igss_4-adv.txt http://aluigi.altervista.org/adv/igss_5-adv.txt http://aluigi.altervista.org/adv/igss_6-adv.txt http://aluigi.altervista.org/adv/igss_7-adv.txt http://aluigi.altervista.org/adv/igss_8-adv.txt OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

bgpd in Quagga before 0.99.18 allows remote attackers to cause a denial of service (session reset) via a malformed AS_PATHLIMIT path attribute. Quagga is prone to a remote denial-of-service vulnerability in the Border Gateway Protocol daemon (bgpd). - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 201202-02 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - http://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: High Title: Quagga: Multiple vulnerabilities Date: February 21, 2012 Bugs: #334303, #359903, #384651 ID: 201202-02 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== Multiple vulnerabilities were found in Quagga, the worst of which leading to remote execution of arbitrary code. Background ========== Quagga is a free routing daemon replacing Zebra supporting RIP, OSPF and BGP. Affected packages ================= ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 net-misc/quagga < 0.99.20 >= 0.99.20 Description =========== Multiple vulnerabilities have been discovered in Quagga. Please review the CVE identifiers referenced below for details. Impact ====== A BGP peer could send a Route-Refresh message with specially-crafted ORF record, which can cause Quagga's bgpd to crash or possibly execute arbitrary code with the privileges of the user running Quagga's bgpd; a BGP update AS path request with unknown AS type, or malformed AS-Pathlimit or Extended-Community attributes could lead to Denial of Service (daemon crash), an error in bgpd when handling AS_PATH attributes within UPDATE messages can be exploited to cause a heap-based buffer overflow resulting in a crash of the daemon and disruption of IPv4 routing, two errors in ospf6d and ospfd can each be exploited to crash the daemon and disrupt IP routing. Workaround ========== There is no known workaround at this time. Resolution ========== All Quagga users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=net-misc/quagga-0.99.20 " References ========== [ 1 ] CVE-2010-1674 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1674 [ 2 ] CVE-2010-1675 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1675 [ 3 ] CVE-2010-2948 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2948 [ 4 ] CVE-2010-2949 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2949 [ 5 ] CVE-2011-3323 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3323 [ 6 ] CVE-2011-3324 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3324 [ 7 ] CVE-2011-3325 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3325 [ 8 ] CVE-2011-3326 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3326 [ 9 ] CVE-2011-3327 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3327 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-201202-02.xml Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License ======= Copyright 2012 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5 . =========================================================== Ubuntu Security Notice USN-1095-1 March 29, 2011 quagga vulnerabilities CVE-2010-1674, CVE-2010-1675 =========================================================== A security issue affects the following Ubuntu releases: Ubuntu 6.06 LTS Ubuntu 8.04 LTS Ubuntu 9.10 Ubuntu 10.04 LTS Ubuntu 10.10 This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu. The problem can be corrected by upgrading your system to the following package versions: Ubuntu 6.06 LTS: quagga 0.99.2-1ubuntu3.8 Ubuntu 8.04 LTS: quagga 0.99.9-2ubuntu1.5 Ubuntu 9.10: quagga 0.99.13-1ubuntu0.2 Ubuntu 10.04 LTS: quagga 0.99.15-1ubuntu0.2 Ubuntu 10.10: quagga 0.99.17-1ubuntu0.1 In general, a standard system update will make all the necessary changes. Details follow: It was discovered that Quagga incorrectly parsed certain malformed extended communities. This issue only affected Ubuntu 8.04 LTS, 9.10, 10.04 LTS and 10.10. (CVE-2010-1675) Updated packages for Ubuntu 6.06 LTS: Source archives: http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga_0.99.2-1ubuntu3.8.diff.gz Size/MD5: 36113 1eb66fc5a3782ce0589f2b282e696be2 http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga_0.99.2-1ubuntu3.8.dsc Size/MD5: 1411 87fd7a9171f7c4a4783ad4dc0805f1e1 http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga_0.99.2.orig.tar.gz Size/MD5: 2185137 88087d90697fcf5fe192352634f340b3 Architecture independent packages: http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga-doc_0.99.2-1ubuntu3.8_all.deb Size/MD5: 664436 d8113a629e9b671fc0bb82464673039d amd64 architecture (Athlon64, Opteron, EM64T Xeon): http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga_0.99.2-1ubuntu3.8_amd64.deb Size/MD5: 1401410 014fe0299907e363b1ffb42c75c89ee1 i386 architecture (x86 compatible Intel/AMD): http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga_0.99.2-1ubuntu3.8_i386.deb Size/MD5: 1199776 21c7bb4881d3ba04dfc33e862571307f powerpc architecture (Apple Macintosh G3/G4/G5): http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga_0.99.2-1ubuntu3.8_powerpc.deb Size/MD5: 1351840 38aed9b6353cb4726cede9f8ec9316b0 sparc architecture (Sun SPARC/UltraSPARC): http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga_0.99.2-1ubuntu3.8_sparc.deb Size/MD5: 1322762 acb31557865b45c8f66cec902472f18f Updated packages for Ubuntu 8.04 LTS: Source archives: http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga_0.99.9-2ubuntu1.5.diff.gz Size/MD5: 39262 3c6096477f97056af0838c3408b04f35 http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga_0.99.9-2ubuntu1.5.dsc Size/MD5: 1620 80f65b3b497f46ec444fa32c2162bbc4 http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga_0.99.9.orig.tar.gz Size/MD5: 2341067 4dbdaf91bf6609803819d97d5fccc4c9 Architecture independent packages: http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga-doc_0.99.9-2ubuntu1.5_all.deb Size/MD5: 662098 1c1e9e6549bb08f0a35b67f0d3912b9d amd64 architecture (Athlon64, Opteron, EM64T Xeon): http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga_0.99.9-2ubuntu1.5_amd64.deb Size/MD5: 1620432 1951c3240090d233607c5e89bd1225db i386 architecture (x86 compatible Intel/AMD): http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga_0.99.9-2ubuntu1.5_i386.deb Size/MD5: 1463056 15eddb43ab310e96ef948547469e72a5 lpia architecture (Low Power Intel Architecture): http://ports.ubuntu.com/pool/main/q/quagga/quagga_0.99.9-2ubuntu1.5_lpia.deb Size/MD5: 1462096 ed77eba019eb94648d3fa9511f5a66b1 powerpc architecture (Apple Macintosh G3/G4/G5): http://ports.ubuntu.com/pool/main/q/quagga/quagga_0.99.9-2ubuntu1.5_powerpc.deb Size/MD5: 1659220 0b0d9f9d494bd351004c24deba1486e5 sparc architecture (Sun SPARC/UltraSPARC): http://ports.ubuntu.com/pool/main/q/quagga/quagga_0.99.9-2ubuntu1.5_sparc.deb Size/MD5: 1521800 69d72391cb794ea1aff05a3c027d1d0b Updated packages for Ubuntu 9.10: Source archives: http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga_0.99.13-1ubuntu0.2.diff.gz Size/MD5: 36744 ca2b7bc99044a0cd3a9dca3074092d7e http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga_0.99.13-1ubuntu0.2.dsc Size/MD5: 2062 f56ce9074d4b944d1ac402917751c8d2 http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga_0.99.13.orig.tar.gz Size/MD5: 2172551 55a7d2dcf016580a7c7412b3518cd942 Architecture independent packages: http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga-doc_0.99.13-1ubuntu0.2_all.deb Size/MD5: 661830 d317a74df29d0d9d2b29d8125901fbdc amd64 architecture (Athlon64, Opteron, EM64T Xeon): http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga_0.99.13-1ubuntu0.2_amd64.deb Size/MD5: 1704898 517cf7575403cc3d8dfad3919cc94222 i386 architecture (x86 compatible Intel/AMD): http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga_0.99.13-1ubuntu0.2_i386.deb Size/MD5: 1565536 2b55c6c86db3e7975532beb621cdf2d1 armel architecture (ARM Architecture): http://ports.ubuntu.com/pool/main/q/quagga/quagga_0.99.13-1ubuntu0.2_armel.deb Size/MD5: 1494646 8e7bb17883bb8b330631ce1940ca1325 lpia architecture (Low Power Intel Architecture): http://ports.ubuntu.com/pool/main/q/quagga/quagga_0.99.13-1ubuntu0.2_lpia.deb Size/MD5: 1550538 90aecebc5d3e040b4f39cde032254e4e powerpc architecture (Apple Macintosh G3/G4/G5): http://ports.ubuntu.com/pool/main/q/quagga/quagga_0.99.13-1ubuntu0.2_powerpc.deb Size/MD5: 1646082 0dbfc717390f284b00b373eb9c8eddc1 sparc architecture (Sun SPARC/UltraSPARC): http://ports.ubuntu.com/pool/main/q/quagga/quagga_0.99.13-1ubuntu0.2_sparc.deb Size/MD5: 1624232 0ad27739f04adebb1041175ba59ac9db Updated packages for Ubuntu 10.04 LTS: Source archives: http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga_0.99.15-1ubuntu0.2.diff.gz Size/MD5: 38186 c160867f187579266c7e9e2530901c46 http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga_0.99.15-1ubuntu0.2.dsc Size/MD5: 2043 2782c599e61e924024bac7c91bf625dc http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga_0.99.15.orig.tar.gz Size/MD5: 2191159 8975414c76a295f4855a417af0b5ddce Architecture independent packages: http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga-doc_0.99.15-1ubuntu0.2_all.deb Size/MD5: 764192 21b1009ec5cfa212cfb67b510de43195 amd64 architecture (Athlon64, Opteron, EM64T Xeon): http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga_0.99.15-1ubuntu0.2_amd64.deb Size/MD5: 1713668 9437d1d013562e9d5d1f63f13e793076 i386 architecture (x86 compatible Intel/AMD): http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga_0.99.15-1ubuntu0.2_i386.deb Size/MD5: 1570952 c5d82ca896668c53ef9677f0fee9eaa5 armel architecture (ARM Architecture): http://ports.ubuntu.com/pool/main/q/quagga/quagga_0.99.15-1ubuntu0.2_armel.deb Size/MD5: 1514696 16e37adb96dc8598618197de47acd024 powerpc architecture (Apple Macintosh G3/G4/G5): http://ports.ubuntu.com/pool/main/q/quagga/quagga_0.99.15-1ubuntu0.2_powerpc.deb Size/MD5: 1653666 6003dce9a240f5fa898c3998d427bb25 sparc architecture (Sun SPARC/UltraSPARC): http://ports.ubuntu.com/pool/main/q/quagga/quagga_0.99.15-1ubuntu0.2_sparc.deb Size/MD5: 1669528 9b6a52df93c0b1df44b96c3d3bf0981b Updated packages for Ubuntu 10.10: Source archives: http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga_0.99.17-1ubuntu0.1.diff.gz Size/MD5: 36082 0ea8c4782b542282bc7df2802f946901 http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga_0.99.17-1ubuntu0.1.dsc Size/MD5: 2052 472f8f02bc416bf043867b062434dba1 http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga_0.99.17.orig.tar.gz Size/MD5: 2202151 37b9022adca04b03863d2d79787e643f Architecture independent packages: http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga-doc_0.99.17-1ubuntu0.1_all.deb Size/MD5: 608746 60d0be23780e4b79af1e9eece53ddb89 amd64 architecture (Athlon64, Opteron, EM64T Xeon): http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga_0.99.17-1ubuntu0.1_amd64.deb Size/MD5: 1693118 512b7d6309cfaee4beb2196bf47c56be i386 architecture (x86 compatible Intel/AMD): http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga_0.99.17-1ubuntu0.1_i386.deb Size/MD5: 1546418 e6a2d015781c42db6ce07c5a17f0bfea armel architecture (ARM Architecture): http://ports.ubuntu.com/pool/main/q/quagga/quagga_0.99.17-1ubuntu0.1_armel.deb Size/MD5: 1580728 7aa4098e017a8c5e721e91712d13d7b2 powerpc architecture (Apple Macintosh G3/G4/G5): http://ports.ubuntu.com/pool/main/q/quagga/quagga_0.99.17-1ubuntu0.1_powerpc.deb Size/MD5: 1626462 21bd8343d8d5753b08b581b93e158f93 . ---------------------------------------------------------------------- Meet Secunia @ Microsoft Management Summit (MMS) in Las Vegas, USA (21-25 March). http://secunia.com/company/events/mms_2011/ ---------------------------------------------------------------------- TITLE: Quagga Two Denial of Service Vulnerabilities SECUNIA ADVISORY ID: SA43770 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/43770/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=43770 RELEASE DATE: 2011-03-23 DISCUSS ADVISORY: http://secunia.com/advisories/43770/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/43770/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=43770 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Two vulnerabilities have been reported in Quagga, which can be exploited by malicious people to cause a DoS (Denial of Service). 1) A NULL-pointer dereference error when parsing certain extended community attributes can be exploited to crash the "bgpd" daemon via specially crafted extended community attributes. Note: Successful exploitation may require that the attacker is a directly configured peer. 2) An error within the AS path limit/TTL functionality when parsing certain AS_PATHLIMIT attributes can be exploited to reset BGP sessions by sending specially crafted AS_PATHLIMIT attributes. The vulnerabilities are reported in versions prior to 0.99.18. SOLUTION: Update to version 0.99.18. Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: Quagga: http://www.quagga.net/news2.php?y=2011&m=3&d=21#id1300723200 DSA-2197-1: http://lists.debian.org/debian-security-announce/2011/msg00065.html OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . ---------------------------------------------------------------------- Secunia presentations @ RSA Conference 2012, San Francisco, USA, 27 Feb-02 March Listen to our Chief Security Specialist, Research Analyst Director, and Director Product Management & Quality Assurance discuss the industry's key topics. Also, visit the Secunia stand #817. This fixes multiple vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system. Updated packages are available that bring Quagga to version 0.99.18 which provides numerous bugfixes over the previous 0.99.17 version, and also corrects these issues. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - ------------------------------------------------------------------------- Debian Security Advisory DSA-2197-1 security@debian.org http://www.debian.org/security/ Florian Weimer March 21, 2011 http://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : quagga Vulnerability : denial of service Problem type : remote Debian-specific: no CVE ID : CVE-2010-1674 CVE-2010-1675 It has been discovered that the Quagga routing daemon contains two denial-of-service vulnerabilities in its BGP implementation: CVE-2010-1674 A crafted Extended Communities attribute triggers a null pointer dereference which causes the BGP daemon to crash. The crafted attributes are not propagated by the Internet core, so only explicitly configured direct peers are able to exploit this vulnerability in typical configurations. CVE-2010-1675 The BGP daemon resets BGP sessions when it encounters malformed AS_PATHLIMIT attributes, introducing a distributed BGP session reset vulnerability which disrupts packet forwarding. Such malformed attributes are propagated by the Internet core, and exploitation of this vulnerability is not restricted to directly configured BGP peers. This security update removes AS_PATHLIMIT processing from the BGP implementation, preserving the configuration statements for backwards compatibility. (Standardization of this BGP extension was abandoned long ago.) For the oldstable distribution (lenny), these problems have been fixed in version 0.99.10-1lenny5. For the stable distribution (squeeze), these problems have been fixed in version 0.99.17-2+squeeze2. For the testing distribution (wheezy) and the unstable distribution (sid), these problems will fixed soon. We recommend that you upgrade your quagga packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iQEcBAEBAgAGBQJNh6YIAAoJEL97/wQC1SS+NM8IAKIkTfjywBL7reUL+qfnDQuE Lp7/0vs/NpT3X4emH8dJiALXQkjzfr1CmyeCB+ZHxhuctr4lTCmJbcng6NPv9bxq m3RmwgBuawsqZhkAjqXJQd72zNftrGgt6kYnCk9SkgezeRkfUxZTa6QMwm/ykLAW 2WzkdXkb9CqPVIOD7Drr6gz077u3qqIAsJjgbtExNPWAgYszjCMMDb+idcI9jfAZ GdSQwsGZxqlqKbYp0DTkv7a8Q59cS8bLMZzNag+mY3wlJq1u+eAVuvplDDhU6/cx Nr6Y14LkiRGiZJ8a4j52XfJ/69HsX1TeedVDf5Z6icBa+FIoL252da0Lo1lGNgw= =5Ue5 -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/

The extended-community parser in bgpd in Quagga before 0.99.18 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a malformed Extended Communities attribute. Quagga is prone to a remote denial-of-service vulnerability caused by a NULL-pointer dereference in the Border Gateway Protocol daemon (bgpd). - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 201202-02 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - http://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: High Title: Quagga: Multiple vulnerabilities Date: February 21, 2012 Bugs: #334303, #359903, #384651 ID: 201202-02 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== Multiple vulnerabilities were found in Quagga, the worst of which leading to remote execution of arbitrary code. Affected packages ================= ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 net-misc/quagga < 0.99.20 >= 0.99.20 Description =========== Multiple vulnerabilities have been discovered in Quagga. Please review the CVE identifiers referenced below for details. Workaround ========== There is no known workaround at this time. Resolution ========== All Quagga users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=net-misc/quagga-0.99.20 " References ========== [ 1 ] CVE-2010-1674 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1674 [ 2 ] CVE-2010-1675 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1675 [ 3 ] CVE-2010-2948 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2948 [ 4 ] CVE-2010-2949 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2949 [ 5 ] CVE-2011-3323 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3323 [ 6 ] CVE-2011-3324 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3324 [ 7 ] CVE-2011-3325 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3325 [ 8 ] CVE-2011-3326 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3326 [ 9 ] CVE-2011-3327 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3327 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-201202-02.xml Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License ======= Copyright 2012 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5 . =========================================================== Ubuntu Security Notice USN-1095-1 March 29, 2011 quagga vulnerabilities CVE-2010-1674, CVE-2010-1675 =========================================================== A security issue affects the following Ubuntu releases: Ubuntu 6.06 LTS Ubuntu 8.04 LTS Ubuntu 9.10 Ubuntu 10.04 LTS Ubuntu 10.10 This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu. The problem can be corrected by upgrading your system to the following package versions: Ubuntu 6.06 LTS: quagga 0.99.2-1ubuntu3.8 Ubuntu 8.04 LTS: quagga 0.99.9-2ubuntu1.5 Ubuntu 9.10: quagga 0.99.13-1ubuntu0.2 Ubuntu 10.04 LTS: quagga 0.99.15-1ubuntu0.2 Ubuntu 10.10: quagga 0.99.17-1ubuntu0.1 In general, a standard system update will make all the necessary changes. Details follow: It was discovered that Quagga incorrectly parsed certain malformed extended communities. A remote attacker could use this flaw to disrupt BGP sessions, resulting in a denial of service. This issue only affected Ubuntu 8.04 LTS, 9.10, 10.04 LTS and 10.10. (CVE-2010-1675) Updated packages for Ubuntu 6.06 LTS: Source archives: http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga_0.99.2-1ubuntu3.8.diff.gz Size/MD5: 36113 1eb66fc5a3782ce0589f2b282e696be2 http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga_0.99.2-1ubuntu3.8.dsc Size/MD5: 1411 87fd7a9171f7c4a4783ad4dc0805f1e1 http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga_0.99.2.orig.tar.gz Size/MD5: 2185137 88087d90697fcf5fe192352634f340b3 Architecture independent packages: http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga-doc_0.99.2-1ubuntu3.8_all.deb Size/MD5: 664436 d8113a629e9b671fc0bb82464673039d amd64 architecture (Athlon64, Opteron, EM64T Xeon): http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga_0.99.2-1ubuntu3.8_amd64.deb Size/MD5: 1401410 014fe0299907e363b1ffb42c75c89ee1 i386 architecture (x86 compatible Intel/AMD): http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga_0.99.2-1ubuntu3.8_i386.deb Size/MD5: 1199776 21c7bb4881d3ba04dfc33e862571307f powerpc architecture (Apple Macintosh G3/G4/G5): http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga_0.99.2-1ubuntu3.8_powerpc.deb Size/MD5: 1351840 38aed9b6353cb4726cede9f8ec9316b0 sparc architecture (Sun SPARC/UltraSPARC): http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga_0.99.2-1ubuntu3.8_sparc.deb Size/MD5: 1322762 acb31557865b45c8f66cec902472f18f Updated packages for Ubuntu 8.04 LTS: Source archives: http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga_0.99.9-2ubuntu1.5.diff.gz Size/MD5: 39262 3c6096477f97056af0838c3408b04f35 http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga_0.99.9-2ubuntu1.5.dsc Size/MD5: 1620 80f65b3b497f46ec444fa32c2162bbc4 http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga_0.99.9.orig.tar.gz Size/MD5: 2341067 4dbdaf91bf6609803819d97d5fccc4c9 Architecture independent packages: http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga-doc_0.99.9-2ubuntu1.5_all.deb Size/MD5: 662098 1c1e9e6549bb08f0a35b67f0d3912b9d amd64 architecture (Athlon64, Opteron, EM64T Xeon): http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga_0.99.9-2ubuntu1.5_amd64.deb Size/MD5: 1620432 1951c3240090d233607c5e89bd1225db i386 architecture (x86 compatible Intel/AMD): http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga_0.99.9-2ubuntu1.5_i386.deb Size/MD5: 1463056 15eddb43ab310e96ef948547469e72a5 lpia architecture (Low Power Intel Architecture): http://ports.ubuntu.com/pool/main/q/quagga/quagga_0.99.9-2ubuntu1.5_lpia.deb Size/MD5: 1462096 ed77eba019eb94648d3fa9511f5a66b1 powerpc architecture (Apple Macintosh G3/G4/G5): http://ports.ubuntu.com/pool/main/q/quagga/quagga_0.99.9-2ubuntu1.5_powerpc.deb Size/MD5: 1659220 0b0d9f9d494bd351004c24deba1486e5 sparc architecture (Sun SPARC/UltraSPARC): http://ports.ubuntu.com/pool/main/q/quagga/quagga_0.99.9-2ubuntu1.5_sparc.deb Size/MD5: 1521800 69d72391cb794ea1aff05a3c027d1d0b Updated packages for Ubuntu 9.10: Source archives: http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga_0.99.13-1ubuntu0.2.diff.gz Size/MD5: 36744 ca2b7bc99044a0cd3a9dca3074092d7e http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga_0.99.13-1ubuntu0.2.dsc Size/MD5: 2062 f56ce9074d4b944d1ac402917751c8d2 http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga_0.99.13.orig.tar.gz Size/MD5: 2172551 55a7d2dcf016580a7c7412b3518cd942 Architecture independent packages: http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga-doc_0.99.13-1ubuntu0.2_all.deb Size/MD5: 661830 d317a74df29d0d9d2b29d8125901fbdc amd64 architecture (Athlon64, Opteron, EM64T Xeon): http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga_0.99.13-1ubuntu0.2_amd64.deb Size/MD5: 1704898 517cf7575403cc3d8dfad3919cc94222 i386 architecture (x86 compatible Intel/AMD): http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga_0.99.13-1ubuntu0.2_i386.deb Size/MD5: 1565536 2b55c6c86db3e7975532beb621cdf2d1 armel architecture (ARM Architecture): http://ports.ubuntu.com/pool/main/q/quagga/quagga_0.99.13-1ubuntu0.2_armel.deb Size/MD5: 1494646 8e7bb17883bb8b330631ce1940ca1325 lpia architecture (Low Power Intel Architecture): http://ports.ubuntu.com/pool/main/q/quagga/quagga_0.99.13-1ubuntu0.2_lpia.deb Size/MD5: 1550538 90aecebc5d3e040b4f39cde032254e4e powerpc architecture (Apple Macintosh G3/G4/G5): http://ports.ubuntu.com/pool/main/q/quagga/quagga_0.99.13-1ubuntu0.2_powerpc.deb Size/MD5: 1646082 0dbfc717390f284b00b373eb9c8eddc1 sparc architecture (Sun SPARC/UltraSPARC): http://ports.ubuntu.com/pool/main/q/quagga/quagga_0.99.13-1ubuntu0.2_sparc.deb Size/MD5: 1624232 0ad27739f04adebb1041175ba59ac9db Updated packages for Ubuntu 10.04 LTS: Source archives: http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga_0.99.15-1ubuntu0.2.diff.gz Size/MD5: 38186 c160867f187579266c7e9e2530901c46 http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga_0.99.15-1ubuntu0.2.dsc Size/MD5: 2043 2782c599e61e924024bac7c91bf625dc http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga_0.99.15.orig.tar.gz Size/MD5: 2191159 8975414c76a295f4855a417af0b5ddce Architecture independent packages: http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga-doc_0.99.15-1ubuntu0.2_all.deb Size/MD5: 764192 21b1009ec5cfa212cfb67b510de43195 amd64 architecture (Athlon64, Opteron, EM64T Xeon): http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga_0.99.15-1ubuntu0.2_amd64.deb Size/MD5: 1713668 9437d1d013562e9d5d1f63f13e793076 i386 architecture (x86 compatible Intel/AMD): http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga_0.99.15-1ubuntu0.2_i386.deb Size/MD5: 1570952 c5d82ca896668c53ef9677f0fee9eaa5 armel architecture (ARM Architecture): http://ports.ubuntu.com/pool/main/q/quagga/quagga_0.99.15-1ubuntu0.2_armel.deb Size/MD5: 1514696 16e37adb96dc8598618197de47acd024 powerpc architecture (Apple Macintosh G3/G4/G5): http://ports.ubuntu.com/pool/main/q/quagga/quagga_0.99.15-1ubuntu0.2_powerpc.deb Size/MD5: 1653666 6003dce9a240f5fa898c3998d427bb25 sparc architecture (Sun SPARC/UltraSPARC): http://ports.ubuntu.com/pool/main/q/quagga/quagga_0.99.15-1ubuntu0.2_sparc.deb Size/MD5: 1669528 9b6a52df93c0b1df44b96c3d3bf0981b Updated packages for Ubuntu 10.10: Source archives: http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga_0.99.17-1ubuntu0.1.diff.gz Size/MD5: 36082 0ea8c4782b542282bc7df2802f946901 http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga_0.99.17-1ubuntu0.1.dsc Size/MD5: 2052 472f8f02bc416bf043867b062434dba1 http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga_0.99.17.orig.tar.gz Size/MD5: 2202151 37b9022adca04b03863d2d79787e643f Architecture independent packages: http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga-doc_0.99.17-1ubuntu0.1_all.deb Size/MD5: 608746 60d0be23780e4b79af1e9eece53ddb89 amd64 architecture (Athlon64, Opteron, EM64T Xeon): http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga_0.99.17-1ubuntu0.1_amd64.deb Size/MD5: 1693118 512b7d6309cfaee4beb2196bf47c56be i386 architecture (x86 compatible Intel/AMD): http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga_0.99.17-1ubuntu0.1_i386.deb Size/MD5: 1546418 e6a2d015781c42db6ce07c5a17f0bfea armel architecture (ARM Architecture): http://ports.ubuntu.com/pool/main/q/quagga/quagga_0.99.17-1ubuntu0.1_armel.deb Size/MD5: 1580728 7aa4098e017a8c5e721e91712d13d7b2 powerpc architecture (Apple Macintosh G3/G4/G5): http://ports.ubuntu.com/pool/main/q/quagga/quagga_0.99.17-1ubuntu0.1_powerpc.deb Size/MD5: 1626462 21bd8343d8d5753b08b581b93e158f93 . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: quagga security update Advisory ID: RHSA-2012:1258-01 Product: Red Hat Enterprise Linux Advisory URL: https://rhn.redhat.com/errata/RHSA-2012-1258.html Issue date: 2012-09-12 CVE Names: CVE-2010-1674 CVE-2011-3323 CVE-2011-3324 CVE-2011-3325 CVE-2011-3326 CVE-2011-3327 CVE-2012-0249 CVE-2012-0250 ===================================================================== 1. Summary: Updated quagga packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. 2. Relevant releases/architectures: RHEL Desktop Workstation (v. 5 client) - i386, x86_64 Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64 Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64 3. Description: Quagga is a TCP/IP based routing software suite. The Quagga ospfd and ospf6d daemons implement the OSPF (Open Shortest Path First) routing protocol. A heap-based buffer overflow flaw was found in the way the bgpd daemon processed malformed Extended Communities path attributes. An attacker could send a specially-crafted BGP message, causing bgpd on a target system to crash or, possibly, execute arbitrary code with the privileges of the user running bgpd. The UPDATE message would have to arrive from an explicitly configured BGP peer, but could have originated elsewhere in the BGP network. A configured BGP peer could crash bgpd on a target system via a specially-crafted BGP message. (CVE-2010-1674) A stack-based buffer overflow flaw was found in the way the ospf6d daemon processed malformed Link State Update packets. An OSPF router could use this flaw to crash ospf6d on an adjacent router. (CVE-2011-3323) A flaw was found in the way the ospf6d daemon processed malformed link state advertisements. An OSPF neighbor could use this flaw to crash ospf6d on a target system. (CVE-2011-3324) A flaw was found in the way the ospfd daemon processed malformed Hello packets. An OSPF neighbor could use this flaw to crash ospfd on a target system. (CVE-2011-3325) A flaw was found in the way the ospfd daemon processed malformed link state advertisements. An OSPF router in the autonomous system could use this flaw to crash ospfd on a target system. (CVE-2011-3326) An assertion failure was found in the way the ospfd daemon processed certain Link State Update packets. An OSPF router could use this flaw to cause ospfd on an adjacent router to abort. (CVE-2012-0249) A buffer overflow flaw was found in the way the ospfd daemon processed certain Link State Update packets. An OSPF router could use this flaw to crash ospfd on an adjacent router. (CVE-2012-0250) Red Hat would like to thank CERT-FI for reporting CVE-2011-3327, CVE-2011-3323, CVE-2011-3324, CVE-2011-3325, and CVE-2011-3326; and the CERT/CC for reporting CVE-2012-0249 and CVE-2012-0250. CERT-FI acknowledges Riku Hietamäki, Tuomo Untinen and Jukka Taimisto of the Codenomicon CROSS project as the original reporters of CVE-2011-3327, CVE-2011-3323, CVE-2011-3324, CVE-2011-3325, and CVE-2011-3326. The CERT/CC acknowledges Martin Winter at OpenSourceRouting.org as the original reporter of CVE-2012-0249 and CVE-2012-0250. Users of quagga should upgrade to these updated packages, which contain backported patches to correct these issues. After installing the updated packages, the bgpd, ospfd, and ospf6d daemons will be restarted automatically. 4. Solution: Before applying this update, make sure all previously-released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/knowledge/articles/11258 5. Bugs fixed (http://bugzilla.redhat.com/): 654603 - CVE-2010-1674 quagga: DoS (crash) by processing malformed extended community attribute in a route 738393 - CVE-2011-3323 Quagga (ospf6d): Stack-based buffer overflow while decoding Link State Update packet with malformed Inter Area Prefix LSA 738394 - CVE-2011-3324 Quagga (ospf6d): Denial of service by decoding malformed Database Description packet headers 738396 - CVE-2011-3325 Quagga (ospfd): Denial of service by decoding too short Hello packet or Hello packet with invalid OSPFv2 header type 738398 - CVE-2011-3326 Quagga (ospfd): Denial of service by decoding Link State Update LSAs of unknown type 738400 - CVE-2011-3327 Quagga (bgpd): Heap-based buffer overflow by decoding BGP UPDATE message with unknown AS_PATH attributes 802827 - CVE-2012-0249 quagga (ospfd): Assertion failure due improper length check for a received LS-Update OSPF packet 802829 - CVE-2012-0250 quagga (ospfd): Crash by processing LS-Update OSPF packet due improper length check of the Network-LSA structures 6. Package List: Red Hat Enterprise Linux Desktop (v. 5 client): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/quagga-0.98.6-7.el5_8.1.src.rpm i386: quagga-contrib-0.98.6-7.el5_8.1.i386.rpm quagga-debuginfo-0.98.6-7.el5_8.1.i386.rpm x86_64: quagga-contrib-0.98.6-7.el5_8.1.x86_64.rpm quagga-debuginfo-0.98.6-7.el5_8.1.x86_64.rpm RHEL Desktop Workstation (v. 5 client): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/quagga-0.98.6-7.el5_8.1.src.rpm i386: quagga-0.98.6-7.el5_8.1.i386.rpm quagga-debuginfo-0.98.6-7.el5_8.1.i386.rpm quagga-devel-0.98.6-7.el5_8.1.i386.rpm x86_64: quagga-0.98.6-7.el5_8.1.x86_64.rpm quagga-debuginfo-0.98.6-7.el5_8.1.i386.rpm quagga-debuginfo-0.98.6-7.el5_8.1.x86_64.rpm quagga-devel-0.98.6-7.el5_8.1.i386.rpm quagga-devel-0.98.6-7.el5_8.1.x86_64.rpm Red Hat Enterprise Linux (v. 5 server): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/quagga-0.98.6-7.el5_8.1.src.rpm i386: quagga-0.98.6-7.el5_8.1.i386.rpm quagga-contrib-0.98.6-7.el5_8.1.i386.rpm quagga-debuginfo-0.98.6-7.el5_8.1.i386.rpm quagga-devel-0.98.6-7.el5_8.1.i386.rpm ia64: quagga-0.98.6-7.el5_8.1.ia64.rpm quagga-contrib-0.98.6-7.el5_8.1.ia64.rpm quagga-debuginfo-0.98.6-7.el5_8.1.ia64.rpm quagga-devel-0.98.6-7.el5_8.1.ia64.rpm ppc: quagga-0.98.6-7.el5_8.1.ppc.rpm quagga-contrib-0.98.6-7.el5_8.1.ppc.rpm quagga-debuginfo-0.98.6-7.el5_8.1.ppc.rpm quagga-debuginfo-0.98.6-7.el5_8.1.ppc64.rpm quagga-devel-0.98.6-7.el5_8.1.ppc.rpm quagga-devel-0.98.6-7.el5_8.1.ppc64.rpm s390x: quagga-0.98.6-7.el5_8.1.s390x.rpm quagga-contrib-0.98.6-7.el5_8.1.s390x.rpm quagga-debuginfo-0.98.6-7.el5_8.1.s390.rpm quagga-debuginfo-0.98.6-7.el5_8.1.s390x.rpm quagga-devel-0.98.6-7.el5_8.1.s390.rpm quagga-devel-0.98.6-7.el5_8.1.s390x.rpm x86_64: quagga-0.98.6-7.el5_8.1.x86_64.rpm quagga-contrib-0.98.6-7.el5_8.1.x86_64.rpm quagga-debuginfo-0.98.6-7.el5_8.1.i386.rpm quagga-debuginfo-0.98.6-7.el5_8.1.x86_64.rpm quagga-devel-0.98.6-7.el5_8.1.i386.rpm quagga-devel-0.98.6-7.el5_8.1.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package 7. References: https://www.redhat.com/security/data/cve/CVE-2010-1674.html https://www.redhat.com/security/data/cve/CVE-2011-3323.html https://www.redhat.com/security/data/cve/CVE-2011-3324.html https://www.redhat.com/security/data/cve/CVE-2011-3325.html https://www.redhat.com/security/data/cve/CVE-2011-3326.html https://www.redhat.com/security/data/cve/CVE-2011-3327.html https://www.redhat.com/security/data/cve/CVE-2012-0249.html https://www.redhat.com/security/data/cve/CVE-2012-0250.html https://access.redhat.com/security/updates/classification/#moderate 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2012 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFQUOwgXlSAg2UNWIIRAnpmAKCmR0UYneuYqhGXzZc7Wol864tlKACeIGwA EBCd27eTiT5JPHMgOGBqNSI= =Q9Tw -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. The crafted attributes are not propagated by the Internet core, so only explicitly configured direct peers are able to exploit this vulnerability in typical configurations. CVE-2010-1675 The BGP daemon resets BGP sessions when it encounters malformed AS_PATHLIMIT attributes, introducing a distributed BGP session reset vulnerability which disrupts packet forwarding. Such malformed attributes are propagated by the Internet core, and exploitation of this vulnerability is not restricted to directly configured BGP peers. This security update removes AS_PATHLIMIT processing from the BGP implementation, preserving the configuration statements for backwards compatibility. (Standardization of this BGP extension was abandoned long ago.) For the oldstable distribution (lenny), these problems have been fixed in version 0.99.10-1lenny5. For the stable distribution (squeeze), these problems have been fixed in version 0.99.17-2+squeeze2. For the testing distribution (wheezy) and the unstable distribution (sid), these problems will fixed soon. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/

Integer overflow in ImageIO in Apple Mac OS X 10.6 before 10.6.7 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted TIFF image with JPEG encoding. Apple Mac OS X is prone to a remote integer-overflow vulnerability. Successful exploits may allow an attacker to execute arbitrary code in the context of the application. Failed exploit attempts will result in a denial-of-service condition. Versions prior to OS X 10.6.7 are vulnerable. NOTE: This issue was previously discussed in BID 46950 (Apple Mac OS X Prior to 10.6.7 Multiple Security Vulnerabilities) but has been given its own record to better document it. ---------------------------------------------------------------------- Meet Secunia @ Microsoft Management Summit (MMS) in Las Vegas, USA (21-25 March). http://secunia.com/company/events/mms_2011/ ---------------------------------------------------------------------- TITLE: Apple Mac OS X Multiple Vulnerabilities SECUNIA ADVISORY ID: SA43814 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/43814/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=43814 RELEASE DATE: 2011-03-22 DISCUSS ADVISORY: http://secunia.com/advisories/43814/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/43814/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=43814 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Apple has issued a security update for Mac OS X, which fixes multiple vulnerabilities. 1) A divide-by-zero error in AirPort when handling Wi-Fi frames can be exploited to cause a system reset. 2) Multiple vulnerabilities in Apache can be exploited by malicious people to disclose potentially sensitive information and by malicious users and malicious people to cause a DoS (Denial of Service). For more information: SA40206 3) A format string error within AppleScript Studio when handling certain commands via dialogs can be exploited to potentially execute arbitrary code. 4) An unspecified error in the handling of embedded OpenType fonts in Apple Type Services (ATS) can be exploited to cause a heap-based buffer overflow when a specially crafted document is viewed or downloaded. 5) Multiple unspecified errors in the handling of embedded TrueType fonts in Apple Type Services (ATS) can be exploited to cause a buffer overflow when a specially crafted document is viewed or downloaded. 6) Multiple unspecified errors in the handling of embedded Type 1 fonts in Apple Type Services (ATS) can be exploited to cause a buffer overflow when a specially crafted document is viewed or downloaded. 7) Multiple unspecified errors in the handling of SFNT tables in embedded fonts in Apple Type Services (ATS) can be exploited to cause a buffer overflow when a specially crafted document is viewed or downloaded. 8) An integer overflow error in bzip2 can be exploited to terminate an application using the library or execute arbitrary code via a specially crafted archive. For more information: SA41452 9) An error within the "FSFindFolder()" API in CarbonCore when used with the "kTemporaryFolderType" flag can be exploited to disclose the contents of arbitrary directories. 10) Multiple errors in ClamAV can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system. For more information: SA41503 SA42426 11) An unspecified error in the handling of embedded fonts in CoreText can be exploited to corrupt memory when a specially crafted document is viewed or downloaded. 12) An integer overflow error within the handling of the F_READBOOTSTRAP ioctl in HFS, HFS+, and HFS+J filesystems can be exploited to read arbitrary files. 13) An error in ImageIO within the handling of JPEG files can be exploited to cause a heap-based buffer overflow. 15) An error in libTIFF within the handling of JPEG encoded TIFF files can be exploited to cause a buffer overflow. 16) An error in libTIFF within the handling of CCITT Group 4 encoded TIFF files can be exploited to cause a buffer overflow. 18) Multiple errors in Image RAW when handling Canon RAW image files can be exploited to cause buffer overflows. 19) An error in the Install Helper when handling URLs can be exploited to install an arbitrary agent by tricking the user into visiting a malicious website. 20) Multiple errors in Kerberos can be exploited by malicious users and malicious people to conduct spoofing attacks and bypass certain security features. 22) An integer truncation error within Libinfo when handling NFS RPC packets can be exploited to cause NFS RPC services to become unresponsive. 23) An error exists in the libxml library when traversing the XPath. For more information: SA42175 24) A double free error exists in the libxml library when handling XPath expressions. For more information: SA42721 25) Two errors in Mailman can be exploited by malicious users to conduct script insertion attacks. For more information: SA41265 26) Multiple errors in PHP can be exploited by malicious users and malicious people to bypass certain security restrictions and by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system. For more information: SA39573 SA41724 27) Multiple errors in PHP can be exploited by malicious users and malicious people to bypass certain security restrictions. For more information: SA41724 28) An error in the OfficeImport framework when processing records containing formulas shared between multiple cells can be exploited to corrupt memory and potentially execute arbitrary code. 29) An error in QuickLook when handling certain Microsoft Office files can be exploited to corrupt memory when a specially crafted document is downloaded. 30) Multiple unspecified errors in QuickTime when handling JPEG2000, FlashPix, and panorama atoms in QTVR (QuickTime Virtual Reality) movie files can be exploited to corrupt memory via specially crafted files. 31) An integer overflow error in QuickTime when handling certain movie files can be exploited to potentially execute arbitrary code when a specially crafted file is viewed. 32) An error within QuickTime plug-in when handling cross-site redirects can be exploited to disclose video data. 33) An integer truncation error within the Ruby BigDecimal class can be exploited to potentially execute arbitrary code. This vulnerability only affects 64-bit Ruby processes. 34) A boundary error in Samba can be exploited by malicious people to potentially compromise a vulnerable system. For more information: SA41354 35) A security issue in Subversion can be exploited by malicious people to bypass certain security restrictions. For more information: SA41652 36) A weakness in Terminal uses SSH version 1 as the default protocol version when using ssh via the "New Remote Connection" dialog. 37) Some vulnerabilities in FreeType can be exploited to cause a DoS (Denial of Service) or potentially compromise an application using the library. For more information: SA41738 SOLUTION: Update to version 10.6.7 or apply Security Update 2011-001. PROVIDED AND/OR DISCOVERED BY: 15, 16, 33) Reported by the vendor. The vendor credits: 3) Alexander Strange. 5) Christoph Diehl of Mozilla, Felix Grobert of the Google Security Team, Marc Schoenefeld of Red Hat Security Response Team, and Tavis Ormandy and Will Drewry of Google Security Team. 6) Felix Grobert, Google Security Team and geekable via ZDI. 7) Marc Schoenefeld, Red Hat Security Response Team. 11) Christoph Diehl, Mozilla. 12) Dan Rosenberg, Virtual Security Research. 13) Andrzej Dyjak via iDefense. 14) Harry Sintonen. 17) Dominic Chell, NGS Secure. 18) Paul Harrington, NGS Secure. 19) Aaron Sigel, vtty.com. 21) Jeff Mears. 22) Peter Schwenk, University of Delaware. 28) Tobias Klein via iDefense. 29) Charlie Miller and Dion Blazakis via ZDI. 30) Will Dormann of CERT/CC, Damian Put and an anonymous researcher via ZDI, and Rodrigo Rubira Branco of Check Point Vulnerability Discovery Team. 31) Honggang Ren, Fortinet's FortiGuard Labs. 32) Nirankush Panchbhai and Microsoft Vulnerability Research (MSVR). 36) Matt Warren, HNW Inc. ORIGINAL ADVISORY: Apple: http://support.apple.com/kb/HT4581 iDefense: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=898 OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Install Helper in Installer in Apple Mac OS X before 10.6.7 does not properly process an unspecified URL, which might allow remote attackers to track user logins by logging network traffic from an agent that was intended to send network traffic to an Apple server. Apple Mac OS X is prone to a vulnerability that affects URI processing in Install Helper. Exploiting this issue can allow attackers to provide unexpected input and possibly bypass input-validation protection mechanisms, leading to the installation of an agent that contacts an arbitrary server. Users may have a false sense of security, believing that the agent contacts Apple, not an arbitrary domain. Mac OS X 10.6 through 10.6.6 and Mac OS X Server 10.6 through 10.6.6 are vulnerable. NOTE: This issue was previously discussed in BID 46950 (Apple Mac OS X Prior to 10.6.7 Multiple Security Vulnerabilities) but has been given its own record to better document it. ---------------------------------------------------------------------- Meet Secunia @ Microsoft Management Summit (MMS) in Las Vegas, USA (21-25 March). http://secunia.com/company/events/mms_2011/ ---------------------------------------------------------------------- TITLE: Apple Mac OS X Multiple Vulnerabilities SECUNIA ADVISORY ID: SA43814 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/43814/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=43814 RELEASE DATE: 2011-03-22 DISCUSS ADVISORY: http://secunia.com/advisories/43814/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/43814/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=43814 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Apple has issued a security update for Mac OS X, which fixes multiple vulnerabilities. 1) A divide-by-zero error in AirPort when handling Wi-Fi frames can be exploited to cause a system reset. 2) Multiple vulnerabilities in Apache can be exploited by malicious people to disclose potentially sensitive information and by malicious users and malicious people to cause a DoS (Denial of Service). For more information: SA40206 3) A format string error within AppleScript Studio when handling certain commands via dialogs can be exploited to potentially execute arbitrary code. 4) An unspecified error in the handling of embedded OpenType fonts in Apple Type Services (ATS) can be exploited to cause a heap-based buffer overflow when a specially crafted document is viewed or downloaded. 5) Multiple unspecified errors in the handling of embedded TrueType fonts in Apple Type Services (ATS) can be exploited to cause a buffer overflow when a specially crafted document is viewed or downloaded. 6) Multiple unspecified errors in the handling of embedded Type 1 fonts in Apple Type Services (ATS) can be exploited to cause a buffer overflow when a specially crafted document is viewed or downloaded. 7) Multiple unspecified errors in the handling of SFNT tables in embedded fonts in Apple Type Services (ATS) can be exploited to cause a buffer overflow when a specially crafted document is viewed or downloaded. 8) An integer overflow error in bzip2 can be exploited to terminate an application using the library or execute arbitrary code via a specially crafted archive. For more information: SA41452 9) An error within the "FSFindFolder()" API in CarbonCore when used with the "kTemporaryFolderType" flag can be exploited to disclose the contents of arbitrary directories. 10) Multiple errors in ClamAV can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system. For more information: SA41503 SA42426 11) An unspecified error in the handling of embedded fonts in CoreText can be exploited to corrupt memory when a specially crafted document is viewed or downloaded. 12) An integer overflow error within the handling of the F_READBOOTSTRAP ioctl in HFS, HFS+, and HFS+J filesystems can be exploited to read arbitrary files. 13) An error in ImageIO within the handling of JPEG files can be exploited to cause a heap-based buffer overflow. 14) An integer overflow error in ImageIO within the handling of XBM files can be exploited to potentially execute arbitrary code. 15) An error in libTIFF within the handling of JPEG encoded TIFF files can be exploited to cause a buffer overflow. 16) An error in libTIFF within the handling of CCITT Group 4 encoded TIFF files can be exploited to cause a buffer overflow. 17) An integer overflow error in ImageIO within the handling of JPEG encoded TIFF files can be exploited to potentially execute arbitrary code. 18) Multiple errors in Image RAW when handling Canon RAW image files can be exploited to cause buffer overflows. 19) An error in the Install Helper when handling URLs can be exploited to install an arbitrary agent by tricking the user into visiting a malicious website. 20) Multiple errors in Kerberos can be exploited by malicious users and malicious people to conduct spoofing attacks and bypass certain security features. For more information: SA37977 SA42396 21) An error within the "i386_set_ldt()" system call can be exploited by malicious, local users to execute arbitrary code with system privileges. 22) An integer truncation error within Libinfo when handling NFS RPC packets can be exploited to cause NFS RPC services to become unresponsive. 23) An error exists in the libxml library when traversing the XPath. For more information: SA42175 24) A double free error exists in the libxml library when handling XPath expressions. For more information: SA42721 25) Two errors in Mailman can be exploited by malicious users to conduct script insertion attacks. For more information: SA41265 26) Multiple errors in PHP can be exploited by malicious users and malicious people to bypass certain security restrictions and by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system. For more information: SA39573 SA41724 27) Multiple errors in PHP can be exploited by malicious users and malicious people to bypass certain security restrictions. For more information: SA41724 28) An error in the OfficeImport framework when processing records containing formulas shared between multiple cells can be exploited to corrupt memory and potentially execute arbitrary code. 29) An error in QuickLook when handling certain Microsoft Office files can be exploited to corrupt memory when a specially crafted document is downloaded. 30) Multiple unspecified errors in QuickTime when handling JPEG2000, FlashPix, and panorama atoms in QTVR (QuickTime Virtual Reality) movie files can be exploited to corrupt memory via specially crafted files. 31) An integer overflow error in QuickTime when handling certain movie files can be exploited to potentially execute arbitrary code when a specially crafted file is viewed. 32) An error within QuickTime plug-in when handling cross-site redirects can be exploited to disclose video data. 33) An integer truncation error within the Ruby BigDecimal class can be exploited to potentially execute arbitrary code. This vulnerability only affects 64-bit Ruby processes. 34) A boundary error in Samba can be exploited by malicious people to potentially compromise a vulnerable system. For more information: SA41354 35) A security issue in Subversion can be exploited by malicious people to bypass certain security restrictions. For more information: SA41652 36) A weakness in Terminal uses SSH version 1 as the default protocol version when using ssh via the "New Remote Connection" dialog. 37) Some vulnerabilities in FreeType can be exploited to cause a DoS (Denial of Service) or potentially compromise an application using the library. For more information: SA41738 SOLUTION: Update to version 10.6.7 or apply Security Update 2011-001. PROVIDED AND/OR DISCOVERED BY: 15, 16, 33) Reported by the vendor. The vendor credits: 3) Alexander Strange. 5) Christoph Diehl of Mozilla, Felix Grobert of the Google Security Team, Marc Schoenefeld of Red Hat Security Response Team, and Tavis Ormandy and Will Drewry of Google Security Team. 6) Felix Grobert, Google Security Team and geekable via ZDI. 7) Marc Schoenefeld, Red Hat Security Response Team. 11) Christoph Diehl, Mozilla. 12) Dan Rosenberg, Virtual Security Research. 13) Andrzej Dyjak via iDefense. 14) Harry Sintonen. 17) Dominic Chell, NGS Secure. 18) Paul Harrington, NGS Secure. 19) Aaron Sigel, vtty.com. 21) Jeff Mears. 22) Peter Schwenk, University of Delaware. 28) Tobias Klein via iDefense. 29) Charlie Miller and Dion Blazakis via ZDI. 30) Will Dormann of CERT/CC, Damian Put and an anonymous researcher via ZDI, and Rodrigo Rubira Branco of Check Point Vulnerability Discovery Team. 31) Honggang Ren, Fortinet's FortiGuard Labs. 32) Nirankush Panchbhai and Microsoft Vulnerability Research (MSVR). 36) Matt Warren, HNW Inc. ORIGINAL ADVISORY: Apple: http://support.apple.com/kb/HT4581 iDefense: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=898 OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

QuickTime in Apple Mac OS X before 10.6.7 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted JPEG2000 image. Apple QuickTime is prone to multiple memory-corruption vulnerabilities. An attacker can exploit these issues to execute arbitrary code in the context of the user running the affected application. Failed exploit attempts will likely result in denial-of-service conditions. Mac OS X versions 10.6 through 10.6.6 and Mac OS X Server versions 10.6 through 10.6.6 are vulnerable. NOTE: This issue was previously discussed in BID 46950 (Apple Mac OS X Prior to 10.6.7 Multiple Security Vulnerabilities) but has been given its own record to better document it. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 APPLE-SA-2011-08-03-1 QuickTime 7.7 QuickTime 7.7 is now available and addresses the following: QuickTime Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Windows 7, Vista, XP SP2 or later Impact: Viewing a maliciously crafted pict file may lead to an unexpected application termination or arbitrary code execution Description: A buffer overflow existed in QuickTime's handling of pict files. CVE-ID CVE-2011-0186 : Will Dormann of the CERT/CC QuickTime Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Windows 7, Vista, XP SP2 or later Impact: Visiting a maliciously crafted website may lead to the disclosure of video data from another site Description: A cross-origin issue existed in QuickTime plug-in's handling of cross-site redirects. Visiting a maliciously crafted website may lead to the disclosure of video data from another site. This issue is addressed by preventing QuickTime from following cross- site redirects. CVE-ID CVE-2011-0187 : Nirankush Panchbhai and Microsoft Vulnerability Research (MSVR) QuickTime Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Windows 7, Vista, XP SP2 or later Impact: Playing a maliciously crafted WAV file may lead to an unexpected application termination or arbitrary code execution Description: An integer overflow existed in QuickTime's handling of RIFF WAV files. CVE-ID CVE-2011-0210 : Honggang Ren of Fortinet's FortiGuard Labs QuickTime Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Windows 7, Vista, XP SP2 or later Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution Description: An integer overflow existed in QuickTime's handling of audio channels in movie files. CVE-ID CVE-2011-0211 : Luigi Auriemma working with TippingPoint's Zero Day Initiative QuickTime Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Windows 7, Vista, XP SP2 or later Impact: Viewing a maliciously crafted JPEG file may lead to an unexpected application termination or arbitrary code execution Description: A buffer overflow existed in QuickTime's handling of JPEG files. CVE-ID CVE-2011-0213 : Luigi Auriemma working with iDefense VCP QuickTime Available for: Windows 7, Vista, XP SP2 or later Impact: Viewing a maliciously crafted GIF image may lead to an unexpected application termination or arbitrary code execution Description: A heap buffer overflow existed in QuickTime's handling of GIF images. CVE-ID CVE-2011-0246 : an anonymous contributor working with Beyond Security's SecuriTeam Secure Disclosure program QuickTime Available for: Windows 7, Vista, XP SP2 or later Impact: Viewing a maliciously crafted H.264 movie file may lead to an unexpected application termination or arbitrary code execution Description: Multiple stack buffer overflows existed in the handling of H.264 encoded movie files. CVE-ID CVE-2011-0247 : Roi Mallo and Sherab Giovannini working with TippingPoint's Zero Day Initiative QuickTime Available for: Windows 7, Vista, XP SP2 or later Impact: Visiting a maliciously crafted website using Internet Explorer may lead to an unexpected application termination or arbitrary code execution Description: A stack buffer overflow existed in the QuickTime ActiveX control's handling of QTL files. CVE-ID CVE-2011-0249 : Matt 'j00ru' Jurczyk working with TippingPoint's Zero Day Initiative QuickTime Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Windows 7, Vista, XP SP2 or later Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution Description: A heap buffer overflow existed in the handling of STSS atoms in QuickTime movie files. CVE-ID CVE-2011-0250 : Matt 'j00ru' Jurczyk working with TippingPoint's Zero Day Initiative QuickTime Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Windows 7, Vista, XP SP2 or later Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution Description: A heap buffer overflow existed in the handling of STSZ atoms in QuickTime movie files. CVE-ID CVE-2011-0251 : Matt 'j00ru' Jurczyk working with TippingPoint's Zero Day Initiative QuickTime Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Windows 7, Vista, XP SP2 or later Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution Description: A heap buffer overflow existed in the handling of STTS atoms in QuickTime movie files. CVE-ID CVE-2011-0252 : Matt 'j00ru' Jurczyk working with TippingPoint's Zero Day Initiative QuickTime 7.7 may be obtained from the Software Update application, or from the QuickTime Downloads site: http://www.apple.com/quicktime/download/ For Mac OS X v10.5.8 The download file is named: "QuickTime77Leopard.dmg" Its SHA-1 digest is: 0deb99cc44015af7c396750d2c9dd4cbd59fb355 For Windows 7 / Vista / XP SP3 The download file is named: "QuickTimeInstaller.exe" Its SHA-1 digest is: a99f61d67be6a6b42e11d17b0b4f25cd88b74dc9 QuickTime is incorporated into Mac OS X v10.6 and later. Information will also be posted to the Apple Security Updates web site: http://support.apple.com/kb/HT1222 This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (Darwin) iQEcBAEBAgAGBQJOOZuHAAoJEGnF2JsdZQeeNWIH/A+KRxzYTBC5nCZQ6m/sRdU0 OrauYjVbXIj1LUgMS9+I0wW4Zg7xtGBEjYBnqiuNuajP5W2+Ts8mNe75ZlEFlNto KFQI7NS/OsTrjCTR1m1sF2zvsyMKDOjviIy90+PDGKejC8c3Zu/Y8GSdZ++I4aEf J2g7BqhBDW/RFOemPGrcvr/iwu3twdkiAHeLXFCcecNCKjSUfoxXDuPd/Ege/kS7 95wsNkLjypSEuLpcmjATSXp5X58nzbUCsrQ2doPzLy1/8oWiG9XsiZznmcYlLhHg trYm+KIMdqBOQWI3uhG+3dG6l2xkJxdYNxHRHXFh78QH0NblHg9u3PmhELUBeXU= =H+iO -----END PGP SIGNATURE----- . ---------------------------------------------------------------------- Meet Secunia @ Microsoft Management Summit (MMS) in Las Vegas, USA (21-25 March). http://secunia.com/company/events/mms_2011/ ---------------------------------------------------------------------- TITLE: Apple Mac OS X Multiple Vulnerabilities SECUNIA ADVISORY ID: SA43814 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/43814/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=43814 RELEASE DATE: 2011-03-22 DISCUSS ADVISORY: http://secunia.com/advisories/43814/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/43814/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=43814 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Apple has issued a security update for Mac OS X, which fixes multiple vulnerabilities. 1) A divide-by-zero error in AirPort when handling Wi-Fi frames can be exploited to cause a system reset. 2) Multiple vulnerabilities in Apache can be exploited by malicious people to disclose potentially sensitive information and by malicious users and malicious people to cause a DoS (Denial of Service). For more information: SA40206 3) A format string error within AppleScript Studio when handling certain commands via dialogs can be exploited to potentially execute arbitrary code. 4) An unspecified error in the handling of embedded OpenType fonts in Apple Type Services (ATS) can be exploited to cause a heap-based buffer overflow when a specially crafted document is viewed or downloaded. 5) Multiple unspecified errors in the handling of embedded TrueType fonts in Apple Type Services (ATS) can be exploited to cause a buffer overflow when a specially crafted document is viewed or downloaded. 6) Multiple unspecified errors in the handling of embedded Type 1 fonts in Apple Type Services (ATS) can be exploited to cause a buffer overflow when a specially crafted document is viewed or downloaded. 7) Multiple unspecified errors in the handling of SFNT tables in embedded fonts in Apple Type Services (ATS) can be exploited to cause a buffer overflow when a specially crafted document is viewed or downloaded. 8) An integer overflow error in bzip2 can be exploited to terminate an application using the library or execute arbitrary code via a specially crafted archive. For more information: SA41452 9) An error within the "FSFindFolder()" API in CarbonCore when used with the "kTemporaryFolderType" flag can be exploited to disclose the contents of arbitrary directories. 10) Multiple errors in ClamAV can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system. For more information: SA41503 SA42426 11) An unspecified error in the handling of embedded fonts in CoreText can be exploited to corrupt memory when a specially crafted document is viewed or downloaded. 12) An integer overflow error within the handling of the F_READBOOTSTRAP ioctl in HFS, HFS+, and HFS+J filesystems can be exploited to read arbitrary files. 13) An error in ImageIO within the handling of JPEG files can be exploited to cause a heap-based buffer overflow. 15) An error in libTIFF within the handling of JPEG encoded TIFF files can be exploited to cause a buffer overflow. 16) An error in libTIFF within the handling of CCITT Group 4 encoded TIFF files can be exploited to cause a buffer overflow. 17) An integer overflow error in ImageIO within the handling of JPEG encoded TIFF files can be exploited to potentially execute arbitrary code. 18) Multiple errors in Image RAW when handling Canon RAW image files can be exploited to cause buffer overflows. 19) An error in the Install Helper when handling URLs can be exploited to install an arbitrary agent by tricking the user into visiting a malicious website. 20) Multiple errors in Kerberos can be exploited by malicious users and malicious people to conduct spoofing attacks and bypass certain security features. 22) An integer truncation error within Libinfo when handling NFS RPC packets can be exploited to cause NFS RPC services to become unresponsive. 23) An error exists in the libxml library when traversing the XPath. For more information: SA42175 24) A double free error exists in the libxml library when handling XPath expressions. For more information: SA42721 25) Two errors in Mailman can be exploited by malicious users to conduct script insertion attacks. For more information: SA41265 26) Multiple errors in PHP can be exploited by malicious users and malicious people to bypass certain security restrictions and by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system. For more information: SA39573 SA41724 27) Multiple errors in PHP can be exploited by malicious users and malicious people to bypass certain security restrictions. For more information: SA41724 28) An error in the OfficeImport framework when processing records containing formulas shared between multiple cells can be exploited to corrupt memory and potentially execute arbitrary code. 29) An error in QuickLook when handling certain Microsoft Office files can be exploited to corrupt memory when a specially crafted document is downloaded. 30) Multiple unspecified errors in QuickTime when handling JPEG2000, FlashPix, and panorama atoms in QTVR (QuickTime Virtual Reality) movie files can be exploited to corrupt memory via specially crafted files. 31) An integer overflow error in QuickTime when handling certain movie files can be exploited to potentially execute arbitrary code when a specially crafted file is viewed. 32) An error within QuickTime plug-in when handling cross-site redirects can be exploited to disclose video data. 33) An integer truncation error within the Ruby BigDecimal class can be exploited to potentially execute arbitrary code. This vulnerability only affects 64-bit Ruby processes. 34) A boundary error in Samba can be exploited by malicious people to potentially compromise a vulnerable system. For more information: SA41354 35) A security issue in Subversion can be exploited by malicious people to bypass certain security restrictions. For more information: SA41652 36) A weakness in Terminal uses SSH version 1 as the default protocol version when using ssh via the "New Remote Connection" dialog. 37) Some vulnerabilities in FreeType can be exploited to cause a DoS (Denial of Service) or potentially compromise an application using the library. For more information: SA41738 SOLUTION: Update to version 10.6.7 or apply Security Update 2011-001. PROVIDED AND/OR DISCOVERED BY: 15, 16, 33) Reported by the vendor. The vendor credits: 3) Alexander Strange. 5) Christoph Diehl of Mozilla, Felix Grobert of the Google Security Team, Marc Schoenefeld of Red Hat Security Response Team, and Tavis Ormandy and Will Drewry of Google Security Team. 6) Felix Grobert, Google Security Team and geekable via ZDI. 7) Marc Schoenefeld, Red Hat Security Response Team. 11) Christoph Diehl, Mozilla. 12) Dan Rosenberg, Virtual Security Research. 13) Andrzej Dyjak via iDefense. 14) Harry Sintonen. 17) Dominic Chell, NGS Secure. 18) Paul Harrington, NGS Secure. 19) Aaron Sigel, vtty.com. 21) Jeff Mears. 22) Peter Schwenk, University of Delaware. 28) Tobias Klein via iDefense. 29) Charlie Miller and Dion Blazakis via ZDI. 30) Will Dormann of CERT/CC, Damian Put and an anonymous researcher via ZDI, and Rodrigo Rubira Branco of Check Point Vulnerability Discovery Team. 31) Honggang Ren, Fortinet's FortiGuard Labs. 32) Nirankush Panchbhai and Microsoft Vulnerability Research (MSVR). 36) Matt Warren, HNW Inc. ORIGINAL ADVISORY: Apple: http://support.apple.com/kb/HT4581 iDefense: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=898 OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

The i386_set_ldt system call in the kernel in Apple Mac OS X before 10.6.7 does not properly handle call gates, which allows local users to gain privileges via vectors involving the creation of a call gate entry. Successfully exploiting this issue can allow attackers to execute arbitrary code with elevated privileges, leading to a complete compromise of the computer. Mac OS X versions 10.6 through 10.6.6 and Mac OS X Server versions 10.6 through 10.6.6 are vulnerable. NOTE: This issue was previously discussed in BID 46950 (Apple Mac OS X Prior to 10.6.7 Multiple Security Vulnerabilities) but has been given its own record to better document it. ---------------------------------------------------------------------- Meet Secunia @ Microsoft Management Summit (MMS) in Las Vegas, USA (21-25 March). http://secunia.com/company/events/mms_2011/ ---------------------------------------------------------------------- TITLE: Apple Mac OS X Multiple Vulnerabilities SECUNIA ADVISORY ID: SA43814 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/43814/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=43814 RELEASE DATE: 2011-03-22 DISCUSS ADVISORY: http://secunia.com/advisories/43814/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/43814/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=43814 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Apple has issued a security update for Mac OS X, which fixes multiple vulnerabilities. 1) A divide-by-zero error in AirPort when handling Wi-Fi frames can be exploited to cause a system reset. 2) Multiple vulnerabilities in Apache can be exploited by malicious people to disclose potentially sensitive information and by malicious users and malicious people to cause a DoS (Denial of Service). For more information: SA40206 3) A format string error within AppleScript Studio when handling certain commands via dialogs can be exploited to potentially execute arbitrary code. 4) An unspecified error in the handling of embedded OpenType fonts in Apple Type Services (ATS) can be exploited to cause a heap-based buffer overflow when a specially crafted document is viewed or downloaded. 5) Multiple unspecified errors in the handling of embedded TrueType fonts in Apple Type Services (ATS) can be exploited to cause a buffer overflow when a specially crafted document is viewed or downloaded. 6) Multiple unspecified errors in the handling of embedded Type 1 fonts in Apple Type Services (ATS) can be exploited to cause a buffer overflow when a specially crafted document is viewed or downloaded. 7) Multiple unspecified errors in the handling of SFNT tables in embedded fonts in Apple Type Services (ATS) can be exploited to cause a buffer overflow when a specially crafted document is viewed or downloaded. 8) An integer overflow error in bzip2 can be exploited to terminate an application using the library or execute arbitrary code via a specially crafted archive. For more information: SA41452 9) An error within the "FSFindFolder()" API in CarbonCore when used with the "kTemporaryFolderType" flag can be exploited to disclose the contents of arbitrary directories. 10) Multiple errors in ClamAV can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system. For more information: SA41503 SA42426 11) An unspecified error in the handling of embedded fonts in CoreText can be exploited to corrupt memory when a specially crafted document is viewed or downloaded. 12) An integer overflow error within the handling of the F_READBOOTSTRAP ioctl in HFS, HFS+, and HFS+J filesystems can be exploited to read arbitrary files. 13) An error in ImageIO within the handling of JPEG files can be exploited to cause a heap-based buffer overflow. 14) An integer overflow error in ImageIO within the handling of XBM files can be exploited to potentially execute arbitrary code. 15) An error in libTIFF within the handling of JPEG encoded TIFF files can be exploited to cause a buffer overflow. 16) An error in libTIFF within the handling of CCITT Group 4 encoded TIFF files can be exploited to cause a buffer overflow. 17) An integer overflow error in ImageIO within the handling of JPEG encoded TIFF files can be exploited to potentially execute arbitrary code. 18) Multiple errors in Image RAW when handling Canon RAW image files can be exploited to cause buffer overflows. 19) An error in the Install Helper when handling URLs can be exploited to install an arbitrary agent by tricking the user into visiting a malicious website. 20) Multiple errors in Kerberos can be exploited by malicious users and malicious people to conduct spoofing attacks and bypass certain security features. 22) An integer truncation error within Libinfo when handling NFS RPC packets can be exploited to cause NFS RPC services to become unresponsive. 23) An error exists in the libxml library when traversing the XPath. For more information: SA42175 24) A double free error exists in the libxml library when handling XPath expressions. For more information: SA42721 25) Two errors in Mailman can be exploited by malicious users to conduct script insertion attacks. For more information: SA41265 26) Multiple errors in PHP can be exploited by malicious users and malicious people to bypass certain security restrictions and by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system. For more information: SA39573 SA41724 27) Multiple errors in PHP can be exploited by malicious users and malicious people to bypass certain security restrictions. For more information: SA41724 28) An error in the OfficeImport framework when processing records containing formulas shared between multiple cells can be exploited to corrupt memory and potentially execute arbitrary code. 29) An error in QuickLook when handling certain Microsoft Office files can be exploited to corrupt memory when a specially crafted document is downloaded. 30) Multiple unspecified errors in QuickTime when handling JPEG2000, FlashPix, and panorama atoms in QTVR (QuickTime Virtual Reality) movie files can be exploited to corrupt memory via specially crafted files. 31) An integer overflow error in QuickTime when handling certain movie files can be exploited to potentially execute arbitrary code when a specially crafted file is viewed. 32) An error within QuickTime plug-in when handling cross-site redirects can be exploited to disclose video data. 33) An integer truncation error within the Ruby BigDecimal class can be exploited to potentially execute arbitrary code. This vulnerability only affects 64-bit Ruby processes. 34) A boundary error in Samba can be exploited by malicious people to potentially compromise a vulnerable system. For more information: SA41354 35) A security issue in Subversion can be exploited by malicious people to bypass certain security restrictions. For more information: SA41652 36) A weakness in Terminal uses SSH version 1 as the default protocol version when using ssh via the "New Remote Connection" dialog. 37) Some vulnerabilities in FreeType can be exploited to cause a DoS (Denial of Service) or potentially compromise an application using the library. For more information: SA41738 SOLUTION: Update to version 10.6.7 or apply Security Update 2011-001. PROVIDED AND/OR DISCOVERED BY: 15, 16, 33) Reported by the vendor. The vendor credits: 3) Alexander Strange. 5) Christoph Diehl of Mozilla, Felix Grobert of the Google Security Team, Marc Schoenefeld of Red Hat Security Response Team, and Tavis Ormandy and Will Drewry of Google Security Team. 6) Felix Grobert, Google Security Team and geekable via ZDI. 7) Marc Schoenefeld, Red Hat Security Response Team. 11) Christoph Diehl, Mozilla. 12) Dan Rosenberg, Virtual Security Research. 13) Andrzej Dyjak via iDefense. 14) Harry Sintonen. 17) Dominic Chell, NGS Secure. 18) Paul Harrington, NGS Secure. 19) Aaron Sigel, vtty.com. 21) Jeff Mears. 22) Peter Schwenk, University of Delaware. 28) Tobias Klein via iDefense. 29) Charlie Miller and Dion Blazakis via ZDI. 30) Will Dormann of CERT/CC, Damian Put and an anonymous researcher via ZDI, and Rodrigo Rubira Branco of Check Point Vulnerability Discovery Team. 31) Honggang Ren, Fortinet's FortiGuard Labs. 32) Nirankush Panchbhai and Microsoft Vulnerability Research (MSVR). 36) Matt Warren, HNW Inc. ORIGINAL ADVISORY: Apple: http://support.apple.com/kb/HT4581 iDefense: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=898 OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Integer overflow in ImageIO in Apple Mac OS X before 10.6.7 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted XBM image. Apple Mac OS X is prone to an integer-overflow vulnerability. Successful exploits may allow attackers to execute arbitrary code in the context of the affected application. Failed exploit attempts will likely result in denial-of-service conditions. The following versions are affected: Mac OS X 10.5.8 Mac OS X Server 10.5.8 Mac OS X version 10.6 through 10.6.6 Mac OS X Server version 10.6 through 10.6.6 NOTE: This issue was previously discussed in BID 46950 (Apple Mac OS X Prior to 10.6.7 Multiple Security Vulnerabilities) but has been given its own record to better document it. ---------------------------------------------------------------------- Meet Secunia @ Microsoft Management Summit (MMS) in Las Vegas, USA (21-25 March). http://secunia.com/company/events/mms_2011/ ---------------------------------------------------------------------- TITLE: Apple Mac OS X Multiple Vulnerabilities SECUNIA ADVISORY ID: SA43814 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/43814/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=43814 RELEASE DATE: 2011-03-22 DISCUSS ADVISORY: http://secunia.com/advisories/43814/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/43814/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=43814 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Apple has issued a security update for Mac OS X, which fixes multiple vulnerabilities. 1) A divide-by-zero error in AirPort when handling Wi-Fi frames can be exploited to cause a system reset. 2) Multiple vulnerabilities in Apache can be exploited by malicious people to disclose potentially sensitive information and by malicious users and malicious people to cause a DoS (Denial of Service). For more information: SA40206 3) A format string error within AppleScript Studio when handling certain commands via dialogs can be exploited to potentially execute arbitrary code. 4) An unspecified error in the handling of embedded OpenType fonts in Apple Type Services (ATS) can be exploited to cause a heap-based buffer overflow when a specially crafted document is viewed or downloaded. 5) Multiple unspecified errors in the handling of embedded TrueType fonts in Apple Type Services (ATS) can be exploited to cause a buffer overflow when a specially crafted document is viewed or downloaded. 6) Multiple unspecified errors in the handling of embedded Type 1 fonts in Apple Type Services (ATS) can be exploited to cause a buffer overflow when a specially crafted document is viewed or downloaded. 7) Multiple unspecified errors in the handling of SFNT tables in embedded fonts in Apple Type Services (ATS) can be exploited to cause a buffer overflow when a specially crafted document is viewed or downloaded. For more information: SA41452 9) An error within the "FSFindFolder()" API in CarbonCore when used with the "kTemporaryFolderType" flag can be exploited to disclose the contents of arbitrary directories. 10) Multiple errors in ClamAV can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system. For more information: SA41503 SA42426 11) An unspecified error in the handling of embedded fonts in CoreText can be exploited to corrupt memory when a specially crafted document is viewed or downloaded. 12) An integer overflow error within the handling of the F_READBOOTSTRAP ioctl in HFS, HFS+, and HFS+J filesystems can be exploited to read arbitrary files. 13) An error in ImageIO within the handling of JPEG files can be exploited to cause a heap-based buffer overflow. 15) An error in libTIFF within the handling of JPEG encoded TIFF files can be exploited to cause a buffer overflow. 16) An error in libTIFF within the handling of CCITT Group 4 encoded TIFF files can be exploited to cause a buffer overflow. 17) An integer overflow error in ImageIO within the handling of JPEG encoded TIFF files can be exploited to potentially execute arbitrary code. 18) Multiple errors in Image RAW when handling Canon RAW image files can be exploited to cause buffer overflows. 19) An error in the Install Helper when handling URLs can be exploited to install an arbitrary agent by tricking the user into visiting a malicious website. 20) Multiple errors in Kerberos can be exploited by malicious users and malicious people to conduct spoofing attacks and bypass certain security features. 22) An integer truncation error within Libinfo when handling NFS RPC packets can be exploited to cause NFS RPC services to become unresponsive. 23) An error exists in the libxml library when traversing the XPath. For more information: SA42175 24) A double free error exists in the libxml library when handling XPath expressions. For more information: SA42721 25) Two errors in Mailman can be exploited by malicious users to conduct script insertion attacks. For more information: SA41265 26) Multiple errors in PHP can be exploited by malicious users and malicious people to bypass certain security restrictions and by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system. For more information: SA39573 SA41724 27) Multiple errors in PHP can be exploited by malicious users and malicious people to bypass certain security restrictions. For more information: SA41724 28) An error in the OfficeImport framework when processing records containing formulas shared between multiple cells can be exploited to corrupt memory and potentially execute arbitrary code. 29) An error in QuickLook when handling certain Microsoft Office files can be exploited to corrupt memory when a specially crafted document is downloaded. 30) Multiple unspecified errors in QuickTime when handling JPEG2000, FlashPix, and panorama atoms in QTVR (QuickTime Virtual Reality) movie files can be exploited to corrupt memory via specially crafted files. 32) An error within QuickTime plug-in when handling cross-site redirects can be exploited to disclose video data. 33) An integer truncation error within the Ruby BigDecimal class can be exploited to potentially execute arbitrary code. This vulnerability only affects 64-bit Ruby processes. 34) A boundary error in Samba can be exploited by malicious people to potentially compromise a vulnerable system. For more information: SA41354 35) A security issue in Subversion can be exploited by malicious people to bypass certain security restrictions. For more information: SA41652 36) A weakness in Terminal uses SSH version 1 as the default protocol version when using ssh via the "New Remote Connection" dialog. 37) Some vulnerabilities in FreeType can be exploited to cause a DoS (Denial of Service) or potentially compromise an application using the library. For more information: SA41738 SOLUTION: Update to version 10.6.7 or apply Security Update 2011-001. PROVIDED AND/OR DISCOVERED BY: 15, 16, 33) Reported by the vendor. The vendor credits: 3) Alexander Strange. 5) Christoph Diehl of Mozilla, Felix Grobert of the Google Security Team, Marc Schoenefeld of Red Hat Security Response Team, and Tavis Ormandy and Will Drewry of Google Security Team. 6) Felix Grobert, Google Security Team and geekable via ZDI. 7) Marc Schoenefeld, Red Hat Security Response Team. 11) Christoph Diehl, Mozilla. 12) Dan Rosenberg, Virtual Security Research. 13) Andrzej Dyjak via iDefense. 14) Harry Sintonen. 17) Dominic Chell, NGS Secure. 18) Paul Harrington, NGS Secure. 19) Aaron Sigel, vtty.com. 21) Jeff Mears. 22) Peter Schwenk, University of Delaware. 28) Tobias Klein via iDefense. 29) Charlie Miller and Dion Blazakis via ZDI. 30) Will Dormann of CERT/CC, Damian Put and an anonymous researcher via ZDI, and Rodrigo Rubira Branco of Check Point Vulnerability Discovery Team. 31) Honggang Ren, Fortinet's FortiGuard Labs. 32) Nirankush Panchbhai and Microsoft Vulnerability Research (MSVR). 36) Matt Warren, HNW Inc. ORIGINAL ADVISORY: Apple: http://support.apple.com/kb/HT4581 iDefense: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=898 OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

CoreText in Apple Mac OS X before 10.6.7 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a document that contains a crafted embedded font. Apple Mac OS X is prone to a memory-corruption vulnerability. An attacker can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition. Mac OS X versions 10.6 through 10.6.6 and Mac OS X Server versions 10.6 through 10.6.6 are vulnerable. NOTE: This issue was previously discussed in BID 46950 (Apple Mac OS X Prior to 10.6.7 Multiple Security Vulnerabilities) but has been given its own record to better document it. ---------------------------------------------------------------------- Meet Secunia @ Microsoft Management Summit (MMS) in Las Vegas, USA (21-25 March). http://secunia.com/company/events/mms_2011/ ---------------------------------------------------------------------- TITLE: Apple Mac OS X Multiple Vulnerabilities SECUNIA ADVISORY ID: SA43814 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/43814/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=43814 RELEASE DATE: 2011-03-22 DISCUSS ADVISORY: http://secunia.com/advisories/43814/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/43814/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=43814 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Apple has issued a security update for Mac OS X, which fixes multiple vulnerabilities. 1) A divide-by-zero error in AirPort when handling Wi-Fi frames can be exploited to cause a system reset. 2) Multiple vulnerabilities in Apache can be exploited by malicious people to disclose potentially sensitive information and by malicious users and malicious people to cause a DoS (Denial of Service). For more information: SA40206 3) A format string error within AppleScript Studio when handling certain commands via dialogs can be exploited to potentially execute arbitrary code. 4) An unspecified error in the handling of embedded OpenType fonts in Apple Type Services (ATS) can be exploited to cause a heap-based buffer overflow when a specially crafted document is viewed or downloaded. 5) Multiple unspecified errors in the handling of embedded TrueType fonts in Apple Type Services (ATS) can be exploited to cause a buffer overflow when a specially crafted document is viewed or downloaded. 6) Multiple unspecified errors in the handling of embedded Type 1 fonts in Apple Type Services (ATS) can be exploited to cause a buffer overflow when a specially crafted document is viewed or downloaded. 7) Multiple unspecified errors in the handling of SFNT tables in embedded fonts in Apple Type Services (ATS) can be exploited to cause a buffer overflow when a specially crafted document is viewed or downloaded. For more information: SA41452 9) An error within the "FSFindFolder()" API in CarbonCore when used with the "kTemporaryFolderType" flag can be exploited to disclose the contents of arbitrary directories. 10) Multiple errors in ClamAV can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system. For more information: SA41503 SA42426 11) An unspecified error in the handling of embedded fonts in CoreText can be exploited to corrupt memory when a specially crafted document is viewed or downloaded. 12) An integer overflow error within the handling of the F_READBOOTSTRAP ioctl in HFS, HFS+, and HFS+J filesystems can be exploited to read arbitrary files. 13) An error in ImageIO within the handling of JPEG files can be exploited to cause a heap-based buffer overflow. 15) An error in libTIFF within the handling of JPEG encoded TIFF files can be exploited to cause a buffer overflow. 16) An error in libTIFF within the handling of CCITT Group 4 encoded TIFF files can be exploited to cause a buffer overflow. 17) An integer overflow error in ImageIO within the handling of JPEG encoded TIFF files can be exploited to potentially execute arbitrary code. 18) Multiple errors in Image RAW when handling Canon RAW image files can be exploited to cause buffer overflows. 19) An error in the Install Helper when handling URLs can be exploited to install an arbitrary agent by tricking the user into visiting a malicious website. 20) Multiple errors in Kerberos can be exploited by malicious users and malicious people to conduct spoofing attacks and bypass certain security features. 22) An integer truncation error within Libinfo when handling NFS RPC packets can be exploited to cause NFS RPC services to become unresponsive. 23) An error exists in the libxml library when traversing the XPath. For more information: SA42175 24) A double free error exists in the libxml library when handling XPath expressions. For more information: SA42721 25) Two errors in Mailman can be exploited by malicious users to conduct script insertion attacks. For more information: SA41265 26) Multiple errors in PHP can be exploited by malicious users and malicious people to bypass certain security restrictions and by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system. For more information: SA39573 SA41724 27) Multiple errors in PHP can be exploited by malicious users and malicious people to bypass certain security restrictions. For more information: SA41724 28) An error in the OfficeImport framework when processing records containing formulas shared between multiple cells can be exploited to corrupt memory and potentially execute arbitrary code. 29) An error in QuickLook when handling certain Microsoft Office files can be exploited to corrupt memory when a specially crafted document is downloaded. 30) Multiple unspecified errors in QuickTime when handling JPEG2000, FlashPix, and panorama atoms in QTVR (QuickTime Virtual Reality) movie files can be exploited to corrupt memory via specially crafted files. 31) An integer overflow error in QuickTime when handling certain movie files can be exploited to potentially execute arbitrary code when a specially crafted file is viewed. 32) An error within QuickTime plug-in when handling cross-site redirects can be exploited to disclose video data. This vulnerability only affects 64-bit Ruby processes. 34) A boundary error in Samba can be exploited by malicious people to potentially compromise a vulnerable system. For more information: SA41354 35) A security issue in Subversion can be exploited by malicious people to bypass certain security restrictions. For more information: SA41652 36) A weakness in Terminal uses SSH version 1 as the default protocol version when using ssh via the "New Remote Connection" dialog. 37) Some vulnerabilities in FreeType can be exploited to cause a DoS (Denial of Service) or potentially compromise an application using the library. For more information: SA41738 SOLUTION: Update to version 10.6.7 or apply Security Update 2011-001. PROVIDED AND/OR DISCOVERED BY: 15, 16, 33) Reported by the vendor. The vendor credits: 3) Alexander Strange. 5) Christoph Diehl of Mozilla, Felix Grobert of the Google Security Team, Marc Schoenefeld of Red Hat Security Response Team, and Tavis Ormandy and Will Drewry of Google Security Team. 6) Felix Grobert, Google Security Team and geekable via ZDI. 7) Marc Schoenefeld, Red Hat Security Response Team. 11) Christoph Diehl, Mozilla. 12) Dan Rosenberg, Virtual Security Research. 13) Andrzej Dyjak via iDefense. 14) Harry Sintonen. 17) Dominic Chell, NGS Secure. 18) Paul Harrington, NGS Secure. 19) Aaron Sigel, vtty.com. 21) Jeff Mears. 22) Peter Schwenk, University of Delaware. 28) Tobias Klein via iDefense. 29) Charlie Miller and Dion Blazakis via ZDI. 30) Will Dormann of CERT/CC, Damian Put and an anonymous researcher via ZDI, and Rodrigo Rubira Branco of Check Point Vulnerability Discovery Team. 31) Honggang Ren, Fortinet's FortiGuard Labs. 32) Nirankush Panchbhai and Microsoft Vulnerability Research (MSVR). 36) Matt Warren, HNW Inc. ORIGINAL ADVISORY: Apple: http://support.apple.com/kb/HT4581 iDefense: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=898 OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------