VARIoT IoT vulnerabilities database

VAR-200902-0193 | CVE-2008-6087 | Camera Life of topic.php Vulnerable to cross-site scripting |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Cross-site scripting (XSS) vulnerability in topic.php in Camera Life 2.6.2b4 allows remote attackers to inject arbitrary web script or HTML via the name parameter. Camera Life is an open source PHP-based photo management and organization plugin.
VAR-200902-0035 | CVE-2009-0471 | Cisco IOS of HTTP Server cross-site request forgery vulnerability |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Cross-site request forgery (CSRF) vulnerability in the HTTP server in Cisco IOS 12.4(23) allows remote attackers to execute arbitrary commands, as demonstrated by executing the hostname command with a level/15/configure/-/hostname request. IOS is prone to a cross-site request forgery vulnerability. Cisco IOS is an operating system developed by Cisco in the United States for its network equipment.
----------------------------------------------------------------------
Did you know that a change in our assessment rating, exploit code
availability, or if an updated patch is released by the vendor, is
not part of this mailing-list?
Click here to learn more:
http://secunia.com/advisories/business_solutions/
----------------------------------------------------------------------
TITLE:
Cisco IOS Cross-Site Scripting and Cross-Site Request Forgery
SECUNIA ADVISORY ID:
SA33844
VERIFY ADVISORY:
http://secunia.com/advisories/33844/
CRITICAL:
Less critical
IMPACT:
Cross Site Scripting
WHERE:
From remote
OPERATING SYSTEM:
Cisco IOS 12.x
http://secunia.com/advisories/product/182/
Cisco IOS R12.x
http://secunia.com/advisories/product/50/
DESCRIPTION:
Zloss has reported some vulnerabilities in Cisco IOS, which can be
exploited by malicious people to conduct cross-site scripting and
cross-site request forgery attacks.
1) Input passed via the URL when executing commands is not properly
sanitised before being returned to the user. This can be exploited to
execute arbitrary HTML and script code in a user's browser session in
context of an affected site.
2) The device allows users to perform certain actions via HTTP
requests without performing any validity checks to verify the
requests. This can be exploited to potentially alter the
configuration of the device by tricking the user into visiting a
malicious web site.
The vulnerabilities are reported in Cisco IOS firmware version
12.4(23). Other versions may also be affected.
SOLUTION:
Filter malicious characters and character sequences in a proxy.
Do not visit untrusted websites while being logged in to the device.
PROVIDED AND/OR DISCOVERED BY:
Zloss
ORIGINAL ADVISORY:
http://packetstormsecurity.org/0902-exploits/cisco12423-xss.txt
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
VAR-200902-0690 | No CVE | ControlLogix 1756-ENBT / A EtherNet / IP Bridge Multiple Cross-Site Scripting and URL Redirection Vulnerabilities |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
ControlLogix is industrial automation control software developed by Rockwell Automation, USA. ControlLogix 1756-ENBT / A EtherNet / IP Bridge uses a web interface to display log files and status information. This interface has URL redirection and cross-site scripting vulnerabilities. If a user is tricked into following a specially crafted URL, the user's browser is redirected to another site, or arbitrary code is executed in the browser session.
VAR-200902-0037 | CVE-2009-0473 | Rockwell Automation ControlLogix 1756-ENBT/A EtherNet/IP Bridge URL redirection vulnerability |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Open redirect vulnerability in the web interface in the Rockwell Automation ControlLogix 1756-ENBT/A EtherNet/IP Bridge Module allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors. The Rockwell Automation ControlLogix 1756-ENBT/A EtherNet/IP Bridge uses a web interface to display log files and status information. This web interface contains a URL redirection vulnerability: a user who follows a crafted link can be sent to a page other than the one the user tried to reach with a web browser. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
An attacker can exploit this issue to cause a victim's browser to redirect to a malicious site. Successfully exploiting this issue may aid in phishing attacks. ControlLogix is an industrial automation control system developed by Rockwell Automation.
----------------------------------------------------------------------
TITLE:
ControlLogix 1756-ENBT/A Ethernet/IP Bridge Vulnerabilities
SECUNIA ADVISORY ID:
SA33783
VERIFY ADVISORY:
http://secunia.com/advisories/33783/
CRITICAL:
Less critical
IMPACT:
Cross Site Scripting, Exposure of sensitive information
WHERE:
From remote
OPERATING SYSTEM:
ControlLogix 1756-ENBT/A Ethernet/IP Bridge
http://secunia.com/advisories/product/21337/
DESCRIPTION:
Some vulnerabilities and a weakness have been reported in
ControlLogix 1756-ENBT/A Ethernet/IP Bridge, which can be exploited
by malicious people to conduct cross-site scripting attacks or to
disclose potentially sensitive information.
1) Certain unspecified input passed to the web interface is not
properly sanitised before being returned to the user.
2) An unspecified error in the web interface can be exploited to
disclose potentially sensitive internal web page information.
SOLUTION:
A fixed firmware version is scheduled for release July, 2009.
Filter malicious characters and character sequences in a proxy.
PROVIDED AND/OR DISCOVERED BY:
1) US-CERT credits Daniel Peck of Digital Bond, Inc.
2) Reported by the vendor.
ORIGINAL ADVISORY:
US-CERT VU#882619:
http://www.kb.cert.org/vuls/id/882619
Rockwell Automation:
http://rockwellautomation.custhelp.com/cgi-bin/rockwellautomation.cfg/php/enduser/std_adp.php?p_faqid=57729
----------------------------------------------------------------------
VAR-200902-0036 | CVE-2009-0472 | Rockwell Automation ControlLogix 1756-ENBT/A EtherNet/IP Bridge cross-site scripting vulnerability |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Multiple cross-site scripting (XSS) vulnerabilities in the web interface in the Rockwell Automation ControlLogix 1756-ENBT/A EtherNet/IP Bridge Module allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. The Rockwell Automation ControlLogix 1756-ENBT/A EtherNet/IP Bridge uses a web interface to display log files and status information, and this interface contains a cross-site scripting vulnerability. As a result, data may be forged or a user may be directed to an unintended site.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks. ControlLogix is an industrial automation control system developed by Rockwell Automation.
----------------------------------------------------------------------
TITLE:
ControlLogix 1756-ENBT/A Ethernet/IP Bridge Vulnerabilities
SECUNIA ADVISORY ID:
SA33783
VERIFY ADVISORY:
http://secunia.com/advisories/33783/
CRITICAL:
Less critical
IMPACT:
Cross Site Scripting, Exposure of sensitive information
WHERE:
From remote
OPERATING SYSTEM:
ControlLogix 1756-ENBT/A Ethernet/IP Bridge
http://secunia.com/advisories/product/21337/
DESCRIPTION:
Some vulnerabilities and a weakness have been reported in
ControlLogix 1756-ENBT/A Ethernet/IP Bridge, which can be exploited
by malicious people to conduct cross-site scripting attacks or to
disclose potentially sensitive information.
1) Certain unspecified input passed to the web interface is not
properly sanitised before being returned to the user.
2) An unspecified error in the web interface can be exploited to
disclose potentially sensitive internal web page information.
SOLUTION:
A fixed firmware version is scheduled for release July, 2009.
Filter malicious characters and character sequences in a proxy.
PROVIDED AND/OR DISCOVERED BY:
1) US-CERT credits Daniel Peck of Digital Bond, Inc.
2) Reported by the vendor.
ORIGINAL ADVISORY:
US-CERT VU#882619:
http://www.kb.cert.org/vuls/id/882619
Rockwell Automation:
http://rockwellautomation.custhelp.com/cgi-bin/rockwellautomation.cfg/php/enduser/std_adp.php?p_faqid=57729
----------------------------------------------------------------------
VAR-200902-0479 | CVE-2009-0059 |
Multiple Cisco Wireless LAN products denial of service (DoS) vulnerabilities
Related entries in the VARIoT exploits database: VAR-E-200902-0516 |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
The Cisco Wireless LAN Controller (WLC), Cisco Catalyst 6500 Wireless Services Module (WiSM), and Cisco Catalyst 3750 Integrated Wireless LAN Controller with software 4.x before 4.2.176.0 and 5.2.x before 5.2.157.0 allow remote attackers to cause a denial of service (device reload) via a web authentication (aka WebAuth) session that includes a malformed POST request to login.html. Multiple Cisco Wireless LAN Controllers are prone to these remote vulnerabilities:
- Multiple denial-of-service vulnerabilities
- A remote privilege-escalation vulnerability
Remote attackers can exploit these issues to gain administrative rights on an affected device or crash the device, denying service to legitimate users.
SOLUTION:
Update to a fixed version. Please see vendor advisory for a patch
matrix.
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
http://www.cisco.com/warp/public/707/cisco-sa-20090204-wlc.shtml
----------------------------------------------------------------------
This security advisory outlines details of the following vulnerabilities:
* Denial of Service Vulnerabilities (total of three)
* Privilege Escalation Vulnerability
These vulnerabilities are independent of each other.
Cisco has released free software updates that address these
vulnerabilities.
There are no workarounds available for these vulnerabilities.
This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20090204-wlc.shtml.
Affected Products
=================
Vulnerable Products
+------------------
The following products and software versions are affected for each
vulnerability.
Denial of Service Vulnerabilities
+--------------------------------
Two denial of service (DoS) vulnerabilities affect software versions
4.2 and later.
A third DoS vulnerability affects software versions 4.1 and later.
Privilege Escalation Vulnerability
+---------------------------------
Only WLC software version 4.2.173.0 is affected by this vulnerability.
Determination of Software Versions
+---------------------------------
To determine the WLC version that is running in a given environment, use
one of the following methods:
* In the web interface, choose the Monitor tab, click Summary in
the left pane, and note the Software Version.
* From the command-line interface, type "show sysinfo" and note the
Product Version, as shown in the following example:
(Cisco Controller) >show sysinfo
Manufacturer's Name.. Cisco Systems Inc.
Product Name......... Cisco Controller
Product Version...... 5.1.151.0
RTOS Version......... Linux-2.6.10_mvl401
Bootloader Version... 4.0.207.0
Build Type........... DATA + WPS
<output suppressed>
Use the "show wism module <module number> controller 1 status" command
on a Cisco Catalyst 6500 Series/7600 Series switch if using a WiSM, and
note the Software Version, as demonstrated in the following example:
Router#show wism mod 3 controller 1 status
WiSM Controller 1 in Slot 3
Operational Status of the Controller : Oper-Up
Service VLAN                         : 192
Service Port                         : 10
Service Port Mac Address             : 0011.92ff.8742
Service IP Address                   : 192.168.10.1
Management IP Address                : 192.168.1.123
Software Version                     : 5.1.151.0
Port Channel Number                  : 288
Allowed vlan list                    : 30,40
Native VLAN ID                       : 40
WCP Keep Alive Missed                : 0
Products Confirmed Not Vulnerable
+--------------------------------
No other Cisco products are currently known to be affected by these
vulnerabilities.
These devices communicate with Controller-based Access Points over any
Layer 2 (Ethernet) or Layer 3 (IP) infrastructure using the Lightweight
Access Point Protocol (LWAPP).
This Security Advisory describes multiple distinct vulnerabilities in
the WLCs, WiSMs, and the Cisco Catalyst 3750 Integrated WLCs. These
vulnerabilities are independent of each other.
Denial of Service Vulnerabilities
+--------------------------------
These vulnerabilities are documented in the following Cisco Bug ID and
have been assigned the following Common Vulnerabilities and Exposures
(CVE) identifiers:
* CSCsq44516 - CVE-2009-0058
Web authentication is a Layer 3 security feature that causes the
controller to drop IP traffic (except DHCP and DNS related packets)
from a particular client until that client has correctly supplied
a valid username and password. An attacker may use a vulnerability
scanner to cause the device to stop servicing web authentication
or cause a reload of the device. The following error messages may
appear on the console during an active attack:
SshPmStMain/pm_st_main.c:1954/
ssh_pm_st_main_batch_addition_result:
Failed to add rule to the engine:
restoring old state
SshEnginePmApiPm/engine_pm_api_pm.c:1896/
ssh_pme_enable_policy_lookup:
Could not allocate message
* CSCsm82364 - CVE-2009-0059
An attacker may cause a device reload when sending a malformed post
to the web authentication "login.html" page. The following error
messages may appear on the WLC console during this attack:
Cisco Crash Handler
Signal generated during a signal 11,
count 193
Memory 0x14ef1e44 has been freed!
Note: A crash file is not generated during this attack. Upon receiving these IP packets, the
affected device may become unresponsive and require a reboot to
recover.
Privilege Escalation Vulnerability
+---------------------------------
A privilege escalation vulnerability exists only in WLC software version
4.2.173.0, and could allow a restricted user (i.e., Lobby Admin) to gain
full administrative rights on the affected system.
Note: Wireless network users are not affected by this vulnerability.
This vulnerability is documented in Cisco Bug ID CSCsv62283 and has
been assigned the Common Vulnerabilities and Exposures (CVE) identifier
CVE-2009-0062.
Vulnerability Scoring Details
+----------------------------
Cisco has provided scores for the vulnerabilities in this advisory based
on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in
this Security Advisory is done in accordance with CVSS version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of the
vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at
http://intellishield.cisco.com/security/alertmanager/cvss
* Certain packets may cause WebAuth services to hang or reload the
device (CSCsq44516)
CVSS Base Score - 6.1
Access Vector - Adjacent Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 5.0
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* Crash handling invalid post for webauth (CSCsq44516)
CVSS Base Score - 6.1
Access Vector - Adjacent Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 5.0
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* WLC TSEC driver may hang or crash the device (CSCso60979)
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* Local Management Users may obtain full admin rights (CSCsv62283)
CVSS Base Score - 9.0
Access Vector - Network
Access Complexity - Low
Authentication - Single
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 7.8
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
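The four base scores listed above follow from the metric values next to them via the CVSS v2.0 base equation. This Python calculator is an added example, not Cisco's tooling; the metric weights are those of the CVSS v2.0 specification, and the advisory's four vectors are transcribed into it as constructed input so that a reader can reproduce the scores (it also accepts the compact AV:/AC:/Au: vector notation, which the advisory itself does not use).

```python
"""CVSS v2.0 base-score calculator, checked against the vectors in the Cisco WLC advisory."""

# Metric weights from the CVSS v2.0 specification, keyed by the one-letter vector codes.
ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}      # Local / Adjacent Network / Network
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}   # High / Medium / Low
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}     # Multiple / Single / None
IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}             # None / Partial / Complete

# Spelled-out metric values, as the advisory writes them, mapped to the vector codes.
# Each metric has its own weight table, so the shared letters (L, M, N) do not collide.
WORDS = {
    "Local": "L", "Adjacent Network": "A", "Network": "N",
    "High": "H", "Medium": "M", "Low": "L",
    "Multiple": "M", "Single": "S", "None": "N",
    "Partial": "P", "Complete": "C",
}

METRIC_ORDER = (
    "Access Vector", "Access Complexity", "Authentication",
    "Confidentiality Impact", "Integrity Impact", "Availability Impact",
)


def base_score(av: str, ac: str, au: str, c: str, i: str, a: str) -> float:
    """CVSS v2.0 base score from one-letter metric codes, rounded to one decimal."""
    impact = 10.41 * (1 - (1 - IMPACT[c]) * (1 - IMPACT[i]) * (1 - IMPACT[a]))
    exploitability = 20 * ACCESS_VECTOR[av] * ACCESS_COMPLEXITY[ac] * AUTHENTICATION[au]
    f_impact = 0.0 if impact == 0 else 1.176  # f(Impact) in the specification
    return round((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact, 1)


def score_vector(vector: str) -> float:
    """Score a compact vector string such as "AV:A/AC:L/Au:N/C:N/I:N/A:C"."""
    metrics = dict(part.split(":", 1) for part in vector.split("/"))
    return base_score(metrics["AV"], metrics["AC"], metrics["Au"],
                      metrics["C"], metrics["I"], metrics["A"])


def score_advisory_entry(entry: dict[str, str]) -> float:
    """Score an entry written the way the advisory lists it (spelled-out metric values)."""
    return base_score(*(WORDS[entry[name]] for name in METRIC_ORDER))


# The four scored items from the advisory, transcribed here as constructed input.
ADVISORY = {
    "Certain packets may cause WebAuth services to hang or reload the device": {
        "Access Vector": "Adjacent Network", "Access Complexity": "Low",
        "Authentication": "None", "Confidentiality Impact": "None",
        "Integrity Impact": "None", "Availability Impact": "Complete",
    },
    "Crash handling invalid post for webauth": {
        "Access Vector": "Adjacent Network", "Access Complexity": "Low",
        "Authentication": "None", "Confidentiality Impact": "None",
        "Integrity Impact": "None", "Availability Impact": "Complete",
    },
    "WLC TSEC driver may hang or crash the device": {
        "Access Vector": "Network", "Access Complexity": "Low",
        "Authentication": "None", "Confidentiality Impact": "None",
        "Integrity Impact": "None", "Availability Impact": "Complete",
    },
    "Local Management Users may obtain full admin rights": {
        "Access Vector": "Network", "Access Complexity": "Low",
        "Authentication": "Single", "Confidentiality Impact": "Complete",
        "Integrity Impact": "Complete", "Availability Impact": "Complete",
    },
}


def check_advisory() -> dict[str, float]:
    """Recompute every base score in the advisory; expected 6.1, 6.1, 7.8, 9.0."""
    return {title: score_advisory_entry(entry) for title, entry in ADVISORY.items()}


if __name__ == "__main__":
    for title, score in check_advisory().items():
        print(f"{score:4.1f}  {title}")
```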
Impact
======
Successful exploitation of the denial of service vulnerabilities may
cause the affected device to hang or reload. Repeated exploitation
could result in a sustained DoS condition. The privilege escalation
vulnerability may allow an authenticated user to obtain full
administrative rights on the affected system.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to determine
exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
+-----------------------------------------------------+
| Vulnerability | Affected | First | Recommended |
| / Bug ID | Release | Fixed | Release |
| | | Version | |
|---------------+----------+------------+-------------|
| | 4.1 | Migrate to | 4.2.176.0 |
| | | 4.2 | |
| |----------+------------+-------------|
| | 4.2 | 4.2.173.0 | 4.2.176.0 |
| |----------+------------+-------------|
| | 5.0 | Migrate to | 5.2.157.0 |
| CSCsq44516 | | 5.2 | |
| |----------+------------+-------------|
| | 5.1 | Contact | Contact TAC |
| | | TAC | |
| |----------+------------+-------------|
| | 5.2 | Not | Not |
| | | vulnerable | Vulnerable |
|---------------+----------+------------+-------------|
| | 4.1 | Migrate to | 4.2.176.0 |
| | | 4.2 | |
| |----------+------------+-------------|
| | 4.2 | 4.2.112.0 | 4.2.176.0 |
| |----------+------------+-------------|
| CSCsm82364 | 5.0 | Not | Not |
| | | vulnerable | vulnerable |
| |----------+------------+-------------|
| | 5.1 | Not | Not |
| | | vulnerable | vulnerable |
| |----------+------------+-------------|
| | 5.2 | 5.2.157.0 | 5.2.157.0 |
|---------------+----------+------------+-------------|
| | 4.1 | Migrate to | 4.2.176.0 |
| | | 4.2 | |
| |----------+------------+-------------|
| | 4.2 | 4.2.117.0 | 4.2.176.0 |
| |----------+------------+-------------|
| | 5.0 | Migrate to | 5.2.157.0 |
| CSCso60979 | | 5.2 | |
| |----------+------------+-------------|
| | 5.1 | Not | Not |
| | | vulnerable | vulnerable |
| |----------+------------+-------------|
| | 5.2 | Not | Not |
| | | vulnerable | vulnerable |
|---------------+----------+------------+-------------|
| | 4.1 | Not | Not |
| | | vulnerable | vulnerable |
| |----------+------------+-------------|
| | 4.2 | 4.2.174.0 | 4.2.176.0 |
| |----------+------------+-------------|
| | 5.0 | Not | Not |
| CSCsv62283 | | Vulnerable | Vulnerable |
| |----------+------------+-------------|
| | 5.1 | Not | Not |
| | | Vulnerable | vulnerable |
| |----------+------------+-------------|
| | 5.2 | Not | Not |
| | | Vulnerable | vulnerable |
+-----------------------------------------------------+
Note: Customers running 4.1M WLC mesh code, using Cisco Wireless 1510
Access Points (APs) are recommended to migrate to release 4.2.176.0.
Customers running 4.1 mesh code, using Cisco Wireless 1520 APs are
recommended to migrate to 5.2 or later.
Workarounds
===========
There are no workarounds for any of these vulnerabilities.
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should consult
their maintenance provider or check the software for feature set
compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature
sets they have purchased. By installing, downloading, accessing
or otherwise using such software upgrades, customers agree to be
bound by the terms of Cisco's software license terms found at
http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html,
or as otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml.
Do not contact psirt@cisco.com or security-alert@cisco.com for software
upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through their
regular update channels. For most customers, this means that upgrades
should be obtained through the Software Center on Cisco's worldwide
website at http://www.cisco.com.
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through prior
or existing agreements with third-party support organizations, such
as Cisco Partners, authorized resellers, or service providers should
contact that support organization for guidance and assistance with the
appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or fix
is the most appropriate for use in the intended network before it is
deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco service
contract, and customers who purchase through third-party vendors but are
unsuccessful in obtaining fixed software through their point of sale
should acquire upgrades by contacting the Cisco Technical Assistance
Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to a
free upgrade. Free upgrades for non-contract customers must be requested
through the TAC.
Refer to http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
for additional TAC contact information, including localized telephone
numbers, and instructions and e-mail addresses for use in various
languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerabilities described in this advisory. These
vulnerabilities were found during internal testing and during the
resolution of customer support cases.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY
ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that omits
the distribution URL in the following section is an uncontrolled copy,
and may lack important information or contain factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at :
http://www.cisco.com/warp/public/707/cisco-sa-20090204-wlc.shtml
In addition to worldwide web posting, a text version of this notice is
clear-signed with the Cisco PSIRT PGP key and is posted to the following
e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on mailing
lists or newsgroups. Users concerned about this problem are encouraged
to check the above URL for any updates.
Revision History
================
+------------------------------------------------------------+
| Revision 1.0 | 2009-February-04 | Initial public release. |
+------------------------------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html.
This includes instructions for press inquiries regarding Cisco security
notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt.
+--------------------------------------------------------------------
Copyright 2008 - 2009 Cisco Systems, Inc. All rights reserved.
+--------------------------------------------------------------------
Updated: Feb 04, 2009 Document ID: 108336
VAR-200902-0673 | CVE-2008-4419 | Directory traversal vulnerability in the HP JetDirect web management interface of the HP-ChaiSOE 1.0 embedded web server in multiple HP products |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Directory traversal vulnerability in the HP JetDirect web administration interface in the HP-ChaiSOE 1.0 embedded web server on the LaserJet 9040mfp, LaserJet 9050mfp, and Color LaserJet 9500mfp before firmware 08.110.9; LaserJet 4345mfp and 9200C Digital Sender before firmware 09.120.9; Color LaserJet 4730mfp before firmware 46.200.9; LaserJet 2410, LaserJet 2420, and LaserJet 2430 before firmware 20080819 SPCL112A; LaserJet 4250 and LaserJet 4350 before firmware 20080819 SPCL015A; and LaserJet 9040 and LaserJet 9050 before firmware 20080819 SPCL110A allows remote attackers to read arbitrary files via directory traversal sequences in the URI. Multiple HP printers are prone to an unspecified directory-traversal vulnerability because the device's webserver fails to sufficiently sanitize user-supplied input.
Exploiting this issue will allow an attacker to view arbitrary local files within the context of the webserver. Information harvested may aid in launching further attacks.
The vulnerability is caused due to an input validation error within
the embedded web server, which can be exploited to gain access to
files outside the web root via directory traversal attacks.
PROVIDED AND/OR DISCOVERED BY:
Digital Defense, Inc. (DDI) Vulnerability Research Team
ORIGINAL ADVISORY:
HPSBPI02398 SSRT080166:
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01623905
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c01623905
Version: 1
HPSBPI02398 SSRT080166 rev.1 - Certain HP LaserJet Printers, HP Color LaserJet Printers, and HP Digital Senders, Remote Unauthorized Access to Files
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible. The vulnerability could be exploited remotely to gain unauthorized access to files.
References: CVE-2008-4419
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
The Hewlett-Packard Company thanks the Digital Defense, Inc. (DDI) Vulnerability Research Team (VRT) for reporting this vulnerability to security-alert@hp.com.
RESOLUTION
HP has provided firmware updates and preliminary firmware updates to resolve this vulnerability. The firmware updates and preliminary firmware updates are available as described below.
Note: Each firmware update has instructions for finding the firmware version installed on the product.
File - lj24x0fw_08_112_spcl112A.rfu
MD5 Sum - b3dbcc8d6d465b0a264b662b13a19685
File - lj4x50fw_08_015_spcl015A.rfu
MD5 Sum - 1acfd981cad26e002f655332b1ba5954
File - lj9050-50fw_08_110_spcl110A.rfu
MD5 Sum - ed2ded960ba70e563b58e506fbe1faae
File - InstallationInstructions.rtf
MD5 Sum - 1feb8410771d698ea9599d2fcc462a2d
Install the preliminary firmware update as described in the InstallationInstructions.rtf file.
PRODUCT SPECIFIC INFORMATION
None
HISTORY
Version: 1 (rev.1) - 4 February 2009 Initial release
Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy.
Support: For further information, contact normal HP Services support channel.
Report: To report a potential security vulnerability with any HP supported product, send Email to: security-alert@hp.com
It is strongly recommended that security related information being communicated to HP be encrypted using PGP, especially exploit information.
To get the security-alert PGP key, please send an e-mail message as follows:
To: security-alert@hp.com
Subject: get key
Subscribe: To initiate a subscription to receive future HP Security Bulletins via Email:
http://h30046.www3.hp.com/driverAlertProfile.php?regioncode=NA&langcode=USENG&jumpid=in_SC-GEN__driverITRC&topiccode=ITRC
On the web page: ITRC security bulletins and patch sign-up
Under Step1: your ITRC security bulletins and patches
- check ALL categories for which alerts are required and continue.
Under Step2: your ITRC operating systems
- verify your operating system selections are checked and save.
To update an existing subscription: http://h30046.www3.hp.com/subSignIn.php
Log in on the web page: Subscriber's choice for Business: sign-in.
On the web page: Subscriber's Choice: your profile summary - use Edit Profile to update appropriate sections.
To review previously published Security Bulletins visit: http://www.itrc.hp.com/service/cki/secBullArchive.do
* The Software Product Category that this Security Bulletin relates to is represented by the 5th and 6th characters of the Bulletin number in the title:
GN = HP General SW
MA = HP Management Agents
MI = Misc. 3rd Party SW
MP = HP MPE/iX
NS = HP NonStop Servers
OV = HP OpenVMS
PI = HP Printing & Imaging
ST = HP Storage SW
TL = HP Trusted Linux
TU = HP Tru64 UNIX
UX = HP-UX
VV = HP VirtualVault
System management and security procedures must be reviewed frequently to maintain system integrity. HP is continually reviewing and enhancing the security features of software products to provide customers with current secure solutions.
"HP is broadly distributing this Security Bulletin in order to bring to the attention of users of the affected HP products the important security information contained in this Bulletin. HP recommends that all users determine the applicability of this information to their individual situations and take appropriate action. HP does not warrant that this information is necessarily accurate or complete for all user situations and, consequently, HP will not be responsible for any damages resulting from user's use or disregard of the information provided in this Bulletin. To the extent permitted by law, HP disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose, title and non-infringement."
© Copyright 2009 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental, special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett-Packard Company and the names of Hewlett-Packard products referenced herein are trademarks of Hewlett-Packard Company in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners.
VAR-200902-0481 | CVE-2009-0062 | Privilege escalation vulnerability in multiple Cisco Wireless LAN products |
Related entries in the VARIoT exploits database: VAR-E-200902-0516 |
CVSS V2: 9.0 CVSS V3: - Severity: HIGH |
Unspecified vulnerability in the Cisco Wireless LAN Controller (WLC), Cisco Catalyst 6500 Wireless Services Module (WiSM), and Cisco Catalyst 3750 Integrated Wireless LAN Controller with software 4.2.173.0 allows remote authenticated users to gain privileges via unknown vectors, as demonstrated by escalation from the (1) Lobby Admin and (2) Local Management User privilege levels. Multiple Cisco Wireless LAN Controllers are prone to these remote vulnerabilities:
- Multiple denial-of-service vulnerabilities
- A remote privilege-escalation vulnerability
Remote attackers can exploit these issues to gain administrative rights on an affected device or crash the device, denying service to legitimate users.
1) An unspecified error can be exploited to reload the device or to
render the web authentication functionality unusable.
2) An error when processing POST requests sent to the web
authentication login.html page can be exploited to trigger a device
reload.
The vulnerabilities affect Wireless LAN Controller software versions
4.1 and later on all platforms.
3) An error related to the TSEC driver can be exploited to render a
device unresponsive via specially crafted IP packets.
4) An unspecified error can be exploited by unprivileged users to
gain full administrative rights to an affected system.
This vulnerability affects Wireless LAN Controller software version
4.2.173.0.
SOLUTION:
Update to a fixed version. Please see vendor advisory for a patch
matrix.
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
http://www.cisco.com/warp/public/707/cisco-sa-20090204-wlc.shtml
VAR-200902-0480 | CVE-2009-0061 | Denial of service (DoS) vulnerabilities in multiple Cisco Wireless LAN products |
Related entries in the VARIoT exploits database: VAR-E-200902-0516 |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Unspecified vulnerability in the Wireless LAN Controller (WLC) TSEC driver in the Cisco 4400 WLC, Cisco Catalyst 6500 and 7600 Wireless Services Module (WiSM), and Cisco Catalyst 3750 Integrated Wireless LAN Controller with software 4.x before 4.2.176.0 and 5.x before 5.1 allows remote attackers to cause a denial of service (device crash or hang) via unknown IP packets. Multiple Cisco Wireless LAN Controllers are prone to these remote vulnerabilities:
- Multiple denial-of-service vulnerabilities
- A remote privilege-escalation vulnerability
Remote attackers can exploit these issues to gain administrative rights on an affected device or crash the device, denying service to legitimate users.
SOLUTION:
Update to a fixed version. Please see vendor advisory for a patch
matrix.
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
http://www.cisco.com/warp/public/707/cisco-sa-20090204-wlc.shtml
This security advisory outlines details of the following vulnerabilities:
* Denial of Service Vulnerabilities (total of three)
* Privilege Escalation Vulnerability
These vulnerabilities are independent of each other.
Cisco has released free software updates that address these
vulnerabilities.
There are no workarounds available for these vulnerabilities.
This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20090204-wlc.shtml.
Affected Products
=================
Vulnerable Products
+------------------
The following products and software versions are affected for each
vulnerability.
Denial of Service Vulnerabilities
+--------------------------------
Two denial of service (DoS) vulnerabilities affect software versions
4.2 and later.
A third DoS vulnerability affects software versions 4.1 and later.
Privilege Escalation Vulnerability
+---------------------------------
Only WLC software version 4.2.173.0 is affected by this vulnerability.
Determination of Software Versions
+---------------------------------
To determine the WLC version that is running in a given environment, use
one of the following methods:
* In the web interface, choose the Monitor tab, click Summary in
the left pane, and note the Software Version.
* From the command-line interface, type "show sysinfo" and note the
Product Version, as shown in the following example:
(Cisco Controller) >show sysinfo
Manufacturer's Name.. Cisco Systems Inc.
Product Name......... Cisco Controller
Product Version...... 5.1.151.0
RTOS Version......... Linux-2.6.10_mvl401
Bootloader Version... 4.0.207.0
Build Type........... DATA + WPS
<output suppressed>
Use the "show wism module <module number> controller 1 status" command
on a Cisco Catalyst 6500 Series/7600 Series switch if using a WiSM, and
note the Software Version, as demonstrated in the following example:
Router#show wism mod 3 controller 1 status
WiSM Controller 1 in Slot 3
Operational Status of the Controller : Oper-Up
Service VLAN : 192
Service Port : 10
Service Port Mac Address : 0011.92ff.8742
Service IP Address : 192.168.10.1
Management IP Address : 192.168.1.123
Software Version : 5.1.151.0
Port Channel Number : 288
Allowed vlan list : 30,40
Native VLAN ID : 40
WCP Keep Alive Missed : 0
Products Confirmed Not Vulnerable
+--------------------------------
No other Cisco products are currently known to be affected by these
vulnerabilities.
These devices communicate with Controller-based Access Points over any
Layer 2 (Ethernet) or Layer 3 (IP) infrastructure using the Lightweight
Access Point Protocol (LWAPP).
This Security Advisory describes multiple distinct vulnerabilities in
the WLCs, WiSMs, and the Cisco Catalyst 3750 Integrated WLCs. These
vulnerabilities are independent of each other.
Denial of Service Vulnerabilities
+--------------------------------
These vulnerabilities are documented in the following Cisco Bug IDs and
have been assigned the following Common Vulnerabilities and Exposures
(CVE) identifiers:
* CSCsq44516 - CVE-2009-0058
Web authentication is a Layer 3 security feature that causes the
controller to drop IP traffic (except DHCP and DNS related packets)
from a particular client until that client has correctly supplied
a valid username and password. An attacker may use a vulnerability
scanner to cause the device to stop servicing web authentication
or cause a reload of the device. The following error messages may
appear on the console during an active attack:
SshPmStMain/pm_st_main.c:1954/
ssh_pm_st_main_batch_addition_result:
Failed to add rule to the engine:
restoring old state
SshEnginePmApiPm/engine_pm_api_pm.c:1896/
ssh_pme_enable_policy_lookup:
Could not allocate message
* CSCsm82364 - CVE-2009-0059
An attacker may cause a device reload when sending a malformed post
to the web authentication "login.html" page. The following error
messages may appear on the WLC console during this attack:
Cisco Crash Handler
Signal generated during a signal 11,
count 193
Memory 0x14ef1e44 has been freed!
Note: A crash file is not generated during this attack. Upon receiving these IP packets, the
affected device may become unresponsive and require a reboot to
recover.
Privilege Escalation Vulnerability
+---------------------------------
A privilege escalation vulnerability exists only in WLC software version
4.2.173.0, and could allow a restricted user (i.e., Lobby Admin) to gain
full administrative rights on the affected system.
Note: Wireless network users are not affected by this vulnerability.
This vulnerability is documented in Cisco Bug ID CSCsv62283 and has
been assigned the Common Vulnerabilities and Exposures (CVE) identifier
CVE-2009-0062.
Vulnerability Scoring Details
+----------------------------
Cisco has provided scores for the vulnerabilities in this advisory based
on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in
this Security Advisory is done in accordance with CVSS version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of the
vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at
http://intellishield.cisco.com/security/alertmanager/cvss
* Certain packets may cause WebAuth services to hang or reload the
device (CSCsq44516)
CVSS Base Score - 6.1
Access Vector - Adjacent Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 5.0
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* Crash handling invalid post for webauth (CSCsq44516)
CVSS Base Score - 6.1
Access Vector - Adjacent Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 5.0
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* WLC TSEC driver may hang or crash the device (CSCso60979)
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* Local Management Users may obtain full admin rights (CSCsv62283)
CVSS Base Score - 9.0
Access Vector - Network
Access Complexity - Low
Authentication - Single
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 7.8
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of the denial of service vulnerabilities may
cause the affected device to hang or reload. Repeated exploitation
could result in a sustained DoS condition. The privilege escalation
vulnerability may allow an authenticated user to obtain full
administrative rights on the affected system.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to determine
exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
+-----------------------------------------------------+
| Vulnerability | Affected | First | Recommended |
| / Bug ID | Release | Fixed | Release |
| | | Version | |
|---------------+----------+------------+-------------|
| | 4.1 | Migrate to | 4.2.176.0 |
| | | 4.2 | |
| |----------+------------+-------------|
| | 4.2 | 4.2.173.0 | 4.2.176.0 |
| |----------+------------+-------------|
| | 5.0 | Migrate to | 5.2.157.0 |
| CSCsq44516 | | 5.2 | |
| |----------+------------+-------------|
| | 5.1 | Contact | Contact TAC |
| | | TAC | |
| |----------+------------+-------------|
| | 5.2 | Not | Not |
| | | vulnerable | Vulnerable |
|---------------+----------+------------+-------------|
| | 4.1 | Migrate to | 4.2.176.0 |
| | | 4.2 | |
| |----------+------------+-------------|
| | 4.2 | 4.2.112.0 | 4.2.176.0 |
| |----------+------------+-------------|
| CSCsm82364 | 5.0 | Not | Not |
| | | vulnerable | vulnerable |
| |----------+------------+-------------|
| | 5.1 | Not | Not |
| | | vulnerable | vulnerable |
| |----------+------------+-------------|
| | 5.2 | 5.2.157.0 | 5.2.157.0 |
|---------------+----------+------------+-------------|
| | 4.1 | Migrate to | 4.2.176.0 |
| | | 4.2 | |
| |----------+------------+-------------|
| | 4.2 | 4.2.117.0 | 4.2.176.0 |
| |----------+------------+-------------|
| | 5.0 | Migrate to | 5.2.157.0 |
| CSCso60979 | | 5.2 | |
| |----------+------------+-------------|
| | 5.1 | Not | Not |
| | | vulnerable | vulnerable |
| |----------+------------+-------------|
| | 5.2 | Not | Not |
| | | vulnerable | vulnerable |
|---------------+----------+------------+-------------|
| | 4.1 | Not | Not |
| | | vulnerable | vulnerable |
| |----------+------------+-------------|
| | 4.2 | 4.2.174.0 | 4.2.176.0 |
| |----------+------------+-------------|
| | 5.0 | Not | Not |
| CSCsv62283 | | Vulnerable | Vulnerable |
| |----------+------------+-------------|
| | 5.1 | Not | Not |
| | | Vulnerable | vulnerable |
| |----------+------------+-------------|
| | 5.2 | Not | Not |
| | | Vulnerable | vulnerable |
+-----------------------------------------------------+
Note: Customers running 4.1M WLC mesh code, using Cisco Wireless 1510
Access Points (APs) are recommended to migrate to release 4.2.176.0.
Customers running 4.1 mesh code, using Cisco Wireless 1520 APs are
recommended to migrate to 5.2 or later.
Workarounds
===========
There are no workarounds for any of these vulnerabilities.
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should consult
their maintenance provider or check the software for feature set
compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature
sets they have purchased. By installing, downloading, accessing
or otherwise using such software upgrades, customers agree to be
bound by the terms of Cisco's software license terms found at
http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html,
or as otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml.
Do not contact psirt@cisco.com or security-alert@cisco.com for software
upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through their
regular update channels. For most customers, this means that upgrades
should be obtained through the Software Center on Cisco's worldwide
website at http://www.cisco.com.
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through prior
or existing agreements with third-party support organizations, such
as Cisco Partners, authorized resellers, or service providers should
contact that support organization for guidance and assistance with the
appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or fix
is the most appropriate for use in the intended network before it is
deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco service
contract, and customers who purchase through third-party vendors but are
unsuccessful in obtaining fixed software through their point of sale
should acquire upgrades by contacting the Cisco Technical Assistance
Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to a
free upgrade. Free upgrades for non-contract customers must be requested
through the TAC.
Refer to http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
for additional TAC contact information, including localized telephone
numbers, and instructions and e-mail addresses for use in various
languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerabilities described in this advisory. These
vulnerabilities were found during internal testing and during the
resolution of customer support cases.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY
ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that omits
the distribution URL in the following section is an uncontrolled copy,
and may lack important information or contain factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at :
http://www.cisco.com/warp/public/707/cisco-sa-20090204-wlc.shtml
In addition to worldwide web posting, a text version of this notice is
clear-signed with the Cisco PSIRT PGP key and is posted to the following
e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on mailing
lists or newsgroups. Users concerned about this problem are encouraged
to check the above URL for any updates.
Revision History
================
+------------------------------------------------------------+
| Revision 1.0 | 2009-February-04 | Initial public release. |
+------------------------------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html.
This includes instructions for press inquiries regarding Cisco security
notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt.
+--------------------------------------------------------------------
Copyright 2008 - 2009 Cisco Systems, Inc. All rights reserved.
+--------------------------------------------------------------------
Updated: Feb 04, 2009 Document ID: 108336
VAR-200902-0478 | CVE-2009-0058 | Denial of service (DoS) vulnerabilities in multiple Cisco Wireless LAN products |
Related entries in the VARIoT exploits database: VAR-E-200902-0516 |
CVSS V2: 6.1 CVSS V3: - Severity: MEDIUM |
The Cisco Wireless LAN Controller (WLC), Cisco Catalyst 6500 Wireless Services Module (WiSM), and Cisco Catalyst 3750 Integrated Wireless LAN Controller with software 4.x before 4.2.176.0 and 5.x before 5.2 allow remote attackers to cause a denial of service (web authentication outage or device reload) via unspecified network traffic, as demonstrated by a vulnerability scanner. Multiple Cisco Wireless LAN Controllers are prone to these remote vulnerabilities:
- Multiple denial-of-service vulnerabilities
- A remote privilege-escalation vulnerability
Remote attackers can exploit these issues to gain administrative rights on an affected device or crash the device, denying service to legitimate users.
SOLUTION:
Update to a fixed version. Please see vendor advisory for a patch
matrix.
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
http://www.cisco.com/warp/public/707/cisco-sa-20090204-wlc.shtml
This security advisory outlines details of the following vulnerabilities:
* Denial of Service Vulnerabilities (total of three)
* Privilege Escalation Vulnerability
These vulnerabilities are independent of each other.
Cisco has released free software updates that address these
vulnerabilities.
There are no workarounds available for these vulnerabilities.
This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20090204-wlc.shtml.
Affected Products
=================
Vulnerable Products
+------------------
The following products and software versions are affected for each
vulnerability.
Denial of Service Vulnerabilities
+--------------------------------
Two denial of service (DoS) vulnerabilities affect software versions
4.2 and later.
A third DoS vulnerability affects software versions 4.1 and later.
Privilege Escalation Vulnerability
+---------------------------------
Only WLC software version 4.2.173.0 is affected by this vulnerability.
Determination of Software Versions
+---------------------------------
To determine the WLC version that is running in a given environment, use
one of the following methods:
* In the web interface, choose the Monitor tab, click Summary in
the left pane, and note the Software Version.
* From the command-line interface, type "show sysinfo" and note the
Product Version, as shown in the following example:
(Cisco Controller) >show sysinfo
Manufacturer's Name.. Cisco Systems Inc.
Product Name......... Cisco Controller
Product Version...... 5.1.151.0
RTOS Version......... Linux-2.6.10_mvl401
Bootloader Version... 4.0.207.0
Build Type........... DATA + WPS
<output suppressed>
Use the "show wism module <module number> controller 1 status" command
on a Cisco Catalyst 6500 Series/7600 Series switch if using a WiSM, and
note the Software Version, as demonstrated in the following example:
Router#show wism mod 3 controller 1 status
WiSM Controller 1 in Slot 3
Operational Status of the Controller : Oper-Up
Service VLAN : 192
Service Port : 10
Service Port Mac Address : 0011.92ff.8742
Service IP Address : 192.168.10.1
Management IP Address : 192.168.1.123
Software Version : 5.1.151.0
Port Channel Number : 288
Allowed vlan list : 30,40
Native VLAN ID : 40
WCP Keep Alive Missed : 0
Products Confirmed Not Vulnerable
+--------------------------------
No other Cisco products are currently known to be affected by these
vulnerabilities.
These devices communicate with Controller-based Access Points over any
Layer 2 (Ethernet) or Layer 3 (IP) infrastructure using the Lightweight
Access Point Protocol (LWAPP).
This Security Advisory describes multiple distinct vulnerabilities in
the WLCs, WiSMs, and the Cisco Catalyst 3750 Integrated WLCs. These
vulnerabilities are independent of each other.
Denial of Service Vulnerabilities
+--------------------------------
These vulnerabilities are documented in the following Cisco Bug IDs and
have been assigned the following Common Vulnerabilities and Exposures
(CVE) identifiers:
* CSCsq44516 - CVE-2009-0058
Web authentication is a Layer 3 security feature that causes the
controller to drop IP traffic (except DHCP and DNS related packets)
from a particular client until that client has correctly supplied
a valid username and password. An attacker may use a vulnerability
scanner to cause the device to stop servicing web authentication
or cause a reload of the device. The following error messages may
appear on the console during an active attack:
SshPmStMain/pm_st_main.c:1954/
ssh_pm_st_main_batch_addition_result:
Failed to add rule to the engine:
restoring old state
SshEnginePmApiPm/engine_pm_api_pm.c:1896/
ssh_pme_enable_policy_lookup:
Could not allocate message
* CSCsm82364 - CVE-2009-0059
An attacker may cause a device reload when sending a malformed post
to the web authentication "login.html" page. The following error
messages may appear on the WLC console during this attack:
Cisco Crash Handler
Signal generated during a signal 11,
count 193
Memory 0x14ef1e44 has been freed!
Note: A crash file is not generated during this attack. Upon receiving these IP packets, the
affected device may become unresponsive and require a reboot to
recover.
Privilege Escalation Vulnerability
+---------------------------------
A privilege escalation vulnerability exists only in WLC software version
4.2.173.0, and could allow a restricted user (i.e., Lobby Admin) to gain
full administrative rights on the affected system.
Note: Wireless network users are not affected by this vulnerability.
This vulnerability is documented in Cisco Bug ID CSCsv62283 and has
been assigned the Common Vulnerabilities and Exposures (CVE) identifier
CVE-2009-0062.
Vulnerability Scoring Details
+----------------------------
Cisco has provided scores for the vulnerabilities in this advisory based
on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in
this Security Advisory is done in accordance with CVSS version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of the
vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at
http://intellishield.cisco.com/security/alertmanager/cvss
* Certain packets may cause WebAuth services to hang or reload the
device (CSCsq44516)
CVSS Base Score - 6.1
Access Vector - Adjacent Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 5.0
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* Crash handling invalid post for webauth (CSCsq44516)
CVSS Base Score - 6.1
Access Vector - Adjacent Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 5.0
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* WLC TSEC driver may hang or crash the device (CSCso60979)
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* Local Management Users may obtain full admin rights (CSCsv62283)
CVSS Base Score - 9.0
Access Vector - Network
Access Complexity - Low
Authentication - Single
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 7.8
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of the denial of service vulnerabilities may
cause the affected device to hang or reload. Repeated exploitation
could result in a sustained DoS condition. The privilege escalation
vulnerability may allow an authenticated user to obtain full
administrative rights on the affected system.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to determine
exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
+-----------------------------------------------------+
| Vulnerability | Affected | First | Recommended |
| / Bug ID | Release | Fixed | Release |
| | | Version | |
|---------------+----------+------------+-------------|
| | 4.1 | Migrate to | 4.2.176.0 |
| | | 4.2 | |
| |----------+------------+-------------|
| | 4.2 | 4.2.173.0 | 4.2.176.0 |
| |----------+------------+-------------|
| | 5.0 | Migrate to | 5.2.157.0 |
| CSCsq44516 | | 5.2 | |
| |----------+------------+-------------|
| | 5.1 | Contact | Contact TAC |
| | | TAC | |
| |----------+------------+-------------|
| | 5.2 | Not | Not |
| | | vulnerable | Vulnerable |
|---------------+----------+------------+-------------|
| | 4.1 | Migrate to | 4.2.176.0 |
| | | 4.2 | |
| |----------+------------+-------------|
| | 4.2 | 4.2.112.0 | 4.2.176.0 |
| |----------+------------+-------------|
| CSCsm82364 | 5.0 | Not | Not |
| | | vulnerable | vulnerable |
| |----------+------------+-------------|
| | 5.1 | Not | Not |
| | | vulnerable | vulnerable |
| |----------+------------+-------------|
| | 5.2 | 5.2.157.0 | 5.2.157.0 |
|---------------+----------+------------+-------------|
| | 4.1 | Migrate to | 4.2.176.0 |
| | | 4.2 | |
| |----------+------------+-------------|
| | 4.2 | 4.2.117.0 | 4.2.176.0 |
| |----------+------------+-------------|
| | 5.0 | Migrate to | 5.2.157.0 |
| CSCso60979 | | 5.2 | |
| |----------+------------+-------------|
| | 5.1 | Not | Not |
| | | vulnerable | vulnerable |
| |----------+------------+-------------|
| | 5.2 | Not | Not |
| | | vulnerable | vulnerable |
|---------------+----------+------------+-------------|
| | 4.1 | Not | Not |
| | | vulnerable | vulnerable |
| |----------+------------+-------------|
| | 4.2 | 4.2.174.0 | 4.2.176.0 |
| |----------+------------+-------------|
| | 5.0 | Not | Not |
| CSCsv62283 | | Vulnerable | Vulnerable |
| |----------+------------+-------------|
| | 5.1 | Not | Not |
| | | Vulnerable | vulnerable |
| |----------+------------+-------------|
| | 5.2 | Not | Not |
| | | Vulnerable | vulnerable |
+-----------------------------------------------------+
Note: Customers running 4.1M WLC mesh code, using Cisco Wireless 1510
Access Points (APs) are recommended to migrate to release 4.2.176.0.
Customers running 4.1 mesh code, using Cisco Wireless 1520 APs are
recommended to migrate to 5.2 or later.
Workarounds
===========
There are no workarounds for any of these vulnerabilities.
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should consult
their maintenance provider or check the software for feature set
compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature
sets they have purchased. By installing, downloading, accessing
or otherwise using such software upgrades, customers agree to be
bound by the terms of Cisco's software license terms found at
http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html,
or as otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml.
Do not contact psirt@cisco.com or security-alert@cisco.com for software
upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through their
regular update channels. For most customers, this means that upgrades
should be obtained through the Software Center on Cisco's worldwide
website at http://www.cisco.com.
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through prior
or existing agreements with third-party support organizations, such
as Cisco Partners, authorized resellers, or service providers should
contact that support organization for guidance and assistance with the
appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or fix
is the most appropriate for use in the intended network before it is
deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco service
contract, and customers who purchase through third-party vendors but are
unsuccessful in obtaining fixed software through their point of sale
should acquire upgrades by contacting the Cisco Technical Assistance
Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to a
free upgrade. Free upgrades for non-contract customers must be requested
through the TAC.
Refer to http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
for additional TAC contact information, including localized telephone
numbers, and instructions and e-mail addresses for use in various
languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerabilities described in this advisory. These
vulnerabilities were found during internal testing and during the
resolution of customer support cases.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY
ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits
the distribution URL in the following section is an uncontrolled copy,
and may lack important information or contain factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at :
http://www.cisco.com/warp/public/707/cisco-sa-20090204-wlc.shtml
In addition to worldwide web posting, a text version of this notice is
clear-signed with the Cisco PSIRT PGP key and is posted to the following
e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on mailing
lists or newsgroups. Users concerned about this problem are encouraged
to check the above URL for any updates.
Revision History
================
+------------------------------------------------------------+
| Revision 1.0 | 2009-February-04 | Initial public release. |
+------------------------------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html.
This includes instructions for press inquiries regarding Cisco security
notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt.
+--------------------------------------------------------------------
Copyright 2008 - 2009 Cisco Systems, Inc. All rights reserved.
+--------------------------------------------------------------------
Updated: Feb 04, 2009 Document ID: 108336
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
VAR-200910-0132 | CVE-2009-3647 | YABSoft Mega File Hosting Script of emaullinks.php Vulnerable to cross-site scripting |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Cross-site scripting (XSS) vulnerability in emaullinks.php in YABSoft Mega File Hosting Script (aka MFH or MFHS) 1.2 allows remote attackers to inject arbitrary web script or HTML via the moudi parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
NaviCOPA Web Server is a web server installed on a Windows system that automatically configures HTTP access. If a remote attacker submits a long HTTP GET request to the NaviCOPA Web Server, it can trigger a heap overflow, causing arbitrary code execution; in addition, submitting a specially crafted HTTP request containing a dot character to the server can also reveal the source code of the PHP script. NaviCOPA Web Server is prone to a remote buffer-overflow vulnerability and an information-disclosure vulnerability because the application fails to properly bounds-check or validate user-supplied input.
Successful exploits of the buffer-overflow issue may lead to the execution of arbitrary code in the context of the application or to denial-of-service conditions. Also, attackers can exploit the information-disclosure issue to retrieve arbitrary source code in the context of the webserver process. Information harvested may aid in further attacks. ----------------------------------------------------------------------
TITLE:
NaviCOPA Script Source Disclosure and Buffer Overflow Vulnerabilities
SECUNIA ADVISORY ID:
SA33766
VERIFY ADVISORY:
http://secunia.com/advisories/33766/
CRITICAL:
Highly critical
IMPACT:
Exposure of sensitive information, DoS, System access
WHERE:
From remote
SOFTWARE:
NaviCOPA 3.x
http://secunia.com/advisories/product/21322/
DESCRIPTION:
e.wiZz! has discovered two vulnerabilities in NaviCOPA, which can be
exploited by malicious people to disclose potentially sensitive
information, cause a DoS (Denial of Service), or potentially
compromise a vulnerable system.
1) A boundary error in the processing of HTTP requests can be
exploited to cause a heap-based buffer overflow via an overly long
HTTP GET request.
2) It is also possible to disclose the source code of PHP scripts via
specially crafted requests containing e.g. dot characters.
The vulnerabilities are confirmed in version 3.01.
SOLUTION:
Restrict access to trusted users only.
PROVIDED AND/OR DISCOVERED BY:
e.wiZz!
ORIGINAL ADVISORY:
http://milw0rm.com/exploits/7966
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
VAR-200910-0131 | CVE-2009-3646 | InterVations NaviCOPA Web Server In Web Vulnerability to get page source code |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
InterVations NaviCOPA Web Server 3.01 allows remote attackers to obtain the source code for a web page via an HTTP request with the addition of ::$DATA after the HTML file name. NaviCOPA Web Server is a web server installed on a Windows system that automatically configures HTTP access. NaviCOPA Web Server is prone to a remote buffer-overflow vulnerability and an information-disclosure vulnerability because the application fails to properly bounds-check or validate user-supplied input.
Successful exploits of the buffer-overflow issue may lead to the execution of arbitrary code in the context of the application or to denial-of-service conditions. Also, attackers can exploit the information-disclosure issue to retrieve arbitrary source code in the context of the webserver process. Information harvested may aid in further attacks.
The CB Resume Builder ('com_cbresumebuilder') component for Joomla! is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. ----------------------------------------------------------------------
Input passed via the "group_id" parameter to index.php (if "option"
is set to "com_cbresumebuilder" and "task" is set to "group_member")
is not properly sanitised before being used in an SQL query. This can
be exploited to manipulate SQL queries by injecting arbitrary SQL
code.
SOLUTION:
Edit the source code to ensure that input is properly sanitised. ----------------------------------------------------------------------
VAR-200902-0719 | No CVE | D-Link DIR-300 Cross Site Scripting and Security Bypass Vulnerabilities |
CVSS V2: - CVSS V3: - Severity: - |
D-Link DIR-300 is prone to a cross-site scripting vulnerability and a security-bypass vulnerability.
An attacker may exploit these issues to bypass authentication or execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
The issues affect D-Link DIR-300 with firmware 1.04-tomi-1.1.2.
VAR-200902-0032 | CVE-2009-0468 | Profense Web Application Firewall of ajax.html Vulnerable to cross-site request forgery |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Multiple cross-site request forgery (CSRF) vulnerabilities in ajax.html in Profense Web Application Firewall 2.6.2 and 2.6.3 allow remote attackers to hijack the authentication of administrators for requests that (1) shutdown the server, (2) send ping packets, (3) enable network services, (4) configure a proxy server, and (5) modify other settings via parameters in the query string. Profense is prone to a cross-site scripting vulnerability and a cross-site request-forgery vulnerability.
An attacker can exploit the cross-site request forgery issue to alter the settings on affected devices. This may lead to further network-based attacks.
The attacker can exploit the cross-site scripting issue to execute arbitrary script code in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials. Other attacks are also possible.
Profense 2.6.2 is vulnerable; other versions may also be affected. ----------------------------------------------------------------------
TITLE:
Profense Web Application Firewall Cross-Site Scripting and Cross-Site
Request Forgery
SECUNIA ADVISORY ID:
SA33739
VERIFY ADVISORY:
http://secunia.com/advisories/33739/
CRITICAL:
Less critical
IMPACT:
Cross Site Scripting
WHERE:
From remote
SOFTWARE:
Profense Web Application Firewall 2.x
http://secunia.com/advisories/product/21280/
DESCRIPTION:
Michael Brooks has discovered some vulnerabilities in Profense Web
Application Firewall, which can be exploited by malicious people to
conduct cross-site scripting and cross-site request forgery attacks.
1) Input passed via the "proxy" parameter in proxy.html is not
properly sanitised before being returned to the user.
2) The application allows users to perform certain actions via HTTP
requests without performing any validity check to verify the request.
This can be exploited to perform certain actions, e.g. to shutdown the
system, by enticing a logged-in administrator to visit a malicious web
site.
The vulnerability is reported in version 2.6.2 and confirmed in
version 2.6.3.
SOLUTION:
Do not follow untrusted links and do not visit untrusted web sites
while being logged-in to the web-based management interface.
PROVIDED AND/OR DISCOVERED BY:
Michael Brooks
ORIGINAL ADVISORY:
http://milw0rm.com/exploits/7919
----------------------------------------------------------------------
VAR-200902-0031 | CVE-2009-0467 | Profense Web Application Firewall of proxy.html Vulnerable to cross-site scripting |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Cross-site scripting (XSS) vulnerability in proxy.html in Profense Web Application Firewall 2.6.2 and 2.6.3 allows remote attackers to inject arbitrary web script or HTML via the proxy parameter in a deny_log manage action. Profense is prone to a cross-site scripting vulnerability and a cross-site request-forgery vulnerability.
An attacker can exploit the cross-site request forgery issue to alter the settings on affected devices. This may lead to further network-based attacks. Other attacks are also possible.
Profense 2.6.2 is vulnerable; other versions may also be affected. Profense Web Application Firewall is a website firewall. ----------------------------------------------------------------------
VAR-200901-0282 | CVE-2009-0042 | plural CA Product Arclib library Vulnerabilities that can bypass virus detection |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Multiple unspecified vulnerabilities in the Arclib library (arclib.dll) before 7.3.0.15 in the CA Anti-Virus engine for CA Anti-Virus for the Enterprise 7.1, r8, and r8.1; Anti-Virus 2007 v8 and 2008; Internet Security Suite 2007 v3 and 2008; and other CA products allow remote attackers to bypass virus detection via a malformed archive file. Computer Associates Anti-Virus engine is prone to multiple vulnerabilities that may allow certain compressed archives to bypass the scan engine.
Successful exploits will allow attackers to distribute files containing malicious code that the antivirus engine will fail to detect.
Products with 'arclib.dll' prior to version 7.3.0.15 are vulnerable.
Title: CA20090126-01: CA Anti-Virus Engine Detection Evasion
Multiple Vulnerabilities
CA Advisory Reference: CA20090126-01
CA Advisory Date: 2009-01-26
Reported By:
Thierry Zoller and Sergio Alvarez of n.runs AG
Impact: A remote attacker can evade detection. CA has
released a new Anti-Virus engine to address the vulnerabilities.
Consequently, detection evasion can be a concern for gateway
anti-virus software if archives are not scanned, but the risk is
effectively mitigated by the desktop anti-virus engine.
Mitigating Factors: See note above.
Severity: CA has given these vulnerabilities a Low risk rating. If your product is
configured for automatic updates, you should already be protected,
and you need to take no action. If your product is not configured
for automatic updates, then you simply need to run the update
utility included with your product.
How to determine if you are affected:
For products on Windows:
1. Using Windows Explorer, locate the file "arclib.dll". By
default, the file is located in the
"C:\Program Files\CA\SharedComponents\ScanEngine" directory (*).
2. Right click on the file and select Properties.
3. Select the Version tab.
4. Verify that the file version is 7.3.0.15 or later:
File Name File Version
arclib.dll 7.3.0.15
*For eTrust Intrusion Detection 2.0 the file is located in
"Program Files\eTrust\Intrusion Detection\Common", and for eTrust
Intrusion Detection 3.0 and 3.0 sp1, the file is located in
"Program Files\CA\Intrusion Detection\Common".
For CA Anti-Virus r8.1 on non-Windows platforms:
Use the compver utility provided on the CD to determine the
version of Arclib.
Example compver utility output:
------------------------------------------------
COMPONENT NAME VERSION
------------------------------------------------
eTrust Antivirus Arclib Archive Library 7.3.0.15
... (followed by other components)
For reference, the following are file names for arclib on
non-Windows operating systems:
Operating System File name
Solaris libarclib.so
Linux libarclib.so
Mac OS X arclib.bundle
Workaround:
Do not open email attachments or download files from untrusted
sources.
For technical questions or comments related to this advisory,
please send email to vuln AT ca DOT com.
If you discover a vulnerability in CA products, please report your
findings to the CA Product Vulnerability Response Team.
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=177782
Regards,
Ken Williams, Director ; 0xE2941985
CA Product Vulnerability Response Team
CA, 1 CA Plaza, Islandia, NY 11749
Contact http://www.ca.com/us/contact/
Legal Notice http://www.ca.com/us/legal/
Privacy Policy http://www.ca.com/us/privacy/
Copyright (c) 2009 CA. All rights reserved.
VAR-200901-0456 | CVE-2008-3358 | SAP NetWeaver Portal Web Dynpro (WD) Vulnerable to cross-site scripting |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Cross-site scripting (XSS) vulnerability in Web Dynpro (WD) in the SAP NetWeaver portal, when Internet Explorer 7.0.5730 is used, allows remote attackers to inject arbitrary web script or HTML via a crafted URI, which causes the XSS payload to be reflected in a text/plain document. SAP NetWeaver and Web Dynpro Java are prone to a cross-site scripting vulnerability because the applications fail to sufficiently sanitize user-supplied input.
A successful exploit of this vulnerability could allow an attacker to compromise the application, access or modify data, or steal cookie-based authentication credentials. Other attacks are also possible.
This issue is associated with SAP notification number 1235253.
#############################################################
#
# COMPASS SECURITY ADVISORY
# http://www.csnc.ch/en/downloads/advisories.html
#
#############################################################
#
# Product: NetWeaver/Web DynPro
# Vendor: SAP (www.sap.com)
# CVD ID: CVE-2008-3358
# Subject: Cross-Site Scripting Vulnerability
# Risk: High
# Effect: Remotely exploitable
# Author: Martin Suess <martin.suess@csnc.ch>
# Date: January 27th 2009
#
#############################################################
Introduction:
-------------
The vulnerability found targets the SAP NetWeaver portal. It is
possible to execute JavaScript code in the browser of a valid user
when clicking on a specially crafted URL which can be sent to the
user by email.
This vulnerability can be used to steal the user's session cookie or
redirect him to a phishing website which shows the (faked) login
screen and gets his logon credentials as soon as he tries to log in
on the faked site.
Affected:
---------
- All tested versions that are vulnerable
SAP NetWeaver/Web DynPro
[for detailed Information, see SAP Notification 1235253]
Description:
------------
A specially crafted URL in SAP NetWeaver allows an attacker to
launch a Cross-Site Scripting attack. The resulting page contains
only the unfiltered value of the vulnerable parameter. It is possible
to create a URL which causes the resulting page to contain malicious
JavaScript code. A response to such a request could look like the
following example:
HTTP/1.1 200 OK
Date: Fri, 18 Jul 2008 13:13:30 GMT
Server: <server>
content-type: text/plain
Content-Length: 67
Keep-Alive: timeout=10, max=500
Connection: Keep-Alive
<html><title>test</title><body onload="alert(document.cookie)">
</body></html>
The code only gets executed in Microsoft Internet Explorer (tested
with version 7.0.5730 only). In Firefox (tested with version 3.0
only) it did not get executed as the content-type header of the
server response is interpreted more strictly (text/plain).
SAP Information Policy:
-----------------------
The information is available to registered SAP clients only (SAP
Security Notes).
Patches:
--------
Apply the latest SAP security patches for NetWeaver.
Timeline:
---------
Vendor Status: Patch released
Vendor Notified: July 21st 2008
Vendor Response: July 28th 2008
Patch available: October 2008
Advisory Release: January 27th 2009
References:
-----------
- SAP Notification 1235253 (problem and patches)
----------------------------------------------------------------------
TITLE:
SAP NetWeaver Cross-Site Scripting Vulnerability
SECUNIA ADVISORY ID:
SA33685
VERIFY ADVISORY:
http://secunia.com/advisories/33685/
CRITICAL:
Less critical
IMPACT:
Cross Site Scripting
WHERE:
From remote
SOFTWARE:
SAP NetWeaver 4.x
http://secunia.com/advisories/product/9490/
DESCRIPTION:
A vulnerability has been reported in SAP NetWeaver, which can be
exploited by malicious people to conduct cross-site scripting
attacks.
Input passed via the URL is not properly sanitised before being
returned to the user. This can be exploited to execute arbitrary HTML
and script code in a user's browser session in context of an affected
site.
Successful exploitation may require that the victim uses a browser
which executes JavaScript statements in documents of the content type
"text/plain" (e.g. Internet Explorer).
SOLUTION:
The vendor has reportedly issued a patch via SAP Note 1235253.
http://service.sap.com/sap/support/notes/1235253
PROVIDED AND/OR DISCOVERED BY:
Martin Suess, Compass Security
ORIGINAL ADVISORY:
SAP:
http://service.sap.com/sap/support/notes/1235253
Compass Security:
http://www.csnc.ch/misc/files/advisories/CVE-2008-3358.txt
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keep their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
VAR-200901-0378 | CVE-2009-0321 | Apple Safari on Windows denial of service (DoS) vulnerability |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Apple Safari 3.2.1 (aka AppVer 3.525.27.1) on Windows allows remote attackers to cause a denial of service (infinite loop or access violation) via a link to an http URI in which the authority (aka hostname) portion is either a (1) . (dot) or (2) .. (dot dot) sequence. A link to such an http URI can therefore put the browser into a denial-of-service (DoS) state. Apple Safari is prone to a denial-of-service vulnerability because it fails to adequately sanitize user-supplied input.
Attackers can exploit this issue to crash the affected application, denying service to legitimate users.
Apple Safari 3.2.1 for Windows is vulnerable; other versions may also be affected. In the affected http URI, the host part is either a "." sequence or a ".." sequence.
VAR-200901-0243 | CVE-2009-0032 | CUPS on Mandriva Linux, Corporate Server (CS) and Multi Network Firewall (MNF) vulnerable to symbolic link attacks |
CVSS V2: 6.9 CVSS V3: - Severity: MEDIUM |
CUPS on Mandriva Linux 2008.0, 2008.1, 2009.0, Corporate Server (CS) 3.0 and 4.0, and Multi Network Firewall (MNF) 2.0 allows local users to overwrite arbitrary files via a symlink attack on the /tmp/pdf.log temporary file. CUPS creates temporary files in an insecure manner.
An attacker with local access could potentially exploit this issue to perform symbolic-link attacks, overwriting arbitrary files in the context of the affected application.
Successfully mounting a symlink attack may allow the attacker to delete or corrupt sensitive files, which may result in a denial of service. Other attacks may also be possible.
CUPS 1.3.9 is vulnerable; other versions may also be affected.
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2009:028
http://www.mandriva.com/security/
_______________________________________________________________________
Package : cups
Date : January 24, 2009
Affected: 2008.0, 2008.1
_______________________________________________________________________
Problem Description:
Security vulnerabilities have been discovered and corrected in CUPS.
CUPS before 1.3.8 allows local users, and possibly remote attackers,
to cause a denial of service (daemon crash) by adding a large number
of RSS Subscriptions, which triggers a NULL pointer dereference
(CVE-2008-5183).
The web interface (cgi-bin/admin.c) in CUPS before 1.3.8 uses the
guest username when a user is not logged on to the web server, which
makes it easier for remote attackers to bypass intended policy and
conduct CSRF attacks via the (1) add and (2) cancel RSS subscription
functions (CVE-2008-5184).
CUPS 1.1.17 through 1.3.9 allows remote attackers to execute arbitrary
code via a PNG image with a large height value, which bypasses a
validation check and triggers a buffer overflow (CVE-2008-5286).
The updated packages have been patched to prevent this.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5183
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5184
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5286
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0032
_______________________________________________________________________
Updated Packages:
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type  Bits/KeyID      Date        User ID
pub   1024D/22458A98  2000-07-10  Mandriva Security Team <security*mandriva.com>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
VAR-200901-0451 | CVE-2008-3820 | Cisco Security Manager IPS Event Viewer Remote Unauthorized TCP Port Access Vulnerability |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Cisco Security Manager 3.1 and 3.2 before 3.2.2, when Cisco IPS Event Viewer (IEV) is used, exposes TCP ports used by the MySQL daemon and IEV server, which allows remote attackers to obtain "root access" to IEV via unspecified use of TCP sessions to these ports.
Attackers can exploit this issue to obtain SYSTEM-level access to data and to the Security Manager service. Successful exploits can result in the complete compromise of affected computers.
This issue is tracked by Cisco Bug ID CSCsv66897.
This issue affects Security Manager 3.0 up to 3.2.
----------------------------------------------------------------------
TITLE:
Cisco Security Manager Security Bypass Vulnerability
SECUNIA ADVISORY ID:
SA33633
VERIFY ADVISORY:
http://secunia.com/advisories/33633/
CRITICAL:
Moderately critical
IMPACT:
Security Bypass, Manipulation of data
WHERE:
From local network
SOFTWARE:
Cisco Security Manager (CSM) 3.x
http://secunia.com/advisories/product/18842/
DESCRIPTION:
A vulnerability has been reported in Cisco Security Manager, which
can be exploited by malicious people to bypass certain security
restrictions.
This vulnerability is reported in versions 3.1, 3.1.1, 3.2, and
3.2.1.
SOLUTION:
Update to a fixed version. Please see vendor advisory for a patch
matrix.
PROVIDED AND/OR DISCOVERED BY:
Reported by vendor.
ORIGINAL ADVISORY:
cisco-sa-20090121-csm:
http://www.cisco.com/en/US/products/products_security_advisory09186a0080a6192a.shtml
----------------------------------------------------------------------
An unauthenticated,
remote attacker could leverage this vulnerability to access the MySQL
databases or IEV server.
Cisco has released free software updates that address this
vulnerability. A workaround is also available to mitigate this
vulnerability. As part of
Cisco Security Manager installation, the Cisco IEV is installed by
default. The IEV is a Java-based application that allows users to
view and manage alerts for up to five sensors, including the ability
to report top alerts, attackers, and victims over a specified number
of hours or days. Users can connect to and view alerts in real time
or via imported log files, configure filters and views to help manage
alerts, and import and export event data for further analysis. These ports could allow
remote, unauthenticated root access to the IEV database and server.
The IEV database contains events that are collected from Cisco
Intrusion Prevention System (IPS) devices. The IEV server allows an
unauthenticated user to add, delete, or modify the devices that are
added into the IEV.
This vulnerability is documented in Cisco Bug ID CSCsv66897.
This vulnerability has been assigned the Common Vulnerabilities and
Exposures (CVE) identifier CVE-2008-3820.
Vulnerability Scoring Details
=============================
Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at
http://intellishield.cisco.com/security/alertmanager/cvss
CSCsv66897: Cisco Security Manager/IEV: TCP Ports open for remote
connection without any authentication
CVSS Base Score - 8.8
Access Vector - Network
Access Complexity - Medium
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - None
CVSS Temporal Score - 7.3
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of this vulnerability may result in remote
root access to the IEV database or to the IEV Server.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to
determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
A software patch for Cisco Security Manager versions 3.1, 3.1.1, 3.2
and 3.2.1 is available for download at:
http://www.cisco.com/cgi-bin/tablebuild.pl/csm-app?psrtdcat20e2
The patch file names by Cisco Security Manager version follow:
+------------------------------------------+
| Cisco | |
| Security | Patch Filename |
| Manager | |
| version | |
|-----------+------------------------------|
| 3.0.x and | Not Vulnerable |
| earlier | |
|-----------+------------------------------|
| 3.1 | CSM310PatchCSCsv66897.zip |
|-----------+------------------------------|
| 3.1.1.SP3 | CSM311SP3PatchCSCsv66897.zip |
|-----------+------------------------------|
| 3.2.SP2 | CSM320SP2PatchCSCsv66897.zip |
|-----------+------------------------------|
| 3.2.1.SP1 | CSM321SP1PatchCSCsv66897.zip |
|-----------+------------------------------|
| 3.2.2 | Not Vulnerable |
+------------------------------------------+
Please read the corresponding readme files for installation
instructions.
Workarounds
===========
In the event that Cisco IEV is not being used, administrators are
advised to disable the functionality until a patch is applied. To
disable IEV on Cisco Security Manager, perform the following steps:
1.
2. Open the Services dialog box (Choose Start > Administrative Tools
> Services).
3. Locate the Cisco IPS Event Viewer service and open Properties.
4. Change Startup Type: to Disabled and click Ok.
5. Stop the Cisco IPS Event Viewer service.
6.
7. Confirm that the Cisco IPS Event Viewer service has not
restarted.
Additional mitigations that can be deployed on Cisco devices
within the network are available in the Cisco Applied Mitigation
Bulletin companion document for this advisory:
http://www.cisco.com/warp/public/707/cisco-amb-20090121-csm.shtml
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should
consult their maintenance provider or check the software for feature
set compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound
by the terms of Cisco's software license terms found at
http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html
or as otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, this means that
upgrades should be obtained through the Software Center on Cisco's
worldwide website at http://www.cisco.com
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco
service contract, and customers who purchase through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should acquire upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to
a free upgrade. Free upgrades for non-contract customers must be
requested through the TAC.
Refer to http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
for additional TAC contact information, including localized
telephone numbers, and instructions and e-mail addresses for use in
various languages.
Exploitation and Public Announcements
=====================================
Cisco PSIRT is not aware of any public announcements or malicious use
of the vulnerability that is described in this advisory.
This vulnerability was discovered through internal Cisco testing.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at :
http://www.cisco.com/warp/public/707/cisco-sa-20090121-csm.shtml
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+---------------------------------------+
| Revision | | Initial |
| 1.0 | 2009-January-21 | public |
| | | release |
+---------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This includes instructions for press inquiries regarding Cisco
security notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt