VARIoT IoT vulnerabilities database
VAR-200505-0225 | CVE-2005-1472 | Apple Mac OS X Local file name information disclosure vulnerability |
CVSS V2: 2.1 CVSS V3: - Severity: LOW |
Certain system calls in Apple Mac OS X 10.4.1 do not properly enforce the permissions of certain directories without the POSIX read bit set, but with the execute bits set for group or other, which allows local users to list files in otherwise restricted directories. Apple Mac OS X is susceptible to a local information disclosure vulnerability. This is due to a failure of the operating system to properly implement POSIX permissions checking in certain circumstances.
This vulnerability allows local attackers to retrieve normally forbidden names contained in directories. This scenario is commonly used to obscure access to public directories (such as '~/Public/Drop Box') for security reasons, as users are required to have knowledge about already existing files contained in these directories to be able to access them.
VAR-200505-0878 | CVE-2005-1543 |
Novell ZENworks Multiple remote overflow vulnerabilities
Related entries in the VARIoT exploits database: VAR-E-200505-0074, VAR-E-200505-0073 |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Multiple stack-based and heap-based buffer overflows in Remote Management authentication (zenrem32.exe) on Novell ZENworks 6.5 Desktop and Server Management, ZENworks for Desktops 4.x, ZENworks for Servers 3.x, and Remote Management allow remote attackers to execute arbitrary code via (1) unspecified vectors, (2) type 1 authentication requests, and (3) type 2 authentication requests. Novell ZENworks is prone to multiple remote pre-authentication buffer overflow vulnerabilities.
The issues exist in the 'zenrem32.exe' executable and may be exploited by a remote attacker to execute arbitrary code in the context of the affected service.
----------------------------------------------------------------------
TITLE:
Novell ZENworks Remote Management Buffer Overflows
SECUNIA ADVISORY ID:
SA15433
VERIFY ADVISORY:
http://secunia.com/advisories/15433/
CRITICAL:
Moderately critical
IMPACT:
System access
WHERE:
From local network
SOFTWARE:
Novell ZENworks Desktop Management 6.x
http://secunia.com/product/4134/
Novell ZENworks for Desktops 4.x
http://secunia.com/product/1246/
Novell ZENworks for Servers 3
http://secunia.com/product/1247/
Novell ZENworks Server Management 6.x
http://secunia.com/product/5120/
DESCRIPTION:
Alex Wheeler has reported some vulnerabilities in ZENworks products,
which can be exploited by malicious people to compromise a vulnerable
system. The vulnerabilities can be exploited to cause heap-based
and stack-based buffer overflows by sending specially crafted
traffic to the Remote Management service.
Successful exploitation allows execution of arbitrary code.
PROVIDED AND/OR DISCOVERED BY:
Alex Wheeler
ORIGINAL ADVISORY:
Alex Wheeler:
http://www.rem0te.com/public/images/zen.pdf
Novell:
http://support.novell.com/cgi-bin/search/searchtid.cgi?/10097644.htm
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
----------------------------------------------------------------------
VAR-200505-1328 | CAN-2005-0356 | TCP does not adequately validate segments before updating timestamp value |
CVSS V2: - CVSS V3: - Severity: 4.73 |
Certain TCP implementations may allow a remote attacker to arbitrarily modify host timestamp values, leading to a denial-of-service condition. A denial-of-service vulnerability exists in TCP implementations of the RFC 1323 extensions. The issue resides in the Protection Against Wrapped Sequence Numbers (PAWS) mechanism, which was included to increase overall TCP performance.
When TCP 'timestamps' are enabled, both hosts at the endpoints of a TCP connection employ internal clocks to mark TCP headers with a 'timestamp' value.
The issue manifests if an attacker transmits a suitably crafted TCP packet carrying a timestamp option to a vulnerable computer. The attacker sets a large value as the packet timestamp. When the target computer processes this packet, the connection's internal "recent" timestamp is updated to the large value that the attacker supplied. This causes all valid packets received after the attack to be dropped, because they are deemed too old or invalid. This type of attack effectively denies service for the target connection.
=============================================================================
FreeBSD-SA-05:15.tcp Security Advisory
The FreeBSD Project
Topic: TCP connection stall denial of service
Category: core
Module: inet
Announced: 2005-06-29
Credits: Noritoshi Demizu
Affects: All FreeBSD releases.
Corrected: 2005-06-29 21:38:48 UTC (RELENG_5, 5.4-STABLE)
2005-06-29 21:41:03 UTC (RELENG_5_4, 5.4-RELEASE-p3)
2005-06-29 21:42:33 UTC (RELENG_5_3, 5.3-RELEASE-p17)
2005-06-29 21:43:42 UTC (RELENG_4, 4.11-STABLE)
2005-06-29 21:45:14 UTC (RELENG_4_11, 4.11-RELEASE-p11)
2005-06-29 21:46:15 UTC (RELENG_4_10, 4.10-RELEASE-p16)
CVE Name: CAN-2005-0356, CAN-2005-2068
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit
<URL:http://www.freebsd.org/security/>.
I. Background
The Transmission Control Protocol (TCP) of the TCP/IP protocol suite
provides a connection-oriented, reliable, sequence-preserving data
stream service. TCP
packets with the SYN flag set are used during setup of new TCP
connections.
II. Problem Description
Two problems have been discovered in the FreeBSD TCP stack.
First, when a TCP packet containing a timestamp is received, inadequate
checking of sequence numbers is performed, allowing an attacker to
artificially increase the internal "recent" timestamp for a connection.
Second, a TCP packet with the SYN flag set is accepted for established
connections, allowing an attacker to overwrite certain TCP options.
III. Impact
Using either of the two problems an attacker with knowledge of the
local and remote IP and port numbers associated with a connection
can cause a denial of service situation by stalling the TCP connection.
The stalled TCP connection may be closed after some time by the other
host.
IV. Workaround
In some cases it may be possible to defend against these attacks by
blocking the attack packets using a firewall. Packets used to effect
either of these attacks would have spoofed source IP addresses.
V. Solution
Perform one of the following:
1) Upgrade your vulnerable system to 4-STABLE or 5-STABLE, or to the
RELENG_5_4, RELENG_5_3, RELENG_4_11, or RELENG_4_10 security branch
dated after the correction date.
2) To patch your present system:
The following patches have been verified to apply to FreeBSD 4.10,
4.11, 5.3, and 5.4 systems.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
[FreeBSD 4.x]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:15/tcp4.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:15/tcp4.patch.asc
[FreeBSD 5.x]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:15/tcp.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:15/tcp.patch.asc
b) Apply the patch.
# cd /usr/src
# patch < /path/to/patch
c) Recompile your kernel as described in
<URL:http://www.freebsd.org/handbook/kernelconfig.html> and reboot the
system.
VI. Correction details
The following list contains the revision numbers of each file that was
corrected in FreeBSD.
Branch / Path                                                    Revision
- -------------------------------------------------------------------------
RELENG_4
src/sys/netinet/tcp_input.c 1.107.2.44
RELENG_4_11
src/UPDATING 1.73.2.91.2.12
src/sys/conf/newvers.sh 1.44.2.39.2.15
src/sys/netinet/tcp_input.c 1.107.2.41.4.3
RELENG_4_10
src/UPDATING 1.73.2.90.2.17
src/sys/conf/newvers.sh 1.44.2.34.2.18
src/sys/netinet/tcp_input.c 1.107.2.41.2.1
RELENG_5
src/sys/netinet/tcp_input.c 1.252.2.16
RELENG_5_4
src/UPDATING 1.342.2.24.2.12
src/sys/conf/newvers.sh 1.62.2.18.2.8
src/sys/netinet/tcp_input.c 1.252.2.14.2.1
RELENG_5_3
src/UPDATING 1.342.2.13.2.20
src/sys/conf/newvers.sh 1.62.2.15.2.22
src/sys/netinet/tcp_input.c 1.252.4.1
- -------------------------------------------------------------------------
VII. References
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0356
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2068
http://www.kb.cert.org/vuls/id/637934
The latest revision of this advisory is available at
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-05:15.tcp.asc
----------------------------------------------------------------------
TITLE:
Cisco Various Products TCP Timestamp Denial of Service
SECUNIA ADVISORY ID:
SA15393
VERIFY ADVISORY:
http://secunia.com/advisories/15393/
CRITICAL:
Less critical
IMPACT:
DoS
WHERE:
From remote
OPERATING SYSTEM:
Cisco SN5400 Series Storage Routers
http://secunia.com/product/2188/
Cisco MGX 8900 Series Multiservice Switches
http://secunia.com/product/5117/
Cisco MGX 8800 Series Multiservice Switches
http://secunia.com/product/5116/
Cisco MGX 8200 Series Edge Concentrators
http://secunia.com/product/5115/
Cisco Content Services Switch 11000 Series (WebNS)
http://secunia.com/product/1507/
Cisco Aironet 350 Series Access Point
http://secunia.com/product/5114/
Cisco Aironet 1200 Series Access Point
http://secunia.com/product/1929/
DESCRIPTION:
A vulnerability has been reported in some Cisco products, which can
be exploited by malicious people to cause a DoS (Denial of Service)
on active TCP sessions.
The vulnerability is caused due to an error in the implementation of
the TCP Timestamp option and can be exploited via specially crafted
packets to cause a targeted TCP session to stall until it's reset.
Successful exploitation requires knowledge of IP address information
of the source and destination of the TCP network connection.
The vulnerability affects the following products:
* SN5400 series storage routers
* CSS11000 series content services switches
* AP350 and AP1200 series Access Points running VxWorks
* MGX8200, MGX8800, and MGX8900 series WAN switches (only management
interfaces)
SOLUTION:
SN5400 series storage routers:
The vulnerability has been addressed by CSCin85370.
CSS11000 series content services switches:
The vulnerability has been addressed by CSCeh40395.
AP350 and AP1200 series Access Points:
The vendor recommends upgrading APs running VxWorks to Cisco IOS.
MGX series WAN switches:
The vulnerability has been documented by CSCeh85125 and CSCeh85130.
PROVIDED AND/OR DISCOVERED BY:
US-CERT credits Noritoshi Demizu.
ORIGINAL ADVISORY:
Cisco:
http://www.cisco.com/warp/public/707/cisco-sn-20050518-tcpts.shtml
OTHER REFERENCES:
US-CERT VU#637934:
http://www.kb.cert.org/vuls/id/637934
----------------------------------------------------------------------
For more information:
SA14904
SOLUTION:
Apply updated packages.
For more information:
SA15393
The vulnerability affects all versions of CacheOS and SGOS.
SOLUTION:
The vendor recommends disabling RFC1323 support until a patch is
available.
VAR-200505-0862 | CVE-2005-1566 | Acrowave AAP-3100AR Vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Acrowave AAP-3100AR wireless router allows remote attackers to bypass authentication by pressing CTRL-C at the username or password prompt in a telnet session, which causes the shell to crash and restart, then leaves the user in the new shell. Wlan Ap + Adsl Router is prone to a denial-of-service vulnerability.
----------------------------------------------------------------------
TITLE:
Acrowave AAP-3100AR Router Authentication Bypass
SECUNIA ADVISORY ID:
SA15343
VERIFY ADVISORY:
http://secunia.com/advisories/15343/
CRITICAL:
Less critical
IMPACT:
Security Bypass
WHERE:
From local network
OPERATING SYSTEM:
Acrowave AAP-3100AR Router
http://secunia.com/product/5094/
DESCRIPTION:
Martin Tornwall has reported a vulnerability in Acrowave AAP-3100AR
Router, which can be exploited by malicious people to bypass certain
security restrictions.
The vulnerability is caused due to an error in the authentication
process. This can be exploited to login without supplying a username
and password by pressing CTRL-C.
SOLUTION:
Filter access to the telnet interface.
PROVIDED AND/OR DISCOVERED BY:
Martin Tornwall
----------------------------------------------------------------------
VAR-200505-0875 | CVE-2005-1579 | Apple QuickTime Quartz Composer File information disclosure vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Apple QuickTime Player 7.0 on Mac OS X 10.4 allows remote attackers to obtain sensitive information via a .mov file with a Quartz Composer composition (.qtz) file that uses certain patches to read local information, then other patches to send the information to the attacker.
----------------------------------------------------------------------
TITLE:
Apple QuickTime Quartz Composer Disclosure of System Information
SECUNIA ADVISORY ID:
SA15307
VERIFY ADVISORY:
http://secunia.com/advisories/15307/
CRITICAL:
Not critical
IMPACT:
Exposure of system information
WHERE:
From remote
OPERATING SYSTEM:
Apple Macintosh OS X
http://secunia.com/product/96/
SOFTWARE:
Apple QuickTime 7.x
http://secunia.com/product/5090/
DESCRIPTION:
David Remahl has reported a weakness in Apple QuickTime, which can be
exploited by malicious people to disclose some system information.
The problem is that Quartz Composer compositions embedded in ".mov"
files can access certain system information, which can be disclosed
to web sites via JavaScript. This can e.g. be exploited to disclose
the local username and directory information by tricking a user into
visiting a malicious web site.
SOLUTION:
Disable the QuickTime browser plugin and do not open ".mov" and
Quartz Composer files from untrusted sources.
PROVIDED AND/OR DISCOVERED BY:
David Remahl
ORIGINAL ADVISORY:
http://remahl.se/david/vuln/018/
----------------------------------------------------------------------
VAR-200505-0802 | CVE-2005-1517 | Cisco Firewall Services Module Unknown vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Unknown vulnerability in Cisco Firewall Services Module (FWSM) 2.3.1 and earlier, when using URL, FTP, or HTTPS filtering exceptions, allows certain TCP packets to bypass access control lists (ACLs). FWSM for Cisco Catalyst 6500/7600 Series is prone to a remote security vulnerability.
VAR-200505-0790 | CVE-2005-1505 | Mac OS Vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
The new account wizard in Mail.app 2.0 in Mac OS 10.4, when configuring an IMAP mail account and checking the credentials, does not prompt the user to use SSL until after the password has already been sent, which causes the password to be sent in plaintext.
VAR-200505-1436 | CVE-2005-0758 | zgrep in gzip vulnerable to arbitrary command execution |
CVSS V2: 4.6 CVSS V3: - Severity: MEDIUM |
zgrep in gzip before 1.3.5 does not properly sanitize arguments, which allows local users to execute arbitrary commands via filenames that are injected into a sed script. ------------ This vulnerability information is a summary of multiple vulnerabilities released at the same time. Please note that the contents of vulnerability information other than the title are included. ------------ GNU zip (gzip) is a utility that compresses and decompresses files. It is packaged with tools such as zgrep, which runs grep on compressed files, and gunzip, which decompresses them. gzip 1.2.4 and earlier have several security issues: 1) zgrep, as included in gzip 1.2.4 and earlier, does not properly sanitize its arguments (CAN-2005-0758). Details are currently unknown, but a local attacker who exploits this issue may execute arbitrary commands by passing a crafted file name to zgrep. 2) gzip 1.2.4 and earlier, when decompressing a compressed file, are subject to a race condition between writing the decompressed file and changing its permissions (CAN-2005-0988). A local attacker who exploits this issue could alter the permissions of an arbitrary file by replacing the decompressed file with a hard link to that file at the right moment. 3) gunzip, as included in gzip 1.2.4 and earlier, does not properly validate the file name when decompressing a compressed file with the -N flag (CAN-2005-1228). A remote attacker who exploits this issue can carry out a directory traversal attack by sending the target user a compressed file whose stored file name contains a crafted ".." string and inducing the user to unpack it with gzip. Please refer to the "Overview" for the impact of this vulnerability. The 'zgrep' utility is reportedly affected by an arbitrary command-execution vulnerability.
An attacker may execute arbitrary commands through zgrep command arguments to potentially gain unauthorized access to the affected computer. Note that this issue poses a security threat only if the arguments originate from a malicious source.
This issue affects zgrep 1.2.4; other versions may be affected as well.
----------------------------------------------------------------------
TITLE:
gzip Directory Traversal Vulnerability
SECUNIA ADVISORY ID:
SA15047
VERIFY ADVISORY:
http://secunia.com/advisories/15047/
CRITICAL:
Less critical
IMPACT:
System access
WHERE:
From remote
SOFTWARE:
gzip 1.x
http://secunia.com/product/4220/
DESCRIPTION:
Ulf Härnhammar has reported a vulnerability in gzip, which
potentially can be exploited by malicious people to compromise a
user's system. The vulnerability makes it
possible to have a file extracted to an arbitrary location outside
the current directory via directory traversal attacks.
The vulnerability has been reported in version 1.2.4, 1.2.4a, 1.3.3,
1.3.4 and 1.3.5.
SOLUTION:
Do not extract untrusted ".gz" files with the "-N" flag.
PROVIDED AND/OR DISCOVERED BY:
Ulf Härnhammar
----------------------------------------------------------------------
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200505-05
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: gzip: Multiple vulnerabilities
Date: May 09, 2005
Bugs: #89946, #90626
ID: 200505-05
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
gzip contains multiple vulnerabilities potentially allowing an attacker
to execute arbitrary commands. The zgrep utility improperly
sanitizes arguments, which may come from an untrusted source
(CAN-2005-0758).
Impact
======
These vulnerabilities could allow arbitrary command execution, changing
the permissions of arbitrary files, and installation of files to an
arbitrary location in the filesystem.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All gzip users should upgrade to the latest stable version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-arch/gzip-1.3.5-r6"
References
==========
[ 1 ] CAN-2005-0758
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0758
[ 2 ] CAN-2005-0988
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0988
[ 3 ] CAN-2005-1228
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1228
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-200505-05.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.
License
=======
Copyright 2005 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.0
____________________________________________________________________________
Publisher Name: OpenPKG GmbH
Publisher Home: http://openpkg.com/
Advisory Id (public): OpenPKG-SA-2007.002
Advisory Type: OpenPKG Security Advisory (SA)
Advisory Directory: http://openpkg.com/go/OpenPKG-SA
Advisory Document: http://openpkg.com/go/OpenPKG-SA-2007.002
Advisory Published: 2007-01-05 21:58 UTC
Issue Id (internal): OpenPKG-SI-20070105.01
Issue First Created: 2007-01-05
Issue Last Modified: 2007-01-05
Issue Revision: 04
____________________________________________________________________________
Subject Name: bzip2
Subject Summary: Compression Tool
Subject Home: http://www.bzip.org/
Subject Versions: * <= 1.0.3
Vulnerability Id: CVE-2005-0953, CVE-2005-0758
Vulnerability Scope: global (not OpenPKG specific)
Attack Feasibility: run-time
Attack Vector: local system
Attack Impact: manipulation of data, arbitrary code execution
Description:
Together with two portability and stability issues, two older
security issues were fixed in the compression tool BZip2 [0], versions
up to and including 1.0.3.
References:
[0] http://www.bzip.org/
____________________________________________________________________________
Primary Package Name: bzip2
Primary Package Home: http://openpkg.org/go/package/bzip2
Corrected Distribution:   Corrected Branch:      Corrected Package:
OpenPKG Enterprise        E1.0-SOLID             bzip2-1.0.3-E1.0.1
OpenPKG Enterprise        E1.0-SOLID             openpkg-E1.0.2-E1.0.2
OpenPKG Community         2-STABLE-20061018      bzip2-1.0.4-2.20070105
OpenPKG Community         2-STABLE-20061018      openpkg-2.20070105-2.20070105
OpenPKG Community         2-STABLE               bzip2-1.0.4-2.20070105
OpenPKG Community         2-STABLE               openpkg-2.20070105-2.20070105
OpenPKG Community         CURRENT                bzip2-1.0.4-20070105
OpenPKG Community         CURRENT                openpkg-20070105-20070105
____________________________________________________________________________
For security reasons, this document was digitally signed with the
OpenPGP public key of the OpenPKG GmbH (public key id 61B7AE34)
which you can download from http://openpkg.com/openpkg.com.pgp
or retrieve from the OpenPGP keyserver at hkp://pgp.openpkg.org/.
Follow the instructions at http://openpkg.com/security/signatures/
for more details on how to verify the integrity of this document.
____________________________________________________________________________
VAR-200505-0908 | CVE-2005-0039 | IPsec configurations may be vulnerable to information disclosure |
CVSS V2: 6.4 CVSS V3: - Severity: MEDIUM |
Certain configurations of IPsec, when using Encapsulating Security Payload (ESP) in tunnel mode, integrity protection at a higher layer, or Authentication Header (AH), allow remote attackers to decrypt IPSec communications by modifying the outer packet in ways that cause plaintext data from the inner packet to be returned in ICMP messages, as demonstrated using bit-flipping attacks and (1) Destination Address Rewriting, (2) a modified header length that causes portions of the packet to be interpreted as IP Options, or (3) a modified protocol field and source address. A vulnerability has been discovered in IPSec communication that occurs when only confidentiality protection is configured and integrity protection is not. It occurs regardless of the ESP cipher used (AES, DES, Triple-DES), its version, or the key size. The vulnerability is abused by using a bit-flipping technique to tamper with fields of the IP header (source address, header length, protocol field) inside the encrypted IPSec packet. After the data has been tampered with, the communication contents may be obtained by receiving the ICMP error message that is sent back to the sender. As a result, sensitive information carried over IPSec may be disclosed. A vulnerability affects certain configurations of IPSec.
Reports indicate that these attacks may also potentially be possible against IPSec when AH is in use, but only under certain unspecified configurations.
The reported attacks take advantage of the fact that no ESP packet payload integrity checks exist when ESP is configured in the vulnerable aforementioned manner.
This issue may be leveraged by an attacker to reveal plaintext IP datagrams and potentially sensitive information. Information harvested in this manner may be used to aid in further attacks.
This BID will be updated as further information is made available.
----------------------------------------------------------------------
TITLE:
HP Tru64 UNIX IPsec Tunnel ESP Mode Encrypted Data Disclosure
SECUNIA ADVISORY ID:
SA16401
VERIFY ADVISORY:
http://secunia.com/advisories/16401/
CRITICAL:
Less critical
IMPACT:
Exposure of sensitive information
WHERE:
From remote
OPERATING SYSTEM:
HP Tru64 UNIX 5.x
http://secunia.com/product/2/
DESCRIPTION:
HP has acknowledged a vulnerability in HP Tru64 UNIX, which can be
exploited by malicious people to disclose certain sensitive
information.
The vulnerability affects the following supported versions:
* HP Tru64 UNIX 5.1B-3
* HP Tru64 UNIX 5.1B-2/PK4
SOLUTION:
Apply ERP kits.
PROVIDED AND/OR DISCOVERED BY:
NISCC
ORIGINAL ADVISORY:
HP SSRT5957:
http://itrc.hp.com/service/cki/docDisplay.do?docId=HPSBTU01217
NISCC:
http://www.niscc.gov.uk/niscc/docs/al-20050509-00386.html
----------------------------------------------------------------------
Some configurations using AH to provide integrity protection are also vulnerable.
Impact
------
If exploited, it is possible for an active attacker to obtain the plaintext version of the IPsec-protected
communications using only moderate effort.
Severity
--------
This is rated as high.
Summary
-------
IP Security (IPsec) is a set of protocols developed by the Internet Engineering Task Force (IETF)
to support secure exchange of packets at the IP layer; IPsec has been deployed widely to implement
Virtual Private Networks (VPNs). Some configurations using
AH to provide integrity protection are also vulnerable. In these configurations, an attacker can
modify sections of the IPsec packet, causing either the cleartext inner packet to be redirected or
a network host to generate an error message. In the latter case, these errors are relayed via the
Internet Control Message Protocol (ICMP); because of the design of ICMP, these messages directly
reveal segments of the header and payload of the inner datagram in cleartext. An attacker who can
intercept the ICMP messages can then retrieve plaintext data. The attacks have been implemented and
demonstrated to work under realistic conditions.
[Please note that revisions to this advisory will not be notified by email. All
subscribers are advised to regularly check the UNIRAS website for updates to this notice.]
Details
-------
CVE number: CAN-2005-0039
IPsec consists of several separate protocols; these include:
* Authentication Header (AH): provides authenticity guarantees for packets, by attaching a strong
cryptographic checksum to packets.
* Encapsulating Security Payload (ESP): provides confidentiality guarantees for packets, by
encrypting packets with encryption algorithms. ESP also provides optional authentication
services for packets.
* Internet Key Exchange (IKE): provides ways to securely negotiate shared keys.
AH and ESP have two modes of use: transport mode and tunnel mode. However, without some form of integrity protection, CBC-mode encrypted
data is vulnerable to modification by an active attacker.
By making careful modifications to selected portions of the payload of the outer packet, an
attacker can effect controlled changes to the header of the inner (encrypted) packet. The modified
inner packet is subsequently processed by the IP software on the receiving security gateway or the
endpoint host; the inner packet, in cleartext form, may be redirected or certain error messages
may be produced and communicated by ICMP. Because of the design of ICMP, these messages directly
reveal cleartext segments of the header and payload of the inner packet. If these messages can be
intercepted by an attacker, then plaintext data is revealed.
Attacks exploiting these vulnerabilities rely on the following:
* Exploitation of the well-known bit flipping weakness of CBC mode encryption.
* Lack of integrity protection for inner packets.
* Interaction between IPsec processing and IP processing on security gateways and end hosts.
These attacks can be fully automated so as to recover the entire contents of multiple
IPsec-protected inner packets.
1. Destination Address Rewriting
* An attacker modifies the destination IP address of the encrypted (inner) packet by bit-flipping
in the payload of the outer packet.
* The security gateway decrypts the outer payload to recover the (modified) inner packet.
* The gateway then routes the inner packet according to its (modified) destination IP address.
* If successful, the "plaintext" inner datagram arrives at a host of the attacker's choice.
2. IP Options
* An attacker modifies the header length of the encrypted (inner) packet by bit-flipping in the
payload of the outer packet.
* The security gateway decrypts the outer payload to recover the (modified) inner packet.
* The gateway then performs IP options processing on the inner packet because of the modified
header length, with the first part of the inner payload being interpreted as options bytes.
* With some probability, options processing will result in the generation of an ICMP "parameter
problem" message.
* The ICMP message is routed to the now modified source address of the inner packet.
* An attacker intercepts the ICMP message and retrieves the "plaintext" payload of the inner
packet.
3. Protocol Field
* An attacker modifies the protocol field and source address field of the encrypted (inner)
packet by bit-flipping in the payload of the outer packet.
* The security gateway decrypts the outer payload to recover the (modified) inner packet.
* The gateway forwards the inner packet to the intended recipient.
* The intended recipient inspects the protocol field of the inner packet and generates an ICMP
"protocol unreachable" message.
* The ICMP message is routed to the now modified source address of the inner packet.
* An attacker intercepts the ICMP message and retrieves the "plaintext" payload of the inner
packet.
The attacks are probabilistic in nature and may need to be iterated many times in a first phase in
order to be successful. Once this first phase is complete, the results can be reused to efficiently
recover the contents of further inner packets.
Naturally, the attacker must be able to intercept traffic passing between the security gateways in
order to mount the attacks. For the second and third attacks to be successful, the attacker must be
able to intercept the relevant ICMP messages. Variants of these attacks in which the destination of
the ICMP messages can be controlled by the attacker are also possible.
Solution
--------
Any of the following methods can be used to rectify this issue:
1. This is the recommended
solution.
2. Use the AH protocol alongside ESP to provide integrity protection. However, this must be done
carefully: for example, the configuration where AH in transport mode is applied end-to-end and
tunnelled inside ESP is still vulnerable.
3. Remove the error reporting by restricting the generation of ICMP messages or by filtering
these messages at a firewall or security gateway.
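The CBC malleability the advisory relies on, and the effect of the integrity protection recommended above, as an added example that is not part of the NISCC or HP advisories. To run with only the Python standard library it uses a 4-round Feistel toy block cipher built on HMAC-SHA256 in place of AES; the packet layout (IV, CBC ciphertext, truncated ICV), the keys and the inner-packet bytes are all constructed for the example.

```python
import hmac
import hashlib

BLOCK = 16      # 128-bit blocks, the block size ESP uses with AES-CBC
ICV_LEN = 16    # truncated integrity check value (constructed size for this example)
ROUNDS = 4


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round_fn(key: bytes, half: bytes, rnd: int) -> bytes:
    # Feistel round function: keyed hash of one half-block, truncated to 8 bytes.
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[: BLOCK // 2]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    # Toy 16-byte block cipher (balanced Feistel network). It stands in for AES only so
    # the example runs with the standard library; CBC malleability is a property of the
    # mode, not of the block cipher, so the behaviour shown below is the same.
    left, right = block[:8], block[8:]
    for rnd in range(ROUNDS):
        left, right = right, _xor(left, _round_fn(key, right, rnd))
    return left + right


def block_decrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for rnd in reversed(range(ROUNDS)):
        left, right = _xor(right, _round_fn(key, left, rnd)), left
    return left + right


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    assert len(plaintext) % BLOCK == 0, "inner packet is padded to the block size"
    prev, out = iv, []
    for i in range(0, len(plaintext), BLOCK):
        prev = block_encrypt(key, _xor(plaintext[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    # P[i] = D(C[i]) XOR C[i-1]: a bit flipped in C[i-1] (or in the IV) flips the same
    # bit of P[i], while P[i-1], if there is one, decrypts to garbage.
    prev, out = iv, []
    for i in range(0, len(ciphertext), BLOCK):
        cur = ciphertext[i:i + BLOCK]
        out.append(_xor(block_decrypt(key, cur), prev))
        prev = cur
    return b"".join(out)


# --- ESP without integrity protection (the vulnerable configuration) ---------------

def esp_encrypt_only(enc_key: bytes, iv: bytes, inner: bytes) -> bytes:
    # Outer payload = IV || CBC ciphertext of the inner packet; nothing binds these bytes.
    return iv + cbc_encrypt(enc_key, iv, inner)


def receive_encrypt_only(enc_key: bytes, packet: bytes) -> bytes:
    # The gateway decrypts whatever arrives and hands the result to IP processing.
    return cbc_decrypt(enc_key, packet[:BLOCK], packet[BLOCK:])


# --- ESP with integrity protection (the recommended configuration) -----------------

def _icv(auth_key: bytes, body: bytes) -> bytes:
    return hmac.new(auth_key, body, hashlib.sha256).digest()[:ICV_LEN]


def esp_with_auth(enc_key: bytes, auth_key: bytes, iv: bytes, inner: bytes) -> bytes:
    body = esp_encrypt_only(enc_key, iv, inner)
    return body + _icv(auth_key, body)        # encrypt-then-MAC over IV and ciphertext


def receive_with_auth(enc_key: bytes, auth_key: bytes, packet: bytes):
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    if not hmac.compare_digest(icv, _icv(auth_key, body)):
        return None                            # ICV mismatch: drop, never decrypt
    return receive_encrypt_only(enc_key, body)


def flip_bit(data: bytes, index: int, bit: int) -> bytes:
    out = bytearray(data)
    out[index] ^= 1 << bit
    return bytes(out)


def demo() -> dict:
    # Constructed keys, IV and inner packet: a 16-byte "header" block plus one payload block.
    enc_key, auth_key = b"constructed-enc-key", b"constructed-auth-key"
    iv = bytes(range(BLOCK))
    inner = b"HDR:src=A,dst=B." + b"payload-block-01"

    # Case 1: flipping bit 0 of IV byte 14 flips bit 0 of header byte 14 ("B" -> "C");
    # no other byte changes and the encryption-only receiver accepts the packet.
    iv_flip = receive_encrypt_only(enc_key, flip_bit(esp_encrypt_only(enc_key, iv, inner), 14, 0))

    # Case 2: flipping a bit in ciphertext block 0 flips the same bit of payload byte 15
    # ("1" -> "0") but turns the header block into garbage, which is why the advisory's
    # attacks on later blocks succeed only with some probability.
    ct_flip = receive_encrypt_only(enc_key, flip_bit(esp_encrypt_only(enc_key, iv, inner), BLOCK + 15, 0))

    # Case 3: the same IV flip against an authenticated packet is rejected before decryption.
    authed = esp_with_auth(enc_key, auth_key, iv, inner)
    rejected = receive_with_auth(enc_key, auth_key, flip_bit(authed, 14, 0))
    accepted = receive_with_auth(enc_key, auth_key, authed)
    return {"iv_flip": iv_flip, "ct_flip": ct_flip, "rejected": rejected, "accepted": accepted}
```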
Vendor Information
------------------
A list of vendors affected by this vulnerability is not currently available. Please visit the web
site in order to check for updates.
Credits
-------
The NISCC Vulnerability Team would like to thank all vendors for their co-operation with
the handling of this vulnerability.
Contact Information
-------------------
The NISCC Vulnerability Management Team can be contacted as follows:
Email vulteam@niscc.gov.uk
Please quote the advisory reference in the subject line
Telephone +44 (0)870 487 0748 Ext 4511
Monday - Friday 08:30 - 17:00
Fax +44 (0)870 487 0749
Post Vulnerability Management Team
NISCC
PO Box 832
London
SW1P 1BG
We encourage those who wish to communicate via email to make use of our PGP key. This is
available from http://www.niscc.gov.uk/niscc/publicKey2-en.pop.
Please note that UK government protectively marked material should not be sent to the email
address above.
If you wish to be added to our email distribution list please email your request to
uniras@niscc.gov.uk.
What is NISCC?
--------------
For further information regarding the UK National Infrastructure Security Co-ordination Centre,
please visit http://www.niscc.gov.uk/.
Reference to any specific commercial product, process, or service by trade name, trademark
manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or
favouring by NISCC. The views and opinions of authors expressed within this notice shall not
be used for advertising or product endorsement purposes.
Neither shall NISCC accept responsibility for any errors or omissions contained within this
advisory. In particular, they shall not be liable for any loss or damage whatsoever,
arising from or in connection with the usage of information contained within this notice.
© 2005 Crown Copyright
<End of NISCC Vulnerability Advisory>
Acknowledgements
UNIRAS wishes to acknowledge the contributions of NISCC Vulnerability Team for the information contained in this Briefing.
Updates
This advisory contains the information released by the original author. If the vulnerability affects you, it may be prudent to retrieve the advisory from the canonical site to ensure that you receive the most current information concerning that problem.
Legal Disclaimer
Reference to any specific commercial product, process, or service by trade name, trademark manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favouring by UNIRAS or NISCC. The views and opinions of authors expressed within this notice shall not be used for advertising or product endorsement purposes.
Neither UNIRAS nor NISCC shall accept responsibility for any errors or omissions contained within this briefing notice. In particular, they shall not be liable for any loss or damage whatsoever, arising from or in connection with the usage of information contained within this notice.
FIRST
UNIRAS is a member of the Forum of Incident Response and Security Teams (FIRST) and has contacts with other international Incident Response Teams (IRTs) in order to foster cooperation and coordination in incident prevention, to prompt rapid reaction to incidents, and to promote information sharing amongst its members and the community at large.
SOLUTION:
The vendor recommends configuring ESP to use both encryption and
authentication (see the vendor's advisory for more information).
VAR-200505-1215 | CVE-2005-1248 | Apple iTunes MPEG4 Parsing Buffer Overflow Vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Buffer overflow in Apple iTunes before 4.8 allows remote attackers to execute arbitrary code via a crafted MPEG4 file.
This vulnerability was addressed in iTunes 4.8; all earlier versions are likely affected. Apple iTunes is a media player program.
TITLE:
iTunes MPEG-4 File Parsing Buffer Overflow Vulnerability
SECUNIA ADVISORY ID:
SA15310
VERIFY ADVISORY:
http://secunia.com/advisories/15310/
CRITICAL:
Highly critical
IMPACT:
System access
WHERE:
From remote
SOFTWARE:
iTunes 4.x
http://secunia.com/product/2916/
DESCRIPTION:
A vulnerability has been reported in iTunes, which potentially can be
exploited by malicious people to compromise a user's system.
The vulnerability is caused due to a boundary error within the MPEG-4
file parsing and can be exploited to cause a buffer overflow via a
specially crafted MPEG-4 file.
Successful exploitation may allow execution of arbitrary code.
SOLUTION:
Update to version 4.8.
http://www.apple.com/support/downloads/itunes48.html
PROVIDED AND/OR DISCOVERED BY:
The vendor credits Mark Litchfield of NGS Software.
ORIGINAL ADVISORY:
Apple:
http://docs.info.apple.com/article.html?artnum=301596
VAR-200511-0176 | CVE-2005-2739 | Apple Mac OS X Keychain Password information disclosure vulnerability |
CVSS V2: 2.1 CVSS V3: - Severity: LOW |
Keychain Access in Mac OS X 10.4.2 and earlier keeps a password visible even if a keychain times out while the password is being viewed, which could allow attackers with physical access to obtain the password. Apple has released Security Update 2005-10-31 to address multiple Mac OS X local vulnerabilities.
The following vulnerabilities were addressed by the security update:
- A misleading file ownership display, resulting in a false sense of security.
- A software update failure, potentially resulting in a failure to install critical security fixes.
- A group membership alteration issue, potentially resulting in unauthorized access due to delayed changes to group membership.
- An information disclosure issue with Keychain, potentially allowing unauthorized users to view already displayed plaintext passwords after the Keychain has automatically locked due to a timeout.
- Multiple information disclosure issues in the kernel, potentially allowing local users to gain access to sensitive information, aiding them in further attacks.
These vulnerabilities will be separated into individual BIDs upon further analysis of the issues. This update addresses the issue by synchronizing the
displayed ownership with the actual ownership in all situations.
This issue does not affect systems prior to Mac OS X v10.4. If all applicable updates have been marked
in this way, Software Update will exit without providing an
opportunity to reset the status of these updates so that they may
be installed. This update addresses the issue by asking whether the
ignored updates list should be reset when this situation is
encountered. This issue does not affect systems prior to Mac OS X
v10.4. This may
result in an authenticated user being able to access files or other
resources even after they have been removed from a group. This issue does not affect systems
prior to Mac OS X v10.4.
If a keychain automatically locks due to a timeout while viewing a
password stored inside it, that password will remain visible. This
update patches Keychain Access so that passwords are hidden when
keychains lock. This issue does not affect systems prior to Mac OS
X v10.4. Credit to Eric Hall of DarkArt Consulting Services for
reporting this issue.
Kernel
CVE-ID: CVE-2005-1126, CVE-2005-1406, CVE-2005-2752
Available for: Mac OS X v10.4.2, Mac OS X Server v10.4.2
Impact: Kernel memory may be disclosed to local users
Description: Certain kernel interfaces may return data that
includes sensitive information in uninitialized memory. These
issues affect Mac OS X v10.4.2 and earlier. Credit to Ilja van
Sprundel and Neil Archibald of Suresec LTD, and Colin Percival of
the FreeBSD team for reporting these issues. This is due to the password
display not being hidden after the timeout.
An issue in the Software Update and another in the displaying of file
and group permissions in the Finder Get Info Window have also been
fixed.
ORIGINAL ADVISORY:
http://docs.info.apple.com/article.html?artnum=302763
OTHER REFERENCES:
SA14959:
http://secunia.com/advisories/14959/
SA15262:
http://secunia.com/advisories/15262/
VAR-200511-0171 | CVE-2005-2752 | Apple Mac OS X Kernel Unknown Information Disclosure Vulnerability |
CVSS V2: 2.1 CVSS V3: - Severity: LOW |
An unspecified kernel interface in Mac OS X 10.4.2 and earlier does not properly clear memory before reusing it, which could allow attackers to obtain sensitive information, a different vulnerability than CVE-2005-1126 and CVE-2005-1406. Apple has released Security Update 2005-10-31 to address multiple Mac OS X local vulnerabilities.
The following vulnerabilities were addressed by the security update:
- A misleading file ownership display, resulting in a false sense of security.
- A software update failure, potentially resulting in a failure to install critical security fixes.
- A group membership alteration issue, potentially resulting in unauthorized access due to delayed changes to group membership.
- An information disclosure issue with Keychain, potentially allowing unauthorized users to view already displayed plaintext passwords after the Keychain has automatically locked due to a timeout.
- Multiple information disclosure issues in the kernel, potentially allowing local users to gain access to sensitive information, aiding them in further attacks.
These vulnerabilities will be separated into individual BIDs upon further analysis of the issues. This update addresses the issue by synchronizing the
displayed ownership with the actual ownership in all situations.
This issue does not affect systems prior to Mac OS X v10.4. If all applicable updates have been marked
in this way, Software Update will exit without providing an
opportunity to reset the status of these updates so that they may
be installed. This update addresses the issue by asking whether the
ignored updates list should be reset when this situation is
encountered. This issue does not affect systems prior to Mac OS X
v10.4. This may
result in an authenticated user being able to access files or other
resources even after they have been removed from a group. This issue does not affect systems
prior to Mac OS X v10.4.
Keychain
CVE-ID: CVE-2005-2739
Available for: Mac OS X v10.4.2, Mac OS X Server v10.4.2
Impact: Keychain Access will continue displaying plaintext
passwords after lock timeout
Description: Keychain Access is a utility distributed with Mac OS X
that is used to view keychain items and change keychain settings.
If a keychain automatically locks due to a timeout while viewing a
password stored inside it, that password will remain visible. This
update patches Keychain Access so that passwords are hidden when
keychains lock. This issue does not affect systems prior to Mac OS
X v10.4. Credit to Eric Hall of DarkArt Consulting Services for
reporting this issue. These
issues affect Mac OS X v10.4.2 and earlier. Credit to Ilja van
Sprundel and Neil Archibald of Suresec LTD, and Colin Percival of
the FreeBSD team for reporting these issues. This is due to the password
display not being hidden after the timeout.
An issue in the Software Update and another in the displaying of file
and group permissions in the Finder Get Info Window have also been
fixed.
ORIGINAL ADVISORY:
http://docs.info.apple.com/article.html?artnum=302763
OTHER REFERENCES:
SA14959:
http://secunia.com/advisories/14959/
SA15262:
http://secunia.com/advisories/15262/
VAR-200511-0170 | CVE-2005-2751 | Apple Mac OS X Group user changes are not properly synchronized |
CVSS V2: 2.1 CVSS V3: - Severity: LOW |
memberd in Mac OS X 10.4 up to 10.4.2, in certain situations, does not quickly synchronize access control checks with changes in group membership, which could allow users to access files and other resources after they have been removed from a group. Apple has released Security Update 2005-10-31 to address multiple Mac OS X local vulnerabilities.
The following vulnerabilities were addressed by the security update:
- A misleading file ownership display, resulting in a false sense of security.
- A software update failure, potentially resulting in a failure to install critical security fixes.
- A group membership alteration issue, potentially resulting in unauthorized access due to delayed changes to group membership.
- An information disclosure issue with Keychain, potentially allowing unauthorized users to view already displayed plaintext passwords after the Keychain has automatically locked due to a timeout.
- Multiple information disclosure issues in the kernel, potentially allowing local users to gain access to sensitive information, aiding them in further attacks.
These vulnerabilities will be separated into individual BIDs upon further analysis of the issues. This update addresses the issue by synchronizing the
displayed ownership with the actual ownership in all situations.
This issue does not affect systems prior to Mac OS X v10.4. If all applicable updates have been marked
in this way, Software Update will exit without providing an
opportunity to reset the status of these updates so that they may
be installed. This update addresses the issue by asking whether the
ignored updates list should be reset when this situation is
encountered. This issue does not affect systems prior to Mac OS X
v10.4. This issue does not affect systems
prior to Mac OS X v10.4.
Keychain
CVE-ID: CVE-2005-2739
Available for: Mac OS X v10.4.2, Mac OS X Server v10.4.2
Impact: Keychain Access will continue displaying plaintext
passwords after lock timeout
Description: Keychain Access is a utility distributed with Mac OS X
that is used to view keychain items and change keychain settings.
If a keychain automatically locks due to a timeout while viewing a
password stored inside it, that password will remain visible. This
update patches Keychain Access so that passwords are hidden when
keychains lock. This issue does not affect systems prior to Mac OS
X v10.4. Credit to Eric Hall of DarkArt Consulting Services for
reporting this issue.
Kernel
CVE-ID: CVE-2005-1126, CVE-2005-1406, CVE-2005-2752
Available for: Mac OS X v10.4.2, Mac OS X Server v10.4.2
Impact: Kernel memory may be disclosed to local users
Description: Certain kernel interfaces may return data that
includes sensitive information in uninitialized memory. These
issues affect Mac OS X v10.4.2 and earlier. Credit to Ilja van
Sprundel and Neil Archibald of Suresec LTD, and Colin Percival of
the FreeBSD team for reporting these issues. This is due to the password
display not being hidden after the timeout.
An issue in the Software Update and another in the displaying of file
and group permissions in the Finder Get Info Window have also been
fixed.
ORIGINAL ADVISORY:
http://docs.info.apple.com/article.html?artnum=302763
OTHER REFERENCES:
SA14959:
http://secunia.com/advisories/14959/
SA15262:
http://secunia.com/advisories/15262/
VAR-200511-0169 | CVE-2005-2750 | Apple Mac OS X Software update is ignored |
CVSS V2: 2.1 CVSS V3: - Severity: LOW |
Software Update in Mac OS X 10.4.2, when the user marks all updates to be ignored, exits without asking the user to reset the status of the updates, which could prevent important, security-relevant updates from being installed. Apple has released Security Update 2005-10-31 to address multiple Mac OS X local vulnerabilities.
The following vulnerabilities were addressed by the security update:
- A misleading file ownership display, resulting in a false sense of security.
- A software update failure, potentially resulting in a failure to install critical security fixes.
- A group membership alteration issue, potentially resulting in unauthorized access due to delayed changes to group membership.
- An information disclosure issue with Keychain, potentially allowing unauthorized users to view already displayed plaintext passwords after the Keychain has automatically locked due to a timeout.
- Multiple information disclosure issues in the kernel, potentially allowing local users to gain access to sensitive information, aiding them in further attacks.
These vulnerabilities will be separated into individual BIDs upon further analysis of the issues. This update addresses the issue by synchronizing the
displayed ownership with the actual ownership in all situations.
This issue does not affect systems prior to Mac OS X v10.4. This update addresses the issue by asking whether the
ignored updates list should be reset when this situation is
encountered. This issue does not affect systems prior to Mac OS X
v10.4. This may
result in an authenticated user being able to access files or other
resources even after they have been removed from a group. This issue does not affect systems
prior to Mac OS X v10.4.
Keychain
CVE-ID: CVE-2005-2739
Available for: Mac OS X v10.4.2, Mac OS X Server v10.4.2
Impact: Keychain Access will continue displaying plaintext
passwords after lock timeout
Description: Keychain Access is a utility distributed with Mac OS X
that is used to view keychain items and change keychain settings.
If a keychain automatically locks due to a timeout while viewing a
password stored inside it, that password will remain visible. This
update patches Keychain Access so that passwords are hidden when
keychains lock. This issue does not affect systems prior to Mac OS
X v10.4. Credit to Eric Hall of DarkArt Consulting Services for
reporting this issue.
Kernel
CVE-ID: CVE-2005-1126, CVE-2005-1406, CVE-2005-2752
Available for: Mac OS X v10.4.2, Mac OS X Server v10.4.2
Impact: Kernel memory may be disclosed to local users
Description: Certain kernel interfaces may return data that
includes sensitive information in uninitialized memory. These
issues affect Mac OS X v10.4.2 and earlier. Credit to Ilja van
Sprundel and Neil Archibald of Suresec LTD, and Colin Percival of
the FreeBSD team for reporting these issues. This is due to the password
display not being hidden after the timeout.
An issue in the Software Update and another in the displaying of file
and group permissions in the Finder Get Info Window have also been
fixed.
ORIGINAL ADVISORY:
http://docs.info.apple.com/article.html?artnum=302763
OTHER REFERENCES:
SA14959:
http://secunia.com/advisories/14959/
SA15262:
http://secunia.com/advisories/15262/
VAR-200511-0168 | CVE-2005-2749 | Apple Mac OS X Finder Unknown vulnerability |
CVSS V2: 2.1 CVSS V3: - Severity: LOW |
Unspecified vulnerability in the Finder Get Info window for Mac OS X 10.4 up to 10.4.2 causes Finder to misrepresent file and group ownership information. NOTE: it is not clear whether this issue satisfies the CVE definition of a vulnerability. Apple has released Security Update 2005-10-31 to address multiple Mac OS X local vulnerabilities.
The following vulnerabilities were addressed by the security update:
- A misleading file ownership display, resulting in a false sense of security.
- A software update failure, potentially resulting in a failure to install critical security fixes.
- A group membership alteration issue, potentially resulting in unauthorized access due to delayed changes to group membership.
- An information disclosure issue with Keychain, potentially allowing unauthorized users to view already displayed plaintext passwords after the Keychain has automatically locked due to a timeout.
- Multiple information disclosure issues in the kernel, potentially allowing local users to gain access to sensitive information, aiding them in further attacks.
These vulnerabilities will be separated into individual BIDs upon further analysis of the issues. This update addresses the issue by synchronizing the
displayed ownership with the actual ownership in all situations.
This issue does not affect systems prior to Mac OS X v10.4. If all applicable updates have been marked
in this way, Software Update will exit without providing an
opportunity to reset the status of these updates so that they may
be installed. This update addresses the issue by asking whether the
ignored updates list should be reset when this situation is
encountered. This issue does not affect systems prior to Mac OS X
v10.4. This may
result in an authenticated user being able to access files or other
resources even after they have been removed from a group. This issue does not affect systems
prior to Mac OS X v10.4.
Keychain
CVE-ID: CVE-2005-2739
Available for: Mac OS X v10.4.2, Mac OS X Server v10.4.2
Impact: Keychain Access will continue displaying plaintext
passwords after lock timeout
Description: Keychain Access is a utility distributed with Mac OS X
that is used to view keychain items and change keychain settings.
If a keychain automatically locks due to a timeout while viewing a
password stored inside it, that password will remain visible. This
update patches Keychain Access so that passwords are hidden when
keychains lock. This issue does not affect systems prior to Mac OS
X v10.4. Credit to Eric Hall of DarkArt Consulting Services for
reporting this issue.
Kernel
CVE-ID: CVE-2005-1126, CVE-2005-1406, CVE-2005-2752
Available for: Mac OS X v10.4.2, Mac OS X Server v10.4.2
Impact: Kernel memory may be disclosed to local users
Description: Certain kernel interfaces may return data that
includes sensitive information in uninitialized memory. These
issues affect Mac OS X v10.4.2 and earlier. Credit to Ilja van
Sprundel and Neil Archibald of Suresec LTD, and Colin Percival of
the FreeBSD team for reporting these issues. This is due to the password
display not being hidden after the timeout.
ORIGINAL ADVISORY:
http://docs.info.apple.com/article.html?artnum=302763
OTHER REFERENCES:
SA14959:
http://secunia.com/advisories/14959/
SA15262:
http://secunia.com/advisories/15262/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keep their systems up to date against the latest
vulnerabilities.
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
VAR-200505-0358 | CVE-2005-1340 | Server Admin for Mac OS X Vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
The HTTP proxy service in Server Admin for Mac OS X 10.3.9 does not restrict access when it is enabled, which allows remote attackers to use the proxy. Mac OS X is prone to a remote security vulnerability (an open proxy)
VAR-200505-0357 | CVE-2005-1339 | Mac OS X Vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
lukemftpd in Mac OS X 10.3.9 allows remote authenticated users to escape the chroot environment by logging in with their full name
VAR-200505-0356 | CVE-2005-1338 | Mac OS X Vulnerability |
CVSS V2: 4.6 CVSS V3: - Severity: MEDIUM |
Mac OS X 10.3.9, when using an LDAP server that does not use ldap_extended_operation, may store initial LDAP passwords for new accounts in plaintext. Mac OS X is prone to a local security vulnerability
VAR-200505-0352 | CVE-2005-1333 | Apple Mac OS X BlueTooth Directory Traversal Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Directory traversal vulnerability in the Bluetooth file and object exchange (OBEX) services in Mac OS X 10.3.9 allows remote attackers to read arbitrary files. Apple Mac OS X is prone to a directory-traversal vulnerability.
This issue was initially reported in BID 13480 (Apple Mac OS X Multiple Vulnerabilities). Due to the availability of more information, this issue is being assigned a new BID. Apple has supported Bluetooth devices since Mac OS X 10.2
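The advisory for CVE-2005-1333 says only that the OBEX services let a remote attacker read arbitrary files, which is the classic outcome when a file-exchange server joins a client-supplied object name to its share root without checking the components. The following C code is an added example, not Apple's OBEX implementation or its fix, of the guard such a service needs before it opens anything: it rejects absolute names, empty components, `.` and `..`, and (as a conservative assumption) backslashes, then builds the path under a share root. The function names, the `/Users/alice/Public` root and the object names in `main` are all constructed for this illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Return true only if `name` is a relative path made of ordinary components,
 * i.e. it cannot step outside the directory it is joined to. Backslashes are
 * rejected as well, since some OBEX clients send them as separators. */
bool obex_name_is_safe(const char *name)
{
    if (name == NULL || *name == '\0')
        return false;
    if (name[0] == '/')                  /* absolute path */
        return false;
    if (strchr(name, '\\') != NULL)      /* foreign separator */
        return false;

    const char *p = name;
    for (;;) {
        const char *end = strchr(p, '/');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len == 0)                    /* "a//b" */
            return false;
        if (len == 1 && p[0] == '.')     /* "." */
            return false;
        if (len == 2 && p[0] == '.' && p[1] == '.') /* ".." */
            return false;
        if (end == NULL)
            return true;
        p = end + 1;
        if (*p == '\0')                  /* trailing slash */
            return false;
    }
}

/* Build "<root>/<name>" into out. Returns 0 on success, -1 if the name is
 * rejected or the result does not fit. */
int obex_resolve(const char *root, const char *name, char *out, size_t outlen)
{
    if (!obex_name_is_safe(name))
        return -1;
    int n = snprintf(out, outlen, "%s/%s", root, name);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return 0;
}

int main(void)
{
    /* Constructed object names: the first two are legitimate, the rest are
     * traversal attempts of the kind a share like ~/Public must refuse. */
    static const char *names[] = {
        "photo.jpg", "Pictures/photo.jpg", "../../../etc/passwd",
        "/etc/passwd", "Pictures/../../.ssh/id_rsa", "..\\..\\etc\\passwd",
    };
    char path[512];
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        if (obex_resolve("/Users/alice/Public", names[i], path, sizeof path) == 0)
            printf("accept %-28s -> %s\n", names[i], path);
        else
            printf("reject %s\n", names[i]);
    }
    return 0;
}
```

Component-wise rejection is deliberately stricter than normalising `..` away, because a normaliser has to agree exactly with the kernel's path resolution to be safe. It does not, however, protect against a symbolic link inside the share that points outside it; a server that also has to defend against that should resolve the final path (realpath() or an O_NOFOLLOW open) and confirm it still starts with the share root.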
VAR-200505-0349 | CVE-2005-1330 | AppKit in Mac OS X Vulnerability |
CVSS V2: 4.9 CVSS V3: - Severity: MEDIUM |
AppKit in Mac OS X 10.3.9 allows attackers to cause a denial of service (Cocoa application crash) via a malformed TIFF image that causes the NXSeek to use an incorrect offset, leading to an unhandled exception