VARIoT IoT vulnerabilities database
VAR-201110-0449 | CVE-2011-3319 | Cisco WebEx Recording Format (WRF) player of WRF Analysis buffer overflow buffer vulnerability |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Buffer overflow in the WRF parsing functionality in the Cisco WebEx Recording Format (WRF) player T26 before SP49 EP40 and T27 before SP28 allows remote attackers to execute arbitrary code via a crafted WRF file. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within atdl2006.dll. The vulnerability is caused by lack of validation when parsing WRF files. A specially crafted WRF file will cause the application to incorrectly push a size value to a memcpy, allowing for corruption of heap memory. An attacker can leverage this vulnerability to execute arbitrary code on the target system under the context of the current user. Cisco WebEx is a web conferencing solution. Cisco WebEx is prone to multiple remote buffer-overflow vulnerabilities. Failed exploit attempts may result in a denial-of-service condition.
The specific flaw exists within atdl2006.dll. More details
can be found at:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20111026-webex
- -- Disclosure Timeline:
2011-05-25 - Vulnerability reported to vendor
2011-12-07 - Coordinated public release of advisory
- -- Credit:
This vulnerability was discovered by:
* Aniway (Aniway.Anyway@gmail.com)
- -- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.
Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:
http://www.zerodayinitiative.com
The ZDI is unique in how the acquired vulnerability information is
used. TippingPoint does not re-sell the vulnerability details or any
exploit code. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product. ----------------------------------------------------------------------
Ovum says ad hoc tools are out-dated. The best practice approach?
Fast vulnerability intelligence, threat handling, and setup in one tool.
Read the new report on the Secunia VIM:
http://secunia.com/products/corporate/vim/ovum_2011_request/
----------------------------------------------------------------------
TITLE:
Cisco WebEx Player WRF File Processing Vulnerabilities
SECUNIA ADVISORY ID:
SA46607
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/46607/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=46607
RELEASE DATE:
2011-10-28
DISCUSS ADVISORY:
http://secunia.com/advisories/46607/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/46607/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=46607
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Two vulnerabilities have been reported in Cisco WebEx Player, which
can be exploited by malicious people to compromise a user's system.
SOLUTION:
Update to a fixed version (Please see the vendor's advisory for
details).
PROVIDED AND/OR DISCOVERED BY:
1) The vendor credits TippingPoint.
2) Aniway and Anonymous via ZDI.
ORIGINAL ADVISORY:
Cisco:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20111026-webex
ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-11-308/
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
.
The Cisco WebEx Players are applications that are used to play back
WebEx meeting recordings that have been recorded on a WebEx meeting
site or on the computer of an online meeting attendee. The players
can be automatically installed when the user accesses a recording
file that is hosted on a WebEx meeting site. The players can also be
manually installed for offline playback after downloading the
application from www.webex.com
If the WRF player was automatically installed, it will be
automatically upgraded to the latest, nonvulnerable version when
users access a recording file that is hosted on a WebEx meeting site.
If the WRF player was manually installed, users will need to manually
install a new version of the player after downloading the latest
version from www.webex.com
Cisco has released free software updates that address these
vulnerabilities.
This advisory is posted at:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20111026-webex
Note: Effective October 18, 2011, Cisco moved the current list of
Cisco Security Advisories and Responses published by Cisco PSIRT. The
new location is http://tools.cisco.com/security/center/publicationListing
You can also navigate to this page from the Cisco
Products and Services menu of the Cisco Security Intelligence
Operations (SIO) Portal. Following this transition, new Cisco
Security Advisories and Responses will be published to the new
location. Although the URL has changed, the content of security
documents and the vulnerability policy are not impacted. Cisco will
continue to disclose security vulnerabilities in accordance with the
published Security Vulnerability Policy.
Affected Products
=================
The vulnerabilities disclosed in this advisory affect the Cisco
WRF players. The Microsoft Windows, Apple Mac OS X, and Linux
versions of the players are all affected. Review the following
table for the list of releases that contain the nonvulnerable
code. Affected versions of the players are those prior to client
build T26 SP49 EP40 and T27 SP28. These build numbers are
available only to WebEx site administrators. End users will see a
version such as "Client build: 27.25.4.11889." This indicates the
server is running software version T27 SP25 EP4.
To determine whether a Cisco WebEx meeting site is running an
affected version of the WebEx client build, users can log in to
their Cisco WebEx meeting site and go to the Support > Downloads
section. The version of the WebEx client build will be displayed
on the right side of the page under "About Support Center." See
"Software Versions and Fixes" for details.
Cisco recommends that users upgrade to the most current version
of the player that is available from www.webex.com/
downloadplayer.html. If the player is no longer needed, it can be
removed using the "Mac Cisco-WebEx Uninstaller" or "Meeting
Services Removal tool" available at support.webex.com/support/
downloads.html.
Users can manually verify the installed version of the WRF player
to determine whether it is affected by these vulnerabilities. To
do so, an administrator must examine the version numbers of the
installed files and determine whether the version of the file
contains the fixed code. Detailed instructions on how to verify
the version numbers are provided in the following sections.
The following tables provide the first nonvulnerable version of
each object.
Microsoft Windows
+----------------
Two dynamically linked libraries (DLLs) were updated on the
Microsoft Windows platform to address the vulnerabilities that
are described in this advisory. These files are in the folder C:\
Program Files\WebEx\Record Playback or C:\Program Files (x86)\
Webex\Record Player. The version number of a DLL can be obtained
by browsing the Record Playback directory in Windows Explorer,
right-clicking on the file name, and choosing Properties. The
Version or Details tab of the Properties page provides details on
the library version. The following table gives the first fixed
version number for each DLL. If the installed versions are equal
to or greater than the versions provided in the table, the system
is not vulnerable.
+----------------------------------------------------------------------------+
| Library | T26 SP49 | T27 SP11 | T27 SP21 | T27 SP25 | T27 SP28 |
| | EP40 | EP26 | EP9 | EP3 | |
|--------------+-------------+------------+----------+----------+------------|
| atas32.dll | Not | 2.6.11.0 | 2.6.21.5 | 2.6.25.0 | 2.6.28.0 |
| | vulnerable | | | | |
|--------------+-------------+------------+----------+----------+------------|
| atdl2006.dll | 2.5.49.4000 | 2.6.1123.1 | 2.6.21.1 | 2.6.20.0 | Not |
| | | | | | vulnerable |
+----------------------------------------------------------------------------+
Mac
+--
A package bundle was updated on the Macintosh platform to
address the vulnerabilities that are described in this advisory.
This file is in each user's home directory, which can be accessed
in ~/Library/Application Support/WebEx Folder/824 for systems
connected to servers running T26 and ~/Library/Application
Support/WebEx Folder/924 for systems connected to servers running
T27. The version can be obtained by browsing to the appropriate
folder in Finder and control-clicking the filename. When the menu
is displayed, select show package contents and then double-click
the Info.plist file. The version number is shown at the bottom of
the displayed table.
+-------------------------------------------------------------------------------+
| Bundle | T26 SP49 | T27 SP11 | T27 SP21 | T27 SP25 | T27 SP28 |
| | EP40 | EP26 | EP9 | EP3 | |
|-------------------+-----------+------------+-----------+----------+------------|
| asplayback.bundle | 6.0.49.40 | 6.10.11.25 | 6.10.21.9 | 6.0.25.3 | 5.25.27.28 |
+-------------------------------------------------------------------------------+
Linux
A shared object was updated on the Linux platform to address the
vulnerabilities that are described in this advisory. This file is
in the ~/.webex directory. The version number of the shared
object can be obtained by performing a directory listing with the
ls command. The version number is provided after the .so
extension.
+---------------------------------------------------------------------------+
| Shared | T26 SP49 | T27 SP11 | T27 SP21 | T27 SP25 | T27 SP28 |
| Object | EP40 | EP26 | EP9 | EP3 | |
|------------+-----------+------------+-----------+------------+------------|
| atascli.so | 1.0.26.41 | 1.11.27.15 | 1.0.27.17 | 1.25.27.17 | 1.28.27.17 |
+---------------------------------------------------------------------------+
Vulnerable Products
+------------------
No other Cisco products are currently known to be affected by these
vulnerabilities.
Details
=======
The WebEx meeting service is a hosted multimedia conferencing
solution that is managed and maintained by Cisco WebEx. The WRF file
format is used to store WebEx meeting recordings that have been
recorded on a WebEx meeting site or on the computer of an online
meeting attendee. The players are applications that are used to play
back and edit recording files (files with a .wrf extension). The WRF
players can be automatically installed when the user accesses a
recording file that is hosted on a WebEx meeting site (for stream
playback mode). The WRF players can also be manually installed after
downloading the application from www.webex.com/downloadplayer.html
to play back recording files locally (for offline playback mode). The vulnerabilities cannot be triggered
by users who are attending a WebEx meeting.
Vulnerability Scoring Details
+----------------------------
Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at:
http://intellishield.cisco.com/security/alertmanager/cvss
* Multiple Cisco WebEx Player Buffer Overflow Vulnerabilities
CVSS Base Score - 9.3
Access Vector - Network
Access Complexity - Medium
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 7.7
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of the vulnerabilities described in this
document could cause the Cisco WRF player application to crash and,
in some cases, allow a remote attacker to execute arbitrary code on
the system with the privileges of the user who is running the WRF
player application.
Software Versions and Fixes
===========================
When considering software upgrades, also consult:
http://www.cisco.com/go/psirt and any subsequent advisories to
determine exposure and a complete upgrade solution.
These vulnerabilities are first fixed in the following versions:
* T26 SP49 EP40
* T27 FR20
* T27 SP11 EP23
* T27 SP21 EP9
* T27 SP23
* T27 SP25 EP3
* T27 SP28
The client build is listed in the Support > Downloads section of the
WebEx page after a user authenticates. WebEx bug fixes are cumulative
in a major release. For example, if release T27 SP22 EP9 is fixed,
release T27 SP22 EP23 will also have the software fix. End users
will see a version such as "Client build: 27.25.4.11889." This
indicates the server is running software version T27 SP25 EP4.
If a WRF player was automatically installed, it will be automatically
upgraded to the latest, nonvulnerable version when users access a
recording file that is hosted on a WebEx meeting site.
If a WRF player was manually installed, users will need to manually
install a new version of the player after downloading the latest
version from www.webex.com/downloadplayer.html. If the player is no
longer needed, it can be removed using the "Mac Cisco-WebEx
Uninstaller" or "Meeting Services Removal tool" available at
support.webex.com/support/downloads.html
Workarounds
===========
There are no workarounds for the vulnerabilities disclosed in this
advisory.
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should
consult their maintenance provider or check the software for feature
set compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound
by the terms of Cisco's software license terms found at:
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html
or as otherwise set forth at Cisco.com Downloads at:
http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Customers with Service Contracts
+-------------------------------
This section does not apply for vulnerabilities in Cisco WebEx
products.
Customers using Third Party Support Organizations
+------------------------------------------------
This section does not apply for vulnerabilities in Cisco WebEx
products.
Customers without Service Contracts
+----------------------------------
This section does not apply for vulnerabilities in Cisco WebEx
products.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerabilities described in this advisory.
These vulnerabilities were reported to Cisco by TippingPoint. Cisco
would like to thank TippingPoint for reporting these vulnerabilities
to us.
Status of this Notice: Final
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20111026-webex
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-teams@first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+-------------------------------------------------------------------+
| Revision 1.0 | 2011-October-26 | Initial public release |
+-------------------------------------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This includes instructions for press inquiries regarding Cisco
security notices.
All Cisco security advisories are available at:
http://www.cisco.com/go/psirt
+--------------------------------------------------------------------
Copyright 2010-2011 Cisco Systems, Inc. All rights reserved.
+--------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (SunOS)
iFcDBQFOqCUXQXnnBKKRMNARCO+aAP9IbHs1VnWKq0GY3UPgGavVWYYrypo9uR2g
S1eif/eNEQD7BRMCZrBRVyqMy2c0STwOH9IN35fyqGyLtlO/Nxv4geA=
=eg2S
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
VAR-190001-0537 | No CVE | Trend Micro Control Manager 'Cas_LogDirectInsert.aspx' Arbitrary account creation vulnerability |
CVSS V2: 9.0 CVSS V3: - Severity: HIGH |
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Trend Micro Control Manager. User interaction is required to exploit this vulnerability in that the target must visit a malicious page.The specific flaw exists within the Cas_LogDirectInsert.aspx http handler, which listens by default on TCP port 443. A specially crafted POST request allows remote attackers to supply XML and schema information which is used within queries to the backend database. By supplying malicious values, an attacker can inject themselves a user account which can be used to execute code via the management console on the service. By default, the Cas_LogDirectInsert.aspx http processor on the TCP 443 port is flawed.
-- Vendor Response:
Trend Micro states:
http://esupport.trendmicro.com/solution/en-us/1058280.aspx
Fix is posted at download center:
tmcm-55-win-en-criticalpatch1422.exe
http://downloadcenter.trendmicro.com/index.php?regs=NABU&clk=latest&clkval=1763&lang_loc=1
This critical patch resolves the following issue(s):
Issue: A vulnerability allows an attacker to create and insert
a user account which can be used to execute codes through
the management console.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution: This critical patch imposes stricter rules for the insertion
of system account relative tables to prevent attackers from
inserting user accounts.
Reference:
http://www.trendmicro.com/ftp/documentation/readme/readme_critical_patch_TMCM55_1422.txt
-- Disclosure Timeline:
2011-04-01 - Vulnerability reported to vendor
2011-07-11 - Coordinated public release of advisory
-- Credit:
This vulnerability was discovered by:
* Andrea Micalizzi aka rgod
-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.
Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:
http://www.zerodayinitiative.com
The ZDI is unique in how the acquired vulnerability information is
used. TippingPoint does not re-sell the vulnerability details or any
exploit code. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product.
Our vulnerability disclosure policy is available online at:
http://www.zerodayinitiative.com/advisories/disclosure_policy/
Follow the ZDI on Twitter:
http://twitter.com/thezdi
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
. ----------------------------------------------------------------------
The Secunia Vulnerability Intelligence Manager (VIM) enables you to handle vulnerability threats in a simple, cost effective way.
Read more and request a free trial:
http://secunia.com/products/corporate/vim/
----------------------------------------------------------------------
TITLE:
Trend Micro Control Manager "Cas_LogDirectInsert.aspx" XML Processing
Vulnerability
SECUNIA ADVISORY ID:
SA45176
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/45176/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=45176
RELEASE DATE:
2011-07-13
DISCUSS ADVISORY:
http://secunia.com/advisories/45176/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/45176/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=45176
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
A vulnerability has been reported in Trend Micro Control Manager,
which can be exploited by malicious people to manipulate certain
data.
The vulnerability is caused due to an error in
Cas_LogDirectInsert.aspx when processing certain XML and schema
information.
The vulnerability is reported in versions 5.0 and 5.5.
SOLUTION:
Apply Critical Patch 1422.
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
PROVIDED AND/OR DISCOVERED BY:
Andrea Micalizzi (rgod) via ZDI.
ORIGINAL ADVISORY:
Trend Micro:
http://esupport.trendmicro.com/solution/en-us/1058280.aspx
ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-11-234/
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
VAR-201112-0059 | CVE-2011-4536 | KingView 'HistoryServer.exe' Heap-based buffer overflow vulnerability |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Heap-based buffer overflow in nettransdll.dll in HistorySvr.exe (aka HistoryServer.exe) in WellinTech KingView 6.53 and 65.30.2010.18018 allows remote attackers to execute arbitrary code via a crafted op-code 3 packet. Authentication is not required to exploit this vulnerability. The specific flaw exists within the protocol parsing code inside nettransdll.dll. The parent service is called HistoryServer.exe and listens on port 777. When a packet with op-code 3 is received, the service allocates memory from the heap based on the 10th and 11th bytes of the packet (element count). Packet data is then copied into the allocated buffer based on the first two bytes of the packet (packet size). KingView is a product for building data information service platforms for industrial automation. This vulnerability can be triggered by sending a data message of more than a certain length to the TCP 777 port. KingView is prone to a heap-based buffer-overflow vulnerability because it fails to properly validate user-supplied input. Failed exploit attempts will likely result in denial-of-service conditions.
KingView 65.30.2010.18018 is vulnerable; other versions may also be affected. ----------------------------------------------------------------------
Secunia is hiring!
Find your next job here:
http://secunia.com/company/jobs/
----------------------------------------------------------------------
TITLE:
KingView HistorySvr Buffer Overflow Vulnerability
SECUNIA ADVISORY ID:
SA47339
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/47339/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=47339
RELEASE DATE:
2011-12-22
DISCUSS ADVISORY:
http://secunia.com/advisories/47339/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/47339/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=47339
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
A vulnerability has been reported in KingView, which can be exploited
by malicious people to compromise a vulnerable system.
The vulnerability is caused due to an unspecified error in the
nettransdll.dll module of the HistorySvr component.
The vulnerability is reported in version 6.53 (65.30.2010.18018).
SOLUTION:
Apply patch.
PROVIDED AND/OR DISCOVERED BY:
ICS-CERT credits Luigi Auriemma via ZDI.
ORIGINAL ADVISORY:
KingView:
http://en.wellintech.com/news/detail.aspx?contentid=166
ICS-CERT:
http://www.us-cert.gov/control_systems/pdf/ICSA-11-355-02.pdf
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
.
- -- Vendor Response:
WellinTech has issued an update to correct this vulnerability. More
details can be found at:
http://www.kingview.com/news/detail.aspx?contentid=587
- -- Disclosure Timeline:
2011-11-09 - Vulnerability reported to vendor
2011-12-22 - Coordinated public release of advisory
- -- Credit:
This vulnerability was discovered by:
* Luigi Auriemma
- -- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.
Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:
http://www.zerodayinitiative.com
The ZDI is unique in how the acquired vulnerability information is
used. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product.
Our vulnerability disclosure policy is available online at:
http://www.zerodayinitiative.com/advisories/disclosure_policy/
Follow the ZDI on Twitter:
http://twitter.com/thezdi
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)
iQEcBAEBAgAGBQJO81sqAAoJEFVtgMGTo1scImgIAKikq6VqLK8P6zI5vIfUX3/I
hJ2Ee4eAEB1P3qsehw3G4ZelP6uJUbxrVAl0UoyFctPQL+Jh+XkKmiJskzzTlvtz
3TfL0RZBgSnHHUnusjxdpDO7kmzIlFIMbWJgQLGaRRVTVXLukSgFws7cdAH1lo4V
c64jAXagVvv9gJUHGUMemqR+tpHxSa7YRdribO/P192cc31z7wh/ybjIP7dCev9O
zpH5sQ1PFgaVb8CMLxMbHiVVzCgbzJ59q/ydoG5TUo2XnDkinthQ3VNoGaeGIKWZ
aLMrG+gREbfsdKBvlgzcAgAjIQHVeK8SiIZBICrVcHYFED5BQtmyKhzUJG+md/E=
=BHoc
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
VAR-201203-0282 | CVE-2012-0245 | ABB WebWare Server 'RobNetScanHost.exe' Buffer Overflow Vulnerability |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Multiple stack-based buffer overflows in RobNetScanHost.exe in ABB Robot Communications Runtime before 5.14.02, as used in ABB Interlink Module, IRC5 OPC Server, PC SDK, PickMaster 3 and 5, RobView 5, RobotStudio, WebWare SDK, and WebWare Server, allow remote attackers to execute arbitrary code via a crafted (1) 0xA or (2) 0xE Netscan packet. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of ABB WebWare. Authentication is not required to exploit this vulnerability. The specific flaw exists within RobNetScanHost.exe and its parsing of network packets accepted on port 5512. The parsing of 'Netscan' packets with opcodes 0xE and 0xA are vulnerable to a stack-based buffer overflow with a fixed allocation of 20 bytes. This vulnerability can be exploited to execute arbitrary code in the context of the service process (LocalSystem). ABB WebWare Server is a software product used primarily for production data control. RobNetScanHost.exe provided by ABB WebWare Server has security flaws. ABB WebWare Server is prone to a stack-based buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied data. Failed exploit attempts will likely result in denial-of-service conditions. ----------------------------------------------------------------------
Secunia presentations @ RSA Conference 2012, San Francisco, USA, 27 Feb-02 March
Listen to our Chief Security Specialist, Research Analyst Director, and Director Product Management & Quality Assurance discuss the industry's key topics. Also, visit the Secunia stand #817. Find out more: http://www.rsaconference.com/events/2012/usa/index.htm
----------------------------------------------------------------------
TITLE:
ABB Multiple Products RobNetScanHost.exe Buffer Overflow
Vulnerability
SECUNIA ADVISORY ID:
SA48090
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/48090/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=48090
RELEASE DATE:
2012-02-23
DISCUSS ADVISORY:
http://secunia.com/advisories/48090/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/48090/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=48090
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
A vulnerability has been reported in multiple ABB products, which can
be exploited by malicious people to compromise a vulnerable system.
* PickMaster 3 version 3.3 and prior.
* PickMaster 5 version 5.13 and prior.
* WebWare SDK and ABB Interlink Module versions 4.6 through 4.9.
* WebWare Server versions 4.6 through 4.91.
SOLUTION:
Update to a fixed version or apply patch (please see the vendor's
advisory for details).
PROVIDED AND/OR DISCOVERED BY:
Luigi Auriemma via ZDI.
ORIGINAL ADVISORY:
ABB:
http://www05.abb.com/global/scot/scot348.nsf/veritydisplay/f261be074480dc24c12579a00049ecd5/$file/si10227a1%20vulnerability%20security%20advisory.pdf
ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-12-033/
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
ZDI-12-033 : ABB WebWare RobNetScanHost.exe Remote Code Execution
Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-12-033
February 22, 2012
- -- CVE ID:
- -- CVSS:
10, AV:N/AC:L/Au:N/C:C/I:C/A:C
- -- Affected Vendors:
ABB
- -- Affected Products:
ABB WebWare
- -- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 11594.
- -- Vendor Response:
ABB has issued an update to correct this vulnerability. More details can
be found at:
http://www05.abb.com/global/scot/scot348.nsf/veritydisplay/f261be074480dc24c12579a00049ecd5/$file/si10227a1%20vulnerability%20security%20advisory.pdf
- -- Disclosure Timeline:
2011-10-10 - Vulnerability reported to vendor
2012-02-22 - Coordinated public release of advisory
- -- Credit:
This vulnerability was discovered by:
* Luigi Auriemma
- -- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.
Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:
http://www.zerodayinitiative.com
The ZDI is unique in how the acquired vulnerability information is
used. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product.
Our vulnerability disclosure policy is available online at:
http://www.zerodayinitiative.com/advisories/disclosure_policy/
Follow the ZDI on Twitter:
http://twitter.com/thezdi
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)
iQEcBAEBAgAGBQJPRUiZAAoJEFVtgMGTo1sc9REIAKdxGGjQNRsQBQh7OZ3Bbfz2
vbul36hrqRdCxEmV++F5LcoFSpXmRx7Wjc6FHcUKkGGbRQ7+I9zjAi4CzwubSjCY
zk+G0v324lSwQ7be6bxp5kGl5UTjVDczlfyjG2K2QSPBitz/RpkhpaTDXJcBALLR
lx8KOxgAT9TGEodE5pjG2R2eCeDgrV34q5+xu3hdMQYWgvdYqoL39OHw/7QMjIOT
NO1hYzGpadTcRuXwDzkpsJi+Gx03DinnlJ1VjUaXPfdbnN7IpGoON7yaYkjXDBVf
NHA2pvKBl0mRjevIy/uQqJpsG8KC4eR5pHdl/lTKV61vb45zAyewDo5EM9xl6J0=
=DeOF
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
VAR-201109-0173 | CVE-2011-3501 |
Cogent DataHub Integer Overflow Vulnerability
Related entries in the VARIoT exploits database: VAR-E-201109-0020, VAR-E-201109-0022, VAR-E-201109-0021, VAR-E-201109-0019 |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Integer overflow in Cogent DataHub 7.1.1.63 and earlier allows remote attackers to cause a denial of service (crash) via a negative or large Content-Length value. The software incorrectly handles the Content-Length field (-1 or 4294967295) plus one, which can cause integer overflow. Cogent DataHub is software for SCADA and automation. Cogent DataHub has server/service listening ports 4052 and 4053, except that the second port uses SSL, the first one uses plaintext. The \"DH_OneSecondTick\" function has a stack-based unicode buffer overflow that can be triggered by \"domain\", \"report_domain\", \"register_datahub\", \"slave\" and other commands. Cogent DataHub is prone to multiple buffer-overflow and integer-overflow vulnerabilities.
Successfully exploiting these issues may allow attackers to execute arbitrary code within the context of the privileged domain (Dom0). Failed attempts will likely cause denial-of-service conditions.
Cogent DataHub 7.1.1.63 is vulnerable; other versions may also be affected
VAR-201109-0098 | CVE-2011-2412 | HP Business Service Automation Essentials Vulnerable to arbitrary code execution |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Unspecified vulnerability in HP Business Service Automation (BSA) Essentials 2.01 allows remote attackers to execute arbitrary code via unknown vectors.
Very few technical details are currently available. We will update this BID as more information emerges. ----------------------------------------------------------------------
SC World Congress, New York, USA, 16 November 2011
Visit the Secunia booth (#203) and discover how you can improve your handling of third party programs:
http://secunia.com/resources/events/sc_2011/
----------------------------------------------------------------------
TITLE:
HP Business Service Automation Essentials Unspecified Vulnerability
SECUNIA ADVISORY ID:
SA46080
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/46080/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=46080
RELEASE DATE:
2011-09-20
DISCUSS ADVISORY:
http://secunia.com/advisories/46080/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/46080/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=46080
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
A vulnerability has been reported in HP Business Service Automation
Essentials, which can be exploited by malicious people to compromise
a vulnerable system.
The vulnerability is caused due to an unspecified error.
The vulnerability is reported in version 2.01.
SOLUTION:
Apply hotfix QCCR1D134337.
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
HPSBMU02705 SSRT100622:
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03014398
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
.
References: CVE-2011-2412
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed. To obtain the hotfix contact the normal HP Services support channel and request hotfix QCCR1D134337.
HISTORY
Version:1 (rev.1) - 19 September 2011
Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy.
Support: For further information, contact normal HP Services support channel.
Report: To report a potential security vulnerability with any HP supported product, send Email to: security-alert@hp.com
Subscribe: To initiate a subscription to receive future HP Security Bulletin alerts via Email: http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins
Security Bulletin List: A list of HP Security Bulletins, updated periodically, is contained in HP Security Notice HPSN-2011-001: https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c02964430
3C = 3COM
3P = 3rd Party Software
GN = HP General Software
HF = HP Hardware and Firmware
MP = MPE/iX
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PI = Printing and Imaging
PV = ProCurve
ST = Storage Software
TU = Tru64 UNIX
UX = HP-UX
Copyright 2011 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental,special or consequential damages including downtime cost; lost profits;damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett-Packard Company and the names of Hewlett-Packard products referenced herein are trademarks of Hewlett-Packard Company in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iEYEARECAAYFAk53SIAACgkQ4B86/C0qfVn61QCgl92CaAagub2Y/QT1D9RB+5KZ
q0gAoKxgSJKxSKf+z33IXS5ghqxEkrtM
=4J/I
-----END PGP SIGNATURE-----
VAR-201202-0345 | CVE-2012-1289 | SAP NetWeaver Vulnerable to directory traversal |
CVSS V2: 4.0 CVSS V3: - Severity: MEDIUM |
Multiple directory traversal vulnerabilities in SAP NetWeaver 7.0 allow remote authenticated users to read arbitrary files via a .. (dot dot) in the logfilename parameter to (1) b2b/admin/log.jsp or (2) b2b/admin/log_view.jsp in the Internet Sales (crm.b2b) component, or (3) ipc/admin/log.jsp or (4) ipc/admin/log_view.jsp in the Application Administration (com.sap.ipc.webapp.ipc) component. SAP NetWeaver is the technical foundation for SAP Business Suite solutions, SAP xApps composite applications, partner solutions, and custom applications. There is a vulnerability in SAP NetWeaver. Because the input passed to the b2b/admin/log_view.jsp or b2b/admin/log.jsp script in the Internet Sales module via the \"logfilename\" parameter is missing validation before being used to display the file, it can result in arbitrary files being obtained through the directory traversal sequence. information. The SAP NetWeaver com.sap.aii.mdt.amt.web.AMTPageProcessor servlet error can be exploited to leak certain Adapter monitoring information. SAP NetWeaver is prone to multiple input-validation vulnerabilities, including:
1. A cross-site scripting vulnerability
2. Multiple information-disclosure vulnerabilities
Attackers can exploit these issues to execute arbitrary script code in the context of the website, steal cookie-based authentication information, and disclose sensitive information. Other attacks are also possible. ----------------------------------------------------------------------
Secunia presentations @ RSA Conference 2012, San Francisco, USA, 27 Feb-02 March
Listen to our Chief Security Specialist, Research Analyst Director, and Director Product Management & Quality Assurance discuss the industry's key topics. Also, visit the Secunia stand #817. Find out more: http://www.rsaconference.com/events/2012/usa/index.htm
----------------------------------------------------------------------
TITLE:
SAP NetWeaver Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA47861
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/47861/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=47861
RELEASE DATE:
2012-02-21
DISCUSS ADVISORY:
http://secunia.com/advisories/47861/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/47861/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=47861
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Digital Security Research Group has reported some vulnerabilities in
SAP NetWeaver, which can be exploited by malicious people to conduct
cross-site scripting attacks and by malicious users and malicious
people to disclose sensitive information.
Successful exploitation of vulnerabilities #1 and #2 may require
permission to view logs.
The vulnerabilities are reported in version 7.0. Other versions may
also be affected.
SOLUTION:
Apply SAP Security Notes 1585527 and 1583300.
PROVIDED AND/OR DISCOVERED BY:
Dmitriy Chastukhin, Digital Security Research Group.
ORIGINAL ADVISORY:
Digital Security Research Group:
http://dsecrg.com/pages/vul/show.php?id=412
http://dsecrg.com/pages/vul/show.php?id=413
http://dsecrg.com/pages/vul/show.php?id=414
http://dsecrg.com/pages/vul/show.php?id=415
http://dsecrg.com/pages/vul/show.php?id=416
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
VAR-201110-0447 | CVE-2011-3315 | plural Cisco Product vulnerable to directory traversal |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Directory traversal vulnerability in Cisco Unified Communications Manager (CUCM) 5.x and 6.x before 6.1(5)SU2, 7.x before 7.1(5b)SU2, and 8.x before 8.0(3), and Cisco Unified Contact Center Express (aka Unified CCX or UCCX) and Cisco Unified IP Interactive Voice Response (Unified IP-IVR) before 6.0(1)SR1ES8, 7.0(x) before 7.0(2)ES1, 8.0(x) through 8.0(2)SU3, and 8.5(x) before 8.5(1)SU2, allows remote attackers to read arbitrary files via a crafted URL, aka Bug IDs CSCth09343 and CSCts44049. The problem is Bug ID CSCth09343 and CSCts44049 Problem.Expertly crafted by a third party URL Via, arbitrary files may be read. Multiple Cisco products are prone to a directory-traversal vulnerability.
Exploiting this issue will allow an attacker to read arbitrary files from locations outside of the application's current directory. This could help the attacker launch further attacks.
This issue is tracked by Cisco BugID CSCts44049 and CSCth09343.
Details
=======
Cisco Unified Communications Manager is the call processing component
of the Cisco IP Telephony solution that extends enterprise telephony
features and functions to packet telephony network devices such as IP
phones, media processing devices, VoIP gateways, and multimedia
applications.
Revision History
================
+-------------------------------------------------------------------+
| Revision 1.0 | 2011-October-26 | Initial public release. It is
possible for an attacker to use this vector to gain console
access to the vulnerable node as the 'ccxcluster' user, and
subsequently escalate privileges. ----------------------------------------------------------------------
Ovum says ad hoc tools are out-dated. The best practice approach?
Fast vulnerability intelligence, threat handling, and setup in one tool.
Read the new report on the Secunia VIM:
http://secunia.com/products/corporate/vim/ovum_2011_request/
----------------------------------------------------------------------
TITLE:
Cisco Multiple Products Directory Traversal Vulnerability
SECUNIA ADVISORY ID:
SA46600
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/46600/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=46600
RELEASE DATE:
2011-10-28
DISCUSS ADVISORY:
http://secunia.com/advisories/46600/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/46600/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=46600
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
A vulnerability has been reported in multiple Cisco products, which
can be exploited by malicious people to disclose sensitive
information.
Certain input passed via the URL is not properly verified before
being used.
SOLUTION:
Update to a fixed version.
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
PROVIDED AND/OR DISCOVERED BY:
r@b13$, Digital Defense.
ORIGINAL ADVISORY:
Cisco:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20111026-uccx
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20111026-cucm
Digital Defense (DDIVRT-2011-35):
http://archives.neohapsis.com/archives/fulldisclosure/2011-10/0894.html
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
.
Cisco has released free software updates that address this
vulnerability.
There are no workarounds that mitigate this vulnerability. The new
location is:
http://tools.cisco.com/security/center/publicationListing
You can also navigate to this page from the Cisco Products and
Services menu of the Cisco Security Intelligence Operations (SIO)
Portal. Following this transition, new Cisco Security Advisories and
Responses will be published to the new location. Although the URL has
changed, the content of security documents and the vulnerability
policy are not impacted. Cisco will continue to disclose security
vulnerabilities in accordance with the published Security
Vulnerability Policy.
Affected Products
=================
Vulnerable Products
+------------------
The following Cisco UCCX versions are vulnerable:
* Cisco UCCX version 6.0(x)
* Cisco UCCX version 7.0(x)
* Cisco UCCX version 8.0(x)
* Cisco UCCX version 8.5(x)
Note: Cisco UCCX versions prior to 6.0(x) reached end of software
maintenance. Customers running versions prior to 6.0(x) should
contact their Cisco support team for assistance in upgrading to a
supported version of Cisco UCCX.
Details
=======
The Cisco Unified Contact Center Express is a single/two node server,
integrated "contact center in a box" for use in deployments with up to
300 agents until software version 8.0(x) and 400 agents starting at
version 8.5(x). An attacker could
exploit this vulnerability by sending a specially crafted URL to the
affected system.
Vulnerability Scoring Details
=============================
Cisco has provided scores for the vulnerability in this advisory based
on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in
this Security Advisory is done in accordance with CVSS version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at:
http://intellishield.cisco.com/security/alertmanager/cvss
* CSCts44049 - UCCX vulnerable to directory traversal
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - None
Availability Impact - None
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of the vulnerability may allow a remote,
unauthenticated attacker to retrieve arbitrary files from the Cisco
Unified Contact Center Express or Cisco Unified IP Interactive Voice
Response filesystem.
Software Versions and Fixes
===========================
Cisco has released free software updates that address this
vulnerability.
Customers should contact Cisco Technical Assistance Center (TAC) for
assistance.
When considering software upgrades, also consult:
http://www.cisco.com/go/psirt
As well as any subsequent advisories to determine exposure and a
complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
Workarounds
===========
There are no workarounds for this vulnerability. Mitigations that can
be deployed on Cisco devices within the network are available in the
Cisco Applied Intelligence companion document for this advisory:
http://tools.cisco.com/security/center/content/CiscoAppliedMitigationBulletin/cisco-amb-20111026-cucm-uccx.
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should
consult their maintenance provider or check the software for feature
set compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound
by the terms of Cisco's software license terms found at:
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html
Or as otherwise set forth at Cisco.com Downloads at:
http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, this means that
upgrades should be obtained through the Software Center on Cisco's
worldwide website at:
http://www.cisco.com
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco
service contract, and customers who purchase through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should acquire upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to
a free upgrade. Free upgrades for non-contract customers must be
requested through the TAC.
Refer to:
http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
For additional TAC contact information, including localized telephone
numbers, and instructions and e-mail addresses for use in various
languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerability described in this advisory.
This vulnerability was reported to Cisco by the Vulnerability
Research Team of Digital Defense, Inc.
Status of this Notice: Final
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20111026-uccx
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-teams@first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+-------------------------------------------------------------------+
| Revision 1.0 | 2011-October-26 | Initial public release |
+-------------------------------------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This includes instructions for press inquiries regarding Cisco
security notices. All Cisco security advisories are available at:
http://www.cisco.com/go/psirt
+--------------------------------------------------------------------
Copyright 2010-2011 Cisco Systems, Inc. All rights reserved.
+--------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
iF4EAREIAAYFAk6oHqAACgkQQXnnBKKRMNBbTQD+N1Zs2nsqqvVjvIvMqD6wvwT2
9AtLDwrIbbHbocikIrkA/1ZWGc4wv6Z3izCnhNBwyusC+9+BUt8nN5w847FvAdm2
=UDZr
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
VAR-201107-0116 | CVE-2011-0549 | Symantec Web Gateway of forget.php In SQL Injection vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
SQL injection vulnerability in forget.php in the management GUI in Symantec Web Gateway 4.5.x allows remote attackers to execute arbitrary SQL commands via the username parameter. Authentication is not required to exploit this vulnerability. The specific flaw exists within the username parameter of POST requests to the forget.php script. Symantec Web Gateway is a Web security gateway hardware appliance. Attackers can obtain sensitive information or manipulate the database through SQL injection attacks.
Exploiting this issue could allow an attacker to compromise the device, access or modify data, or exploit latent vulnerabilities in the underlying database. Symantec Web Gateway (SWG) is a set of network content filtering software developed by Symantec Corporation of the United States. The software provides web content filtering, data loss prevention, and more. ----------------------------------------------------------------------
The Secunia Vulnerability Intelligence Manager (VIM) enables you to handle vulnerability threats in a simple, cost effective way.
Read more and request a free trial:
http://secunia.com/products/corporate/vim/
----------------------------------------------------------------------
TITLE:
Symantec Web Gateway Management Interface "username" SQL Injection
Vulnerability
SECUNIA ADVISORY ID:
SA45146
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/45146/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=45146
RELEASE DATE:
2011-07-09
DISCUSS ADVISORY:
http://secunia.com/advisories/45146/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/45146/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=45146
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
A vulnerability has been reported in Symantec Web Gateway, which can
be exploited by malicious people to conduct SQL injection attacks. This can be exploited to manipulate SQL queries by
injecting arbitrary SQL code.
The vulnerability is reported in version 4.5.x. Other versions may
also be affected
SOLUTION:
Upgrade to version 5.0.1.
PROVIDED AND/OR DISCOVERED BY:
An anonymous person via ZDI.
ORIGINAL ADVISORY:
Symantec:
http://www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&suid=20110707_00
ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-11-233/
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
.
-- Vendor Response:
Symantec has issued an update to correct this vulnerability. More
details can be found at:
http://www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2011&suid=20110707_00
-- Disclosure Timeline:
2011-04-01 - Vulnerability reported to vendor
2011-07-07 - Coordinated public release of advisory
-- Credit:
This vulnerability was discovered by:
* Anonymous
-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.
Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:
http://www.zerodayinitiative.com
The ZDI is unique in how the acquired vulnerability information is
used. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product.
Our vulnerability disclosure policy is available online at:
http://www.zerodayinitiative.com/advisories/disclosure_policy/
Follow the ZDI on Twitter:
http://twitter.com/thezdi
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
VAR-201402-0038 | CVE-2011-4091 | libnet6 of inc/server.hpp of libobby Vulnerability in server where important information is obtained |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The libobby server in inc/server.hpp in libnet6 (aka net6) before 1.3.14 does not perform authentication before checking the user name, which allows remote attackers to obtain sensitive information such as server-usage patterns by a particular user and color preferences. Net6 is a simple network library. The net6 library performs certain operations before verifying the connection of user authentication information, which may result in the disclosure of part of the information of the connected user. net6 is prone to a session-hijacking vulnerability and an information-disclosure vulnerability.
An attacker can exploit these vulnerabilities to obtain sensitive information, or possibly perform actions with elevated privileges.
net6 1.3.13 is vulnerable; other versions may also be affected.
For more information:
SA46605
SOLUTION:
Apply updated packages via the yum utility ("yum update net6"). ----------------------------------------------------------------------
Ovum says ad hoc tools are out-dated. The best practice approach?
Fast vulnerability intelligence, threat handling, and setup in one tool.
Read the new report on the Secunia VIM:
http://secunia.com/products/corporate/vim/ovum_2011_request/
----------------------------------------------------------------------
TITLE:
net6 Two Weaknesses
SECUNIA ADVISORY ID:
SA46605
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/46605/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=46605
RELEASE DATE:
2011-10-31
DISCUSS ADVISORY:
http://secunia.com/advisories/46605/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/46605/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=46605
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Vasiliy Kulikov has reported two weaknesses in net6, which can be
exploited by malicious people to disclose certain information and
conduct session hijacking attacks.
2) It's possible to cause an internal ID counter to overflow, which
can be exploited to e.g. hijack another user's session.
The weaknesses are reported in version 1.3.13.
SOLUTION:
Fixed in the GIT repository.
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
PROVIDED AND/OR DISCOVERED BY:
Vasiliy Kulikov
ORIGINAL ADVISORY:
http://www.openwall.com/lists/oss-security/2011/10/30/3
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
.
1) An error in the net6 library can be exploited to e.g.
For more information see weakness #1 in:
SA46605
2) An error in the net6 library can be exploited to hijack another
user's session.
For more information see weakness #2 in:
SA46605
SOLUTION:
Restrict access to trusted hosts only
VAR-201105-0193 | CVE-2011-1649 | Cisco Content Delivery System Service disruption in (DoS) Vulnerabilities |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
The Internet Streamer application in Cisco Content Delivery System (CDS) with software 2.5.7, 2.5.8, and 2.5.9 before build 126 allows remote attackers to cause a denial of service (Web Engine crash) via a crafted URL, aka Bug IDs CSCtg67333 and CSCth25341.
An attacker can exploit this issue to crash the webserver, causing denial-of-service conditions.
This issue is fixed in Cisco Content Delivery 2.5.9 build 126. Versions prior to 2.5.7 are not affected.
This issue being tracked by Cisco bug IDs CSCtg67333 and CSCth25341.
Cisco has released free software updates that address this
vulnerability.
Workarounds that mitigate this vulnerability are not available.
Vulnerable Products
+------------------
To determine the software version that is running on a Cisco Content
Delivery Engine, log in to the device and issue the show version
command-line interface (CLI) command to display the system banner. On the same line of output, the
version number will also be provided.
Content Delivery System Software Release 2.5.9 (build b5 Jun 16 2010)
Version: cde200-2.5.9.5
Compiled 22:10:04 Jun 16 2010 by ipvbuild
Compile Time Options: KQ SS
System was restarted on Wed Sep 15 06:50:22 2010.
The system has been up for 1 hour, 25 minutes, 6 seconds.
cdn-cde#
Alternatively, the Content Delivery System Manager home page gives a
brief summary of the software versions in use on all the devices in
the content delivery system network.
To view the software version running on a particular device, choose
Devices > Devices. The Devices Table page displays the software
version for each device listed.
No other Cisco products are currently known to be affected by this
vulnerability. The device will remain operational,
and the Web Engine will restart if the attack stops. Both bugs fixes are required for a full
solution.
Vulnerability Scoring Details
=============================
Cisco has provided a score for the vulnerability in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at:
http://intellishield.cisco.com/security/alertmanager/cvss
* CSCtg67333/CSCth25341 ("Crafted URL may crash webengine in CDS
Internet Streamer")
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of the vulnerability may cause the Web Engine
of the Cisco Internet Streamer application to crash.
The device will remain operational, and the Web Engine will restart
if the attack stops.
A sustained attack will prevent the distribution of HTML content to
end users.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to determine
exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
The recommended release contains other software fixes that are
recommended by Cisco. For further information please consult the
Release Notes for Cisco Internet Streamer CDS 2.5.9 at the following
link:
http://www.cisco.com/en/US/docs/video/cds/cda/is/2_5/release_notes/CDS_RelNotes2_5_9.html#wp100128
+------------------------------------------------------------+
| Cisco Content | | Recommended |
| Delivery System | First Fixed Release | Release |
| Software Release | | |
|------------------+---------------------------+-------------|
| 2.2.x | Not Vulnerable | |
|------------------+---------------------------+-------------|
| 2.3.x | Not Vulnerable | |
|------------------+---------------------------+-------------|
| 2.4.x | Not Vulnerable | |
|------------------+---------------------------+-------------|
| | Releases prior to 2.5.7 | 2.5.9 build |
| 2.5.x | are not affected, first | 126 |
| | fixed in 2.5.9 build 126 | |
+------------------------------------------------------------+
Workarounds
===========
There are no workarounds for the vulnerability documented in this
security advisory.
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should
consult their maintenance provider or check the software for feature
set compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature
sets they have purchased. By installing, downloading, accessing
or otherwise using such software upgrades, customers agree to be
bound by the terms of Cisco's software license terms found at
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html,
or as otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml.
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, this means that
upgrades should be obtained through the Software Center on Cisco's
worldwide website at http://www.cisco.com.
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco
service contract, and customers who purchase through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should acquire upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to
a free upgrade. Free upgrades for non-contract customers must be
requested through the TAC.
Refer to
http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
for additional TAC contact information, including localized telephone
numbers, and instructions and e-mail addresses for use in various
languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerability described in this advisory.
This vulnerability was discovered when handling customer support
calls.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at:
http://www.cisco.com/warp/public/707/cisco-sa-20110525-spcdn.shtml
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+------------------------------------------------------------+
| Revision 1.0 | 2011-May-25 | Initial public release. |
+------------------------------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html.
This includes instructions for press inquiries regarding Cisco
security notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt.
+--------------------------------------------------------------------
Copyright 2010-2011 Cisco Systems, Inc. All rights reserved.
+--------------------------------------------------------------------
Updated: May 25, 2011 Document ID: 112138
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iF4EAREIAAYFAk3dDvAACgkQQXnnBKKRMNDhVQD8CAFWUFBeDwTP/Cx9FZLIZtla
UnpJ3ZyjDOZy25FNYNsA/3J4ic+L+7s6R+Dh8nGs/xIHVOuFJPZklPMRNcuUwfLs
=0iXv
-----END PGP SIGNATURE-----
. ----------------------------------------------------------------------
Alerts when vulnerabilities pose a threat to your infrastructure
The enhanced reporting module of the Secunia Vulnerability Intelligence Manager (VIM) enables you to combine advisory and ticket information, and generate policy compliance statistics. Using your asset list preferences, customised notifications are issued as soon as a new vulnerability is discovered - a valuable tool for documenting mitigation strategies.
Watch our quick solution overview:
http://www.youtube.com/user/Secunia#p/a/u/0/M1Y9sJqR2SY
----------------------------------------------------------------------
TITLE:
Cisco Content Delivery System Internet Streamer URL Processing Denial
of Service Vulnerability
SECUNIA ADVISORY ID:
SA44727
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/44727/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=44727
RELEASE DATE:
2011-05-27
DISCUSS ADVISORY:
http://secunia.com/advisories/44727/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/44727/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=44727
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
A vulnerability has been reported in Cisco Content Delivery System,
which can be exploited by malicious people to cause a DoS (Denial of
Service).
SOLUTION:
Update to version 2.5.9 build 126.
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
Cisco:
http://www.cisco.com/warp/public/707/cisco-sa-20110525-spcdn.shtml
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor
VAR-201109-0089 | CVE-2011-2738 | Cisco Unified Service Monitor Vulnerable to arbitrary code execution |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Multiple unspecified vulnerabilities in Cisco Unified Service Monitor before 8.6, as used in Unified Operations Manager before 8.6 and CiscoWorks LAN Management Solution 3.x and 4.x before 4.1; and multiple EMC Ionix products including Application Connectivity Monitor (Ionix ACM) 2.3 and earlier, Adapter for Alcatel-Lucent 5620 SAM EMS (Ionix ASAM) 3.2.0.2 and earlier, IP Management Suite (Ionix IP) 8.1.1.1 and earlier, and other Ionix products; allow remote attackers to execute arbitrary code via crafted packets to TCP port 9002, aka Bug IDs CSCtn42961 and CSCtn64922, related to a buffer overflow. Cisco Unified Operations Manager and CiscoWorks LAN Management Solution Used in Cisco Unified Service Monitor Contains a vulnerability that allows arbitrary code execution. The problem is Bug ID CSCtn42961 and CSCtn64922 It is a problem.Skillfully crafted by a third party TCP port 9002 Arbitrary code could be executed via packets. Authentication is not required to exploit this vulnerability.The flaw exists within the brstart.exe service which listens by default on TCP port 9002. When handling an add_dm request the process uses a user provided value to allocate a buffer then blindly copies user supplied data into a fixed-length buffer on the heap. A remote attacker can exploit this vulnerability to execute arbitrary code under the context of the casuser user. Multiple EMC Ionix applications are prone to a buffer-overflow vulnerability. Successful exploits will result in the complete compromise of affected applications. Failed exploit attempts will result in a denial-of-service condition.
The following applications are affected.
Ionix Application Connectivity Monitor (Ionix ACM) version 2.3 and prior
Ionix Adapter for Alcatel-Lucent 5620 SAM EMS (Ionix ASAM) version 3.2.0.2 and prior
Ionix IP Management Suite (Ionix IP) version 8.1.1.1 and prior
Ionix IPv6 Management Suite (Ionix IPv6) version 2.0.2 and prior
Ionix MPLS Management Suite (Ionix MPLS) version 4.0.0 and prior
Ionix Multicast Manager (Ionix MCAST) version 2.1 and prior
Ionix Network Protocol Management Suite version (Ionix NPM) 3.1 and prior
Ionix Optical Transport Management Suite version (Ionix OTM) 5.1 and prior
Ionix Server Manager (EISM) version 3.0 and prior
Ionix Service Assurance Management Suite (Ionix SAM) version 8.1.0.6 and prior
Ionix Storage Insight for Availability Suite (Ionix SIA) version 2.3.1 and prior
Ionix VoIP Availability Management Suite (Ionix VoIP AM) version 4.0.0.3 and prior.
Details
=======
CiscoWorks LAN Management Solution is an integrated suite of
management functions that simplifies the configuration,
administration, monitoring, and troubleshooting of a network. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
ESA-2011-029: Buffer overflow vulnerability in multiple EMC Ionix products. EMC will communicate the fixes for all other affected products as they become available. Regularly check EMC Knowledgebase solution emc274245 for the status of these fixes.
Link to remedies:
Registered EMC Powerlink customers can download software from Powerlink. For EMC Ionix Software, navigate in Powerlink to Home > Support > Software Downloads and Licensing > Downloads E-I
Because the view is restricted based on customer agreements, you may not have permission to view certain downloads. Should you not see a software download you believe you should have access to, follow the instructions in EMC Knowledgebase solution emc116045.
Credits:
EMC would like to thank Abdul Aziz Hariri working with TippingPoint's Zero Day Initiative (http://www.zerodayinitiative.com) for reporting this issue.
For explanation of Severity Ratings, refer to EMC Knowledgebase solution emc218831.
EMC Corporation distributes EMC Security Advisories in order to bring to the attention of users of the affected EMC products important security information. EMC recommends all users determine the applicability of this information to their individual situations and take appropriate action. In no event shall EMC or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if EMC or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
Cisco has released free software updates that address these
vulnerabilities.
There are no workarounds available to mitigate these vulnerabilities.
This advisory is posted at:
http://www.cisco.com/warp/public/707/cisco-sa-20110914-cusm.shtml
Note: CiscoWorks LAN Management Solution is also affected by these
vulnerabilities. The Software
Update page displays the licensing and software version.
They provides a way to continuously monitor active calls supported by
the Cisco Unified Communications System.
Both of these vulnerabilities are documented in Cisco bug ID
CSCtn42961 ( registered customers only) and have been assigned CVE ID
CVE-2011-2738.
Vulnerability Scoring Details
+----------------------------
Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at:
http://intellishield.cisco.com/security/alertmanager/cvss
* CSCtn42961 - Cisco Unified Service Monitor Remote Code Execution
CVSS Base Score - 10
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 8.3
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of these vulnerabilities could allow an
unauthenticated, remote attacker to execute arbitrary code on
affected servers.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to determine
exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
Mitigations that can be deployed on Cisco devices within the network
are available in the Cisco Applied Mitigation Bulletin companion
document for this advisory, which is available at the following link:
http://www.cisco.com/warp/public/707/cisco-amb-201100914-cusm-lms.shtml
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should
consult their maintenance provider or check the software for feature
set compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound
by the terms of Cisco's software license terms found at
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html
or as otherwise set forth at Cisco.com Downloads at:
http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, this means that
upgrades should be obtained through the Software Center on Cisco's
worldwide website at http://www.cisco.com.
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco
service contract, and customers who purchase through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should acquire upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to
a free upgrade. Free upgrades for non-contract customers must be
requested through the TAC.
Refer to:
http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
for additional TAC contact information, including localized telephone
numbers, and instructions and e-mail addresses for use in various
languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerabilities described in this advisory.
These vulnerabilities were reported to Cisco by ZDI and discovered by
AbdulAziz Hariri.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at :
http://www.cisco.com/warp/public/707/cisco-sa-20110914-cusm.shtml
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+----------------------------------------+
| Revision | | Initial |
| 1.0 | 2011-September-14 | public |
| | | release |
+----------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This includes instructions for press inquiries regarding Cisco security notices.
All Cisco security advisories are available at:
http://www.cisco.com/go/psirt
+--------------------------------------------------------------------
Copyright 2010-2011 Cisco Systems, Inc. All rights reserved.
+--------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (SunOS)
iFcDBQFOb9w/QXnnBKKRMNARCBomAP9pCiRwCB8z3oe3IWB2XXNzeaQxAwoq0gQ4
6znwu3lLSAD/Y6o+u8AofSMxkj3THWIdpbjVXKQXMal/BhxDhN5fsI8=
=Ybok
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
VAR-201202-0093 | CVE-2012-0314 | Emobile Pocket WiFi GP02 Cross-Site Request Forgery Vulnerability |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Multiple cross-site request forgery (CSRF) vulnerabilities on the eAccess Pocket WiFi (aka GP02) router before 2.00 with firmware 11.203.11.05.168 and earlier allow remote attackers to hijack the authentication of administrators for requests that (1) initialize settings or (2) reboot the device. Pocket WiFi (GP02) contains a cross-site request forgery vulnerability. Pocket WiFi (GP02) provided by eAccess Ltd. is a mobile wireless LAN router. Pocket WiFi (GP02) contains a cross-site request forgery vulnerability. Naoto Katsumi of LAC Co., Ltd. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.If a user views a malicious page while logged in, settings of Pocket WiFi (GP02) may be initialized, or Pocket WiFi (GP02) may be rebooted.
Successful exploits can result in privileged commands running on the affected devices, including changing settings and rebooting the device. This may lead to further network-based attacks. ----------------------------------------------------------------------
Secunia is hiring!
Find your next job here:
http://secunia.com/company/jobs/
----------------------------------------------------------------------
TITLE:
Emobile Pocket WiFi GP02 Cross-Site Request Forgery Vulnerability
SECUNIA ADVISORY ID:
SA47795
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/47795/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=47795
RELEASE DATE:
2012-02-01
DISCUSS ADVISORY:
http://secunia.com/advisories/47795/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/47795/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=47795
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
A vulnerability has been reported in Emobile Pocket Wifi GP02, which
can be exploited by malicious people to conduct cross-site request
forgery attacks.
The device's web interface allows users to perform certain actions
via HTTP requests without performing any validity checks to verify
the requests. This can be exploited to e.g. change settings and
reboot the device by tricking a logged in user into visiting a
malicious web site.
SOLUTION:
Install update. Please see the vendor's link for details.
PROVIDED AND/OR DISCOVERED BY:
JVN credits Naoto Katsumi, LAC Co.
ORIGINAL ADVISORY:
JVN (English):
http://jvndb.jvn.jp/en/contents/2012/JVNDB-2012-000010.html
http://jvn.jp/en/jp/JVN33021167/index.html
JVN (Japanese):
http://jvn.jp/jp/JVN33021167/index.html
Emobile:
http://emobile.jp/topics/info20120201_01.html
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
VAR-201112-0150 | CVE-2011-4052 | InduSoft Web Studio 'CEServer' Component Stack Buffer Overflow Vulnerability |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Stack-based buffer overflow in CEServer.exe in the CEServer component in the Remote Agent module in InduSoft Web Studio 6.1 and 7.0 allows remote attackers to execute arbitrary code via a crafted 0x15 (aka Remove File) operation for a file with a long name. Authentication is not required to exploit this vulnerability.The flaw exists within the CEServer component which is used as a runtime dependency for applications deployed using Indusoft WebStudio. When handling the Remove File operation (0x15) the process blindly copies user supplied data to a fixed-length buffer on the stack. A remote attacker can exploit this vulnerability to execute arbitrary code under the context of the browser. InduSoft Web Studio is a powerful and complete graphics control software that includes tools for developing Human Machine Interface (HMI), Management Control, Data Acquisition System (SCADA) and embedded control. This vulnerability exists in the CEServer component. Successful exploitation of the vulnerability can be applied. Failed attacks will likely cause denial-of-service conditions.
InduSoft Web Studio 6.1 and 7.0 are vulnerable. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
ZDI-11-329 : InduSoft WebStudio CEServer Operation 0x15 Remote Code
Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-11-329
November 16, 2011
- -- CVE ID:
CVE-2011-4052
- -- CVSS:
9, AV:N/AC:L/Au:N/C:P/I:P/A:C
- -- Affected Vendors:
Indusoft
- -- Affected Products:
Indusoft WebStudio
- -- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 11473.
- -- Vendor Response:
Indusoft has issued an update to correct this vulnerability. More
details can be found at:
http://www.indusoft.com/hotfixes/hotfixes.php
- -- Disclosure Timeline:
2011-04-27 - Vulnerability reported to vendor
2011-11-16 - Coordinated public release of advisory
- -- Credit:
This vulnerability was discovered by:
* Luigi Auriemma
- -- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.
Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:
http://www.zerodayinitiative.com
The ZDI is unique in how the acquired vulnerability information is
used. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product.
Our vulnerability disclosure policy is available online at:
http://www.zerodayinitiative.com/advisories/disclosure_policy/
Follow the ZDI on Twitter:
http://twitter.com/thezdi
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)
iQEcBAEBAgAGBQJOw/OyAAoJEFVtgMGTo1sc2YUH+gP/cuGw73puMBaLm0tVCIYX
5/oLkfc95efUB/iDPiz6lwGpuXV7DhS38nDzjwI2StJYMFqqbox1PtBot1eLvXHO
0td+uYQu5IxqJON0GM5IzwUFofsC2NO/go8riPCjNkBlHdJrUoTejKmVqZMRNmB4
ytGkVuASAL6/yA19JXGlTvrf3npIOsWStuhRaOCyAXlQV2M4J8+3CXixTwmuPjeN
bn2IUmW5aXYDpcUpHb7m4FTyH16TGHTt0DmqWgyW5q0pCRp23NKNPdEzBQtA+y2K
Jj3ndSNFLENTWMgwGE5V+r5Lkn83YJ928dFSrSjYUHOH5sgxxgPZxgiPBFkj7os=
=m2zu
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
. ----------------------------------------------------------------------
Secunia is hiring!
Find your next job here:
http://secunia.com/company/jobs/
----------------------------------------------------------------------
TITLE:
InduSoft Web Studio CEServer Security Bypass and Buffer Overflow
Vulnerabilities
SECUNIA ADVISORY ID:
SA46871
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/46871/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=46871
RELEASE DATE:
2011-11-16
DISCUSS ADVISORY:
http://secunia.com/advisories/46871/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/46871/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=46871
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
A security issue and a vulnerability have been reported in InduSoft
Web Studio, which can be exploited by malicious people to bypass
certain security restrictions and compromise a vulnerable system.
1) An error within the remote agent component (CEServer.exe) when
processing incoming requests can be exploited to bypass the
authentication mechanism.
The security issue and the vulnerability are reported in versions
prior to 7.0 Service Pack 1 Patch 1.
SOLUTION:
Apply Service Pack 1 Patch 1.
PROVIDED AND/OR DISCOVERED BY:
The vendor credits Luigi Auriemma via ZDI.
ORIGINAL ADVISORY:
InduSoft:
http://www.indusoft.com/hotfixes/hotfixes.php
ICS-CERT:
http://www.us-cert.gov/control_systems/pdf/ICSA-11-319-01.pdf
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
VAR-201112-0091 | CVE-2011-5001 | Trend Micro Control Manager 'CmdProcessor.exe' Remote code execution vulnerability |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Stack-based buffer overflow in the CGenericScheduler::AddTask function in cmdHandlerRedAlertController.dll in CmdProcessor.exe in Trend Micro Control Manager 5.5 before Build 1613 allows remote attackers to execute arbitrary code via a crafted IPC packet to TCP port 20101. Authentication is not required to exploit this vulnerability.The specific flaw exists within CmdProcessor.exe service running on TCP port 20101. The vulnerable function is the CGenericScheduler::AddTask function of cmdHandlerRedAlertController.dll. When processing a specially crafted IPC packet, controlled data is copied into a 256-byte stack buffer. This can be exploited to execute remote code under the context of the user. Trend Micro Control Manager (TMCM) is a centralized security management console from Trend Micro that enables unified coordination of Trend Micro products and services. Failed attacks will cause denial-of-service conditions. ----------------------------------------------------------------------
Secunia is hiring!
Find your next job here:
http://secunia.com/company/jobs/
----------------------------------------------------------------------
TITLE:
Trend Micro Control Manager "CGenericScheduler::AddTask()" Buffer
Overflow Vulnerability
SECUNIA ADVISORY ID:
SA47114
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/47114/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=47114
RELEASE DATE:
2011-12-08
DISCUSS ADVISORY:
http://secunia.com/advisories/47114/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/47114/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=47114
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
A vulnerability has been reported in Trend Micro Control Manager,
which can be exploited by malicious people to compromise a vulnerable
system.
The vulnerability is caused due to a boundary error within the
"CGenericScheduler::AddTask()" function in
cmdHandlerRedAlertController.dll when handling certain IPC packets.
The vulnerability is reported in version 5.5.
SOLUTION:
Update to version 5.5.0.1613.
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
PROVIDED AND/OR DISCOVERED BY:
Luigi Auriemma via ZDI.
ORIGINAL ADVISORY:
Trend Micro:
http://www.trendmicro.com/ftp/documentation/readme/readme_critical_patch_TMCM55_1613.txt
ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-11-345/
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
ZDI-11-345 : TrendMicro Control Manager CmdProcessor.exe AddTask
Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-11-345
December 7, 2011
- -- CVE ID:
- -- CVSS:
9.7, AV:N/AC:L/Au:N/C:C/I:P/A:C
- -- Affected Vendors:
Trend Micro
- -- Affected Products:
Trend Micro Control Manager
- -- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 11469. More
details can be found at:
http://downloadcenter.trendmicro.com/index.php?prodid=7
- -- Disclosure Timeline:
2011-04-04 - Vulnerability reported to vendor
2011-12-07 - Coordinated public release of advisory
- -- Credit:
This vulnerability was discovered by:
* Luigi Auriemma
- -- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.
Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:
http://www.zerodayinitiative.com
The ZDI is unique in how the acquired vulnerability information is
used. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product.
Our vulnerability disclosure policy is available online at:
http://www.zerodayinitiative.com/advisories/disclosure_policy/
Follow the ZDI on Twitter:
http://twitter.com/thezdi
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)
iQEcBAEBAgAGBQJO3+GTAAoJEFVtgMGTo1sc5ccIAJ3q7sFo1wZYonvkXdF9DoQL
VasDMEdu+0W3wy+NllFJAMXGTnxnLlnZ/rpV4be90eEE2m8iQ23SDJLrXR4JsyRN
rN5LEHGJL0Ijyphq4gy7FRNMu6/eoaJSP5TEhnNcGXAvBb4MblyKcIDfmTgn2fhO
QSfM022Xce6Q9pVnfymQLHLnsSt48b7uGJY4G2cGe9Ao0gi3uPyB5qvK6osOTtof
7f9rZ8mNXRGutfNUYWiB0xlOSqJBiufj1ukVHQ4eScBsGHhHeOJNT+kepiUVASum
/m7LC8i6JqA9wpVgDV/Od1fFYzsyTwhYdamlW8ULI/Caj1MYQopEl2Zy3bcbRX8=
=VzVD
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
VAR-190001-0882 | No CVE | Multiple cross-site scripting vulnerabilities in vtiger CRM 'index.php' |
CVSS V2: - CVSS V3: - Severity: MEDIUM |
Vtiger CRM is a web-based open source customer relationship management system. There are multiple cross-site scripting vulnerabilities in vtiger CRM. Because the program fails to properly filter user-supplied input, an attacker could exploit this vulnerability to execute arbitrary script code in a trusted user's browser in the affected site context, stealing cookie-based authentication and initiating other attacks. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
vtiger CRM 5.2.1 is vulnerable; other versions may also be affected. vtiger CRM is a free, full-featured, 100% Open Source CRM softwareideal for small and medium businesses, with low-cost product support availableto production users that need reliable support.vtiger CRM suffers from a XSS vulnerability when parsing user input tothe '_operation' and 'search' parameters via GET method in '/modules/mobile/index.php'script. ----------------------------------------------------------------------
Secure your corporate defenses and reduce complexity in handling vulnerability threats with the new Secunia Vulnerability Intelligence Manager (VIM) Beta.
Join the beta:
http://secunia.com/products/corporate/vim/
----------------------------------------------------------------------
TITLE:
vtiger CRM "default_user_name" Cross-Site Scripting Vulnerability
SECUNIA ADVISORY ID:
SA42304
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/42304/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=42304
RELEASE DATE:
2010-11-18
DISCUSS ADVISORY:
http://secunia.com/advisories/42304/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/42304/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=42304
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
A vulnerability has been discovered in vtiger CRM, which can be
exploited by malicious people to conduct cross-site scripting
attacks.
Input passed via the "default_user_name" parameter to index.php (when
"module" is set to "Users" and "action" is set to "Login") is not
properly sanitised in modules/Users/Login.php before being returned
to the user.
The vulnerability is confirmed in version 5.2.1.
SOLUTION:
Edit the source code to ensure that input is properly sanitised.
PROVIDED AND/OR DISCOVERED BY:
Giovanni "evilaliv3" Pellerano and Alessandro "jekil" Tanasi
ORIGINAL ADVISORY:
Giovanni Pellerano and Alessandro Tanasi:
http://www.ush.it/team/ush/hack-vtigercrm_520/vtigercrm_520.txt
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
VAR-201110-0247 | CVE-2011-3272 | Cisco IOS of IP SLA Service disruption in functionality ( Memory corruption and device reload ) Vulnerabilities |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
The IP Service Level Agreement (IP SLA) functionality in Cisco IOS 15.1, and IOS XE 2.1.x through 3.3.x, allows remote attackers to cause a denial of service (memory corruption and device reload) via malformed IP SLA packets, aka Bug ID CSCtk67073. Cisco IOS is prone to a remote denial-of-service vulnerability.
An attacker can exploit this issue to cause the affected devices to reload, denying service to legitimate users. Repeat attacks will result in denial-of-service condition.
This issue is tracked by Cisco Bug ID CSCtk67073. Cisco's Internet Operating System (IOS) is a complex operating system optimized for Internet interconnection. The data flow interaction function DLSw can realize the transmission of IBM SNA and network BIOS traffic on the IP network. ----------------------------------------------------------------------
Ovum says ad hoc tools are out-dated. The best practice approach?
Fast vulnerability intelligence, threat handling, and setup in one tool.
Please see the vendor's advisory for a list of affected versions.
SOLUTION:
Update to a fixed version (please see the vendor's advisory for
details).
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
http://www.cisco.com/warp/public/707/cisco-sa-20110928-ipsla.shtml
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor. The vulnerability is triggered
when malformed UDP packets are sent to a vulnerable device. The
vulnerable UDP port numbers depend on the device configuration.
Default ports are not used for the vulnerable UDP IP SLA operation or
for the UDP responder ports.
Cisco has released free software updates that address this
vulnerability.
This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20110928-ipsla.shtml.
Note: The September 28, 2011, Cisco IOS Software Security Advisory
bundled publication includes ten Cisco Security Advisories. Each advisory lists the Cisco IOS Software releases that
correct the vulnerability or vulnerabilities detailed in the advisory as
well as the Cisco IOS Software releases that correct all vulnerabilities
in the September 2011 Bundled Publication.
Individual publication links are in "Cisco Event Response: Semiannual
Cisco IOS Software Security Advisory Bundled Publication" at the
following link:
http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_sep11.html
Affected Products
=================
Vulnerable Products
+------------------
Cisco devices that are running Cisco IOS Software are vulnerable when
they are configured for IP SLA, either as responders or as
originators of vulnerable IP SLA operations.
To determine the Cisco IOS Software release that is running on a Cisco
product, administrators can log in to the device and issue the "show
version" command to display the system banner. The system banner
confirms that the device is running Cisco IOS Software by displaying
text similar to "Cisco Internetwork Operating System Software" or "Cisco
IOS Software." The image name displays in parentheses, followed by
"Version" and the Cisco IOS Software release name. Other Cisco devices
do not have the "show version" command or may provide different output.
The following example shows output from a device that runs a Cisco
IOS Software image:
Router> show version
Cisco IOS Software, C3900 Software (C3900-UNIVERSALK9-M), Version 15.0(1)M1, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2009 by Cisco Systems, Inc.
Compiled Wed 02-Dec-09 17:17 by prod_rel_team
!--- output truncated
Additional information about Cisco IOS Software release naming
conventions is available in the white paper Cisco IOS and NX-OS
Software Reference Guide available at:
http://www.cisco.com/web/about/security/intelligence/ios-ref.html
Products Confirmed Not Vulnerable
+--------------------------------
No other Cisco products are currently known to be affected by this
vulnerability.
Details
=======
IP SLA is an embedded agent in Cisco IOS Software designed to measure
and monitor common network performance metrics like jitter, latency
(delay), and packet loss.
The vulnerability that is described in this document is triggered by
malformed UDP packets triggered by malformed IP SLA packets sent to
the vulnerable device and port. A vulnerable device can be an IP SLA
responder or the source device of a vulnerable IP SLA operation.
Vulnerable IP SLA Responder Configurations
+-----------------------------------------
A device configured either as an IP SLA general responder or a
permanent IP SLA UDP responder is vulnerable.
The general responder processes IP SLA control protocol packets on
UDP port 1967 and then may dynamically open vulnerable UDP ports
according to the IP SLA operations requested using the control
protocol. The configuration for a general responder is as follows:
ip sla responder
The IP SLA UDP permanent responder is also vulnerable. An example
configuration is as follows:
ip sla responder udp-echo port 300
There is no default UDP port number for the UDP permanent responder
Alternatively, both the general responder and the permanent responder
can be identified with the "show ip sla responder" command. The general
responder is vulnerable when it has been enabled. The permanent
responder is vulnerable only when it has been enabled and the "udpEcho
Responder" is present. In the Following example, the general responder
is not vulnerable because it has not been enabled but the permanent
responder is vulnerable because it has been enabled with a UDP echo
responder:
Router# show ip sla responder
General IP SLA Responder on Control port 1967
General IP SLA Responder is: Disabled
Permanent Port IP SLA Responder
Permanent Port IP SLA Responder is: Enabled
udpEcho Responder:
IP Address Port
0.0.0.0 300
Vulnerable IP SLA Source Device Configurations
+---------------------------------------------
An IP SLA source device is a Cisco IOS device that has at least one
IP SLA operation configured. To be vulnerable a probe originator
needs to have at least one scheduled probe that uses either of the
following IP SLA operations:
* udp-jitter probe
* udp-echo
A vulnerable IP SLA source device configuration includes all the
following commands:
* An "ip sla" global configuration command to define an IP SLA
operation
* Either a "udp-echo" or a "udp-jitter" IP SLA configuration command
* An "ip sla schedule" global configuration command that activates
one of the probes that uses a vulnerable IP SLA operation
The following examples show a source device that is configured for IP
SLA UDP echo and UDP jitter probes:
ip sla 201
udp-echo 192.168.134.21 201
ip sla schedule 201 start-time now
ip sla 301
udp-jitter 192.168.134.121 122
ip sla schedule 301 start-time now
The destination UDP ports for the probes need to be configured. If
the source UDP port is not configured an available port number will
be used when the probe is started. A device that originates a
vulnerable operation will be vulnerable on the source UDP ports of
the probe and a responder will be vulnerable on the destination UDP
port used for the probe.
IP SLA probes can be configured using Simple Network Management
Protocol (SNMP). In that case, by default, the "show running
configuration" command will not include the IP SLA probe
configuration. The "show ip sla configuration" command can be used to
verify whether a probe has been configured either by the command line
or via SNMP.
Router# show ip sla configuration | include operation
Type of operation to perform: udp-jitter
Type of operation to perform: udp-echo
Vulnerability Scoring Details
=============================
Cisco has provided scores for the vulnerability in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at:
http://intellishield.cisco.com/security/alertmanager/cvss
* CSCtk67073 ("IP SLA Memory Corruption Vulnerability")
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of the vulnerability described in this
document may result in the reload of a vulnerable device.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to determine
exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
Additionally, the Cisco IOS Software Checker is available on
the Cisco Security Intelligence Operations (SIO) portal at
http://tools.cisco.com/security/center/selectIOSVersion.x. It provides
several features for checking which Security Advisories affect specified
versions of Cisco IOS Software.
Cisco IOS Software
+-----------------
Each row of the following Cisco IOS Software table corresponds to a
Cisco IOS Software train. If a particular train is vulnerable, the
earliest releases that contain the fix are listed in the First Fixed
Release For This Advisory column. The First Fixed Release for All
Advisories in the September 2011 Bundled Publication column lists the
earliest possible releases that correct all the published
vulnerabilities in the Cisco IOS Software Security Advisory bundled
publication. Cisco recommends upgrading to the latest available
release, where possible.
+------------------------------------------------------------+
| Major | Availability of Repaired Releases |
| Release | |
|------------+-----------------------------------------------|
| Affected | | First Fixed Release for |
| 12.0-Based | First Fixed | All Advisories in the |
| Releases | Release | September 2011 Bundled |
| | | Publication |
|------------------------------------------------------------|
| There are no affected 12.0-based releases |
|------------------------------------------------------------|
| Affected | | First Fixed Release for |
| 12.1-Based | First Fixed | All Advisories in the |
| Releases | Release | September 2011 Bundled |
| | | Publication |
|------------------------------------------------------------|
| There are no affected 12.1-based releases |
|------------------------------------------------------------|
| Affected | | First Fixed Release for |
| 12.2-Based | First Fixed | All Advisories in the |
| Releases | Release | September 2011 Bundled |
| | | Publication |
|------------------------------------------------------------|
| There are no affected 12.2-based releases |
|------------------------------------------------------------|
| Affected | | First Fixed Release for |
| 12.3-Based | First Fixed | All Advisories in the |
| Releases | Release | September 2011 Bundled |
| | | Publication |
|------------------------------------------------------------|
| There are no affected 12.3-based releases |
|------------------------------------------------------------|
| Affected | | First Fixed Release for |
| 12.4-Based | First Fixed | All Advisories in the |
| Releases | Release | September 2011 Bundled |
| | | Publication |
|------------------------------------------------------------|
| There are no affected 12.4-based releases |
|------------------------------------------------------------|
| Affected | | First Fixed Release for |
| 15.0-Based | First Fixed | All Advisories in the |
| Releases | Release | September 2011 Bundled |
| | | Publication |
|------------------------------------------------------------|
| There are no affected 15.0-based releases |
|------------------------------------------------------------|
| Affected | | First Fixed Release for |
| 15.1-Based | First Fixed | All Advisories in the |
| Releases | Release | September 2011 Bundled |
| | | Publication |
|------------+------------------+----------------------------|
| | | Vulnerable; contact your |
| | | support organization per |
| 15.1EY | Not vulnerable | the instructions in the |
| | | Obtaining Fixed Software |
| | | section of this advisory. |
|------------+------------------+----------------------------|
| | Vulnerable; | Vulnerable; first fixed in |
| 15.1GC | first fixed in | Release 15.1T |
| | Release 15.1T | |
|------------+------------------+----------------------------|
| 15.1M | Not vulnerable | 15.1(4)M2; Available on |
| | | 30-SEP-11 |
|------------+------------------+----------------------------|
| | | Vulnerable; contact your |
| | | support organization per |
| 15.1MR | Not vulnerable | the instructions in the |
| | | Obtaining Fixed Software |
| | | section of this advisory. |
|------------+------------------+----------------------------|
| | 15.1(2)S | 15.1(2)S2 |
| | | |
| | Cisco IOS XE | 15.1(3)S |
| 15.1S | devices: Please | |
| | see Cisco IOS-XE | Cisco IOS XE devices: |
| | Software | Please see Cisco IOS-XE |
| | Availability | Software Availability |
|------------+------------------+----------------------------|
| | 15.1(1)T3 | 15.1(1)T4; Available on |
| | | 08-DEC-11 |
| 15.1T | 15.1(2)T4 | |
| | | 15.1(2)T4 |
| | 15.1(3)T2 | |
| | | 15.1(3)T2 |
|------------+------------------+----------------------------|
| | Vulnerable; | Vulnerable; first fixed in |
| 15.1XB | first fixed in | Release 15.1T |
| | Release 15.1T | |
|------------+------------------+----------------------------|
| Affected | | First Fixed Release for |
| 15.2-Based | First Fixed | All Advisories in the |
| Releases | Release | September 2011 Bundled |
| | | Publication |
|------------------------------------------------------------|
| There are no affected 15.2-based releases |
+------------------------------------------------------------+
Cisco IOS XE Software
+--------------------
Cisco IOS XE Software is affected by the vulnerability disclosed in
this document.
+------------------------------------------------------------+
| Cisco | First Fixed | First Fixed Release for All |
| IOS XE | Release | Advisories in the September |
| Release | | 2011 Bundled Publication |
|---------+-----------------+--------------------------------|
| | Vulnerable; | Vulnerable; migrate to 3.3.2S |
| 2.1.x | migrate to | or later |
| | 3.3.2S or later | |
|---------+-----------------+--------------------------------|
| | Vulnerable; | Vulnerable; migrate to 3.3.2S |
| 2.2.x | migrate to | or later |
| | 3.3.2S or later | |
|---------+-----------------+--------------------------------|
| | Vulnerable; | Vulnerable; migrate to 3.3.2S |
| 2.3.x | migrate to | or later |
| | 3.3.2S or later | |
|---------+-----------------+--------------------------------|
| | Vulnerable; | Vulnerable; migrate to 3.3.2S |
| 2.4.x | migrate to | or later |
| | 3.3.2S or later | |
|---------+-----------------+--------------------------------|
| | Vulnerable; | Vulnerable; migrate to 3.3.2S |
| 2.5.x | migrate to | or later |
| | 3.3.2S or later | |
|---------+-----------------+--------------------------------|
| | Vulnerable; | Vulnerable; migrate to 3.3.2S |
| 2.6.x | migrate to | or later |
| | 3.3.2S or later | |
|---------+-----------------+--------------------------------|
| | Vulnerable; | Vulnerable; migrate to 3.3.2S |
| 3.1.xS | migrate to | or later |
| | 3.3.2S or later | |
|---------+-----------------+--------------------------------|
| | Vulnerable; | |
| 3.1.xSG | migrate to | Vulnerable; migrate to 3.2.0SG |
| | 3.2.0SG or | or later |
| | later | |
|---------+-----------------+--------------------------------|
| | Vulnerable; | Vulnerable; migrate to 3.3.2S |
| 3.2.xS | migrate to | or later |
| | 3.3.2S or later | |
|---------+-----------------+--------------------------------|
| 3.2.xSG | Not vulnerable | Not vulnerable |
|---------+-----------------+--------------------------------|
| 3.3.xS | 3.3.0S | 3.3.2S |
|---------+-----------------+--------------------------------|
| 3.4.xS | Not vulnerable | Not vulnerable |
+------------------------------------------------------------+
For mapping of Cisco IOS XE to Cisco IOS releases, please refer to
the Cisco IOS XE 2 Release Notes, Cisco IOS XE 3S Release Notes, and
Cisco IOS XE 3SG Release Notes.
Cisco IOS XR Software
+--------------------
Cisco IOS XR Software is not affected by any of the vulnerabilities
in the September 2011 bundled publication.
Workarounds
===========
There are no workarounds for this vulnerability, but there are
mitigations that can be deployed on a general IP SLA responder to
reduce the exposure to this vulnerability.
General IP SLA Responder Mitigation
+----------------------------------
For devices that are configured as general responders, a mitigation
is to restrict IP SLA control packets on UDP port 1967 that are
addressed to the vulnerable device to permit only trusted probe
originators to open UDP ports that could be exploited. This can be
accomplished using techniques such as Infrastructure Access list or
Control Plane Protection.
For devices configured as general responders, mitigation techniques
that can be deployed on Cisco devices within the network are
available in the Cisco Applied Mitigation Bulletin companion document
for this advisory:
http://www.cisco.com/warp/public/707/cisco-amb-20110928-ipsla.shtml
IP SLA Permanent Responder Mitigation
+------------------------------------
For the permanent responder, the mitigation is to filter UDP packets
addressed to the configured UDP port of each permanent responder to
permit packets from the IP addresses of trusted devices.
IP SLA Source Devices Mitigation
+-------------------------------
For IP SLA source devices, a mitigation is to allow only UDP packets
from trusted devices (that is, devices that are the target of IP SLA
operations).
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should
consult their maintenance provider or check the software for feature
set compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature
sets they have purchased. By installing, downloading, accessing
or otherwise using such software upgrades, customers agree to be
bound by the terms of Cisco's software license terms found at
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html,
or as otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml.
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, this means that
upgrades should be obtained through the Software Center on Cisco's
worldwide website at http://www.cisco.com.
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco
service contract, and customers who purchase through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should acquire upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to
a free upgrade. Free upgrades for non-contract customers must be
requested through the TAC.
Refer to
http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
for additional TAC contact information, including localized telephone
numbers, and instructions and e-mail addresses for use in various
languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerability described in this advisory.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at:
http://www.cisco.com/warp/public/707/cisco-sa-20110928-ipsla.shtml
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+------------------------------------------------------------+
| Revision 1.0 | 2011-Sep-28 | Initial public release |
+------------------------------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities
in Cisco products, obtaining assistance with security
incidents, and registering to receive security information
from Cisco, is available on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html.
This includes instructions for press inquiries regarding
Cisco security notices. All Cisco security advisories are available at
http://www.cisco.com/ go/psirt.
+--------------------------------------------------------------------
Copyright 2010-2011 Cisco Systems, Inc. All rights reserved.
+--------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iF4EAREIAAYFAk6Cp2MACgkQQXnnBKKRMNBZ6gD/WbLQXIuIcQjySn9TOSycPflx
p7H07864wibshk3qznsA/37viRZKYBrkXc+mgT5C5kIs9Elx3l+L5v0EDJ1K+jZI
=OF08
-----END PGP SIGNATURE-----
VAR-201107-0229 | CVE-2011-2667 | CA Gateway Security and CA Total Defense Used in CA Gateway Security for HTTP of Icihttp.exe Vulnerable to arbitrary code execution |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Icihttp.exe in CA Gateway Security for HTTP, as used in CA Gateway Security 8.1 before 8.1.0.69 and CA Total Defense r12, does not properly parse URLs, which allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption and daemon crash) via a malformed request. Authentication is not required to exploit this vulnerability. The specific flaw exists within the Icihttp.exe module (CA Gateway Security for HTTP), which responds to incoming HTTP requests on port 8080. Due to a flawed copy-loop algorithm in the URL parsing routine, it is possible for a remote unauthenticated user to cause an exploitable heap corruption condition. This could result in the execution of arbitrary code under the context of the Gateway Security service. Computer Associates Total Defense and Gateway Security are prone to a remote code-execution vulnerability.
Successfully exploiting this issue will allow attackers to execute arbitrary code with elevated privileges, completely compromising affected computers.
Total Defense r12 and Gateway Security 8.1 are vulnerable; other versions may also be affected. CA has issued an update that
resolves the vulnerability.
The vulnerability, CVE-2011-2667, occurs due to insufficient bounds
checking that can result in a memory overwrite on the heap. By
sending a malformed request, an attacker can overwrite a sensitive
portion of heap memory, which can potentially result in server
compromise. If the version displayed is less than 8.1.0.69,
the installation is vulnerable.
Solution
Gateway Security r8.1:
Apply fix RO32642
Alternatively, update to Gateway Security 9.0 available from the CA
support site.
(url line wraps)
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=17
7782
Regards,
Kevin Kotas
CA Product Vulnerability Response Team
-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1
iQEVAwUBTicU8pI1FvIeMomJAQHDpQgAlZ5TqT9B+I4zd20wzh8GhajqGb8BIuxo
sCToQG5jq+kUX1QMnL+MVv4A0nR2o2P8cgxEhNtpEOyHnTeKvBuT//ALBpQgjYQ3
lMY3tRNrqEo1BAD9x/GqVp/xIBiaqkL80bt0BXmvxxhKblSX30mUA8D+v8P+DPrO
eR+VEB7feWQ9LaqjIeEa5t8P5/TxuA+XNv0EdWtU7OAFc/IzXiu91XF++I+UJs3V
l9Kvdj7x7JXyqZXc3943eUR/zqbxXO2/h/67Gj+N5ub1S4TBkPuoUMcPQ3o3l2WZ
75HcRT6AIHZ6shTbD20TCl1LUs4uKmJYc41kfbCEX3BsU12WbbV+zw==
=w+9B
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it. ----------------------------------------------------------------------
The Secunia Vulnerability Intelligence Manager (VIM) enables you to handle vulnerability threats in a simple, cost effective way.
Read more and request a free trial:
http://secunia.com/products/corporate/vim/
----------------------------------------------------------------------
TITLE:
CA Gateway Security URL Parsing Vulnerability
SECUNIA ADVISORY ID:
SA45332
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/45332/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=45332
RELEASE DATE:
2011-07-22
DISCUSS ADVISORY:
http://secunia.com/advisories/45332/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/45332/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=45332
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
A vulnerability has been reported in CA Gateway Security, which can
be exploited by malicious people to compromise a vulnerable system. This can be
exploited to corrupt heap memory via specially crafted HTTP requests
sent to TCP 8080.
The vulnerability is reported in versions prior to 8.1.0.69.
SOLUTION:
Apply patch RO32642.
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
PROVIDED AND/OR DISCOVERED BY:
Andrea Micalizzi aka rgod via ZDI.
ORIGINAL ADVISORY:
CA:
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={5E404992-6B58-4C44-A29D-027D05B6285D}
ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-11-237/
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
.
-- Vendor Response:
CA states:
CA20110720-01: Security Notice for CA Gateway Security and Total
Defense
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=%7b5E404992-6B58-4C44-A29D-027D05B6285D%7d
-- Disclosure Timeline:
2011-01-21 - Vulnerability reported to vendor
2011-07-20 - Coordinated public release of advisory
-- Credit:
This vulnerability was discovered by:
* Andrea Micalizzi aka rgod
-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.
Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:
http://www.zerodayinitiative.com
The ZDI is unique in how the acquired vulnerability information is
used. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product.
Our vulnerability disclosure policy is available online at:
http://www.zerodayinitiative.com/advisories/disclosure_policy/
Follow the ZDI on Twitter:
http://twitter.com/thezdi
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
VAR-201112-0166 | CVE-2011-2461 | Adobe Flex SDK Vulnerable to cross-site scripting |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Cross-site scripting (XSS) vulnerability in the Adobe Flex SDK 3.x and 4.x before 4.6 allows remote attackers to inject arbitrary web script or HTML via vectors related to the loading of modules from different domains.
An attacker could exploit this vulnerability to execute arbitrary script code in the context of a web application built using the SDK. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
Adobe Flex SDK 4.5.1 and prior versions are affected. Provide your organization, distributed enterprise or managedservice offering with an intuitive, powerful way to rapidly deploy andcentrally manage SonicWall solutions, with SonicWall GMS. Get more valuefrom your firewall, secure remote access, anti-spam, and backup and recoverysolutions with enhanced network security monitoring and robust networksecurity reporting. By deploying GMS in an enterprise, you can minimizeadministrative overhead by streamlining security appliance deploymentand policy management.Dell SonicWALL GMS versions 8.1 and below are compiled witha vulnerable version of Adobe Flex SDK allowing for same-originrequest forgery and cross-site content hijacking.Tested on: SonicWALLMySQL/5.0.96-community-ntApache-Coyote/1.1Apache Tomcat 6.0.41. ----------------------------------------------------------------------
Secunia is hiring!
Find your next job here:
http://secunia.com/company/jobs/
----------------------------------------------------------------------
TITLE:
Adobe Flex Cross-Site Scripting Vulnerability
SECUNIA ADVISORY ID:
SA47053
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/47053/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=47053
RELEASE DATE:
2011-12-01
DISCUSS ADVISORY:
http://secunia.com/advisories/47053/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/47053/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=47053
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
A vulnerability has been reported in Adobe Flex, which can be
exploited by malicious people to conduct cross-site scripting
attacks.
Certain unspecified input passed to SWF files developed using the
framework is not properly sanitised before being returned to the
user.
SOLUTION:
Apply patches (please see the vendor's advisory for more
information).
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
Adobe (APSB11-25):
http://www.adobe.com/support/security/bulletins/apsb11-25.html
http://kb2.adobe.com/cps/915/cpsid_91544.html
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
. This is actually a Flex bug. (CVE-2011-2461) which can lead to
Same-Origin Request Forgery
and Cross-Site Content Hijacking.
Although adobe patched this bug, it is possible to exploit it in fully
patched browsers with
the latest version of Adobe Flash Player;
CVE-2011-2461 is best explained by Mindedsecurity at
http://blog.mindedsecurity.com/2015/03/the-old-is-new-again-cve-2011-2461-is.html
This also leads to a Flash XSS in some older browsers.
an attacker will create a malicious HTML page and embed the vulneable flash.
When successfully exploited a Same Origin Request Forgery attack
allows a malicious web site to perform arbitrary requests to the
vulnerable site, and read its response without restrictions.
You can test vulnerable flash files with https://github.com/ikkisoft/ParrotNG/
Vulnerable files:
http://[magento_url]/skin/adminhtml/default/default/media/editor.swf
http://[magento_url]/skin/adminhtml/default/default/media/Uploader.swf
http://[magento_url]/skin/adminhtml/default/default/media/UploaderSingle.swf
VAR-201207-0005 | CVE-2011-2199 | Tftp-hpa FTP Server 'utimeout' option remote buffer overflow vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Buffer overflow in tftp-hpa before 5.1 allows remote attackers to cause a denial of service and possibly execute arbitrary code via the utimeout option. Tftpd-hpa is a feature-enhanced TFTP server. There is a buffer overflow in the function that sets the utimeout option in the tftp-hpa daemon. This vulnerability can be exploited remotely because the program receives options from the client settings. tftp-hpa FTP server is prone to a buffer-overflow vulnerability.
An attacker can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition.
Versions prior to tftp-hpa 5.1 are vulnerable. PRE-CERT Security Advisory
==========================
* Advisory: PRE-SA-2011-05
* Released on: 22 Jun 2011
* Last updated on: 22 Jun 2011
* Affected product: tftp-hpa 0.30 - 5.0
* Impact: buffer overflow
* Origin: remote tftp client
* Credit: Timo Warns (PRESENSE Technologies GmbH)
* CVE Identifier: CVE-2011-2199
Summary
-------
The tftp-hpa daemon contains a buffer overflow vulnerability in the
function for setting the utimeout option.
Solution
--------
For a patch, see
http://git.kernel.org/?p=network/tftp/tftp-hpa.git;a=commitdiff;h=f3035c45bc50bb5cac87ca01e7ef6a12485184f8
References
----------
When further information becomes available, this advisory will be
updated. The most recent version of this advisory is available at:
http://www.pre-cert.de/advisories/PRE-SA-2011-05.txt
Contact
-------
PRE-CERT can be reached under precert@pre-secure.de. For PGP
key information, refer to http://www.pre-cert.de/.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201206-12
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: High
Title: tftp-hpa: Remote buffer overflow
Date: June 21, 2012
Bugs: #374001
ID: 201206-12
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
A vulnerability was found in tftp-hpa, which leads to remote execution
of arbitrary code.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 net-ftp/tftp-hpa < 5.1 >= 5.1
Description
===========
A vulnerability has been discovered in tftp-hpa. Please review the CVE
identifier referenced below for details.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All tftp-hpa users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-ftp/tftp-hpa-5.1"
References
==========
[ 1 ] CVE-2011-2199
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2199
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201206-12.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2012 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5