VARIoT IoT vulnerabilities database

Cisco IOS 12.4, 15.0, and 15.1 allows remote attackers to cause a denial of service (device reload) via malformed IPv6 packets, aka Bug ID CSCtj41194. An attacker can exploit this issue to cause the affected devices to reload, denying service to legitimate users. Repeat attacks will result in sustained denial-of-service condition. This issue is tracked by Cisco Bug ID CSCtj41194. Cisco's Internet Operating System (IOS) is a complex operating system optimized for Internet interconnection. The data flow interaction function DLSw can realize the transmission of IBM SNA and network BIOS traffic on the IP network. ---------------------------------------------------------------------- Ovum says ad hoc tools are out-dated. The best practice approach? Fast vulnerability intelligence, threat handling, and setup in one tool. Read the new report on the Secunia VIM: http://secunia.com/products/corporate/vim/ovum_2011_request/ ---------------------------------------------------------------------- TITLE: Cisco IOS IPv6 Packet Processing Denial of Service Vulnerability SECUNIA ADVISORY ID: SA46199 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/46199/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=46199 RELEASE DATE: 2011-10-30 DISCUSS ADVISORY: http://secunia.com/advisories/46199/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/46199/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=46199 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: A vulnerability has been reported in Cisco IOS, which can be exploited by malicious people to cause a DoS (Denial of Service). Please see the vendor's advisory for a list of affected versions. SOLUTION: Update to a fixed version (please see the vendor's advisory for details). PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: http://www.cisco.com/warp/public/707/cisco-sa-20110928-ipv6.shtml OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. The vulnerability may be triggered when the device processes a malformed IPv6 packet. Cisco has released free software updates that address this vulnerability. There are no workarounds to mitigate this vulnerability. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20110928-ipv6.shtml. Note: The September 28, 2011, Cisco IOS Software Security Advisory bundled publication includes ten Cisco Security Advisories. Each advisory lists the Cisco IOS Software releases that correct the vulnerability or vulnerabilities detailed in the advisory as well as the Cisco IOS Software releases that correct all vulnerabilities in the September 2011 Bundled Publication. Individual publication links are in "Cisco Event Response: Semiannual Cisco IOS Software Security Advisory Bundled Publication" at the following link: http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_sep11.html Affected Products ================= This vulnerability affects devices that are running Cisco IOS Software and configured for IPv6 operation. IPv6 is not enabled by default in Cisco IOS Software. Vulnerable Products +------------------ Cisco devices that are running an affected version of Cisco IOS Software and configured for IPv6 operation are vulnerable. A device that is running Cisco IOS Software and that has IPv6 enabled will show some interfaces with assigned IPv6 addresses when the "show ipv6 interface brief" command is executed. The "show ipv6 interface brief" command will produce an error message if the version of Cisco IOS Software in use does not support IPv6, or will not show any interfaces with IPv6 address if IPv6 is disabled. The system is not vulnerable in these scenarios. Sample output of the "show ipv6 interface brief" command on a system that is configured for IPv6 operation follows: router>show ipv6 interface brief FastEthernet0/0 [up/up] FE80::222:90FF:FEB0:1098 2001:DB8:2:93::3 200A:1::1 FastEthernet0/1 [up/up] FE80::222:90FF:FEB0:1099 2001:DB8:2:94::1 Serial0/0/0 [down/down] unassigned Serial0/0/0.4 [down/down] unassigned Serial0/0/0.5 [down/down] unassigned Serial0/0/0.6 [down/down] unassigned Alternatively, the IPv6 protocol is enabled if the interface configuration command "ipv6 address <IPv6 address>" or "ipv6 enable" is present in the configuration. Both may be present, as shown in the vulnerable configuration in the following example shows: interface FastEthernet0/1 ipv6 address 2001:0DB8:C18:1::/64 eui-64 ! interface FastEthernet0/2 ipv6 enable A device that is running Cisco IOS Software and that has IPv6 enabled on a physical or logical interface is vulnerable even if ipv6 unicast-routing is globally disabled (that is, the device is not routing IPv6 packets). To determine the Cisco IOS Software release that is running on a Cisco product, administrators can log in to the device and issue the "show version" command to display the system banner. The system banner confirms that the device is running Cisco IOS Software by displaying text similar to "Cisco Internetwork Operating System Software" or "Cisco IOS Software." The image name displays in parentheses, followed by "Version" and the Cisco IOS Software release name. Other Cisco devices do not have the "show version" command or may provide different output. The following example identifies a Cisco product that is running Cisco IOS Software Release 15.0(1)M1 with an installed image name of C3900-UNIVERSALK9-M: Router> show version Cisco IOS Software, C3900 Software (C3900-UNIVERSALK9-M), Version 15.0(1)M1, RELEASE SOFTWARE (fc1) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2009 by Cisco Systems, Inc. Compiled Wed 02-Dec-09 17:17 by prod_rel_team !--- output truncated Additional information about Cisco IOS Software release naming conventions is available in the white paper Cisco IOS and NX-OS Software Reference Guide available at http://www.cisco.com/web/about/security/intelligence/ios-ref.html. No other Cisco products are currently known to be affected by this vulnerability. Details ======= IPv6, which was designed by the Internet Engineering Task Force (IETF), is intended to replace the current version, IP Version 4 (IPv4). An attacker could exploit this vulnerability by sending malformed IPv6 packets to physical or logical interfaces that are configured to process IPv6 traffic. Transit traffic cannot trigger this vulnerability. Exploitation could cause an affected system to reload. Vulnerability Scoring Details ============================= Cisco has provided scores for the vulnerability in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco has provided an FAQ to answer additional questions regarding CVSS at: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at: http://intellishield.cisco.com/security/alertmanager/cvss * CSCtj41194 ("Crafted IPv6 packet causes device reload") CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed Impact ====== Successful exploitation of the vulnerability that is described in this advisory may cause a reload of an affected device. Software Versions and Fixes =========================== When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance. Additionally, the Cisco IOS Software Checker is available on the Cisco Security Intelligence Operations (SIO) portal at http://tools.cisco.com/security/center/selectIOSVersion.x. It provides several features for checking which Security Advisories affect specified versions of Cisco IOS Software. Cisco IOS Software +----------------- Each row of the following Cisco IOS Software table corresponds to a Cisco IOS Software train. If a particular train is vulnerable, the earliest releases that contain the fix are listed in the First Fixed Release For This Advisory column. The First Fixed Release for All Advisories in the September 2011 Bundled Publication column lists the earliest possible releases that correct all the published vulnerabilities in the Cisco IOS Software Security Advisory bundled publication. Cisco recommends upgrading to the latest available release, where possible. +------------------------------------------------------------+ | Major | Availability of Repaired Releases | | Release | | |------------+-----------------------------------------------| | Affected | | First Fixed Release for | | 12.0-Based | First Fixed | All Advisories in the | | Releases | Release | September 2011 Bundled | | | | Publication | |------------------------------------------------------------| | There are no affected 12.0 based releases | |------------------------------------------------------------| | Affected | | First Fixed Release for | | 12.1-Based | First Fixed | All Advisories in the | | Releases | Release | September 2011 Bundled | | | | Publication | |------------+--------------------+--------------------------| | 12.1E | Not vulnerable | Vulnerable; First fixed | | | | in Release 12.2SXF | |------------+--------------------+--------------------------| | Affected | | First Fixed Release for | | 12.2-Based | First Fixed | All Advisories in the | | Releases | Release | September 2011 Bundled | | | | Publication | |------------+--------------------+--------------------------| | 12.2 | Not vulnerable | Vulnerable; First fixed | | | | in Release 12.4 | |------------+--------------------+--------------------------| | 12.2B | Not vulnerable | Vulnerable; First fixed | | | | in Release 12.4 | |------------+--------------------+--------------------------| | 12.2BC | Not vulnerable | Vulnerable; First fixed | | | | in Release 12.4 | |------------+--------------------+--------------------------| | 12.2BW | Not vulnerable | Not vulnerable | |------------+--------------------+--------------------------| | 12.2BX | Not vulnerable | Vulnerable; First fixed | | | | in Release 12.2SB | |------------+--------------------+--------------------------| | 12.2BY | Not vulnerable | Not vulnerable | |------------+--------------------+--------------------------| | 12.2BZ | Not vulnerable | Not vulnerable | |------------+--------------------+--------------------------| | 12.2CX | Not vulnerable | Vulnerable; First fixed | | | | in Release 12.4 | |------------+--------------------+--------------------------| | 12.2CY | Not vulnerable | Not vulnerable | |------------+--------------------+--------------------------| | 12.2CZ | Not vulnerable | Vulnerable; First fixed | | | | in Release 12.2SB | |------------+--------------------+--------------------------| | 12.2DA | Not vulnerable | Not vulnerable | |------------+--------------------+--------------------------| | 12.2DD | Not vulnerable | Not vulnerable | |------------+--------------------+--------------------------| | 12.2DX | Not vulnerable | Not vulnerable | |------------+--------------------+--------------------------| | 12.2EU | Not vulnerable | Not vulnerable | |------------+--------------------+--------------------------| | | | Releases up to and | | 12.2EW | Not vulnerable | including 12.2(20)EW4 | | | | are not vulnerable. | |------------+--------------------+--------------------------| | | | Vulnerable; contact your | | | | support organization per | | 12.2EWA | Not vulnerable | the instructions in | | | | Obtaining Fixed Software | | | | section of this | | | | advisory. | |------------+--------------------+--------------------------| | 12.2EX | Not vulnerable | 12.2(55)EX3 | |------------+--------------------+--------------------------| | 12.2EY | Not vulnerable | 12.2(58)EY | |------------+--------------------+--------------------------| | 12.2EZ | Not vulnerable | Vulnerable; migrate to | | | | any release in 15.0SE | |------------+--------------------+--------------------------| | 12.2FX | Not vulnerable | Vulnerable; First fixed | | | | in Release 12.2SE | |------------+--------------------+--------------------------| | 12.2FY | Not vulnerable | Vulnerable; First fixed | | | | in Release 12.2EX | |------------+--------------------+--------------------------| | 12.2FZ | Not vulnerable | Vulnerable; First fixed | | | | in Release 12.2SE | |------------+--------------------+--------------------------| | 12.2IRA | Not vulnerable | Vulnerable; migrate to | | | | any release in 12.2IRG | |------------+--------------------+--------------------------| | 12.2IRB | Not vulnerable | Vulnerable; migrate to | | | | any release in 12.2IRG | |------------+--------------------+--------------------------| | 12.2IRC | Not vulnerable | Vulnerable; migrate to | | | | any release in 12.2IRG | |------------+--------------------+--------------------------| | | | Vulnerable; contact your | | | | support organization per | | 12.2IRD | Not vulnerable | the instructions in the | | | | Obtaining Fixed Software | | | | section of this | | | | advisory. | |------------+--------------------+--------------------------| | | | Vulnerable; contact your | | | | support organization per | | 12.2IRE | Not vulnerable | the instructions in the | | | | Obtaining Fixed Software | | | | section of this | | | | advisory. | |------------+--------------------+--------------------------| | 12.2IRF | Not vulnerable | Vulnerable; migrate to | | | | any release in 12.2IRG | |------------+--------------------+--------------------------| | 12.2IRG | Not vulnerable | Not vulnerable | |------------+--------------------+--------------------------| | | | Vulnerable; contact your | | | | support organization per | | 12.2IXA | Not vulnerable | the instructions in the | | | | Obtaining Fixed Software | | | | section of this | | | | advisory. | |------------+--------------------+--------------------------| | | | Vulnerable; contact your | | | | support organization per | | 12.2IXB | Not vulnerable | the instructions in the | | | | Obtaining Fixed Software | | | | section of this | | | | advisory. | |------------+--------------------+--------------------------| | | | Vulnerable; contact your | | | | support organization per | | 12.2IXC | Not vulnerable | the instructions in the | | | | Obtaining Fixed Software | | | | section of this | | | | advisory. | |------------+--------------------+--------------------------| | | | Vulnerable; contact your | | | | support organization per | | 12.2IXD | Not vulnerable | the instructions in the | | | | Obtaining Fixed Software | | | | section of this | | | | advisory. | |------------+--------------------+--------------------------| | | | Vulnerable; contact your | | | | support organization per | | 12.2IXE | Not vulnerable | the instructions in the | | | | Obtaining Fixed Software | | | | section of this | | | | advisory. | |------------+--------------------+--------------------------| | | | Vulnerable; contact your | | | | support organization per | | 12.2IXF | Not vulnerable | the instructions in the | | | | Obtaining Fixed Software | | | | section of this | | | | advisory. | |------------+--------------------+--------------------------| | | | Vulnerable; contact your | | | | support organization per | | 12.2IXG | Not vulnerable | the instructions in the | | | | Obtaining Fixed Software | | | | section of this | | | | advisory. | |------------+--------------------+--------------------------| | | | Vulnerable; contact your | | | | support organization per | | 12.2IXH | Not vulnerable | the instructions in the | | | | Obtaining Fixed Software | | | | section of this | | | | advisory. | |------------+--------------------+--------------------------| | 12.2JA | Not vulnerable | Not vulnerable | |------------+--------------------+--------------------------| | 12.2JK | Not vulnerable | Not vulnerable | |------------+--------------------+--------------------------| | 12.2MB | Not vulnerable | Not vulnerable | |------------+--------------------+--------------------------| | 12.2MC | Not vulnerable | Vulnerable; First fixed | | | | in Release 12.4 | |------------+--------------------+--------------------------| | 12.2MRA | Not vulnerable | Vulnerable; First fixed | | | | in Release 12.2SRD | |------------+--------------------+--------------------------| | 12.2MRB | Not vulnerable | 12.2(33)MRB5 | |------------+--------------------+--------------------------| | | | Releases prior to 12.2 | | | | (30)S are vulnerable; | | 12.2S | Not vulnerable | Releases 12.2(30)S and | | | | later are not | | | | vulnerable. First fixed | | | | in Release 12.2SB | |------------+--------------------+--------------------------| | 12.2SB | Not vulnerable | 12.2(31)SB2012.2(33)SB10 | |------------+--------------------+--------------------------| | 12.2SBC | Not vulnerable | Vulnerable; First fixed | | | | in Release 12.2SB | |------------+--------------------+--------------------------| | 12.2SCA | Not vulnerable | Vulnerable; First fixed | | | | in Release 12.2SCC | |------------+--------------------+--------------------------| | 12.2SCB | Not vulnerable | Vulnerable; First fixed | | | | in Release 12.2SCC | |------------+--------------------+--------------------------| | 12.2SCC | Not vulnerable | 12.2(33)SCC7 | |------------+--------------------+--------------------------| | 12.2SCD | Not vulnerable | 12.2(33)SCD6 | |------------+--------------------+--------------------------| | 12.2SCE | Not vulnerable | 12.2(33)SCE112.2(33)SCE2 | |------------+--------------------+--------------------------| | 12.2SCF | Not vulnerable | Not vulnerable | |------------+--------------------+--------------------------| | 12.2SE | Not vulnerable | 12.2(55)SE312.2(58)SE | |------------+--------------------+--------------------------| | 12.2SEA | Not vulnerable | Vulnerable; First fixed | | | | in Release 12.2SE | |------------+--------------------+--------------------------| | 12.2SEB | Not vulnerable | Vulnerable; First fixed | | | | in Release 12.2SE | |------------+--------------------+--------------------------| | 12.2SEC | Not vulnerable | Vulnerable; First fixed | | | | in Release 12.2SE | |------------+--------------------+--------------------------| | 12.2SED | Not vulnerable | Vulnerable; First fixed | | | | in Release 12.2SE | |------------+--------------------+--------------------------| | 12.2SEE | Not vulnerable | Vulnerable; First fixed | | | | in Release 12.2SE | |------------+--------------------+--------------------------| | 12.2SEF | Not vulnerable | Vulnerable; First fixed | | | | in Release 12.2SE | |------------+--------------------+--------------------------| | | | Releases prior to 12.2 | | | | (25)SEG4 are vulnerable; | | 12.2SEG | Not vulnerable | Releases 12.2(25)SEG4 | | | | and later are not | | | | vulnerable. First fixed | | | | in Release 12.2EX | |------------+--------------------+--------------------------| | | | Releases prior to 12.2 | | | | (53)SG4 are vulnerable; | | 12.2SG | Not vulnerable | Releases 12.2(53)SG4 and | | | | later are not | | | | vulnerable. | |------------+--------------------+--------------------------| | | | Vulnerable; contact your | | | | support organization per | | 12.2SGA | Not vulnerable | the instructions in | | | | Obtaining Fixed Software | | | | section of this | | | | advisory. | |------------+--------------------+--------------------------| | 12.2SL | Not vulnerable | Not vulnerable | |------------+--------------------+--------------------------| | | | Vulnerable; contact your | | | | support organization per | | 12.2SM | Not vulnerable | the instructions in | | | | Obtaining Fixed Software | | | | section of this | | | | advisory. | |------------+--------------------+--------------------------| | 12.2SO | Not vulnerable | Not vulnerable | |------------+--------------------+--------------------------| | 12.2SQ | Not vulnerable | 12.2(50)SQ3 | |------------+--------------------+--------------------------| | 12.2SRA | Not vulnerable | Vulnerable; First fixed | | | | in Release 12.2SRD | |------------+--------------------+--------------------------| | 12.2SRB | Not vulnerable | Vulnerable; First fixed | | | | in Release 12.2SRD | |------------+--------------------+--------------------------| | 12.2SRC | Not vulnerable | Vulnerable; First fixed | | | | in Release 12.2SRD | |------------+--------------------+--------------------------| | 12.2SRD | Not vulnerable | 12.2(33)SRD6 | |------------+--------------------+--------------------------| | 12.2SRE | Not vulnerable | 12.2(33)SRE4 | |------------+--------------------+--------------------------| | 12.2STE | Not vulnerable | Not vulnerable | |------------+--------------------+--------------------------| | 12.2SU | Not vulnerable | Vulnerable; First fixed | | | | in Release 12.4 | |------------+--------------------+--------------------------| | | | Releases prior to 12.2 | | | | (29a)SV are vulnerable; | | 12.2SV | Not vulnerable | Releases 12.2(29a)SV and | | | | later are not | | | | vulnerable. Migrate to | | | | any release in 12.2SVD | |------------+--------------------+--------------------------| | 12.2SVA | Not vulnerable | Not vulnerable | |------------+--------------------+--------------------------| | 12.2SVC | Not vulnerable | Not vulnerable | |------------+--------------------+--------------------------| | 12.2SVD | Not vulnerable | Not vulnerable | |------------+--------------------+--------------------------| | 12.2SVE | Not vulnerable | Not vulnerable | |------------+--------------------+--------------------------| | | | Vulnerable; contact your | | | | support organization per | | 12.2SW | Not vulnerable | the instructions in the | | | | Obtaining Fixed Software | | | | section of this | | | | advisory. | |------------+--------------------+--------------------------| | 12.2SX | Not vulnerable | Vulnerable; First fixed | | | | in Release 12.2SXF | |------------+--------------------+--------------------------| | 12.2SXA | Not vulnerable | Vulnerable; First fixed | | | | in Release 12.2SXF | |------------+--------------------+--------------------------| | 12.2SXB | Not vulnerable | Vulnerable; First fixed | | | | in Release 12.2SXF | |------------+--------------------+--------------------------| | 12.2SXD | Not vulnerable | Vulnerable; First fixed | | | | in Release 12.2SXF | |------------+--------------------+--------------------------| | 12.2SXE | Not vulnerable | Vulnerable; First fixed | | | | in Release 12.2SXF | |------------+--------------------+--------------------------| | 12.2SXF | Not vulnerable | 12.2(18)SXF17b | |------------+--------------------+--------------------------| | 12.2SXH | Not vulnerable | 12.2(33)SXH8a | |------------+--------------------+--------------------------| | 12.2SXI | Not vulnerable | 12.2(33)SXI6 | |------------+--------------------+--------------------------| | 12.2SXJ | Not vulnerable | Not vulnerable | |------------+--------------------+--------------------------| | 12.2SY | Not vulnerable | 12.2(50)SY | |------------+--------------------+--------------------------| | 12.2SZ | Not vulnerable | Vulnerable; First fixed | | | | in Release 12.2SB | |------------+--------------------+--------------------------| | 12.2T | Not vulnerable | Vulnerable; First fixed | | | | in Release 12.4 | |------------+--------------------+--------------------------| | | | Vulnerable; contact your | | | | support organization per | | 12.2TPC | Not vulnerable | the instructions in the | | | | Obtaining Fixed Software | | | | section of this | | | | advisory. | |------------+--------------------+--------------------------| | 12.2XA | Not vulnerable | Not vulnerable | |------------+--------------------+--------------------------| | 12.2XB | Not vulnerable | Vulnerable; First fixed | | | | in Release 12.4 | |------------+--------------------+--------------------------| | 12.2XC | Not vulnerable | Not vulnerable | |------------+--------------------+--------------------------| | 12.2XD | Not vulnerable | Not vulnerable | |------------+--------------------+--------------------------| | 12.2XE | Not vulnerable | Not vulnerable | |------------+--------------------+--------------------------| | 12.2XF | Not vulnerable | Not vulnerable | |------------+--------------------+--------------------------| | 12.2XG | Not vulnerable | Not vulnerable | |------------+--------------------+--------------------------| | 12.2XH | Not vulnerable | Not vulnerable | |------------+--------------------+--------------------------| | 12.2XI | Not vulnerable | Not vulnerable | |------------+--------------------+--------------------------| | 12.2XJ | Not vulnerable | Not vulnerable | |------------+--------------------+--------------------------| | 12.2XK | Not vulnerable | Not vulnerable | |------------+--------------------+--------------------------| | 12.2XL | Not vulnerable | Not vulnerable | |------------+--------------------+--------------------------| | 12.2XM | Not vulnerable | Not vulnerable | |------------+--------------------+--------------------------| | 12.2XN | Not vulnerable | Not vulnerable | |------------+--------------------+--------------------------| | | See Cisco IOS-XE | See Cisco IOS-XE | | 12.2XNA | Software | Software Availability | | | Availability | | |------------+--------------------+--------------------------| | | See Cisco IOS-XE | See Cisco IOS-XE | | 12.2XNB | Software | Software Availability | | | Availability | | |------------+--------------------+--------------------------| | | See Cisco IOS-XE | See Cisco IOS-XE | | 12.2XNC | Software | Software Availability | | | Availability | | |------------+--------------------+--------------------------| | | See Cisco IOS-XE | See Cisco IOS-XE | | 12.2XND | Software | Software Availability | | | Availability | | |------------+--------------------+--------------------------| | | See Cisco IOS-XE | See Cisco IOS-XE | | 12.2XNE | Software | Software Availability | | | Availability | | |------------+--------------------+--------------------------| | | See Cisco IOS-XE | See Cisco IOS-XE | | 12.2XNF | Software | Software Availability | | | Availability | | |------------+--------------------+--------------------------| | | | Releases prior to 12.2 | | | | (54)XO are vulnerable; | | 12.2XO | Not vulnerable | Releases 12.2(54)XO and | | | | later are not | | | | vulnerable. | |------------+--------------------+--------------------------| | 12.2XQ | Not vulnerable | Not vulnerable | |------------+--------------------+--------------------------| | 12.2XR | Not vulnerable | Not vulnerable | |------------+--------------------+--------------------------| | 12.2XS | Not vulnerable | Not vulnerable | |------------+--------------------+--------------------------| | 12.2XT | Not vulnerable | Not vulnerable | |------------+--------------------+--------------------------| | 12.2XU | Not vulnerable | Not vulnerable | |------------+--------------------+--------------------------| | 12.2XV | Not vulnerable | Not vulnerable | |------------+--------------------+--------------------------| | 12.2XW | Not vulnerable | Not vulnerable | |------------+--------------------+--------------------------| | 12.2YA | Not vulnerable | Vulnerable; First fixed | | | | in Release 12.4 | |------------+--------------------+--------------------------| | 12.2YB | Not vulnerable | Not vulnerable | |------------+--------------------+--------------------------| | 12.2YC | Not vulnerable | Not vulnerable | |------------+--------------------+--------------------------| | 12.2YD | Not vulnerable | Not vulnerable | |------------+--------------------+--------------------------| | 12.2YE | Not vulnerable | Not vulnerable | |------------+--------------------+--------------------------| | | | Vulnerable; contact your | | | | support organization per | | 12.2YF | Not vulnerable | the instructions in the | | | | Obtaining Fixed Software | | | | section of this | | | | advisory. | |------------+--------------------+--------------------------| | | | Vulnerable; contact your | | | | support organization per | | 12.2YG | Not vulnerable | the instructions in the | | | | Obtaining Fixed Software | | | | section of this | | | | advisory. | |------------+--------------------+--------------------------| | | | Vulnerable; contact your | | | | support organization per | | 12.2YH | Not vulnerable | the instructions in the | | | | Obtaining Fixed Software | | | | section of this | | | | advisory. | |------------+--------------------+--------------------------| | | | Vulnerable; contact your | | | | support organization per | | 12.2YJ | Not vulnerable | the instructions in | | | | Obtaining Fixed Software | | | | section of this | | | | advisory. | |------------+--------------------+--------------------------| | 12.2YK | Not vulnerable | Not vulnerable | |------------+--------------------+--------------------------| | | | Vulnerable; contact your | | | | support organization per | | 12.2YL | Not vulnerable | the instructions in the | | | | Obtaining Fixed Software | | | | section of this | | | | advisory. | |------------+--------------------+--------------------------| | 12.2YM | Not vulnerable | Vulnerable; First fixed | | | | in Release 12.4 | |------------+--------------------+--------------------------| | | | Vulnerable; contact your | | | | support organization per | | 12.2YN | Not vulnerable | the instructions in the | | | | Obtaining Fixed Software | | | | section of this | | | | advisory. | |------------+--------------------+--------------------------| | 12.2YO | Not vulnerable | Not vulnerable | |------------+--------------------+--------------------------| | 12.2YP | Not vulnerable | Not vulnerable | |------------+--------------------+--------------------------| | | | Vulnerable; contact your | | | | support organization per | | 12.2YQ | Not vulnerable | the instructions in the | | | | Obtaining Fixed Software | | | | section of this | | | | advisory. | |------------+--------------------+--------------------------| | | | Vulnerable; contact your | | | | support organization per | | 12.2YR | Not vulnerable | the instructions in the | | | | Obtaining Fixed Software | | | | section of this | | | | advisory. | |------------+--------------------+--------------------------| | | | Vulnerable; contact your | | | | support organization per | | 12.2YS | Not vulnerable | the instructions in the | | | | Obtaining Fixed Software | | | | section of this | | | | advisory. | |------------+--------------------+--------------------------| | | | Vulnerable; contact your | | | | support organization per | | 12.2YT | Not vulnerable | the instructions in the | | | | Obtaining Fixed Software | | | | section of this | | | | advisory. | |------------+--------------------+--------------------------| | | | Vulnerable; contact your | | | | support organization per | | 12.2YU | Not vulnerable | the instructions in the | | | | Obtaining Fixed Software | | | | section of this | | | | advisory. | |------------+--------------------+--------------------------| | | | Vulnerable; contact your | | | | support organization per | | 12.2YV | Not vulnerable | the instructions in the | | | | Obtaining Fixed Software | | | | section of this | | | | advisory. | |------------+--------------------+--------------------------| | | | Vulnerable; contact your | | | | support organization per | | 12.2YW | Not vulnerable | the instructions in the | | | | Obtaining Fixed Software | | | | section of this | | | | advisory. | |------------+--------------------+--------------------------| | | | Vulnerable; contact your | | | | support organization per | | 12.2YX | Not vulnerable | the instructions in the | | | | Obtaining Fixed Software | | | | section of this | | | | advisory. | |------------+--------------------+--------------------------| | | | Vulnerable; contact your | | | | support organization per | | 12.2YY | Not vulnerable | the instructions in the | | | | Obtaining Fixed Software | | | | section of this | | | | advisory. | |------------+--------------------+--------------------------| | | | Vulnerable; contact your | | | | support organization per | | 12.2YZ | Not vulnerable | the instructions in the | | | | Obtaining Fixed Software | | | | section of this | | | | advisory. | |------------+--------------------+--------------------------| | 12.2ZA | Not vulnerable | Vulnerable; First fixed | | | | in Release 12.2SXF | |------------+--------------------+--------------------------| | | | Vulnerable; contact your | | | | support organization per | | 12.2ZB | Not vulnerable | the instructions in the | | | | Obtaining Fixed Software | | | | section of this | | | | advisory. | |------------+--------------------+--------------------------| | 12.2ZC | Not vulnerable | Not vulnerable | |------------+--------------------+--------------------------| | 12.2ZD | Not vulnerable | Not vulnerable | |------------+--------------------+--------------------------| | 12.2ZE | Not vulnerable | Vulnerable; First fixed | | | | in Release 12.4 | |------------+--------------------+--------------------------| | 12.2ZF | Not vulnerable | Vulnerable; First fixed | | | | in Release 12.4 | |------------+--------------------+--------------------------| | 12.2ZG | Not vulnerable | Not vulnerable | |------------+--------------------+--------------------------| | 12.2ZH | Not vulnerable | Vulnerable; First fixed | | | | in Release 12.4 | |------------+--------------------+--------------------------| | 12.2ZJ | Not vulnerable | Not vulnerable | |------------+--------------------+--------------------------| | | | Vulnerable; contact your | | | | support organization per | | 12.2ZL | Not vulnerable | the instructions in the | | | | Obtaining Fixed Software | | | | section of this | | | | advisory. | |------------+--------------------+--------------------------| | 12.2ZP | Not vulnerable | Not vulnerable | |------------+--------------------+--------------------------| | 12.2ZU | Not vulnerable | Vulnerable; First fixed | | | | in Release 12.2SXH | |------------+--------------------+--------------------------| | 12.2ZX | Not vulnerable | Not vulnerable | |------------+--------------------+--------------------------| | | | Vulnerable; contact your | | | | support organization per | | 12.2ZY | Not vulnerable | the instructions in the | | | | Obtaining Fixed Software | | | | section of this | | | | advisory. | |------------+--------------------+--------------------------| | | | Vulnerable; contact your | | | | support organization per | | 12.2ZYA | Not vulnerable | the instructions in the | | | | Obtaining Fixed Software | | | | section of this | | | | advisory. | |------------+--------------------+--------------------------| | Affected | | First Fixed Release for | | 12.3-Based | First Fixed | All Advisories in the | | Releases | Release | September 2011 Bundled | | | | Publication | |------------------------------------------------------------| | There are no affected 12.3 based releases | |------------------------------------------------------------| | Affected | | First Fixed Release for | | 12.4-Based | First Fixed | All Advisories in the | | Releases | Release | September 2011 Bundled | | | | Publication | |------------+--------------------+--------------------------| | 12.4 | Not vulnerable | 12.4(25f) | |------------+--------------------+--------------------------| | 12.4GC | 12.4(24)GC4 | 12.4(24)GC4 | |------------+--------------------+--------------------------| | 12.4JA | Not vulnerable | Not vulnerable | |------------+--------------------+--------------------------| | 12.4JAX | Not vulnerable | Not vulnerable | |------------+--------------------+--------------------------| | 12.4JDA | Not vulnerable | Not vulnerable | |------------+--------------------+--------------------------| | 12.4JDC | Not vulnerable | Not vulnerable | |------------+--------------------+--------------------------| | 12.4JHA | Not vulnerable | Not vulnerable | |------------+--------------------+--------------------------| | 12.4JHB | Not vulnerable | Not vulnerable | |------------+--------------------+--------------------------| | 12.4JHC | Not vulnerable | Not vulnerable | |------------+--------------------+--------------------------| | 12.4JK | Not vulnerable | Not vulnerable | |------------+--------------------+--------------------------| | 12.4JL | Not vulnerable | Not vulnerable | |------------+--------------------+--------------------------| | 12.4JMA | Not vulnerable | Not vulnerable | |------------+--------------------+--------------------------| | 12.4JMB | Not vulnerable | Not vulnerable | |------------+--------------------+--------------------------| | | | Vulnerable; migrate to | | | | any release in 12.4JA | | 12.4JX | Not vulnerable | | | | | Releases up to and | | | | including 12.4(21a)JX | | | | are not vulnerable. | |------------+--------------------+--------------------------| | 12.4JY | Not vulnerable | Not vulnerable | |------------+--------------------+--------------------------| | 12.4MD | Not vulnerable | 12.4(24)MD6 on | | | | 28-Oct-2011 | |------------+--------------------+--------------------------| | 12.4MDA | Not vulnerable | 12.4(24)MDA7 | |------------+--------------------+--------------------------| | 12.4MDB | Not vulnerable | 12.4(24)MDB3 | |------------+--------------------+--------------------------| | | | Vulnerable; contact your | | | | support organization per | | 12.4MR | Not vulnerable | the instructions in the | | | | Obtaining Fixed Software | | | | section of this | | | | advisory. | |------------+--------------------+--------------------------| | | | Vulnerable; contact your | | | | support organization per | | 12.4MRA | Not vulnerable | the instructions in the | | | | Obtaining Fixed Software | | | | section of this | | | | advisory. | |------------+--------------------+--------------------------| | 12.4MRB | Not vulnerable | Vulnerable; First fixed | | | | in Release 12.4T | |------------+--------------------+--------------------------| | 12.4SW | Not vulnerable | Not vulnerable | |------------+--------------------+--------------------------| | | Only 12.4(24)T | | | | through 12.4(24)T4 | 12.4(24)T6 | | 12.4T | are affected; | | | | first fixed in | 12.4(15)T16 | | | 12.4(24)T3c and | | | | 12.4(24)T5 | | |------------+--------------------+--------------------------| | 12.4XA | Not vulnerable | Vulnerable; First fixed | | | | in Release 12.4T | |------------+--------------------+--------------------------| | 12.4XB | Not vulnerable | 12.4(2)XB12 | |------------+--------------------+--------------------------| | 12.4XC | Not vulnerable | Not vulnerable | |------------+--------------------+--------------------------| | 12.4XD | Not vulnerable | Vulnerable; First fixed | | | | in Release 12.4T | |------------+--------------------+--------------------------| | 12.4XE | Not vulnerable | Not vulnerable | |------------+--------------------+--------------------------| | 12.4XF | Not vulnerable | Vulnerable; First fixed | | | | in Release 12.4T | |------------+--------------------+--------------------------| | 12.4XG | Not vulnerable | Vulnerable; First fixed | | | | in Release 12.4T | |------------+--------------------+--------------------------| | 12.4XJ | Not vulnerable | Not vulnerable | |------------+--------------------+--------------------------| | 12.4XK | Not vulnerable | Not vulnerable | |------------+--------------------+--------------------------| | | | Vulnerable; contact your | | | | support organization per | | 12.4XL | Not vulnerable | the instructions in | | | | Obtaining Fixed Software | | | | section of this | | | | advisory. | |------------+--------------------+--------------------------| | 12.4XM | Not vulnerable | Vulnerable; First fixed | | | | in Release 12.4T | |------------+--------------------+--------------------------| | | | Vulnerable; contact your | | | | support organization per | | 12.4XN | Not vulnerable | the instructions in | | | | Obtaining Fixed Software | | | | section of this | | | | advisory. | |------------+--------------------+--------------------------| | | | Vulnerable; contact your | | | | support organization per | | 12.4XP | Not vulnerable | the instructions in | | | | Obtaining Fixed Software | | | | section of this | | | | advisory. | |------------+--------------------+--------------------------| | 12.4XQ | Not vulnerable | Vulnerable; First fixed | | | | in Release 12.4T | |------------+--------------------+--------------------------| | 12.4XR | Not vulnerable | Vulnerable; First fixed | | | | in Release 12.4T | |------------+--------------------+--------------------------| | 12.4XT | Not vulnerable | Vulnerable; First fixed | | | | in Release 12.4T | |------------+--------------------+--------------------------| | 12.4XV | Not vulnerable | Not vulnerable | |------------+--------------------+--------------------------| | 12.4XW | Not vulnerable | Vulnerable; First fixed | | | | in Release 12.4T | |------------+--------------------+--------------------------| | 12.4XY | Not vulnerable | Vulnerable; First fixed | | | | in Release 12.4T | |------------+--------------------+--------------------------| | 12.4XZ | Not vulnerable | Vulnerable; First fixed | | | | in Release 12.4T | |------------+--------------------+--------------------------| | 12.4YA | Not vulnerable | Vulnerable; First fixed | | | | in Release 12.4T | |------------+--------------------+--------------------------| | | | Vulnerable; contact your | | | | support organization per | | 12.4YB | Not vulnerable | the instructions in the | | | | Obtaining Fixed Software | | | | section of this | | | | advisory. | |------------+--------------------+--------------------------| | | | Vulnerable; contact your | | | | support organization per | | 12.4YD | Not vulnerable | the instructions in the | | | | Obtaining Fixed Software | | | | section of this | | | | advisory. | |------------+--------------------+--------------------------| | | | Vulnerable; fixed in | | | | 12.4(22)YE6 on | | 12.4YE | Not vulnerable | 30-Sept-2011; 12.4(24) | | | | YE7 available on | | | | 17-Oct-2011 | |------------+--------------------+--------------------------| | | | Vulnerable; contact your | | | | support organization per | | 12.4YG | Not vulnerable | the instructions in the | | | | Obtaining Fixed Software | | | | section of this | | | | advisory. | |------------+--------------------+--------------------------| | Affected | | First Fixed Release for | | 15.0-Based | First Fixed | All Advisories in the | | Releases | Release | September 2011 Bundled | | | | Publication | |------------+--------------------+--------------------------| | 15.0M | 15.0(1)M5 | 15.0(1)M7 | |------------+--------------------+--------------------------| | | | Vulnerable; contact your | | | | support organization per | | 15.0MR | Not vulnerable | the instructions in the | | | | Obtaining Fixed Software | | | | section of this | | | | advisory. | |------------+--------------------+--------------------------| | | | Vulnerable; contact your | | | | support organization per | | 15.0MRA | Not vulnerable | the instructions in the | | | | Obtaining Fixed Software | | | | section of this | | | | advisory. | |------------+--------------------+--------------------------| | | Not vulnerable | 15.0(1)S4 | | | | | | 15.0S | Cisco IOS XE | Cisco IOS XE devices: | | | devices: see Cisco | see Cisco IOS-XE | | | IOS-XE Software | Software Availability | | | Availability | | |------------+--------------------+--------------------------| | | | Vulnerable; contact your | | | | support organization per | | 15.0SA | Not vulnerable | the instructions in the | | | | Obtaining Fixed Software | | | | section of this | | | | advisory. | |------------+--------------------+--------------------------| | 15.0SE | Not vulnerable | Not vulnerable | |------------+--------------------+--------------------------| | | Cisco IOS XE | Cisco IOS XE devices: | | 15.0SG | devices: see Cisco | see Cisco IOS-XE | | | IOS-XE Software | Software Availability | | | Availability | | |------------+--------------------+--------------------------| | | Vulnerable; First | Vulnerable; First fixed | | 15.0XA | fixed in Release | in Release 15.1T | | | 15.1T | | |------------+--------------------+--------------------------| | | Cisco IOS XE | | | | devices: Please | Cisco IOS XE devices: | | 15.0XO | see Cisco IOS-XE | Please see Cisco IOS-XE | | | Software | Software Availability | | | Availability | | |------------+--------------------+--------------------------| | Affected | | First Fixed Release for | | 15.1-Based | First Fixed | All Advisories in the | | Releases | Release | September 2011 Bundled | | | | Publication | |------------+--------------------+--------------------------| | | | Vulnerable; contact your | | | | support organization per | | 15.1EY | Not vulnerable | the instructions in the | | | | Obtaining Fixed Software | | | | section of this | | | | advisory. | |------------+--------------------+--------------------------| | 15.1GC | Not vulnerable | Vulnerable; First fixed | | | | in Release 15.1T | |------------+--------------------+--------------------------| | 15.1M | Not vulnerable | 15.1(4)M2; Available on | | | | 30-SEP-11 | |------------+--------------------+--------------------------| | | | Vulnerable; contact your | | | | support organization per | | 15.1MR | Not vulnerable | the instructions in the | | | | Obtaining Fixed Software | | | | section of this | | | | advisory. | |------------+--------------------+--------------------------| | | Not vulnerable | 15.1(2)S2 | | | | | | | Cisco IOS XE | 15.1(3)S | | 15.1S | devices: See Cisco | | | | IOS-XE Software | Cisco IOS XE devices: | | | Availability | See Cisco IOS-XE | | | | Software Availability | |------------+--------------------+--------------------------| | | 15.1(1)T3 | | | | | 15.1(2)T4 15.1(1)T4 on | | 15.1T | 15.1(2)T3 | 8-Dec-2011 | | | | | | | 15.1(3)T1 | | |------------+--------------------+--------------------------| | | Vulnerable; First | Vulnerable; First fixed | | 15.1XB | fixed in Release | in Release 15.1T | | | 15.1T | | |------------+--------------------+--------------------------| | Affected | | First Fixed Release for | | 15.2-Based | First Fixed | All Advisories in the | | Releases | Release | September 2011 Bundled | | | | Publication | |------------------------------------------------------------| | There are no affected 15.2 based releases | +------------------------------------------------------------+ Cisco IOS XE Software +-------------------- +------------------------------------------------------------+ | Cisco | First | First Fixed Release for All | | IOS XE | Fixed | Advisories in the September 2011 | | Release | Release | Bundled Publication | |----------+------------+------------------------------------| | 2.1.x | Not | Vulnerable; migrate to 3.3.2S or | | | vulnerable | later | |----------+------------+------------------------------------| | 2.2.x | Not | Vulnerable; migrate to 3.3.2S or | | | vulnerable | later | |----------+------------+------------------------------------| | 2.3.x | Not | Vulnerable; migrate to 3.3.2S or | | | vulnerable | later | |----------+------------+------------------------------------| | 2.4.x | Not | Vulnerable; migrate to 3.3.2S or | | | vulnerable | later | |----------+------------+------------------------------------| | 2.5.x | Not | Vulnerable; migrate to 3.3.2S or | | | vulnerable | later | |----------+------------+------------------------------------| | 2.6.x | Not | Vulnerable; migrate to 3.3.2S or | | | vulnerable | later | |----------+------------+------------------------------------| | 3.1.xS | Not | Vulnerable; migrate to 3.3.2S or | | | vulnerable | later | |----------+------------+------------------------------------| | 3.1.xSG | Not | Vulnerable; migrate to 3.2.0SG or | | | vulnerable | later | |----------+------------+------------------------------------| | 3.2.xS | Not | Vulnerable; migrate to 3.3.2S or | | | vulnerable | later | |----------+------------+------------------------------------| | 3.2.xSG | Not | Not vulnerable | | | vulnerable | | |----------+------------+------------------------------------| | 3.3.xS | Not | 3.3.2S | | | vulnerable | | |----------+------------+------------------------------------| | 3.4.xS | Not | Not vulnerable | | | vulnerable | | +------------------------------------------------------------+ For mapping of Cisco IOS XE to Cisco IOS releases, please refer to the Cisco IOS XE 2 Release Notes, Cisco IOS XE 3S Release Notes, and Cisco IOS XE 3SG Release Notes. Cisco IOS XR Software +-------------------- Cisco IOS XR Software is not affected by any of the vulnerabilities in the September 2011 bundled publication. Workarounds =========== There are no workarounds for this vulnerability if IPv6 configuration is required. Obtaining Fixed Software ======================== Cisco has released free software updates that address this vulnerability. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html, or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml. Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Customers with Service Contracts +------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com. Customers using Third Party Support Organizations +------------------------------------------------ Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory. The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed. Customers without Service Contracts +---------------------------------- Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac@cisco.com Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Refer to http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages. Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory. This vulnerability was discovered by Cisco during internal testing. Status of this Notice: FINAL ============================ THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at: http://www.cisco.com/warp/public/707/cisco-sa-20110928-ipv6.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce@cisco.com * first-bulletins@lists.first.org * bugtraq@securityfocus.com * vulnwatch@vulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.grok.org.uk * comp.dcom.sys.cisco@newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +------------------------------------------------------------+ | Revision 1.0 | 2011-September-28 | Initial public release. | +------------------------------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt. +-------------------------------------------------------------------- Copyright 2010-2011 Cisco Systems, Inc. All rights reserved. +-------------------------------------------------------------------- -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) iF4EAREIAAYFAk6Cp2UACgkQQXnnBKKRMNDOnwD/dwZvi6wHRpTsYyfLbLrCfyOs 8+WevPYlJBddySoqwHYA/14o6NuZ2rculYMYCusovUgM/SZf3N+euXWs897W6V5M =uQiZ -----END PGP SIGNATURE-----

Unspecified vulnerability in Cisco IOS 12.2SRE before 12.2(33)SRE4, 15.0, and 15.1, and IOS XE 2.1.x through 3.3.x, when an MPLS domain is configured, allows remote attackers to cause a denial of service (device crash) via a crafted IPv6 packet, related to an expired MPLS TTL, aka Bug ID CSCto07919. The problem is Bug ID CSCto07919 It is a problem.Skillfully crafted by a third party IPv6 Service disruption via packets ( Device crash ) There is a possibility of being put into a state. Cisco IOS is prone to multiple remote denial-of-service vulnerabilities. An attacker can exploit these issues to cause an affected device to reload, denying service to legitimate users. These issues are being tracked by Cisco Bug IDs: CSCto07919 CSCtj30155. ---------------------------------------------------------------------- Ovum says ad hoc tools are out-dated. The best practice approach? Fast vulnerability intelligence, threat handling, and setup in one tool. Read the new report on the Secunia VIM: http://secunia.com/products/corporate/vim/ovum_2011_request/ ---------------------------------------------------------------------- TITLE: Cisco IOS MPLS IPv6 and ICMPv6 Packet Processing Two Denial of Service Vulnerabilities SECUNIA ADVISORY ID: SA46145 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/46145/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=46145 RELEASE DATE: 2011-10-31 DISCUSS ADVISORY: http://secunia.com/advisories/46145/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/46145/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=46145 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Two vulnerabilities have been reported in Cisco IOS, which can be exploited by malicious people to cause a DoS (Denial of Service). Please see the vendor's advisory for a list of affected versions. SOLUTION: Update to a fixed version (please see the vendor's advisory for details). PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: http://www.cisco.com/warp/public/707/cisco-sa-20110928-ipv6mpls.shtml OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. For more information: SA46145 The vulnerabilities are reported in versions 2.1.x through 2.6.x and 3.2.xS. These vulnerabilities are: * Crafted IPv6 Packet May Cause MPLS-Configured Device to Reload * ICMPv6 Packet May Cause MPLS-Configured Device to Reload Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate these vulnerabilities are available. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20110928-ipv6mpls.shtml. Note: The September 28, 2011, Cisco IOS Software Security Advisory bundled publication includes ten Cisco Security Advisories. Each advisory lists the Cisco IOS Software releases that correct the vulnerability or vulnerabilities detailed in the advisory as well as the Cisco IOS Software releases that correct all vulnerabilities in the September 2011 Bundled Publication. Individual publication links are in "Cisco Event Response: Semiannual Cisco IOS Software Security Advisory Bundled Publication" at the following link: http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_sep11.html Affected Products ================= Vulnerable Products +------------------ Cisco IOS Software or Cisco IOS XE Software devices (hereafter both referenced as Cisco IOS Software in this document) that are running vulnerable versions of Cisco IOS Software and configured for MPLS are affected by two vulnerabilities related to IPv6 traffic that traverses an MPLS domain. The two vulnerabilities are independent of each other. Note: IPv6 does not need to be configured on the affected devices themselves. The vulnerabilities do require the MPLS label switched packets to have specific IPv6 payloads to be exploited. To determine whether a device is configured for MPLS, log in to the device and issue the command-line interface (CLI) command "show mpls interface". If the IP state is "Yes", the device is vulnerable. The following example shows a device that has MPLS configured on interface Ethernet0/0: Router#show mpls interface Interface IP Tunnel BGP Static Operational Ethernet0/0 Yes (ldp) No No No Yes Router# The following two examples show responses from a device with MPLS forwarding disabled. The first example shows a return of no interfaces: router#show mpls interface Interface IP Tunnel BGP Static Operational routers# In the second example, the device provides a message indicating that MPLS forwarding is not configured: router#show mpls interface no MPLS apps enabled or MPLS not enabled on any interfaces router# To determine the Cisco IOS Software release that is running on a Cisco product, administrators can log in to the device and issue the "show version" command to display the system banner. The system banner confirms that the device is running Cisco IOS Software by displaying text similar to "Cisco Internetwork Operating System Software" or "Cisco IOS Software." The image name displays in parentheses, followed by "Version" and the Cisco IOS Software release name. Other Cisco devices do not have the "show version" command or may provide different output. The following example identifies a Cisco product that is running Cisco IOS Software Release 15.0(1)M1 with an installed image name of C3900-UNIVERSALK9-M: Router> show version Cisco IOS Software, C3900 Software (C3900-UNIVERSALK9-M), Version 15.0(1)M1, RELEASE SOFTWARE (fc1) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2009 by Cisco Systems, Inc. Compiled Wed 02-Dec-09 17:17 by prod_rel_team !--- output truncated Additional information about Cisco IOS Software release naming conventions is available in the white paper Cisco IOS and NX-OS Software Reference Guide at http://www.cisco.com/web/about/security/intelligence/ios-ref.html. Products Confirmed Not Vulnerable +-------------------------------- Devices that are not configured for MPLS are not vulnerable. Details ======= The packet handling nodes in an MPLS network are called provider routers (P routers) and provider edge routers (PE routers) and are configured with MPLS. Both P and PE routers are vulnerable to both the vulnerabilities disclosed in this advisory. In networks that have MPLS enabled and could carry MPLS label switched packets with IPv6 payloads, the device may crash when processing MPLS label switched packets with specific IPv6 payloads. Typical deployment scenarios that would be affected by either vulnerability would be Cisco IPv6 Provider Edge Router (6PE) or IPv6 VPN Provider Edge Router (6VPE). The crafted packet used to exploit this vulnerability would be silently discarded in Cisco IOS Software if received on an interface where the packet did not have an MPLS label. This vulnerability is documented in Cisco bug ID CSCto07919 and has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2011-3274. The packet used to exploit this vulnerability would not affect Cisco IOS Software if received on an interface where the packet did not have an MPLS label. Vulnerability Scoring Details ============================= Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco has provided an FAQ to answer additional questions regarding CVSS at: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at: http://intellishield.cisco.com/security/alertmanager/cvss * CSCto07919 ("Crafted IPv6 packet may cause MPLS configured device to reload") CVSS Base Score - 6.1 Access Vector - Adjacent Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 5.0 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCtj30155 ("ICMPv6 packet may cause MPLS configured device to reload") CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed Impact ====== Successful exploitation of these vulnerabilities may cause the device to reload. Repeated exploitation could result in a sustained denial of service condition. Software Versions and Fixes =========================== When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance. Additionally, the Cisco IOS Software Checker is available on the Cisco Security Intelligence Operations (SIO) portal at http://tools.cisco.com/security/center/selectIOSVersion.x. It provides several features for checking which Security Advisories affect specified versions of Cisco IOS Software. Cisco IOS Software +----------------- Each row of the following Cisco IOS Software table corresponds to a Cisco IOS Software train. If a particular train is vulnerable, the earliest releases that contain the fix are listed in the First Fixed Release For This Advisory column. The First Fixed Release for All Advisories in the September 2011 Bundled Publication column lists the earliest possible releases that correct all the published vulnerabilities in the Cisco IOS Software Security Advisory bundled publication. Cisco recommends upgrading to the latest available release, where possible. +------------------------------------------------------------+ | Major | Availability of Repaired Releases | | Release | | |------------+-----------------------------------------------| | Affected | | First Fixed Release | | 12.0-Based | First Fixed Release | for All Advisories in | | Releases | For This Advisory | the September 2011 | | | | Bundled Publication | |------------------------------------------------------------| | There are no affected 12.0-based releases | |------------------------------------------------------------| | Affected | | First Fixed Release | | 12.1-Based | First Fixed Release | for All Advisories in | | Releases | For This Advisory | the September 2011 | | | | Bundled Publication | |------------+-----------------------+-----------------------| | 12.1E | Not vulnerable | 12.2(18)SXF17b | |------------+-----------------------+-----------------------| | Affected | | First Fixed Release | | 12.2-Based | First Fixed Release | for All Advisories in | | Releases | For This Advisory | the September 2011 | | | | Bundled Publication | |------------+-----------------------+-----------------------| | 12.2 | Not vulnerable | Vulnerable; first | | | | fixed in Release 12.4 | |------------+-----------------------+-----------------------| | 12.2B | Not vulnerable | Vulnerable; first | | | | fixed in Release 12.4 | |------------+-----------------------+-----------------------| | 12.2BC | Not vulnerable | Vulnerable; first | | | | fixed in Release 12.4 | |------------+-----------------------+-----------------------| | 12.2BW | Not vulnerable | Not vulnerable | |------------+-----------------------+-----------------------| | | | Vulnerable; first | | 12.2BX | Not vulnerable | fixed in Release | | | | 12.2SB | |------------+-----------------------+-----------------------| | 12.2BY | Not vulnerable | Not vulnerable | |------------+-----------------------+-----------------------| | 12.2BZ | Not vulnerable | Not vulnerable | |------------+-----------------------+-----------------------| | 12.2CX | Not vulnerable | Vulnerable; first | | | | fixed in Release 12.4 | |------------+-----------------------+-----------------------| | 12.2CY | Not vulnerable | Not vulnerable | |------------+-----------------------+-----------------------| | | | Vulnerable; first | | 12.2CZ | Not vulnerable | fixed in Release | | | | 12.2SB | |------------+-----------------------+-----------------------| | 12.2DA | Not vulnerable | Not vulnerable | |------------+-----------------------+-----------------------| | 12.2DD | Not vulnerable | Not vulnerable | |------------+-----------------------+-----------------------| | 12.2DX | Not vulnerable | Not vulnerable | |------------+-----------------------+-----------------------| | 12.2EU | Not vulnerable | Not vulnerable | |------------+-----------------------+-----------------------| | | | Releases up to and | | 12.2EW | Not vulnerable | including 12.2(20)EW4 | | | | are not vulnerable. | |------------+-----------------------+-----------------------| | | | Vulnerable; contact | | | | your support | | | | organization per the | | 12.2EWA | Not vulnerable | instructions in the | | | | Obtaining Fixed | | | | Software section of | | | | this advisory. | |------------+-----------------------+-----------------------| | 12.2EX | Not vulnerable | 12.2(55)EX3 | |------------+-----------------------+-----------------------| | 12.2EY | Not vulnerable | 12.2(58)EY | |------------+-----------------------+-----------------------| | | | Vulnerable; migrate | | 12.2EZ | Not vulnerable | to any release in | | | | 15.0SE | |------------+-----------------------+-----------------------| | | | Vulnerable; first | | 12.2FX | Not vulnerable | fixed in Release | | | | 12.2SE | |------------+-----------------------+-----------------------| | | | Vulnerable; first | | 12.2FY | Not vulnerable | fixed in Release | | | | 12.2EX | |------------+-----------------------+-----------------------| | | | Vulnerable; first | | 12.2FZ | Not vulnerable | fixed in Release | | | | 12.2SE | |------------+-----------------------+-----------------------| | | | Vulnerable; migrate | | 12.2IRA | Not vulnerable | to any release in | | | | 12.2IRG | |------------+-----------------------+-----------------------| | | | Vulnerable; migrate | | 12.2IRB | Not vulnerable | to any release in | | | | 12.2IRG | |------------+-----------------------+-----------------------| | | | Vulnerable; migrate | | 12.2IRC | Not vulnerable | to any release in | | | | 12.2IRG | |------------+-----------------------+-----------------------| | | | Vulnerable; contact | | | | your support | | | | organization per the | | 12.2IRD | Not vulnerable | instructions in the | | | | Obtaining Fixed | | | | Software section of | | | | this advisory. | |------------+-----------------------+-----------------------| | | | Vulnerable; contact | | | | your support | | | | organization per the | | 12.2IRE | Not vulnerable | instructions in the | | | | Obtaining Fixed | | | | Software section of | | | | this advisory. | |------------+-----------------------+-----------------------| | | | Vulnerable; migrate | | 12.2IRF | Not vulnerable | to any release in | | | | 12.2IRG | |------------+-----------------------+-----------------------| | 12.2IRG | Not vulnerable | Not vulnerable | |------------+-----------------------+-----------------------| | | | Vulnerable; contact | | | | your support | | | | organization per the | | 12.2IXA | Not vulnerable | instructions in the | | | | Obtaining Fixed | | | | Software section of | | | | this advisory. | |------------+-----------------------+-----------------------| | | | Vulnerable; contact | | | | your support | | | | organization per the | | 12.2IXB | Not vulnerable | instructions in the | | | | Obtaining Fixed | | | | Software section of | | | | this advisory. | |------------+-----------------------+-----------------------| | | | Vulnerable; contact | | | | your support | | | | organization per the | | 12.2IXC | Not vulnerable | instructions in the | | | | Obtaining Fixed | | | | Software section of | | | | this advisory. | |------------+-----------------------+-----------------------| | | | Vulnerable; contact | | | | your support | | | | organization per the | | 12.2IXD | Not vulnerable | instructions in the | | | | Obtaining Fixed | | | | Software section of | | | | this advisory. | |------------+-----------------------+-----------------------| | | | Vulnerable; contact | | | | your support | | | | organization per the | | 12.2IXE | Not vulnerable | instructions in the | | | | Obtaining Fixed | | | | Software section of | | | | this advisory. | |------------+-----------------------+-----------------------| | | | Vulnerable; contact | | | | your support | | | | organization per the | | 12.2IXF | Not vulnerable | instructions in the | | | | Obtaining Fixed | | | | Software section of | | | | this advisory. | |------------+-----------------------+-----------------------| | | | Vulnerable; contact | | | | your support | | | | organization per the | | 12.2IXG | Not vulnerable | instructions in the | | | | Obtaining Fixed | | | | Software section of | | | | this advisory. | |------------+-----------------------+-----------------------| | | | Vulnerable; contact | | | | your support | | | | organization per the | | 12.2IXH | Not vulnerable | instructions in the | | | | Obtaining Fixed | | | | Software section of | | | | this advisory. | |------------+-----------------------+-----------------------| | 12.2JA | Not vulnerable | Not vulnerable | |------------+-----------------------+-----------------------| | 12.2JK | Not vulnerable | Not vulnerable | |------------+-----------------------+-----------------------| | 12.2MB | Not vulnerable | Not vulnerable | |------------+-----------------------+-----------------------| | 12.2MC | Not vulnerable | Vulnerable; first | | | | fixed in Release 12.4 | |------------+-----------------------+-----------------------| | | | Vulnerable; first | | 12.2MRA | Not vulnerable | fixed in Release | | | | 12.2SRD | |------------+-----------------------+-----------------------| | 12.2MRB | Not vulnerable | 12.2(33)MRB5 | |------------+-----------------------+-----------------------| | | | Releases prior to | | | | 12.2(30)S are | | | | vulnerable; Releases | | 12.2S | Not vulnerable | 12.2(30)S and later | | | | are not vulnerable. | | | | First fixed in | | | | Release 12.2SB | |------------+-----------------------+-----------------------| | | | 12.2(31)SB20 | | 12.2SB | Not vulnerable | | | | | 12.2(33)SB10 | |------------+-----------------------+-----------------------| | | | Vulnerable; first | | 12.2SBC | Not vulnerable | fixed in Release | | | | 12.2SB | |------------+-----------------------+-----------------------| | | | Vulnerable; first | | 12.2SCA | Not vulnerable | fixed in Release | | | | 12.2SCC | |------------+-----------------------+-----------------------| | | | Vulnerable; first | | 12.2SCB | Not vulnerable | fixed in Release | | | | 12.2SCC | |------------+-----------------------+-----------------------| | 12.2SCC | Not vulnerable | 12.2(33)SCC7 | |------------+-----------------------+-----------------------| | 12.2SCD | Not vulnerable | 12.2(33)SCD6 | |------------+-----------------------+-----------------------| | | | 12.2(33)SCE1 | | 12.2SCE | Not vulnerable | | | | | 12.2(33)SCE2 | |------------+-----------------------+-----------------------| | 12.2SCF | Not vulnerable | Not vulnerable | |------------+-----------------------+-----------------------| | | | 12.2(55)SE3 | | 12.2SE | Not vulnerable | | | | | 12.2(58)SE | |------------+-----------------------+-----------------------| | | | Vulnerable; first | | 12.2SEA | Not vulnerable | fixed in Release | | | | 12.2SE | |------------+-----------------------+-----------------------| | | | Vulnerable; first | | 12.2SEB | Not vulnerable | fixed in Release | | | | 12.2SE | |------------+-----------------------+-----------------------| | | | Vulnerable; first | | 12.2SEC | Not vulnerable | fixed in Release | | | | 12.2SE | |------------+-----------------------+-----------------------| | | | Vulnerable; first | | 12.2SED | Not vulnerable | fixed in Release | | | | 12.2SE | |------------+-----------------------+-----------------------| | | | Vulnerable; first | | 12.2SEE | Not vulnerable | fixed in Release | | | | 12.2SE | |------------+-----------------------+-----------------------| | | | Vulnerable; first | | 12.2SEF | Not vulnerable | fixed in Release | | | | 12.2SE | |------------+-----------------------+-----------------------| | | | Releases prior to | | | | 12.2(25)SEG4 are | | | | vulnerable; Releases | | 12.2SEG | Not vulnerable | 12.2(25)SEG4 and | | | | later are not | | | | vulnerable. First | | | | fixed in Release | | | | 12.2EX | |------------+-----------------------+-----------------------| | | | Releases prior to | | | | 12.2(53)SG4 are | | 12.2SG | Not vulnerable | vulnerable; Releases | | | | 12.2(53)SG4 and later | | | | are not vulnerable. | |------------+-----------------------+-----------------------| | | | Vulnerable; contact | | | | your support | | | | organization per the | | 12.2SGA | Not vulnerable | instructions in the | | | | Obtaining Fixed | | | | Software section of | | | | this advisory. | |------------+-----------------------+-----------------------| | 12.2SL | Not vulnerable | Not vulnerable | |------------+-----------------------+-----------------------| | | | Vulnerable; contact | | | | your support | | | | organization per the | | 12.2SM | Not vulnerable | instructions in the | | | | Obtaining Fixed | | | | Software section of | | | | this advisory. | |------------+-----------------------+-----------------------| | 12.2SO | Not vulnerable | Not vulnerable | |------------+-----------------------+-----------------------| | 12.2SQ | Not vulnerable | 12.2(50)SQ3 | |------------+-----------------------+-----------------------| | | | Vulnerable; first | | 12.2SRA | Not vulnerable | fixed in Release | | | | 12.2SRD | |------------+-----------------------+-----------------------| | | | Vulnerable; first | | 12.2SRB | Not vulnerable | fixed in Release | | | | 12.2SRD | |------------+-----------------------+-----------------------| | | | Vulnerable; first | | 12.2SRC | Not vulnerable | fixed in Release | | | | 12.2SRD | |------------+-----------------------+-----------------------| | 12.2SRD | Not vulnerable | 12.2(33)SRD6 | |------------+-----------------------+-----------------------| | 12.2SRE | 12.2(33)SRE4 | 12.2(33)SRE4 | |------------+-----------------------+-----------------------| | 12.2STE | Not vulnerable | Not vulnerable | |------------+-----------------------+-----------------------| | 12.2SU | Not vulnerable | Vulnerable; first | | | | fixed in Release 12.4 | |------------+-----------------------+-----------------------| | | | Releases prior to | | | | 12.2(29a)SV are | | | | vulnerable; Releases | | 12.2SV | Not vulnerable | 12.2(29a)SV and later | | | | are not vulnerable. | | | | Migrate to any | | | | release in 12.2SVD | |------------+-----------------------+-----------------------| | 12.2SVA | Not vulnerable | Not vulnerable | |------------+-----------------------+-----------------------| | 12.2SVC | Not vulnerable | Not vulnerable | |------------+-----------------------+-----------------------| | 12.2SVD | Not vulnerable | Not vulnerable | |------------+-----------------------+-----------------------| | 12.2SVE | Not vulnerable | Not vulnerable | |------------+-----------------------+-----------------------| | | | Vulnerable; contact | | | | your support | | | | organization per the | | 12.2SW | Not vulnerable | instructions in the | | | | Obtaining Fixed | | | | Software section of | | | | this advisory. | |------------+-----------------------+-----------------------| | | | Vulnerable; first | | 12.2SX | Not vulnerable | fixed in Release | | | | 12.2SXF | |------------+-----------------------+-----------------------| | | | Vulnerable; first | | 12.2SXA | Not vulnerable | fixed in Release | | | | 12.2SXF | |------------+-----------------------+-----------------------| | | | Vulnerable; first | | 12.2SXB | Not vulnerable | fixed in Release | | | | 12.2SXF | |------------+-----------------------+-----------------------| | | | Vulnerable; first | | 12.2SXD | Not vulnerable | fixed in Release | | | | 12.2SXF | |------------+-----------------------+-----------------------| | | | Vulnerable; first | | 12.2SXE | Not vulnerable | fixed in Release | | | | 12.2SXF | |------------+-----------------------+-----------------------| | 12.2SXF | Not vulnerable | 12.2(18)SXF17b | |------------+-----------------------+-----------------------| | 12.2SXH | Not vulnerable | 12.2(33)SXH8a | |------------+-----------------------+-----------------------| | 12.2SXI | Not vulnerable | 12.2(33)SXI6 | |------------+-----------------------+-----------------------| | 12.2SXJ | Not vulnerable | Not vulnerable | |------------+-----------------------+-----------------------| | 12.2SY | Not vulnerable | 12.2(50)SY | |------------+-----------------------+-----------------------| | | | Vulnerable; first | | 12.2SZ | Not vulnerable | fixed in Release | | | | 12.2SB | |------------+-----------------------+-----------------------| | 12.2T | Not vulnerable | Vulnerable; first | | | | fixed in Release 12.4 | |------------+-----------------------+-----------------------| | | | Vulnerable; contact | | | | your support | | | | organization per the | | 12.2TPC | Not vulnerable | instructions in the | | | | Obtaining Fixed | | | | Software section of | | | | this advisory. | |------------+-----------------------+-----------------------| | 12.2XA | Not vulnerable | Not vulnerable | |------------+-----------------------+-----------------------| | 12.2XB | Not vulnerable | Vulnerable; first | | | | fixed in Release 12.4 | |------------+-----------------------+-----------------------| | 12.2XC | Not vulnerable | Not vulnerable | |------------+-----------------------+-----------------------| | 12.2XD | Not vulnerable | Not vulnerable | |------------+-----------------------+-----------------------| | 12.2XE | Not vulnerable | Not vulnerable | |------------+-----------------------+-----------------------| | 12.2XF | Not vulnerable | Not vulnerable | |------------+-----------------------+-----------------------| | 12.2XG | Not vulnerable | Not vulnerable | |------------+-----------------------+-----------------------| | 12.2XH | Not vulnerable | Not vulnerable | |------------+-----------------------+-----------------------| | 12.2XI | Not vulnerable | Not vulnerable | |------------+-----------------------+-----------------------| | 12.2XJ | Not vulnerable | Not vulnerable | |------------+-----------------------+-----------------------| | 12.2XK | Not vulnerable | Not vulnerable | |------------+-----------------------+-----------------------| | 12.2XL | Not vulnerable | Not vulnerable | |------------+-----------------------+-----------------------| | 12.2XM | Not vulnerable | Not vulnerable | |------------+-----------------------+-----------------------| | 12.2XN | Not vulnerable | Not vulnerable | |------------+-----------------------+-----------------------| | 12.2XNA | See Cisco IOS-XE | See Cisco IOS-XE | | | Software Availability | Software Availability | |------------+-----------------------+-----------------------| | 12.2XNB | See Cisco IOS-XE | See Cisco IOS-XE | | | Software Availability | Software Availability | |------------+-----------------------+-----------------------| | 12.2XNC | See Cisco IOS-XE | See Cisco IOS-XE | | | Software Availability | Software Availability | |------------+-----------------------+-----------------------| | 12.2XND | See Cisco IOS-XE | See Cisco IOS-XE | | | Software Availability | Software Availability | |------------+-----------------------+-----------------------| | 12.2XNE | See Cisco IOS-XE | See Cisco IOS-XE | | | Software Availability | Software Availability | |------------+-----------------------+-----------------------| | 12.2XNF | See Cisco IOS-XE | See Cisco IOS-XE | | | Software Availability | Software Availability | |------------+-----------------------+-----------------------| | | | Releases prior to | | | | 12.2(54)XO are | | 12.2XO | Not vulnerable | vulnerable; Releases | | | | 12.2(54)XO and later | | | | are not vulnerable. | |------------+-----------------------+-----------------------| | 12.2XQ | Not vulnerable | Not vulnerable | |------------+-----------------------+-----------------------| | 12.2XR | Not vulnerable | Not vulnerable | |------------+-----------------------+-----------------------| | 12.2XS | Not vulnerable | Not vulnerable | |------------+-----------------------+-----------------------| | 12.2XT | Not vulnerable | Not vulnerable | |------------+-----------------------+-----------------------| | 12.2XU | Not vulnerable | Not vulnerable | |------------+-----------------------+-----------------------| | 12.2XV | Not vulnerable | Not vulnerable | |------------+-----------------------+-----------------------| | 12.2XW | Not vulnerable | Not vulnerable | |------------+-----------------------+-----------------------| | 12.2YA | Not vulnerable | Vulnerable; first | | | | fixed in Release 12.4 | |------------+-----------------------+-----------------------| | 12.2YB | Not vulnerable | Not vulnerable | |------------+-----------------------+-----------------------| | 12.2YC | Not vulnerable | Not vulnerable | |------------+-----------------------+-----------------------| | 12.2YD | Not vulnerable | Not vulnerable | |------------+-----------------------+-----------------------| | 12.2YE | Not vulnerable | Not vulnerable | |------------+-----------------------+-----------------------| | | | Vulnerable; contact | | | | your support | | | | organization per the | | 12.2YF | Not vulnerable | instructions in the | | | | Obtaining Fixed | | | | Software section of | | | | this advisory. | |------------+-----------------------+-----------------------| | | | Vulnerable; contact | | | | your support | | | | organization per the | | 12.2YG | Not vulnerable | instructions in the | | | | Obtaining Fixed | | | | Software section of | | | | this advisory. | |------------+-----------------------+-----------------------| | | | Vulnerable; contact | | | | your support | | | | organization per the | | 12.2YH | Not vulnerable | instructions in the | | | | Obtaining Fixed | | | | Software section of | | | | this advisory. | |------------+-----------------------+-----------------------| | | | Vulnerable; contact | | | | your support | | | | organization per the | | 12.2YJ | Not vulnerable | instructions in the | | | | Obtaining Fixed | | | | Software section of | | | | this advisory. | |------------+-----------------------+-----------------------| | 12.2YK | Not vulnerable | Not vulnerable | |------------+-----------------------+-----------------------| | | | Vulnerable; contact | | | | your support | | | | organization per the | | 12.2YL | Not vulnerable | instructions in the | | | | Obtaining Fixed | | | | Software section of | | | | this advisory. | |------------+-----------------------+-----------------------| | 12.2YM | Not vulnerable | Vulnerable; first | | | | fixed in Release 12.4 | |------------+-----------------------+-----------------------| | | | Vulnerable; contact | | | | your support | | | | organization per the | | 12.2YN | Not vulnerable | instructions in the | | | | Obtaining Fixed | | | | Software section of | | | | this advisory. | |------------+-----------------------+-----------------------| | 12.2YO | Not vulnerable | Not vulnerable | |------------+-----------------------+-----------------------| | 12.2YP | Not vulnerable | Not vulnerable | |------------+-----------------------+-----------------------| | | | Vulnerable; contact | | | | your support | | | | organization per the | | 12.2YQ | Not vulnerable | instructions in the | | | | Obtaining Fixed | | | | Software section of | | | | this advisory. | |------------+-----------------------+-----------------------| | | | Vulnerable; contact | | | | your support | | | | organization per the | | 12.2YR | Not vulnerable | instructions in the | | | | Obtaining Fixed | | | | Software section of | | | | this advisory. | |------------+-----------------------+-----------------------| | | | Vulnerable; contact | | | | your support | | | | organization per the | | 12.2YS | Not vulnerable | instructions in the | | | | Obtaining Fixed | | | | Software section of | | | | this advisory. | |------------+-----------------------+-----------------------| | | | Vulnerable; contact | | | | your support | | | | organization per the | | 12.2YT | Not vulnerable | instructions in the | | | | Obtaining Fixed | | | | Software section of | | | | this advisory. | |------------+-----------------------+-----------------------| | | | Vulnerable; contact | | | | your support | | | | organization per the | | 12.2YU | Not vulnerable | instructions in the | | | | Obtaining Fixed | | | | Software section of | | | | this advisory. | |------------+-----------------------+-----------------------| | | | Vulnerable; contact | | | | your support | | | | organization per the | | 12.2YV | Not vulnerable | instructions in the | | | | Obtaining Fixed | | | | Software section of | | | | this advisory. | |------------+-----------------------+-----------------------| | | | Vulnerable; contact | | | | your support | | | | organization per the | | 12.2YW | Not vulnerable | instructions in the | | | | Obtaining Fixed | | | | Software section of | | | | this advisory. | |------------+-----------------------+-----------------------| | | | Vulnerable; contact | | | | your support | | | | organization per the | | 12.2YX | Not vulnerable | instructions in the | | | | Obtaining Fixed | | | | Software section of | | | | this advisory. | |------------+-----------------------+-----------------------| | | | Vulnerable; contact | | | | your support | | | | organization per the | | 12.2YY | Not vulnerable | instructions in the | | | | Obtaining Fixed | | | | Software section of | | | | this advisory. | |------------+-----------------------+-----------------------| | | | Vulnerable; contact | | | | your support | | | | organization per the | | 12.2YZ | Not vulnerable | instructions in the | | | | Obtaining Fixed | | | | Software section of | | | | this advisory. | |------------+-----------------------+-----------------------| | | | Vulnerable; first | | 12.2ZA | Not vulnerable | fixed in Release | | | | 12.2SXF | |------------+-----------------------+-----------------------| | | | Vulnerable; contact | | | | your support | | | | organization per the | | 12.2ZB | Not vulnerable | instructions in the | | | | Obtaining Fixed | | | | Software section of | | | | this advisory. | |------------+-----------------------+-----------------------| | 12.2ZC | Not vulnerable | Not vulnerable | |------------+-----------------------+-----------------------| | 12.2ZD | Not vulnerable | Not vulnerable | |------------+-----------------------+-----------------------| | 12.2ZE | Not vulnerable | Vulnerable; first | | | | fixed in Release 12.4 | |------------+-----------------------+-----------------------| | 12.2ZF | Not vulnerable | Vulnerable; first | | | | fixed in Release 12.4 | |------------+-----------------------+-----------------------| | 12.2ZG | Not vulnerable | Not vulnerable | |------------+-----------------------+-----------------------| | 12.2ZH | Not vulnerable | Vulnerable; first | | | | fixed in Release 12.4 | |------------+-----------------------+-----------------------| | 12.2ZJ | Not vulnerable | Not vulnerable | |------------+-----------------------+-----------------------| | | | Vulnerable; contact | | | | your support | | | | organization per the | | 12.2ZL | Not vulnerable | instructions in the | | | | Obtaining Fixed | | | | Software section of | | | | this advisory. | |------------+-----------------------+-----------------------| | 12.2ZP | Not vulnerable | Not vulnerable | |------------+-----------------------+-----------------------| | | | Vulnerable; first | | 12.2ZU | Not vulnerable | fixed in Release | | | | 12.2SXH | |------------+-----------------------+-----------------------| | 12.2ZX | Not vulnerable | Not vulnerable | |------------+-----------------------+-----------------------| | | | Vulnerable; contact | | | | your support | | | | organization per the | | 12.2ZY | Not vulnerable | instructions in the | | | | Obtaining Fixed | | | | Software section of | | | | this advisory. | |------------+-----------------------+-----------------------| | | | Vulnerable; contact | | | | your support | | | | organization per the | | 12.2ZYA | Not vulnerable | instructions in the | | | | Obtaining Fixed | | | | Software section of | | | | this advisory. | |------------+-----------------------+-----------------------| | Affected | | First Fixed Release | | 12.3-Based | First Fixed Release | for All Advisories in | | Releases | For This Advisory | the September 2011 | | | | Bundled Publication | |------------------------------------------------------------| | There are no affected 12.3-based releases | |------------------------------------------------------------| | Affected | | First Fixed Release | | 12.4-Based | First Fixed Release | for All Advisories in | | Releases | For This Advisory | the September 2011 | | | | Bundled Publication | |------------------------------------------------------------| | There are no affected 12.4-based releases | |------------------------------------------------------------| | Affected | | First Fixed Release | | 15.0-Based | First Fixed Release | for All Advisories in | | Releases | For This Advisory | the September 2011 | | | | Bundled Publication | |------------+-----------------------+-----------------------| | 15.0M | 15.0(1)M7 | 15.0(1)M7 | |------------+-----------------------+-----------------------| | | Vulnerable; contact | Vulnerable; contact | | | your support | your support | | | organization per the | organization per the | | 15.0MR | instructions in the | instructions in the | | | Obtaining Fixed | Obtaining Fixed | | | Software section of | Software section of | | | this advisory. | this advisory. | |------------+-----------------------+-----------------------| | | Vulnerable; contact | Vulnerable; contact | | | your support | your support | | | organization per the | organization per the | | 15.0MRA | instructions in the | instructions in the | | | Obtaining Fixed | Obtaining Fixed | | | Software section of | Software section of | | | this advisory. | this advisory. | |------------+-----------------------+-----------------------| | 15.0S | See Cisco IOS-XE | See Cisco IOS-XE | | | Software Availability | Software Availability | |------------+-----------------------+-----------------------| | | | Vulnerable; contact | | | | your support | | | | organization per the | | 15.0SA | Not vulnerable | instructions in the | | | | Obtaining Fixed | | | | Software section of | | | | this advisory. | |------------+-----------------------+-----------------------| | 15.0SE | Not vulnerable | Not vulnerable | |------------+-----------------------+-----------------------| | 15.0SG | See Cisco IOS-XE | See Cisco IOS-XE | | | Software Availability | Software Availability | |------------+-----------------------+-----------------------| | | Vulnerable; first | Vulnerable; first | | 15.0XA | fixed in Release | fixed in Release | | | 15.1T | 15.1T | |------------+-----------------------+-----------------------| | 15.0XO | See Cisco IOS-XE | See Cisco IOS-XE | | | Software Availability | Software Availability | |------------+-----------------------+-----------------------| | Affected | | First Fixed Release | | 15.1-Based | First Fixed Release | for All Advisories in | | Releases | For This Advisory | the September 2011 | | | | Bundled Publication | |------------+-----------------------+-----------------------| | | | Vulnerable; contact | | | | your support | | | | organization per the | | 15.1EY | Not vulnerable | instructions in the | | | | Obtaining Fixed | | | | Software section of | | | | this advisory. | |------------+-----------------------+-----------------------| | | Vulnerable; first | Vulnerable; first | | 15.1GC | fixed in Release | fixed in Release | | | 15.1T | 15.1T | |------------+-----------------------+-----------------------| | 15.1M | 15.1(4)M1 | 15.1(4)M2; Available | | | | on 30-SEP-11 | |------------+-----------------------+-----------------------| | | | Vulnerable; contact | | | | your support | | | | organization per the | | 15.1MR | Not vulnerable | instructions in the | | | | Obtaining Fixed | | | | Software section of | | | | this advisory. | |------------+-----------------------+-----------------------| | 15.1S | See Cisco IOS-XE | See Cisco IOS-XE | | | Software Availability | Software Availability | |------------+-----------------------+-----------------------| | | 15.1(1)T4; Available | | | | on 09-DEC-11 | 15.1(2)T4 | | 15.1T | | | | | 15.1(2)T4 | 15.1(1)T4 on | | | | 8-Dec-2011 | | | 15.1(3)T2 | | |------------+-----------------------+-----------------------| | | Vulnerable; first | Vulnerable; first | | 15.1XB | fixed in Release | fixed in Release | | | 15.1T | 15.1T | |------------+-----------------------+-----------------------| | Affected | | First Fixed Release | | 15.2-Based | First Fixed Release | for All Advisories in | | Releases | For This Advisory | the September 2011 | | | | Bundled Publication | |------------------------------------------------------------| | There are no affected 15.2-based releases | +------------------------------------------------------------+ Cisco IOS XE Software +-------------------- Cisco IOS XE Software is affected by the vulnerability disclosed in this document. +------------------------------------------------------------+ | Cisco | First Fixed | First Fixed Release for All | | IOS XE | Release For | Advisories in the September | | Release | This Advisory | 2011 Bundled Publication | |----------+----------------+--------------------------------| | | Vulnerable; | | | 2.1.x | migrate to | Vulnerable; migrate to 3.3.2S | | | 3.3.2S or | or later | | | later | | |----------+----------------+--------------------------------| | | Vulnerable; | | | 2.2.x | migrate to | Vulnerable; migrate to 3.3.2S | | | 3.3.2S or | or later | | | later | | |----------+----------------+--------------------------------| | | Vulnerable; | | | 2.3.x | migrate to | Vulnerable; migrate to 3.3.2S | | | 3.3.2S or | or later | | | later | | |----------+----------------+--------------------------------| | | Vulnerable; | | | 2.4.x | migrate to | Vulnerable; migrate to 3.3.2S | | | 3.3.2S or | or later | | | later | | |----------+----------------+--------------------------------| | | Vulnerable; | | | 2.5.x | migrate to | Vulnerable; migrate to 3.3.2S | | | 3.3.2S or | or later | | | later | | |----------+----------------+--------------------------------| | | Vulnerable; | | | 2.6.x | migrate to | Vulnerable; migrate to 3.3.2S | | | 3.3.2S or | or later | | | later | | |----------+----------------+--------------------------------| | 3.1.xS | 3.1.4S | Vulnerable; migrate to 3.3.2S | | | | or later | |----------+----------------+--------------------------------| | 3.1.xSG | Not vulnerable | Vulnerable; migrate to 3.2.0SG | | | | or later | |----------+----------------+--------------------------------| | | Vulnerable; | | | 3.2.xS | migrate to | Vulnerable; migrate to 3.3.2S | | | 3.3.2S or | or later | | | later | | |----------+----------------+--------------------------------| | 3.2.xSG | Not vulnerable | Not vulnerable | |----------+----------------+--------------------------------| | 3.3.xS | 3.3.2S | 3.3.2S | |----------+----------------+--------------------------------| | 3.4.xS | Not vulnerable | Not vulnerable | +------------------------------------------------------------+ For mapping of Cisco IOS XE to Cisco IOS releases, please refer to the Cisco IOS XE 2 Release Notes, Cisco IOS XE 3S Release Notes, and Cisco IOS XE 3SG Release Notes. Cisco IOS XR Software +-------------------- Cisco IOS XR Software is not affected by the vulnerability disclosed in this document. Cisco IOS XR Software is not affected by any of the vulnerabilities in the September 2011 bundled publication. Workarounds =========== For both vulnerabilities the following workaround applies: Disabling MPLS TTL Propagation +----------------------------- Disabling MPLS TTL propagation will prevent exploitation of these vulnerabilities. MPLS TTL propagation will have to be disabled on all PE routers in the MPLS domain. To disable MPLS TTL propagation, enter the global configuration command "no mpls ip propagate-ttl". If only "no mpls ip propagate-ttl forward" is configured, the vulnerabilities could still be exploited from within the MPLS domain. For more information about the MPLS TTL propagation command, refer to the configuration guide at: http://www.cisco.com/en/US/docs/ios/mpls/command/reference/mp_m1.html#wp1013846 Obtaining Fixed Software ======================== Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html, or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml. Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Customers with Service Contracts +------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com. Customers using Third Party Support Organizations +------------------------------------------------ Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory. The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed. Customers without Service Contracts +---------------------------------- Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac@cisco.com Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Refer to http://www.cisco.com/en/US/support/ tsd_cisco_worldwide_contacts.html for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages. Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerabilities described in this advisory. These vulnerabilities were discovered when handling customer support calls. Status of this Notice: FINAL ============================ THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at: http://www.cisco.com/warp/public/707/cisco-sa-20110928-ipv6mpls.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce@cisco.com * first-bulletins@lists.first.org * bugtraq@securityfocus.com * vulnwatch@vulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.grok.org.uk * comp.dcom.sys.cisco@newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +------------------------------------------------------------+ | Revision 1.0 | 2011-September-28 | Initial public release | +------------------------------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt. +-------------------------------------------------------------------- Copyright 2010-2011 Cisco Systems, Inc. All rights reserved. +-------------------------------------------------------------------- -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) iF4EAREIAAYFAk6Cp2QACgkQQXnnBKKRMNBQSAD9F2jD01t7WK98WW1TcHuB0ORh ttZaRD2ayENEbxklbQgA/j6rRzsG/jk1QW1pJjZme3WKwdvNLy9BzRPTsONBz5Cv =kk0N -----END PGP SIGNATURE-----

The web-based management interface on Cisco SA 500 series security appliances with software before 2.1.19 allows remote authenticated users to execute arbitrary commands via crafted parameters to web forms, aka Bug ID CSCtq65681. The attacker can obtain root privileges. An authenticated attacker can exploit this issue to execute arbitrary commands with root-level privileges on the underlying operating system. This issue is being tracked by Cisco bug ID CSCtq65681. The following devices are affected: Cisco SA520 Cisco SA520W Cisco SA540. An attacker must have valid credentials for an affected device to exploit one vulnerability; exploitation of the other does not require authentication. Both vulnerabilities can be exploited over the network. Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate these vulnerabilities are available. This advisory is posted at: http://www.cisco.com/warp/public/707/cisco-sa-20110720-sa500.shtml Affected Products ================= Vulnerable Products +------------------ These vulnerabilities affect the following devices running a software version prior to the first fixed release documented in the Software Versions and Fixes section of this advisory: * Cisco SA520 * Cisco SA520W * Cisco SA540 There are multiple methods to determine the version of system software that is running on a device. At the device web login screen, the system software version is displayed under the "Security Appliance Configuration Utility" heading. Administrators can also log in to a device through the web management interface and navigate to Administration > Firmware & Configuration > Network. The Primary Firmware field appears below Status Information. The number directly beside the Primary Firmware field is the system software version. Alternately, after logging in to the device, administrators can click on the About link on top right side of the screen. The system software version will be displayed below the "Security Appliance Configuration Utility" heading. An example of the system firmware version is 2.1.18. Products Confirmed Not Vulnerable +--------------------------------- No other Cisco products are currently known to be affected by these vulnerabilities. This vulnerability is documented in Cisco bug ID CSCtq65681 and has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2011-2547 Vulnerability Scoring Details +---------------------------- Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco has provided an FAQ to answer additional questions regarding CVSS at: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at: http://intellishield.cisco.com/security/alertmanager/cvss * CSCtq65669 - SQL injection vulnerability CVSS Base Score - 5.0 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - Partial Integrity Impact - None Availability Impact - None CVSS Temporal Score - 4.1 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCtq65681 - Privilege escalation vulnerability CVSS Base Score - 9.0 Access Vector - Network Access Complexity - Low Authentication - Single Confidentiality Impact - Complete Integrity Impact - Complete Availability Impact - Complete CVSS Temporal Score - 7.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed Impact ====== Successful exploitation of the SQL injection vulnerability could allow the retrieval of usernames and passwords. Software Versions and Fixes =========================== When considering software upgrades, also consult: http://www.cisco.com/go/psirt And any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Small Business Support Center or your contracted maintenance provider for assistance. These vulnerabilities have been corrected in software versions 2.1.19 and later. If administrators of SA 500 Series Security Appliances have configured the Check for New Firmware notification under Administration > Firmware & Configuration > Network, a message regarding new firmware that is available on Cisco.com will be displayed at the next log in to the appliance. Note: the SA 500 will not perform an automatic upgrade to version 2.1.19. The upgrade must be performed by an administrator. The latest software for SA 500 Series Security Appliances can be downloaded at: http://www.cisco.com/cisco/software/navigator.html?mdfid=282414017 Workarounds =========== The following mitigations help limit the exposure to these vulnerabilities. * Disable Remote Management Caution: Do not disable remote management if administrators manage devices via the WAN connection. This action will result in a loss of management connectivity to the device. Several features also require remote management to be enabled, including SSL VPN access and the Cisco Quick Virtual Private Network (QVPN) Utility. Remote Management is disabled by default. Administrators can disable this feature by choosing Network Management > Remote Management. Change the setting for this field to Disabled. Disabling remote management limits exposure because the vulnerabilities can then be exploited from the inter-LAN network only. Disabling remote management limits the exposure as the vulnerabilities can then only be exploited from the inter LAN network. * Limit Remote Management Access to Specific IP Addresses If remote management is required, secure the device so that it can be accessed by certain IP addresses only, rather than the default setting of All IP Addresses. After choosing Network Management > Remote Management, an administrator can change the Remote IP Address field to ensure that only devices with specified IP addresses can access the device. Obtaining Fixed Software ======================== Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at: http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html Or as otherwise set forth at Cisco.com Downloads at: http://www.cisco.com/public/sw-center/sw-usingswc.shtml Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Customers should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com If the information is not clear, please contact the Cisco Small Business Support Center or your contracted maintenance provider for assistance. Small Business Support Center contacts are as follows. +1 866 606 1866 (toll free from within North America) +1 408 418 1866 (toll call from anywhere in the world) Customers should have their product serial number available. Refer to: http://www.cisco.com/en/US/support/tsd_cisco_small_business_support_center_contacts.html for additional support contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages. Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerabilities that are described in this advisory. These vulnerabilities were reported to Cisco by Michal Sajdak of Securitum, Poland. Status of this Notice: FINAL ============================ THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at : http://www.cisco.com/warp/public/707/cisco-sa-20110720-sa500.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce@cisco.com * first-bulletins@lists.first.org * bugtraq@securityfocus.com * vulnwatch@vulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.grok.org.uk * comp.dcom.sys.cisco@newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +-------------------------------------------------------------------+ | Revision 1.0 | 2011-July-20 | Initial public release. | +-------------------------------------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at: http://www.cisco.com/go/psirt +-------------------------------------------------------------------- Copyright 2010-2011 Cisco Systems, Inc. All rights reserved. +-------------------------------------------------------------------- -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (Darwin) iF4EAREIAAYFAk4m4k8ACgkQQXnnBKKRMNDzJgD+MwAQlnCeOSxzAq20X7iFbKvP tRwD9b1YmA4CFNcFLJkA/i25Tf/onaCHv4x79F0XDt2ZaCSpdEIp17oYfzFajYXl =aaaj -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ . ---------------------------------------------------------------------- The Secunia Vulnerability Intelligence Manager (VIM) enables you to handle vulnerability threats in a simple, cost effective way. Read more and request a free trial: http://secunia.com/products/corporate/vim/ ---------------------------------------------------------------------- TITLE: Cisco SA 500 Series Web Management Interface Two Vulnerabilities SECUNIA ADVISORY ID: SA45355 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/45355/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=45355 RELEASE DATE: 2011-07-22 DISCUSS ADVISORY: http://secunia.com/advisories/45355/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/45355/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=45355 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Two vulnerabilities have been reported in Cisco SA 500 Series Security Appliances, which can be exploited by malicious users to compromise a vulnerable system and by malicious people to conduct SQL injection attacks. 1) Certain input passed to the login form is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. 2) Certain unspecified input passed to the web management interface is not properly sanitised before being used. This can be exploited to inject and execute arbitrary shell commands. PROVIDED AND/OR DISCOVERED BY: The vendor credits Michal Sajdak, Securitum. ORIGINAL ADVISORY: http://www.cisco.com/warp/public/707/cisco-sa-20110720-sa500.shtml OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

The NSEPA.NsepaCtrl.1 ActiveX control in nsepa.ocx in Citrix Access Gateway Enterprise Edition 8.1 before 8.1-67.7, 9.0 before 9.0-70.5, and 9.1 before 9.1-96.4 attempts to validate signed DLLs by checking the certificate subject, not the signature, which allows man-in-the-middle attackers to execute arbitrary code via HTTP header data referencing a DLL that was signed with a crafted certificate. Citrix Access Gateway is a universal SSL VPN device. Attackers may exploit these issues by enticing an unsuspecting victim to view a malicious webpage. Citrix Access Gateway Plug-in versions prior to 8.1-67.7, 9.0-70.5, and 9.1-96.4 are vulnerable; other versions may also be affected

Stack-based buffer overflow in the NSEPA.NsepaCtrl.1 ActiveX control in nsepa.ocx in Citrix Access Gateway Enterprise Edition 8.1 before 8.1-67.7, 9.0 before 9.0-70.5, and 9.1 before 9.1-96.4 allows remote attackers to execute arbitrary code via crafted HTTP header data. Citrix Access Gateway is a universal SSL VPN device. Attackers may exploit these issues by enticing an unsuspecting victim to view a malicious webpage. Citrix Access Gateway Plug-in versions prior to 8.1-67.7, 9.0-70.5, and 9.1-96.4 are vulnerable; other versions may also be affected

Stack-based buffer overflow in CFS.c in ConfigServer Security & Firewall (CSF) before 5.43, when running on a DirectAdmin server, allows local users to cause a denial of service (crash) via a long string in an admin.list file. ConfigServer Firewall is prone to a buffer-overflow vulnerability. Attackers can exploit this issue to execute arbitrary code within the context of the application using the vulnerable control. Failed exploit attempts will result in a denial-of-service condition

The Invoker Servlet on SAP NetWeaver Application Server Java platforms, possibly before 7.3, does not require authentication, which allows remote attackers to execute arbitrary code via an HTTP or HTTPS request, as exploited in the wild in 2013 through 2016, aka a "Detour" attack. Attacks on this vulnerability 2013 From 2016 Observed in year. This vulnerability "Detour" It is called an attack. Vendors have confirmed this vulnerability SAP Security Note 1445998 It is released as.By a third party HTTP Or HTTPS Arbitrary code may be executed via a request. SAP NetWeaver is the technical foundation for SAP Business Suite solutions, SAP xApps composite applications, partner solutions, and custom applications. The SAP Netweaver Invoker Servlet has a security vulnerability that allows an attacker to call any servlet even if it is declared in a web.xml file. This includes any servlet classes available in the application classloader, such as those in the WEB-INF\\classes, WEB-INF\\lib, and WEB-INF\\additinal-lib application directories. Multiple servlets included with Java applications are not designed for direct client access, but instead interact inside the application, thus causing arbitrary calls to be performed and invisible operations on the SAP server. An attacker may leverage this issue to execute arbitrary script code within the context of the affected application

Multiple cross-site scripting (XSS) vulnerabilities in GoAhead Webserver 2.18 allow remote attackers to inject arbitrary web script or HTML via (1) the group parameter to goform/AddGroup, related to addgroup.asp; (2) the url parameter to goform/AddAccessLimit, related to addlimit.asp; or the (3) user (aka User ID) or (4) group parameter to goform/AddUser, related to adduser.asp. GoAhead Webserver contains multiple cross-site scripting vulnerabilities. GoAhead Webserver for, POST There is a problem with request processing and multiple cross-site scripting vulnerabilities exist.Arbitrary scripts may be executed on the user's web browser. Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible. GoAhead WebServer 2.18 is vulnerable; other versions may also be affected. GoAhead WebServer is a small and exquisite embedded Web server of American Embedthis Company, which supports embedding in various devices and applications. ---------------------------------------------------------------------- Secunia is hiring! Find your next job here: http://secunia.com/company/jobs/ ---------------------------------------------------------------------- TITLE: GoAhead WebServer Multiple Script Insertion Vulnerabilities SECUNIA ADVISORY ID: SA46894 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/46894/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=46894 RELEASE DATE: 2011-11-18 DISCUSS ADVISORY: http://secunia.com/advisories/46894/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/46894/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=46894 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Multiple vulnerabilities have been discovered in GoAhead WebServer, which can be exploited by malicious people to conduct script insertion attacks. 1) Input passed via the "group" POST parameter to goform/AddGroup (when "ok" is set to "OK") when adding a group is not properly sanitised before being used. 2) Input passed via the "url" POST parameter to goform/AddAccessLimit (when "ok" is set to "OK") when adding an access limit is not properly sanitised before being used. 3) Input passed via the "user" POST parameter to goform/AddUser (when "ok" is set to "OK") when adding a user is not properly sanitised before being used. The vulnerabilities are confirmed in version 2.1.8. SOLUTION: Update to version 2.5. PROVIDED AND/OR DISCOVERED BY: US-CERT credits Silent Dream ORIGINAL ADVISORY: http://www.kb.cert.org/vuls/id/384427 OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

The Schneider Electric Quantum Ethernet Module, as used in the Quantum 140NOE771* and 140CPU65* modules, the Premium TSXETY* and TSXP57* modules, the M340 BMXNOE01* and BMXP3420* modules, and the STB DIO STBNIC2212 and STBNIP2* modules, uses hardcoded passwords for the (1) AUTCSE, (2) AUT_CSE, (3) fdrusers, (4) ftpuser, (5) loader, (6) nic2212, (7) nimrohs2212, (8) nip2212, (9) noe77111_v500, (10) ntpupdate, (11) pcfactory, (12) sysdiag, (13) target, (14) test, (15) USER, and (16) webserver accounts, which makes it easier for remote attackers to obtain access via the (a) TELNET, (b) Windriver Debug, or (c) FTP port. Schneider Electric Modicon Quantum is an automated control platform with a full range of complete processors for complex process control and infrastructure. Schneider Electric Modicon Quantum has several security vulnerabilities, including: (1) Communication between Unity software and PLC without authentication, allowing attackers to perform denial of service and remote code execution attacks. (2) There is a backdoor account that allows access to the system with user or administrator privileges. (3) The HTTP server has a buffer overflow, and the remote attacker can exploit the vulnerability for the denial of service attack. (4) There is a buffer overflow in the FTP server, and a remote attacker can exploit the vulnerability for a denial of service attack. (5) There is also a cross-site scripting attack. The firmware provided by Schneider Schneider Electric Quantum Ethernet Module has a hard-coded problem. Attackers can exploit this issue to gain access to the Telnet port service, Windriver Debug port service, and FTP service. Attackers can exploit this vulnerability to execute arbitrary code within the context of the vulnerable device. 1) Certain unspecified input is not properly sanitised before being returned to the user. SOLUTION: Filter malicious characters and character sequences in a proxy. PROVIDED AND/OR DISCOVERED BY: ICS-CERT credits Ruben Santamarta via Digital Bond\x92s SCADA Security Scientific Symposium (S4). ---------------------------------------------------------------------- Secunia is hiring! Find your next job here: http://secunia.com/company/jobs/ ---------------------------------------------------------------------- TITLE: Schneider Electric Ethernet Modules Undocumented Account Security Issues SECUNIA ADVISORY ID: SA47019 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/47019/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=47019 RELEASE DATE: 2011-12-14 DISCUSS ADVISORY: http://secunia.com/advisories/47019/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/47019/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=47019 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Ruben Santamarta has reported some security issues in multiple Schneider Electric modules, which can be exploited by malicious people to bypass certain security restrictions. modify HTTP passwords and upload malicious firmware. Please see the ICS-CERT's advisory for a list of affected products and versions. SOLUTION: Restrict access to trusted hosts only. PROVIDED AND/OR DISCOVERED BY: Ruben Santamarta ORIGINAL ADVISORY: Ruben Santamarta: http://reversemode.com/index.php?option=com_content&task=view&id=80&Itemid=1 ICS-CERT: http://www.us-cert.gov/control_systems/pdf/ICS-ALERT-11-346-01.pdf OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Multiple HTC Android devices including Desire HD FRG83D and GRI40, Glacier FRG83, Droid Incredible FRF91, Thunderbolt 4G FRG83D, Sensation Z710e GRI40, Sensation 4G GRI40, Desire S GRI40, EVO 3D GRI40, and EVO 4G GRI40 allow remote attackers to obtain 802.1X Wi-Fi credentials and SSID via a crafted application that uses the android.permission.ACCESS_WIFI_STATE permission to call the toString method on the WifiConfiguration class. A user's 802.1X WiFi credentials and SSID information may be exposed to any application with basic WiFi permissions on certain HTC builds of Android. HTC Made Android On the device, Wi-Fi There is a vulnerability in which authentication information is leaked. HTC Made Android The device has a problem managing authentication information, Wi-Fi There is a vulnerability in which authentication information is leaked.Configured for the product by a remote third party Wi-Fi Authentication information may be obtained. If the same application also has android.permission.INTERNET permission, the application can collect this information and send it to the server on the remote Internet. Multiple HTC devices are prone to an information-disclosure vulnerability. An attacker can exploit this issue by enticing an unsuspecting victim to install a malicious application with 'android.permission.ACCESS_WIFI_STATE' and 'android.permission.INTERNET' permissions on the device running Android. Remote attackers can exploit this issue to gain access to sensitive information. This may aid in further attacks.   This exploit exposes enterprise-privileged credentials in a manner that allows targeted exploitation. -------------------------------------------------------------------------------- Affected Vendors: -------------------------------------------------------------------------------- HTC -------------------------------------------------------------------------------- Affected Versions: -------------------------------------------------------------------------------- We have verified the following devices as having this issue (there may be others including some non-HTC phones): Desire HD  (both "ace" and "spade" board revisions) - Versions FRG83D, GRI40 Glacier - Version FRG83 Droid Incredible - Version FRF91 Thunderbolt 4G - Version FRG83D Sensation Z710e - Version GRI40 Sensation 4G - Version GRI40 Desire S - Version GRI40 EVO 3D - Version GRI40 EVO 4G - Version GRI40 -------------------------------------------------------------------------------- Non-Affected Versions: -------------------------------------------------------------------------------- myTouch3g  (Appears to run either unmodified, or only lightly modified Android build) Nexus One  (Runs unmodified Android build) -------------------------------------------------------------------------------- Severity -------------------------------------------------------------------------------- Critical -------------------------------------------------------------------------------- See also -------------------------------------------------------------------------------- CVE ID: CVE-2011-4872 -------------------------------------------------------------------------------- Timeline: -------------------------------------------------------------------------------- - 2012-02-01: Public disclosure - 2012-01-31: Submit final public disclosure doc to HTC Global for feedback - 2012-01-31: HTC publishes information via their web site - 2012-01-20: Public disclosure ? postponed - 2012-01-19: Discussion with HTC Global on their time schedule - 2012-01-05: Conference call with HTC Global - 2012-01-02: Public disclosure ? postponed - 2011-12-05: Discussed public disclosure time frames with HTC and Google - 2011-10-11: Updated all individuals and groups that are aware of the issue - 2011-10-11: Follow-up conference call with HTC Global and Google - 2011-09-19: Updated all individuals and groups that were aware of the issue - 2011-09-19: Conference call with HTC Global and Google - 2011-09-08: HTC and Google verified exploit - 2011-09-07: Notified key government agencies and CERT under non-public disclosure - 2011-09-07: Initial email and phone call with HTC Global and Google -------------------------------------------------------------------------------- Vulnerability Details: -------------------------------------------------------------------------------- There is an issue in certain HTC builds of Android that can expose the user's 802.1X password to any program with the "android.permission.ACCESS_WIFI_STATE" permission. In addition, if the SSID is an identifiable SSID ("Sample University" or "Enterprise XYZ"), this issue exposes enterprise-privileged credentials in a manner that allows targeted exploitation. The resulting output will look something like this: * ID: 2 SSID: "ct" BSSID: null PRIO: 16 KeyMgmt: WPA_EAP IEEE8021X Protocols: WPA RSN AuthAlgorithms: PairwiseCiphers: CCMP GroupCiphers: WEP40 WEP104 TKIP CCMP PSK: eap: PEAP phase2: auth=MSCHAPV2 identity: [Your User Name] anonymous_identity: password: client_cert: private_key: ca_cert: keystore://CACERT_ct On most Android devices, the password field is either left blank, or simply populated with a "*" to indicate that a password is present. However, on affected HTC devices, the password field contains the actual user password in clear text. This is sample output from a Sprint EVO running Android 2.3.3: * ID: 0 SSID: "wpa2eap" BSSID: null PRIO: 21 KeyMgmt: WPA_EAP IEEE8021X Protocols: WPA RSN AuthAlgorithms: PairwiseCiphers: CCMP GroupCiphers: WEP40 WEP104 TKIP CCMP PSK: eap: TTLS phase2: auth=PAP identity: test anonymous_identity: password: test client_cert: private_key: ca_cert: keystore://CACERT_wpa2eap -------------------------------------------------------------------------------- Vendor Response -------------------------------------------------------------------------------- Google and HTC have been very responsive and good to work with on this issue.   Google has made changes to the Android code to help better protect the credential store and HTC has released updates for all currently supported phone and side-loads for all non-supported phone. Customer with affected versions can find information from HTC about updating their phone at: http://www.htc.com/www/help/ Google has also done a code scan of every application currently in the Android Market and there are no applications currently exploiting this vulnerability. -------------------------------------------------------------------------------- Credit -------------------------------------------------------------------------------- Chris Hessing from The Open1X Group (http://www.open1x.org) who is currently working on Android, iOS, Windows, Mac OSX, and Linux 802.1X tools for Cloudpath Networks (http://www.cloudpath.net/) discovered this password exploit. -------------------------------------------------------------------------------- Contact Information -------------------------------------------------------------------------------- Chris Hessing      Senior Engineer, Cloudpath Networks (chris.hessing@cloudpath.net)      Chief Architect, Open1X Group (chris@open1x.org) Bret Jordan CISSP      Senior Security Architect, Open1X Group (jordan@open1x.org) -------------------------------------------------------------------------------- About -------------------------------------------------------------------------------- Cloudpath Networks Cloudpath Networks provides software solutions that allow diverse environments to operate WPA2-Enterprise and 802.1X networks in a scalable, sustainable manner.ˇ From Bring Your Own Device (BYOD) in enterprise to student-owned devices in education, Cloudpath's XpressConnect Wizard has been proven to provide unmatched simplicity on millions of devices around the globe. XpressConnect is an automated, self-service wizard for connecting users to WPA2-Enterprise and 802.1X across a wide range of device types and authentication methods, including credential-based (PEAP and TTLS) and certificate-based (TLS).ˇ For certificate-based environments, XpressConnect?s integration technology seamlessly connects to existing Microsoft CA servers to extend automated certificate issuance to non-domain devices, including iOS (iPhone, iPad, iPod Touch), Android, Windows, Mac OS X, and Linux. The Open1X Group The Open1X Group is a strategic research and development group established in 2001 to support the creation and adoption of secure authentication systems over traditionally insecure network connection. The Open1X Group performs active and ongoing research and analysis in to the IEEE 802.1X protocol, the IETF EAP Methods, emerging authentication technologies, and various cryptographic implementations.   The Open1X Group has had the support of major Universities, enterprise companies, major Hi-Tech companies, and non-profit organizations.   The Open1X Group also performs on-going analysis of business and academic interests in to secure authentication and single sign-on systems, and Government and non-Government regulations and mandates for compliance in secure authentication. The Open1X Group leverages a distributed team of security architects, engineers, and research scientists with specializations in 802.1X, gird and high performance computing, wireless networking, federated authentication, black box testing, cryptography, large enterprise and University deployment experiences, and global project development. The Open1X Group is a pioneer in the secure authentication space with the first major wide spread 802.1X federated deployment back in 1999/2000, and the development of a fully featured 802.1X supplicant, XSupplicant. Bret Jordan CISSP Sr Security Architect PGP Fingerprint: 62A6 5999 0F7D 0D61 4C66 D59C 2DB5 111D 63BC A303 "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." . The vulnerability is caused due to an unspecified error and can be exploited by an application system administrator to gain super user privileges. The vulnerability is reported in versions 6.0, 6.5, and 6.6. SOLUTION: Apply patches (please see the vendor's advisory for details). ---------------------------------------------------------------------- SC Magazine awards the Secunia CSI a 5-Star rating Top-level rating for ease of use, performance, documentation, support, and value for money. Read more and get a free trial here: http://secunia.com/blog/296 ---------------------------------------------------------------------- TITLE: HTC Products Wi-Fi Credentials Disclosure Weakness SECUNIA ADVISORY ID: SA47837 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/47837/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=47837 RELEASE DATE: 2012-02-02 DISCUSS ADVISORY: http://secunia.com/advisories/47837/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/47837/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=47837 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Open1X Group has reported a weakness in multiple HTC products, which can be exploited by malicious people to disclose potentially sensitive information. The weakness is caused due to the "WifiConfiguration::toString()" method returning Wi-Fi credentials of stored networks in clear text. Successful exploitation requires that a malicious application is installed with "android.permission.ACCESS_WIFI_STATE" permissions. PROVIDED AND/OR DISCOVERED BY: Chris Hessing, Open1X Group. ORIGINAL ADVISORY: HTC: http://www.htc.com/www/help/ Open1X Group: http://blog.mywarwithentropy.com/2012/02/8021x-password-exploit-on-many-htc.html US-CERT VU#763355: http://www.kb.cert.org/vuls/id/763355 OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Unspecified vulnerability in HP Network Automation 7.5x, 7.6x, 9.0, and 9.10 allows remote attackers to execute arbitrary code via unknown vectors. HP Network Automation is an automated network configuration management tool. Successful exploits will completely compromise the affected computer. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 SUPPORT COMMUNICATION - SECURITY BULLETIN Document ID: c03171149Version: 1 HPSBMU02738 SSRT100748 rev.1 - HP Network Automation Running on Linux, Solaris, and Windows, Remote Unauthorized Access NOTICE: The information in this Security Bulletin should be acted upon as soon as possible. References: CVE-2011-4790 SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed. The patch is available here: http://support.openview.hp.com/selfsolve/patches 1. Apply patch 2 or subsequent (Network Automation 09.10.02, NA_00015) HISTORY Version:1 (rev.1) - 30 January 2012 Initial Release Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy. Support: For issues about implementing the recommendations of this Security Bulletin, contact normal HP Services support channel. For other issues about the content of this Security Bulletin, send e-mail to security-alert@hp.com. Report: To report a potential security vulnerability with any HP supported product, send Email to: security-alert@hp.com Subscribe: To initiate a subscription to receive future HP Security Bulletin alerts via Email: http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins Security Bulletin List: A list of HP Security Bulletins, updated periodically, is contained in HP Security Notice HPSN-2011-001: https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c02964430 Security Bulletin Archive: A list of recently released Security Bulletins is available here: http://h20566.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/ Software Product Category: The Software Product Category is represented in the title by the two characters following HPSB. 3C = 3COM 3P = 3rd Party Software GN = HP General Software HF = HP Hardware and Firmware MP = MPE/iX MU = Multi-Platform Software NS = NonStop Servers OV = OpenVMS PI = Printing and Imaging PV = ProCurve ST = Storage Software TU = Tru64 UNIX UX = HP-UX Copyright 2012 Hewlett-Packard Development Company, L.P. Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental,special or consequential damages including downtime cost; lost profits;damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett-Packard Company and the names of Hewlett-Packard products referenced herein are trademarks of Hewlett-Packard Company in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) iEYEARECAAYFAk8nCGgACgkQ4B86/C0qfVlPxACgsMH5juKyYCBrEcdQvg5pegIv KlgAnikcp/UVeiF9+ihcbJVw9ph2GJoy =R+6J -----END PGP SIGNATURE----- . ---------------------------------------------------------------------- Secunia is hiring! Find your next job here: http://secunia.com/company/jobs/ ---------------------------------------------------------------------- TITLE: HP Network Automation Unspecified Security Bypass Vulnerability SECUNIA ADVISORY ID: SA47738 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/47738/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=47738 RELEASE DATE: 2012-01-31 DISCUSS ADVISORY: http://secunia.com/advisories/47738/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/47738/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=47738 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: A vulnerability has been reported in HP Network Automation, which can be exploited by malicious people to bypass certain security restrictions. SOLUTION: Update to version 9.10 and apply patch 2 or subsequent (Network Automation 09.10.02, NA_00015). PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: HPSBMU02738 SSRT100748: http://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03171149 OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Hitachi JP1/Performance Management has security vulnerabilities that allow attackers to conduct cross-site scripting attacks. Part of the input passed to the WEB console lacks filtering before returning to the user, allowing the attacker to build a malicious link, convincing the user to parse, executing arbitrary script code on the target user's browser, obtaining sensitive information or hijacking the user's session. This may help the attacker steal cookie-based authentication credentials and launch other attacks. ---------------------------------------------------------------------- The Secunia Vulnerability Intelligence Manager (VIM) enables you to handle vulnerability threats in a simple, cost effective way. Read more and request a free trial: http://secunia.com/products/corporate/vim/ ---------------------------------------------------------------------- TITLE: Hitachi JP1/Performance Management Web Console Cross-Site Scripting Vulnerability SECUNIA ADVISORY ID: SA45208 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/45208/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=45208 RELEASE DATE: 2011-07-15 DISCUSS ADVISORY: http://secunia.com/advisories/45208/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/45208/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=45208 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: A vulnerability has been reported in Hitachi JP1/Performance Management, which can be exploited by malicious people to conduct cross-site scripting attacks. Please see the vendor's advisory for the list of affected products. SOLUTION: Apply patches. Please see the vendor's advisory for more details. PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: HS11-014: http://www.hitachi.co.jp/Prod/comp/soft1/security/info/vuls/HS11-014/index.html OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Cisco IOS 12.4MDA before 12.4(24)MDA5 on the Cisco Content Services Gateway - Second Generation (CSG2) allows remote attackers to cause a denial of service (device reload) via crafted ICMP packets, aka Bug ID CSCtl79577. This issue is being tracked by Cisco Bug ID CSCtl79577. An unauthenticated, remote attacker could exploit this vulnerability by sending a series of crafted ICMP packets to an affected device. Exploitation could cause the device to reload. There are no workarounds available to mitigate exploitation of this vulnerability other than blocking ICMP traffic destined to the affected device. Determining Cisco CSG Software Versions To determine the version of Cisco IOS Software that is running on the Cisco CSG2, issue the "show module" command from Cisco IOS Software on the switch on which the Cisco CSG2 module is installed to identify what modules and sub-modules are installed on the system. --- ----- -------------------------------------- ------------------ ----------- 1 2 Supervisor Engine 720 (Active) WS-SUP720-3BXL JAF1226ARQS 2 1 SAMI Module (csgk9) WS-SVC-SAMI-BB-K9 SAD113906P1 4 48 CEF720 48 port 10/100/1000mb Ethernet WS-X6748-GE-TX SAL1127T6XY Mod MAC addresses Hw Fw Sw Status --- ---------------------------------- ------ ------------ ------------ ------- 1 001e.be6e.a018 to 001e.be6e.a01b 5.6 8.5(2) 12.2(33)SRC5 Ok 2 001d.45f8.f3dc to 001d.45f8.f3e3 2.1 8.7(0.22)FW1 12.4(2010040 Ok 4 001c.587a.ef20 to 001c.587a.ef4f 2.6 12.2(14r)S5 12.2(33)SRC5 Ok Mod Sub-Module Model Serial Hw Status ---- --------------------------- ------------------ ----------- ------- ------- 1 Policy Feature Card 3 WS-F6K-PFC3BXL JAF1226BNQM 1.8 Ok 1 MSFC3 Daughterboard WS-SUP720 JAF1226BNMC 3.1 Ok 2 SAMI Daughterboard 1 SAMI-DC-BB SAD114400L9 1.1 Other 2 SAMI Daughterboard 2 SAMI-DC-BB SAD114207FU 1.1 Other 4 Centralized Forwarding Card WS-F6700-CFC SAL1029VGFK 2.0 Ok Mod Online Diag Status ---- ------------------- 1 Pass 2 Pass 4 Pass C7600# After locating the correct slot, issue the "session slot <module number> processor <3-9>" command to open a console connection to the respective Cisco Content Services Gateway: Second Generation. For example: session slot 2 processor 3. The number 3 is the control processor (CP) number for the CSG2. Note: Other SAMI-based applications are not affected. The Cisco Gateway GPRS Support Node (GGSN), the Cisco Mobile Wireless Home Agent (HA), the Cisco Wireless Security Gateway (WSG), the Cisco Broadband Wireless Gateway and Cisco IP Transfer Point (ITP), and the Cisco Long Term Evolution (LTE) Gateway are not affected. The Cisco 7600 Series Router is not affected by this vulnerability, only the Cisco CSG (2nd generation) module is affected. No other Cisco products are currently known to be affected by this vulnerability. Details ======= The Cisco Content Services Gateway: Second Generation provides intelligent network capabilities such as flexible policy management and billing based on deep-packet inspection, as well as subscriber and application awareness capabilities that enable mobile operators to quickly and easily offer value-added, differentiated services over their mobile data networks. Note: The Cisco Gateway GPRS Support Node (GGSN), the Cisco Mobile Wireless Home Agent (HA), the Cisco Wireless Security Gateway (WSG), the Cisco Broadband Wireless Gateway and Cisco IP Transfer Point (ITP), and the Cisco Long Term Evolution (LTE) Gateway are not affected. Vulnerability Scoring Details +---------------------------- Cisco has provided scores for the vulnerability in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco has provided an FAQ to answer additional questions regarding CVSS at: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at: http://intellishield.cisco.com/security/alertmanager/cvss * CSCtl79577 - Crafted ICMP Packets may cause CSG2 to reload CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed Impact ====== Successful exploitation of this vulnerability could cause an affected device to reload. Repeated exploitation could result in a sustained DoS condition. Software Versions and Fixes =========================== When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance. Each row of the Cisco IOS software table (below) names a Cisco IOS release train. If a given release train is vulnerable, then the earliest possible releases that contain the fix (along with the anticipated date of availability for each, if applicable) are listed in the "First Fixed Release" column of the table. The "Recommended Release" column indicates the releases which have fixes for all the published vulnerability at the time of this Advisory. A device running a release in the given train that is earlier than the release in a specific column (less than the First Fixed Release) is known to be vulnerable. Cisco recommends upgrading to a release equal to or later than the release in the "Recommended Releases" column of the table. +---------------------------------------+ | Major | Availability of Repaired | | Release | Releases | |------------+--------------------------| | Affected | | | 12.x-Based | First Fixed Release | | Releases | | |------------+--------------------------| | 12.0 - | 12.0 through 12.3 based | | 12.3 | releases are not | | | affected | |------------+--------------------------| | Affected | | | 12.4-Based | First Fixed Release | | Releases | | |------------+--------------------------| | 12.4MD | Not vulnerable | |------------+--------------------------| | | All 12.4MDA releases | | 12.4MDA | prior to 12.4(24)MDA5 | | | are affected. First | | | fixed in 12.4(24)MDA5 | |------------+--------------------------| | 12.4MDB | Not vulnerable | |------------+--------------------------| | Affected | | | 15.X-Based | First Fixed Release | | Releases | | |------------+--------------------------| | 15.0 - | 15.0 through 15.1 based | | 15.1 | releases are not | | | affected | +---------------------------------------+ Workarounds =========== There are no available workarounds to mitigate this vulnerability other than applying infrastructure access control lists (iACLs) on the Cisco 7600 router to block ICMP traffic destined to the IP address of the Cisco CSG. Administrators can construct an iACL by explicitly permitting only authorized traffic to enter the network at ingress access points or permitting authorized traffic to transit the network in accordance with existing security policies and configurations. An iACL workaround cannot provide complete protection against these vulnerabilities when the attack originates from a trusted source address. The iACL policy denies unauthorized ICMP packet types, including echo request, echo-reply, host-unreachable, traceroute, packet-too-big, time-exceeded, and unreachable, that are sent to affected devices. In the following example, 192.168.60.0/24 is the IP address space that is used by the affected devices, and the host at 192.168.100.1 is considered a trusted source that requires access to the affected devices. Care should be taken to allow required traffic for routing and administrative access prior to denying all unauthorized traffic. Whenever possible, infrastructure address space should be distinct from the address space used for user and services segments. Using this addressing methodology will assist with the construction and deployment of iACLs. Additional information about iACLs is in Protecting Your Core: Infrastructure Protection Access Control Lists. ip access-list extended Infrastructure-ACL-Policy ! !-- Include explicit permit statements for trusted sources !-- that require access on the vulnerable protocol ! permit icmp host 192.168.100.1 192.168.60.0 0.0.0.255 echo permit icmp host 192.168.100.1 192.168.60.0 0.0.0.255 echo-reply permit icmp host 192.168.100.1 192.168.60.0 0.0.0.255 host-unreachable permit icmp host 192.168.100.1 192.168.60.0 0.0.0.255 traceroute permit icmp host 192.168.100.1 192.168.60.0 0.0.0.255 packet-too-big permit icmp host 192.168.100.1 192.168.60.0 0.0.0.255 time-exceeded permit icmp host 192.168.100.1 192.168.60.0 0.0.0.255 unreachable ! !-- The following vulnerability-specific access control entries !-- (ACEs) can aid in identification of attacks ! deny icmp any 192.168.60.0 0.0.0.255 echo deny icmp any 192.168.60.0 0.0.0.255 echo-reply deny icmp any 192.168.60.0 0.0.0.255 host-unreachable deny icmp any 192.168.60.0 0.0.0.255 traceroute deny icmp any 192.168.60.0 0.0.0.255 packet-too-big deny icmp any 192.168.60.0 0.0.0.255 time-exceeded deny icmp any 192.168.60.0 0.0.0.255 unreachable ! !-- Explicit deny ACE for traffic sent to addresses configured within !-- the infrastructure address space ! deny ip any 192.168.60.0 0.0.0.255 ! !-- Permit or deny all other Layer 3 and Layer 4 traffic in accordance !-- with existing security policies and configurations ! !-- Apply iACL to interfaces in the ingress direction ! interface GigabitEthernet0/0 ip access-group Infrastructure-ACL-Policy in Additional mitigations that can be deployed on Cisco devices within the network are available in the Cisco Applied Mitigation Bulletin companion document for this advisory, which is available at the following link: http://www.cisco.com/warp/public/707/cisco-amb-20110706-csg.shtml Obtaining Fixed Software ======================== Cisco has released free software updates that address this vulnerability. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at: http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html or as otherwise set forth at Cisco.com Downloads at: http://www.cisco.com/public/sw-center/sw-usingswc.shtml Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Customers with Service Contracts +------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com. Customers using Third Party Support Organizations +------------------------------------------------ Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory. The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed. Customers without Service Contracts +---------------------------------- Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac@cisco.com Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Refer to: http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages. Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory. This vulnerability was found during internal testing. Status of this Notice: FINAL ============================ THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at : http://www.cisco.com/warp/public/707/cisco-sa-20110706-csg.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce@cisco.com * first-bulletins@lists.first.org * bugtraq@securityfocus.com * vulnwatch@vulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.grok.org.uk * comp.dcom.sys.cisco@newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +---------------------------------------+ | Revision | | Initial | | 1.0 | 2011-July-06 | public | | | | release. | +---------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at: http://www.cisco.com/go/psirt +-------------------------------------------------------------------- Copyright 2010-2011 Cisco Systems, Inc. All rights reserved. +-------------------------------------------------------------------- -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (SunOS) iFcDBQFOFH2OQXnnBKKRMNARCAqmAP9fvGEVMGbceYlLdKOUdF56bWsbDLEerSIM MASXq1IfLwD/VVBOZhprC1czwhOPulRma0Iw5Y2rfcErfqQdBhZiTCw= =cKiB -----END PGP SIGNATURE----- . ---------------------------------------------------------------------- The Secunia Vulnerability Intelligence Manager (VIM) enables you to handle vulnerability threats in a simple, cost effective way. Read more and request a free trial: http://secunia.com/products/corporate/vim/ ---------------------------------------------------------------------- TITLE: Cisco Content Services Gateway ICMP Messages Denial of Service Vulnerability SECUNIA ADVISORY ID: SA45148 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/45148/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=45148 RELEASE DATE: 2011-07-08 DISCUSS ADVISORY: http://secunia.com/advisories/45148/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/45148/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=45148 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: A vulnerability has been reported in Cisco Content Services Gateway (CSG2), which can be exploited by malicious people to cause a DoS (Denial of Service). Please see the vendor's advisory for a list of affected IOS Software. SOLUTION: Apply fixes (please see the vendor's advisory for details). PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: http://www.cisco.com/warp/public/707/cisco-sa-20110706-csg.shtml OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Cross-site scripting (XSS) vulnerability in the Violations Table in the management GUI in the MX Management Server in Imperva SecureSphere Web Application Firewall (WAF) 9.0 allows remote attackers to inject arbitrary web script or HTML via the username field. Imperva SecureSphere Web Application Firewall is prone to an HTML-injection vulnerability prone to an because they fail to properly sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials, control how the site is rendered to the user, or launch other attacks. SecureSphere Web Application Firewall 9.0 is vulnerable. ---------------------------------------------------------------------- Secunia presentations @ RSA Conference 2012, San Francisco, USA, 27 Feb-02 March Listen to our Chief Security Specialist, Research Analyst Director, and Director Product Management & Quality Assurance discuss the industry's key topics. Also, visit the Secunia stand #817. Find out more: http://www.rsaconference.com/events/2012/usa/index.htm ---------------------------------------------------------------------- TITLE: SecureSphere Web Application Firewall Username Script Insertion Vulnerability SECUNIA ADVISORY ID: SA48086 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/48086/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=48086 RELEASE DATE: 2012-02-17 DISCUSS ADVISORY: http://secunia.com/advisories/48086/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/48086/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=48086 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Roger Wemyss has reported a vulnerability in SecureSphere Web Application Firewall, which can be exploited by malicious people to conduct script insertion attacks. Certain input passed to a web server protected by SecureSphere is not properly sanitised before being displayed to the user. The vulnerability is reported in version 9.0. SOLUTION: Update to version 9.0 Patch 1. PROVIDED AND/OR DISCOVERED BY: Roger Wemyss, Dell SecureWorks ORIGINAL ADVISORY: SecureSphere: http://www.imperva.com/resources/adc/adc_advisories_response_secureworks_CVE-2011-4887.html Dell SecureWorks: http://www.secureworks.com/research/advisories/SWRX-2012-002/ OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . This fixes a vulnerability, which can be exploited by malicious people to compromise an application using the library. For more information see vulnerability #6 in: SA47816 SOLUTION: Apply updated packages

ClearSCADA is an integrated SCADA host platform that includes a rotation training engine, real-time database, web server, alarm processor and reporting software. ClearSCADA has a security authentication bypass vulnerability that allows an attacker to exploit sensitive information or perform unauthorized operations. Control Microsystems ClearSCADA is prone to a security-bypass vulnerability that may allow attackers to perform actions without proper authorization. Versions prior to ClearSCADA 2010 R1.1 are vulnerable. ---------------------------------------------------------------------- The Secunia CSI 5.0 Beta - now available for testing Find out more, take a free test drive, and share your opinion with us: http://secunia.com/blog/242 ---------------------------------------------------------------------- TITLE: Serck SCX ClearSCADA Web Interface Authentication Bypass Vulnerability SECUNIA ADVISORY ID: SA45913 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/45913/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=45913 RELEASE DATE: 2011-09-06 DISCUSS ADVISORY: http://secunia.com/advisories/45913/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/45913/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=45913 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: A vulnerability has been reported in Serck SCX, which can be exploited by malicious people to bypass certain security restrictions. For more information: SA45854 The vulnerability is reported in the following products. * Serck SCX version 67 R4.5 * Serck SCX version 68 R3.9 SOLUTION: Update to a fixed version. Contact the vendor for further information. PROVIDED AND/OR DISCOVERED BY: ICS-CERT credits Jeremy Brown. ORIGINAL ADVISORY: ICS-CERT (ICSA-11-173-01): http://www.us-cert.gov/control_systems/pdf/ICSA-11-173-01.pdf OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Directory traversal vulnerability in the web interface in HomeSeer HS2 2.5.0.20 allows remote attackers to access arbitrary files via unspecified vectors. HomeSeer HS2 home automation software web interface contains multiple vulnerabilities. An attacker can request a WEB page like http://ipaddress/example<script>alert(document.cookie)</script> to store JavaScript in In the log view page. Viewing the log file by the administrator can cause JavaScript to execute in the target browser. A successful CSRFG attack allows an attacker to run commands as an administrator user. An HTML-injection vulnerability. 2. A cross-site request-forgery vulnerability. 3. A directory-traversal vulnerability. Attackers can exploit these issues to perform certain actions in the context of an authorized user's session, run arbitrary HTML and script code, and transfer files outside of the web directory. Other attacks may also be possible. HomeSeer HS2 2.5.0.20 is vulnerable; prior versions may also be affected. ---------------------------------------------------------------------- Secunia is hiring! Find your next job here: http://secunia.com/company/jobs/ ---------------------------------------------------------------------- TITLE: HomeSeer HS2 Cross-Site Request Forgery and Script Insertion Vulnerabilities SECUNIA ADVISORY ID: SA47191 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/47191/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=47191 RELEASE DATE: 2011-12-09 DISCUSS ADVISORY: http://secunia.com/advisories/47191/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/47191/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=47191 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Two vulnerabilities have been discovered in HomeSeer HS2, which can be exploited by malicious people to conduct cross-site request forgery and script insertion attacks. 1) Input passed via the URL is not properly sanitised before being used. 2) The application allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to e.g. execute commands on a system by tricking a user into visiting a malicious web site. The vulnerabilities are confirmed in version 2.5.0.23. SOLUTION: Filter malicious characters and character sequences in a proxy. Do not browse untrusted websites or follow untrusted links while logged in to the application. PROVIDED AND/OR DISCOVERED BY: US-CERT credits Silent Dream ORIGINAL ADVISORY: US-CERT (VU#796883): http://www.kb.cert.org/vuls/id/796883 OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

ovbbccb.exe 6.20.50.0 and other versions in HP OpenView Performance Agent 4.70 and 5.0; and Operations Agent 11.0, 8.60.005, 8.60.006, 8.60.007, 8.60.008, 8.60.501, and 8.53; allows remote attackers to delete arbitrary files via a full pathname in the File field in a Register command. HP Operations Manager is prone to an arbitrary-file-deletion vulnerability. An attacker can exploit this issue to delete arbitrary files on an affected computer. Successful exploits will result in a denial-of-service condition or the corruption of applications running on the affected computer. References: CVE-2011-2608, SA45079, SA44321 SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed. HP Performance Agent v5.0, and v4.70 running on AIX, HP-UX, Linux, Solaris, and Windows; Operations Agent v11.0, v8.60.0xx, v8.60.5xx running on AIX, HP-UX, Linux, Solaris, and Windows. BACKGROUND CVSS 2.0 Base Metrics =========================================================== Reference Base Vector Base Score CVE-2011-2608 (AV:N/AC:L/Au:N/C:P/I:C/A:C) 9.7 =========================================================== Information on CVSS is documented in HP Customer Notice: HPSN-2008-002 The Hewlett-Packard Company thanks Abdul-Aziz Hariri coordinating with Secunia for reporting this vulnerability to security-alert@hp.com RESOLUTION HP has provided the following resolve this vulnerability. Please contact your HP Software support channel to request the hotfixes below. For Performance Agent v5.0 and v4.7 please request this hotfix from support: Performance Agent/OVPA_C.05.00.100_ALL/ Security issue, no details available For Operations Agent v11.0 please install the latest patch v11.01.003 For Operations Agent v8.60.005, c8.60.006, v8.60.007, v8.60.008 please request hotfix from support: LCore/Lcore_06.20/ Security issue, no details available For Operations Agent v8.60.501 please request hotfix from support: LCore/Lcore_06.21.501/ Security issue, no details available For Operations Agent v8.53 request hotfix from support: LCore/Lcore_06.20/ Security issue, no details available HISTORY Version:1 (rev.1) - 18 July 2011 Initial Release Version:2 (rev.2) - 27 July 2011 Re-release Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy. Support: For further information, contact normal HP Services support channel. Report: To report a potential security vulnerability with any HP supported product, send Email to: security-alert@hp.com Subscribe: To initiate a subscription to receive future HP Security Bulletin alerts via Email: http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins Software Product Category: The Software Product Category is represented in the title by the two characters following HPSB. 3C = 3COM 3P = 3rd Party Software GN = HP General Software HF = HP Hardware and Firmware MP = MPE/iX MU = Multi-Platform Software NS = NonStop Servers OV = OpenVMS PI = Printing and Imaging PV = ProCurve ST = Storage Software TU = Tru64 UNIX UX = HP-UX Copyright 2011 Hewlett-Packard Development Company, L.P. Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental,special or consequential damages including downtime cost; lost profits;damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett-Packard Company and the names of Hewlett-Packard products referenced herein are trademarks of Hewlett-Packard Company in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) iEYEARECAAYFAk4xmnYACgkQ4B86/C0qfVmjYgCfecas6Z8B7Yz0lE914CADLCWl JHwAnipHP6J3ehLiL9oLhQ4gsvWD+8Ua =V0C9 -----END PGP SIGNATURE----- . ---------------------------------------------------------------------- Frost & Sullivan 2011 Report: Secunia Vulnerability Research \"Frost & Sullivan believes that Secunia continues to be a major player in the vulnerability research market due to its diversity of products that provide best-in-class coverage, quality, and usability.\" This is just one of the key factors that influenced Frost & Sullivan to select Secunia over other companies. Read the report here: http://secunia.com/products/corporate/vim/fs_request_2011/ ---------------------------------------------------------------------- TITLE: HP Operations Manager OV Communication Broker Arbitrary File Deletion SECUNIA ADVISORY ID: SA45079 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/45079/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=45079 RELEASE DATE: 2011-06-28 DISCUSS ADVISORY: http://secunia.com/advisories/45079/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/45079/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=45079 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Luigi Auriemma has discovered a vulnerability in HP Operations Manager, which can be exploited by malicious people to delete files on a vulnerable system. The vulnerability is caused due to the OV Communications Broker service (ovbbccb.exe) deleting a file specified in a received "Register" request. SOLUTION: Restrict access to the OV Communication Broker service. PROVIDED AND/OR DISCOVERED BY: Luigi Auriemma ORIGINAL ADVISORY: Luigi Auriemma: http://aluigi.altervista.org/adv/ovbbccb_1-adv.txt OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Buffer overflow in an unspecified third-party component in the Batch module for Schneider Electric CitectSCADA before 7.20 and Mitsubishi MX4 SCADA before 7.20 allows local users to execute arbitrary code via a long string in a login sequence. CitectSCADA is software for providing monitoring and control functions in the Data Acquisition and Monitoring System (SCADA). A buffer overflow vulnerability exists in CitectSCADA and Mitsubishi MX4 SCADA version 7.10. This vulnerability affects the Batch server module, which can be exploited by an attacker to run arbitrary code in the context of an application, and a failed attack attempt will result in a denial of service. CitectSCADA is an industrial control software used by Mitsubishi MX4 and Schneider Electric. Careful construction of string data can execute arbitrary code in the application context. CitectSCADA and Mitsubishi MX4 SCADA are prone to a buffer-overflow vulnerability that affects the Batch server module. Failed exploit attempts will result in a denial-of-service condition. The following versions are vulnerable: CitectSCADA 7.10 and prior Mitsubishi MX4 SCADA 7.10 and prior. Citectscada is prone to a local security vulnerability. ---------------------------------------------------------------------- Ovum says ad hoc tools are out-dated. The best practice approach? Fast vulnerability intelligence, threat handling, and setup in one tool. Read the new report on the Secunia VIM: http://secunia.com/products/corporate/vim/ovum_2011_request/ ---------------------------------------------------------------------- TITLE: Schneider Electric CitectSCADA Batch Server Login Buffer Overflow Vulnerability SECUNIA ADVISORY ID: SA46779 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/46779/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=46779 RELEASE DATE: 2011-11-09 DISCUSS ADVISORY: http://secunia.com/advisories/46779/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/46779/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=46779 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: A vulnerability has been reported in Schneider Electric CitectSCADA, which can be exploited by malicious people to compromise a vulnerable system. Successful exploitation may allow execution of arbitrary code. SOLUTION: Update to a fixed version. Please contact the vendor for details. PROVIDED AND/OR DISCOVERED BY: ICS-CERT credits Kuang-Chun Hung, Taiwan\x92s Information and Communication Security Technology Center (ICST). ORIGINAL ADVISORY: CitectSCADA: http://www.citect.com/citectscada-batch ICS-CERT: http://www.us-cert.gov/control_systems/pdf/ICSA-11-279-02.pdf OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . The application bundles a vulnerable version of CitectSCADA

Cross-site scripting (XSS) vulnerability in Adobe RoboHelp 8 and 9 before 9.0.1.262, and RoboHelp Server 8 and 9, allows remote attackers to inject arbitrary web script or HTML via the URI, related to template_stock/whutils.js. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. ---------------------------------------------------------------------- The Secunia CSI 5.0 Beta - now available for testing Find out more, take a free test drive, and share your opinion with us: http://secunia.com/blog/242 ---------------------------------------------------------------------- TITLE: Adobe RoboHelp Unspecified Cross-Site Scripting Vulnerability SECUNIA ADVISORY ID: SA45586 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/45586/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=45586 RELEASE DATE: 2011-08-11 DISCUSS ADVISORY: http://secunia.com/advisories/45586/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/45586/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=45586 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: A vulnerability has been reported in Adobe RoboHelp, which can be exploited by malicious people to conduct cross-site scripting attacks. Certain unspecified input is not properly sanitised before being returned to the user. SOLUTION: Apply update (please see the vendor's advisory for details). PROVIDED AND/OR DISCOVERED BY: The vendor credits Roberto Suggi Liverani, Security-Assessment.com. ORIGINAL ADVISORY: APSB11-23: http://www.adobe.com/support/security/bulletins/apsb11-23.html OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 National Cyber Alert System Technical Cyber Security Alert TA11-222A Adobe Updates for Multiple Vulnerabilities Original release date: August 10, 2011 Last revised: -- Source: US-CERT Systems Affected * Shockwave Player 11.6.0.626 and earlier versions for Windows and Macintosh * Flash Media Server 4.0.2 and earlier versions for Windows and Linux * Flash Media Server 3.5.6 and earlier versions for Windows and Linux * Adobe Flash Player 10.3.181.36 and earlier versions for Windows, Macintosh, Linux, and Solaris operating systems * Adobe Flash Player 10.3.185.25 and earlier versions for Android * Adobe AIR 2.7 and earlier versions for Windows, Macintosh, and Android * Adobe Photoshop CS5 and CS5.1 and earlier versions for Windows and Macintosh * RoboHelp 9 (versions 9.0.1.232 and earlier), RoboHelp 8, RoboHelp Server 9, and RoboHelp Server 8 for Windows Overview There are multiple vulnerabilities in Adobe Shockwave Player, Flash Media Server, Flash Player, Photoshop CS5, and RoboHelp. Adobe has released updates to address these vulnerabilities. I. Description Adobe security bulletins APSB11-19, APSB11-20, APSB11-21, APSB11-22, and APSB11-23 describe multiple vulnerabilities in Adobe Shockwave Player, Flash Media Server, Flash Player, Photoshop CS5, and RoboHelp. An attacker may use these vulnerabilities to run malicious code or cause a denial of service on an affected system. Adobe has released updates to address these vulnerabilities. II. Impact These vulnerabilities could allow an attacker to run malicious code on the affected system or cause a denial of service. III. Solution Users of these Adobe products should review the relevant Adobe security bulletins and follow the recommendations in the "Solution" section. APSB11-19: Security update available for Adobe Shockwave Player APSB11-20: Security update available for Adobe Flash Media Server APSB11-21: Security update available for Adobe Flash Player APSB11-22: Security update available for Adobe Photoshop CS5 APSB11-23: Security updates available for RoboHelp IV. References * Security update available for Adobe Shockwave Player - <http://www.adobe.com/support/security/bulletins/apsb11-19.html> * Security update available for Adobe Flash Media Server - <http://www.adobe.com/support/security/bulletins/apsb11-20.html> * Security update available for Adobe Flash Player - <http://www.adobe.com/support/security/bulletins/apsb11-21.html> * Security update available for Adobe Photoshop CS5 - <http://www.adobe.com/support/security/bulletins/apsb11-22.html> * Security updates available for RoboHelp - <http://www.adobe.com/support/security/bulletins/apsb11-23.html> ____________________________________________________________________ The most recent version of this document can be found at: <http://www.us-cert.gov/cas/techalerts/TA11-222A.html> ____________________________________________________________________ Feedback can be directed to US-CERT Technical Staff. Please send email to <cert@cert.org> with "TA11-222A Feedback VU#628023" in the subject. ____________________________________________________________________ For instructions on subscribing to or unsubscribing from this mailing list, visit <http://www.us-cert.gov/cas/signup.html>. ____________________________________________________________________ Produced 2011 by US-CERT, a government organization. Terms of use: <http://www.us-cert.gov/legal.html> ____________________________________________________________________ Revision History August 10, 2011: Initial release -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) iQEVAwUBTkKXaz6pPKYJORa3AQL/lQgAgO8eDjAJt7tFpd9jW8YY0yf92QY84f2r TQcMgYyxhyyuA0joIWQ7k6BkszfNns03tr6k9ay2r2e3dICUhtgugh20yeoyV6ua gwII/qNhPoVPlt3z3yJR4BQzhlyAYMlG4CKJWxX84Hkpq9FeQYDRO6Ni8WF2wiUC eeT7feK10Q+3w0UZinW11Cz6GISqQeb8E0YVX7lNH8svA/Du9UdOFnRgbWeBRtM9 4Fj+eRVdYqxpxy7z85EPIGwrKIop/D/HXaaNpXbkru1iXkLvAbBi2hpd4aeaQHva wpaAuNYwv5WxbdmcarXuJqs3a0v9+Mwd39bf8OxqUXLUX8h4LyGWJA== =QDsc -----END PGP SIGNATURE-----

The (1) IPv4 and (2) IPv6 implementations in the Linux kernel before 3.1 use a modified MD4 algorithm to generate sequence numbers and Fragment Identification values, which makes it easier for remote attackers to cause a denial of service (disrupted networking) or hijack network sessions by predicting these values and sending crafted packets. The Linux kernel is prone to a security weakness related to TCP sequence number generation. Attackers can exploit this issue to inject arbitrary packets into TCP sessions using brute force attack, to perform unauthorized actions. Attackers can cause a denial-of-service condition by injecting a SYN or RST packet into the TCP session, which terminates the established connection. Other attacks such as man-in-the-middle attacks are also possible. The NFSv4 implementation is one of the distributed file system protocols. (CVE-2011-2695) Fernando Gont discovered that the IPv6 stack used predictable fragment identification numbers. ========================================================================== Ubuntu Security Notice USN-1241-1 October 25, 2011 linux-fsl-imx51 vulnerabilities ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 10.04 LTS Summary: Several security issues were fixed in the kernel. Software Description: - linux-fsl-imx51: Linux kernel for IMX51 Details: It was discovered that the Stream Control Transmission Protocol (SCTP) implementation incorrectly calculated lengths. If the net.sctp.addip_enable variable was turned on, a remote attacker could send specially crafted traffic to crash the system. (CVE-2011-1573) Ryan Sweat discovered that the kernel incorrectly handled certain VLAN packets. (CVE-2011-1576) Timo Warns discovered that the EFI GUID partition table was not correctly parsed. A physically local attacker that could insert mountable devices could exploit this to crash the system or possibly gain root privileges. (CVE-2011-1776) Dan Rosenberg discovered that the IPv4 diagnostic routines did not correctly validate certain requests. (CVE-2011-2213) Vasiliy Kulikov discovered that taskstats did not enforce access restrictions. A local attacker could exploit this to read certain information, leading to a loss of privacy. (CVE-2011-2494) Vasiliy Kulikov discovered that /proc/PID/io did not enforce access restrictions. A local attacker could exploit this to read certain information, leading to a loss of privacy. (CVE-2011-2495) Robert Swiecki discovered that mapping extensions were incorrectly handled. (CVE-2011-2496) Dan Rosenberg discovered that the Bluetooth stack incorrectly handled certain L2CAP requests. If a system was using Bluetooth, a remote attacker could send specially crafted traffic to crash the system or gain root privileges. (CVE-2011-2497) It was discovered that the wireless stack incorrectly verified SSID lengths. (CVE-2011-2517) Ben Pfaff discovered that Classless Queuing Disciplines (qdiscs) were being incorrectly handled. (CVE-2011-2525) It was discovered that the EXT4 filesystem contained multiple off-by-one flaws. (CVE-2011-2695) Herbert Xu discovered that certain fields were incorrectly handled when Generic Receive Offload (CVE-2011-2723) Christian Ohm discovered that the perf command looks for configuration files in the current directory. If a privileged user were tricked into running perf in a directory containing a malicious configuration file, an attacker could run arbitrary commands and possibly gain privileges. (CVE-2011-2905) Vasiliy Kulikov discovered that the Comedi driver did not correctly clear memory. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy. (CVE-2011-2909) Time Warns discovered that long symlinks were incorrectly handled on Be filesystems. (CVE-2011-3188) Darren Lavender discovered that the CIFS client incorrectly handled certain large values. A remote attacker with a malicious server could exploit this to crash the system or possibly execute arbitrary code as the root user. (CVE-2011-3191) Yogesh Sharma discovered that CIFS did not correctly handle UNCs that had no prefixpaths. (CVE-2011-3363) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 10.04 LTS: linux-image-2.6.31-611-imx51 2.6.31-611.29 After a standard system update you need to reboot your computer to make all the necessary changes. ATTENTION: Due to an unavoidable ABI change the kernel updates have been given a new version number, which requires you to recompile and reinstall all third party kernel modules you might have installed. Unless you manually uninstalled the standard kernel metapackages (e.g. linux-generic, linux-server, linux-powerpc), a standard system upgrade will automatically perform this as well. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Note: the current version of the following document is available here: https://h20564.www2.hp.com/portal/site/hpsc/public/kb/ docDisplay?docId=emr_na-c04135307 SUPPORT COMMUNICATION - SECURITY BULLETIN Document ID: c04135307 Version: 1 HPSBGN02970 rev.1 - HP Rapid Deployment Pack (RDP) or HP Insight Control Server Deployment, Multiple Remote Vulnerabilities affecting Confidentiality, Integrity and Availability NOTICE: The information in this Security Bulletin should be acted upon as soon as possible. Release Date: 2014-03-10 Last Updated: 2014-03-10 Potential Security Impact: Multiple remote vulnerabilities affecting confidentiality, integrity and availability Source: Hewlett-Packard Company, HP Software Security Response Team VULNERABILITY SUMMARY Potential vulnerabilities have been identified with HP Rapid Deployment Pack (RDP) or HP Insight Control Server Deployment. The vulnerabilities could be exploited remotely affecting confidentiality, integrity and availability. References: CVE-2010-4008 CVE-2010-4494 CVE-2011-2182 CVE-2011-2213 CVE-2011-2492 CVE-2011-2518 CVE-2011-2689 CVE-2011-2723 CVE-2011-3188 CVE-2011-4077 CVE-2011-4110 CVE-2012-0058 CVE-2012-0879 CVE-2012-1088 CVE-2012-1179 CVE-2012-2137 CVE-2012-2313 CVE-2012-2372 CVE-2012-2373 CVE-2012-2375 CVE-2012-2383 CVE-2012-2384 CVE-2013-6205 CVE-2013-6206 SSRT101443 SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed. HP Rapid Deployment Pack (RDP) -- All versions HP Insight Control Server Deployment -- All versions BACKGROUND CVSS 2.0 Base Metrics =========================================================== Reference Base Vector Base Score CVE-2013-6205 (AV:L/AC:M/Au:S/C:P/I:P/A:P) 4.1 CVE-2013-6206 (AV:N/AC:L/Au:N/C:C/I:P/A:P) 9.0 CVE-2010-4008 (AV:N/AC:M/Au:N/C:N/I:N/A:P) 4.3 CVE-2010-4494 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0 CVE-2011-2182 (AV:L/AC:L/Au:N/C:C/I:C/A:C) 7.2 CVE-2011-2213 (AV:L/AC:L/Au:N/C:N/I:N/A:C) 4.9 CVE-2011-2492 (AV:L/AC:M/Au:N/C:P/I:N/A:N) 1.9 CVE-2011-2518 (AV:L/AC:L/Au:N/C:N/I:N/A:C) 4.9 CVE-2011-2689 (AV:L/AC:L/Au:N/C:N/I:N/A:C) 4.9 CVE-2011-2723 (AV:A/AC:M/Au:N/C:N/I:N/A:C) 5.7 CVE-2011-3188 (AV:N/AC:M/Au:N/C:P/I:P/A:P) 6.8 CVE-2011-4077 (AV:L/AC:M/Au:N/C:C/I:C/A:C) 6.9 CVE-2011-4110 (AV:L/AC:L/Au:N/C:N/I:N/A:P) 2.1 CVE-2012-0058 (AV:L/AC:L/Au:N/C:N/I:N/A:C) 4.9 CVE-2012-0879 (AV:L/AC:L/Au:N/C:N/I:N/A:C) 4.9 CVE-2012-1088 (AV:L/AC:M/Au:N/C:N/I:P/A:P) 3.3 CVE-2012-1179 (AV:A/AC:M/Au:S/C:N/I:N/A:C) 5.2 CVE-2012-2137 (AV:L/AC:M/Au:N/C:C/I:C/A:C) 6.9 CVE-2012-2313 (AV:L/AC:H/Au:N/C:N/I:N/A:P) 1.2 CVE-2012-2372 (AV:L/AC:M/Au:S/C:N/I:N/A:C) 4.4 CVE-2012-2373 (AV:L/AC:H/Au:N/C:N/I:N/A:C) 4.0 CVE-2012-2375 (AV:A/AC:H/Au:N/C:N/I:N/A:C) 4.6 CVE-2012-2383 (AV:L/AC:L/Au:N/C:N/I:N/A:C) 4.9 CVE-2012-2384 (AV:L/AC:L/Au:N/C:N/I:N/A:C) 4.9 =========================================================== Information on CVSS is documented in HP Customer Notice: HPSN-2008-002 RESOLUTION HP recommends that HP Rapid Deployment Pack (RDP) or HP Insight Control Server Deployment should only be run on private secure networks to prevent the risk of security compromise. HISTORY Version:1 (rev.1) - 10 March 2014 Initial release Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy. Support: For issues about implementing the recommendations of this Security Bulletin, contact normal HP Services support channel. For other issues about the content of this Security Bulletin, send e-mail to security-alert@hp.com. Report: To report a potential security vulnerability with any HP supported product, send Email to: security-alert@hp.com Subscribe: To initiate a subscription to receive future HP Security Bulletin alerts via Email: http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins Security Bulletin Archive: A list of recently released Security Bulletins is available here: https://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/ Software Product Category: The Software Product Category is represented in the title by the two characters following HPSB. 3C = 3COM 3P = 3rd Party Software GN = HP General Software HF = HP Hardware and Firmware MP = MPE/iX MU = Multi-Platform Software NS = NonStop Servers OV = OpenVMS PI = Printing and Imaging PV = ProCurve ST = Storage Software TU = Tru64 UNIX UX = HP-UX Copyright 2014 Hewlett-Packard Development Company, L.P. Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental,special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett-Packard Company and the names of Hewlett-Packard products referenced herein are trademarks of Hewlett-Packard Company in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Important: kernel-rt security and bug fix update Advisory ID: RHSA-2012:0010-01 Product: Red Hat Enterprise MRG for RHEL-6 Advisory URL: https://rhn.redhat.com/errata/RHSA-2012-0010.html Issue date: 2012-01-10 CVE Names: CVE-2011-1162 CVE-2011-2494 CVE-2011-2723 CVE-2011-2898 CVE-2011-3188 CVE-2011-3191 CVE-2011-3353 CVE-2011-3359 CVE-2011-3363 CVE-2011-3637 CVE-2011-4081 CVE-2011-4110 CVE-2011-4132 CVE-2011-4326 ===================================================================== 1. Summary: Updated kernel-rt packages that fix several security issues and two bugs are now available for Red Hat Enterprise MRG 2.0. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. 2. Relevant releases/architectures: MRG Realtime for RHEL 6 Server v.2 - noarch, x86_64 3. Description: The kernel-rt packages contain the Linux kernel, the core of any Linux operating system. This update fixes the following security issues: * A malicious CIFS (Common Internet File System) server could send a specially-crafted response to a directory read request that would result in a denial of service or privilege escalation on a system that has a CIFS share mounted. (CVE-2011-3191, Important) * The way fragmented IPv6 UDP datagrams over the bridge with UDP Fragmentation Offload (UFO) functionality on were handled could allow a remote attacker to cause a denial of service. (CVE-2011-4326, Important) * GRO (Generic Receive Offload) fields could be left in an inconsistent state. An attacker on the local network could use this flaw to cause a denial of service. GRO is enabled by default in all network drivers that support it. (CVE-2011-2723, Moderate) * IPv4 and IPv6 protocol sequence number and fragment ID generation could allow a man-in-the-middle attacker to inject packets and possibly hijack connections. Protocol sequence numbers and fragment IDs are now more random. (CVE-2011-3188, Moderate) * A flaw in the FUSE (Filesystem in Userspace) implementation could allow a local user in the fuse group who has access to mount a FUSE file system to cause a denial of service. (CVE-2011-3353, Moderate) * A flaw in the b43 driver. If a system had an active wireless interface that uses the b43 driver, an attacker able to send a specially-crafted frame to that interface could cause a denial of service. (CVE-2011-3359, Moderate) * A flaw in the way CIFS shares with DFS referrals at their root were handled could allow an attacker on the local network, who is able to deploy a malicious CIFS server, to create a CIFS network share that, when mounted, would cause the client system to crash. (CVE-2011-3363, Moderate) * A flaw in the m_stop() implementation could allow a local, unprivileged user to trigger a denial of service. (CVE-2011-3637, Moderate) * Flaws in ghash_update() and ghash_final() could allow a local, unprivileged user to cause a denial of service. (CVE-2011-4081, Moderate) * A flaw in the key management facility could allow a local, unprivileged user to cause a denial of service via the keyctl utility. (CVE-2011-4110, Moderate) * A flaw in the Journaling Block Device (JBD) could allow a local attacker to crash the system by mounting a specially-crafted ext3 or ext4 disk. (CVE-2011-4132, Moderate) * A flaw in the way memory containing security-related data was handled in tpm_read() could allow a local, unprivileged user to read the results of a previously run TPM command. (CVE-2011-1162, Low) * I/O statistics from the taskstats subsystem could be read without any restrictions, which could allow a local, unprivileged user to gather confidential information, such as the length of a password used in a process. (CVE-2011-2494, Low) * Flaws in tpacket_rcv() and packet_recvmsg() could allow a local, unprivileged user to leak information to user-space. (CVE-2011-2898, Low) Red Hat would like to thank Darren Lavender for reporting CVE-2011-3191; Brent Meshier for reporting CVE-2011-2723; Dan Kaminsky for reporting CVE-2011-3188; Yogesh Sharma for reporting CVE-2011-3363; Nick Bowler for reporting CVE-2011-4081; Peter Huewe for reporting CVE-2011-1162; and Vasiliy Kulikov of Openwall for reporting CVE-2011-2494. This update also fixes the following bugs: * Previously, a mismatch in the build-id of the kernel-rt and the one in the related debuginfo package caused failures in SystemTap and perf. (BZ#768413) * IBM x3650m3 systems were not able to boot the MRG Realtime kernel because they require a pmcraid driver that was not available. The pmcraid driver is included in this update. (BZ#753992) Users should upgrade to these updated packages, which correct these issues. The system must be rebooted for this update to take effect. 4. Solution: Before applying this update, make sure all previously-released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/kb/docs/DOC-11259 To install kernel packages manually, use "rpm -ivh [package]". Do not use "rpm -Uvh" as that will remove the running kernel binaries from your system. You may use "rpm -e" to remove old kernels after determining that the new kernel functions properly on your system. 5. Bugs fixed (http://bugzilla.redhat.com/): 716842 - CVE-2011-2494 kernel: taskstats io infoleak 726552 - CVE-2011-2723 kernel: gro: only reset frag0 when skb can be pulled 728023 - CVE-2011-2898 kernel: af_packet: infoleak 732629 - CVE-2011-1162 kernel: tpm: infoleak 732658 - CVE-2011-3188 kernel: net: improve sequence number generation 732869 - CVE-2011-3191 kernel: cifs: signedness issue in CIFSFindNext() 736761 - CVE-2011-3353 kernel: fuse: check size of FUSE_NOTIFY_INVAL_ENTRY message 738202 - CVE-2011-3359 kernel: b43: allocate receive buffers big enough for max frame len + offset 738291 - CVE-2011-3363 kernel: cifs: always do is_path_accessible check in cifs_mount 747848 - CVE-2011-3637 kernel: proc: fix oops on invalid /proc/<pid>/maps access 749475 - CVE-2011-4081 kernel: crypto: ghash: null pointer deref if no key is set 751297 - CVE-2011-4110 kernel: keys: NULL pointer deref in the user-defined key type 753341 - CVE-2011-4132 kernel: jbd/jbd2: invalid value of first log block leads to oops 755584 - CVE-2011-4326 kernel: wrong headroom check in udp6_ufo_fragment() 6. Package List: MRG Realtime for RHEL 6 Server v.2: Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/RHEMRG-RHEL6/SRPMS/kernel-rt-2.6.33.9-rt31.79.el6rt.src.rpm noarch: kernel-rt-doc-2.6.33.9-rt31.79.el6rt.noarch.rpm kernel-rt-firmware-2.6.33.9-rt31.79.el6rt.noarch.rpm x86_64: kernel-rt-2.6.33.9-rt31.79.el6rt.x86_64.rpm kernel-rt-debug-2.6.33.9-rt31.79.el6rt.x86_64.rpm kernel-rt-debug-debuginfo-2.6.33.9-rt31.79.el6rt.x86_64.rpm kernel-rt-debug-devel-2.6.33.9-rt31.79.el6rt.x86_64.rpm kernel-rt-debuginfo-2.6.33.9-rt31.79.el6rt.x86_64.rpm kernel-rt-debuginfo-common-x86_64-2.6.33.9-rt31.79.el6rt.x86_64.rpm kernel-rt-devel-2.6.33.9-rt31.79.el6rt.x86_64.rpm kernel-rt-trace-2.6.33.9-rt31.79.el6rt.x86_64.rpm kernel-rt-trace-debuginfo-2.6.33.9-rt31.79.el6rt.x86_64.rpm kernel-rt-trace-devel-2.6.33.9-rt31.79.el6rt.x86_64.rpm kernel-rt-vanilla-2.6.33.9-rt31.79.el6rt.x86_64.rpm kernel-rt-vanilla-debuginfo-2.6.33.9-rt31.79.el6rt.x86_64.rpm kernel-rt-vanilla-devel-2.6.33.9-rt31.79.el6rt.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package 7. References: https://www.redhat.com/security/data/cve/CVE-2011-1162.html https://www.redhat.com/security/data/cve/CVE-2011-2494.html https://www.redhat.com/security/data/cve/CVE-2011-2723.html https://www.redhat.com/security/data/cve/CVE-2011-2898.html https://www.redhat.com/security/data/cve/CVE-2011-3188.html https://www.redhat.com/security/data/cve/CVE-2011-3191.html https://www.redhat.com/security/data/cve/CVE-2011-3353.html https://www.redhat.com/security/data/cve/CVE-2011-3359.html https://www.redhat.com/security/data/cve/CVE-2011-3363.html https://www.redhat.com/security/data/cve/CVE-2011-3637.html https://www.redhat.com/security/data/cve/CVE-2011-4081.html https://www.redhat.com/security/data/cve/CVE-2011-4110.html https://www.redhat.com/security/data/cve/CVE-2011-4132.html https://www.redhat.com/security/data/cve/CVE-2011-4326.html https://access.redhat.com/security/updates/classification/#important 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2012 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFPDJ6FXlSAg2UNWIIRAsrYAKCLerKtJ4QtRBX9XbrUMn6hOusSYACcDy1x DrRqrqyb3B96r051baGDAZU= =M480 -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce