VARIoT IoT vulnerabilities database

VAR-201705-3651 CVE-2017-6628 Cisco Wide Area Application Services Resource management vulnerability CVSS V2: 4.3
CVSS V3: 6.8
Severity: MEDIUM
A vulnerability in the SMART-SSL Accelerator functionality of Cisco Wide Area Application Services (WAAS) 6.2.1, 6.2.1a, and 6.2.3a could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition in which WAN optimization stops functioning while the process restarts. The vulnerability is due to incorrect handling of an SSL/TLS alert received in a specific SSL/TLS connection state. An attacker could exploit this vulnerability by establishing a SMART-SSL connection through the targeted device and then sending a crafted stream of SSL/TLS traffic. A successful exploit causes WAN optimization to stop processing traffic for a short period of time. Cisco Bug ID: CSCvb71133. Cisco has confirmed the vulnerability and tracks it as bug ID CSCvb71133. Impact: denial of service (DoS); legitimate users lose the optimization service while the process restarts. WAAS is typically deployed to optimize low-bandwidth, high-latency WAN links.
VAR-201705-3652 CVE-2017-6629 Cisco Unity Connection Path traversal vulnerability CVSS V2: 5.0
CVSS V3: 5.3
Severity: MEDIUM
A vulnerability in the ImageID parameter of Cisco Unity Connection 10.5(2) could allow an unauthenticated, remote attacker to access files in arbitrary locations on the filesystem of an affected device. The issue is due to improper sanitization of user-supplied input in HTTP POST parameters that describe filenames. An attacker could exploit this vulnerability by using directory traversal techniques to submit a path to a desired file location. Cisco Bug ID: CSCvd90118. Cisco Unity Connection contains a path traversal vulnerability; Cisco has confirmed it and tracks it as bug ID CSCvd90118. Impact: information may be obtained. Attackers can exploit this issue to gain unauthorized access to the affected application, which may aid in further attacks. Cisco Unity Connection is a voice-messaging platform; it supports voice commands for placing calls or listening to messages hands-free. The ImageID parameter in Cisco Unity Connection 10.5(2) has an unauthorized access vulnerability because the program does not properly filter the input the user submits in the HTTP POST parameter.
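The entry describes a filename taken from an HTTP POST parameter and joined onto a directory without sanitization. The following is an added example (not Cisco's code) showing the vulnerable join beside a containment check that resolves the candidate path and requires it to stay under the image root. The root directory, the parameter values and the function names are assumptions for the example; in a real handler the value must already be percent-decoded exactly once before it reaches this check.

```python
import os
from pathlib import Path

# Assumed document root for the image files; the real location on a Unity
# Connection appliance is not given in the entry.
IMAGE_ROOT = Path("/var/www/images")


def resolve_image_path_unsafe(image_id, root=IMAGE_ROOT):
    """The vulnerable pattern: the user-supplied name is joined onto the root
    with no check. os.path.normpath shows where the open() would really land
    once '..' components (or an absolute path) are applied."""
    return os.path.normpath(str(root / image_id))


def resolve_image_path(image_id, root=IMAGE_ROOT):
    """Hardened lookup: reject empty or NUL-containing input, treat backslashes
    as separators, resolve the joined path and require it to remain strictly
    inside the resolved root directory."""
    if not image_id or "\x00" in image_id:
        raise ValueError("invalid ImageID")
    normalized = image_id.replace("\\", "/")
    root_resolved = root.resolve()
    candidate = (root_resolved / normalized).resolve()
    # An absolute image_id replaces the root when joined, and '..' walks out
    # of it; both cases fail the parent check below.
    if candidate == root_resolved or root_resolved not in candidate.parents:
        raise ValueError("ImageID escapes the image directory")
    return candidate
```

The check compares resolved paths rather than looking for the literal string "..", so encoded, doubled or backslash-separated traversal sequences are all handled by the same rule: the final path must be a descendant of the root.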
VAR-201705-1376 CVE-2015-9057 Proxmox Mail Gateway cross-site scripting vulnerability CVSS V2: 4.3
CVSS V3: 6.1
Severity: MEDIUM
Multiple cross-site scripting (XSS) vulnerabilities in Proxmox Mail Gateway prior to hotfix 4.0-8-097d26a9 allow remote attackers to inject arbitrary web script or HTML via multiple parameters, related to /users/index.htm, /quarantine/spam/manage.htm, /quarantine/spam/whitelist.htm, /queues/mail/index/, /system/ssh.htm, /queues/mail/?domain=, and /quarantine/virus/manage.htm. Proxmox Mail Gateway contains a cross-site scripting vulnerability. Impact: information may be obtained and information may be altered. Proxmox Mail Gateway is an email gateway product of the Austrian company Proxmox Server Solutions. The product protects email against viruses, phishing and Trojans.
VAR-201705-1377 CVE-2015-9058 Proxmox Mail Gateway Open redirect vulnerability CVSS V2: 5.8
CVSS V3: 6.1
Severity: MEDIUM
Open redirect vulnerability in Proxmox Mail Gateway prior to hotfix 4.0-8-097d26a9 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via the destination parameter. Proxmox Mail Gateway is an email gateway product of the Austrian company Proxmox Server Solutions. The product protects email against viruses, phishing and Trojans.
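The open redirect above arises when the value of the destination parameter is passed straight into a Location header. The following is an added example (not Proxmox code) of a redirect-target validator: it accepts only a same-site path or an absolute URL to an allow-listed host, and explicitly handles the encodings that usually defeat naive checks (scheme-relative "//host", backslashes that browsers treat as slashes, "https:host" without slashes, credentials before an "@", and header-injection control characters). The allow-listed host name and function name are assumptions for the example.

```python
from urllib.parse import urlsplit

# Hosts this application may redirect to when an absolute URL is supplied;
# constructed for the example.
ALLOWED_HOSTS = frozenset({"mail.example.org"})


def safe_redirect_target(destination, default="/", allowed_hosts=ALLOWED_HOSTS):
    """Return a redirect target that stays on this site (or goes to an
    allow-listed host); anything else falls back to `default`."""
    if not destination:
        return default
    # CR/LF or other control characters would allow header injection or
    # confuse the parser; refuse them outright.
    if any(ord(ch) < 0x20 or ch == "\x7f" for ch in destination):
        return default
    # Browsers treat '\' as '/' in URLs, so normalise before parsing.
    dest = destination.strip().replace("\\", "/")
    try:
        parts = urlsplit(dest)
    except ValueError:              # e.g. malformed IPv6 literal
        return default
    if parts.scheme or parts.netloc:
        # Absolute or scheme-relative ('//host') URL: only http(s) to an
        # allow-listed host is acceptable. hostname strips any user:pass@.
        host = (parts.hostname or "").lower()
        if parts.scheme in ("http", "https") and host in allowed_hosts:
            return dest
        return default
    # Relative target: exactly one leading slash ('//' is a netloc above).
    if not dest.startswith("/") or dest.startswith("//"):
        return default
    return dest
```

Returning the default instead of raising keeps the login flow working when the parameter is tampered with; logging the rejected value is the usual addition in production.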
VAR-201705-3755 CVE-2017-7907 Wonderware Historian Client XML external entity (XXE) injection vulnerability CVSS V2: 3.3
CVSS V3: 6.6
Severity: MEDIUM
An Improper XML Parser Configuration issue was discovered in Schneider Electric Wonderware Historian Client 2014 R2 SP1 and prior. An improperly restricted XML parser (improper restriction of XML external entity reference, XXE) may allow an attacker to supply malicious input through the application, which could cause a denial of service or disclose file contents from the server or a connected network. Schneider Electric Wonderware Historian is industrial data management software that combines a high-speed data acquisition and storage system with a traditional relational database management system. A local attacker could exploit the vulnerability to access sensitive information and cause a denial of service.
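The root cause named in the entry is parser configuration, not the XML itself. The following added example (not Schneider Electric's code; Wonderware Historian Client is a .NET application, so this is a model of the same parser setting in Python) runs one document through xml.sax with external general entities disabled and then enabled. The document's DOCTYPE declares an entity that points at a file written by the example, standing in for the file an attacker would target; the file contents, element names and paths are constructed for the example.

```python
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges


class TextCollector(ContentHandler):
    """Collects character data so we can see what the parser expanded."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def characters(self, content):
        self.chunks.append(content)


def parse_text(xml_bytes, resolve_external_entities):
    """Parse with xml.sax (expat underneath) and return all character data.
    `resolve_external_entities` toggles feature_external_ges, which is the
    'improper XML parser configuration' this entry is about: False leaves
    external entities unexpanded, True fetches whatever the SYSTEM id names."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external_entities)
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(collector.chunks)


def make_xxe_document(secret="hunter2"):
    """Write a constructed 'secret' file and return a document whose DOCTYPE
    declares an external entity pointing at it (the attacker-controlled input).
    Returns (xml_bytes, path_of_secret_file)."""
    fd, path = tempfile.mkstemp(prefix="xxe-demo-", suffix=".txt")
    with os.fdopen(fd, "w") as fh:
        fh.write(secret)
    doc = (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE tagvalues [<!ENTITY xxe SYSTEM "{path}">]>\n'
        "<tagvalues><tag>&xxe;</tag></tagvalues>"
    ).encode()
    return doc, path
```

With the feature off the parser skips the entity and the tag stays empty; with it on, the file contents appear in the parsed output exactly as they would be echoed back to an attacker by an application that reflects parsed values. In Python the feature defaults to off since 3.7.1, and the defusedxml package wraps the standard parsers with the same restrictions; the equivalent in .NET is leaving XmlResolver null and DtdProcessing at Prohibit.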
VAR-201705-3758 CVE-2017-7911 CyberVision Kaa IoT Platform Code injection vulnerability CVSS V2: 6.5
CVSS V3: 8.8
Severity: HIGH
A Code Injection issue was discovered in CyberVision Kaa IoT Platform, Version 0.7.4. An insufficient-encapsulation vulnerability has been identified, which may allow remote code execution. Kaa is an open-source IoT platform that can be used to build a complete end-to-end IoT solution.
VAR-201705-3756 CVE-2017-7909 Advantech B+B SmartWorx MESR901 Authentication Bypass Vulnerability CVSS V2: 7.5
CVSS V3: 9.8
Severity: CRITICAL
A Use of Client-Side Authentication issue was discovered in Advantech B+B SmartWorx MESR901 firmware versions 1.5.2 and prior. The web interface uses JavaScript to check client authentication and redirect unauthorized users. Attackers may intercept requests and bypass authentication to access restricted web pages. The Advantech B+B SmartWorx MESR901 firmware therefore contains an authentication bypass vulnerability. Impact: information is obtained, information is altered, and service operation is disrupted (DoS). The MESR901 is a Modbus (serial-to-Ethernet) gateway from Advantech's B+B SmartWorx line. An attacker who bypasses authentication can perform unauthorized operations on the device, which may lead to further attacks. Firmware 1.5.2 and prior are vulnerable.
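The entry's weakness is that the device sends the protected page to every requester and relies on a script inside the page to redirect unauthenticated browsers. The following added example (not Advantech firmware code) models the vulnerable handler beside a server-side check, and includes the test a pentester runs to confirm the finding: fetch the protected page with no session using a client that never executes JavaScript. The page contents, paths, cookie name and session value are all constructed for the example.

```python
import re

# Constructed stand-ins for two pages on the gateway's web interface.
LOGIN_PAGE = "<html><body><form action='/login.htm'>login required</form></body></html>"
CONFIG_PAGE = (
    "<html><head><script>"
    "if (document.cookie.indexOf('sid=') < 0) { window.location.replace('/login.htm'); }"
    "</script></head>"
    "<body><h1>Modbus gateway settings</h1>serial baud=9600 slave-id=1</body></html>"
)
VALID_SESSION = "sid=constructed-session-token"
PROTECTED_PATHS = {"/config.htm"}


def vulnerable_handler(path, cookie=None):
    """Client-side check only: every requester gets the full page, and the
    embedded script is the only thing that 'redirects' unauthorised users.
    Any client that ignores the script (curl, a proxy, a script) reads it all."""
    if path in PROTECTED_PATHS:
        return 200, CONFIG_PAGE
    return 404, ""


def hardened_handler(path, cookie=None):
    """Server-side check: the session is validated before any protected content
    leaves the device. The script in the page becomes harmless decoration."""
    if path in PROTECTED_PATHS:
        if cookie != VALID_SESSION:
            return 302, LOGIN_PAGE      # served with a Location: /login.htm header
        return 200, CONFIG_PAGE
    return 404, ""


JS_REDIRECT = re.compile(r"location\.(replace|assign|href)")


def relies_on_client_side_auth(handler, path="/config.htm", marker="settings"):
    """Pentest check: request the protected page with no session and do not run
    JavaScript. The finding is confirmed when the body already contains the
    protected content (identified by `marker`) together with a script-driven
    redirect; a correct server returns a redirect or 401 with no content."""
    status, body = handler(path, cookie=None)
    return status == 200 and marker in body and JS_REDIRECT.search(body) is not None
```

On a live device the same check is a request with no Cookie header through an intercepting proxy, with script execution disabled; the response status and body are what matter, not what the browser eventually displays.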
VAR-201705-3474 CVE-2017-5689 Intel AMT Remote Authentication Bypass Vulnerability CVSS V2: 10.0
CVSS V3: 9.8
Severity: CRITICAL
An unprivileged network attacker could gain system privileges to provisioned Intel manageability SKUs: Intel Active Management Technology (AMT) and Intel Standard Manageability (ISM). An unprivileged local attacker could provision manageability features, gaining unprivileged network or local system privileges on Intel manageability SKUs: Intel Active Management Technology (AMT), Intel Standard Manageability (ISM), and Intel Small Business Technology (SBT). These features listen on several ports for administrative commands. According to Intel documentation, AMT uses ports 16992 and 16993 for its web interface; ports 16994 and 16995, and 623 and 664, may also be used (see https://software.intel.com/sites/default/files/article/393789/amt-9-start-here-guide.pdf and https://www.symantec.com/connect/articles/why-must-intel-amt-be-configured-and-what-required). The Intel Management Engine that backs these remote management functions contains a vulnerability that allows a remote, unauthenticated third party to access them. Intel has published a security advisory (INTEL-SA-00075, https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00075&languageid=en-fr) and a mitigation guide (INTEL-SA-00075 Mitigation Guide, https://downloadcenter.intel.com/download/26754). OEM systems may ship with this remote management function enabled. Impact: a remote attacker may gain access to the system's remote management functions. Intel AMT has a remote authentication bypass vulnerability: an unauthorized user need only send an empty user_response value to bypass the Intel AMT web authentication and can then use the Keyboard Video Mouse (KVM) feature to remotely control the system. Multiple Intel products are prone to a privilege-escalation vulnerability.
Note: the current version of the following document is available here: https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbhf03754en_us

SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: hpesbhf03754en_us
Version: 1
HPESBHF03754 rev.1 - HPE ML10 Gen 9 Server using Intel Xeon E3-1200 v5 Processor, Remote Access Restriction Bypass
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2017-05-26
Last Updated: 2017-05-26
Potential Security Impact: Remote: Access Restriction Bypass
Source: Hewlett Packard Enterprise, Product Security Response Team

VULNERABILITY SUMMARY
A potential security vulnerability has been identified in HPE ML10 Gen 9 Server using Intel Xeon E3-1200 v5 Processor. The vulnerability could be remotely exploited to allow access restriction bypass. Do not attempt to upgrade the ME FW without following the instructions detailed in the Resolution section. Refer to the "Platform Specific Information" section in the Resolution for more specific information on upgrades for specific ProLiant servers.
References: CVE-2017-5689

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
- HPE ProLiant ML10 Gen9 E3-1225 v5 3.3GHz 4-core 8GB-R 1TB Non-hot Plug 4LFF SATA 300W AP Svr/Promo Gen9
- HPE ProLiant ML10 Gen9 E3-1225 v5 4GB-R 1TB Non-hot Plug 4LFF SATA 300W Svr/S-Buy Gen9
- HPE ProLiant ML10 Gen9 E3-1225 v5 8GB-R 1TB Non-hot Plug 4LFF SATA 300W Perf Svr Gen9
- HPE ProLiant ML10 Gen9 E3-1225 v5 8GB-R 2TB Non-hot Plug 4LFF SATA 300W Svr/GO Gen9
- HPE ProLiant ML10 Gen9 E3-1225 v5 8GB-R 2TB Non-hot Plug 4LFF SATA 300W Svr/TV Gen9

BACKGROUND
CVSS Base Metrics
Reference: CVE-2017-5689
CVSS V3 Score/Vector: 8.1 CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
CVSS V2 Score/Vector: 6.2 (AV:L/AC:H/Au:N/C:C/I:C/A:C)
Information on CVSS is documented in HPE Customer Notice HPSN-2008-002 here: https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c01345499

RESOLUTION
HPE has provided the following resolution for this issue:
Note: Only the ProLiant Gen9 server detailed in the impacted product information above can be upgraded using the procedure described in this document. Before beginning the upgrade process, the server must have Intel Xeon E3-1200 v5 processors installed. See below for further instructions. Upgrading to the latest System ROM available for the platform prior to upgrading the ME is required. The System ROM must be version 1.06 or later to support this ME firmware.

The system ROM toolkit and firmware image can be found at:
* BIOS 1.06 (Windows) <http://h20564.www2.hpe.com/hpsc/swd/public/detail?sp4ts.oid=1008772176&swItemId=MTX_0a1076f4bf0444a090b09eeb62&swEnvOid=4168#tab1>
* BIOS 1.06 (Linux 6) <http://h20564.www2.hpe.com/hpsc/swd/public/detail?sp4ts.oid=1008772176&swItemId=MTX_14bacf35f0844bb696ef65799b&swEnvOid=4103>
* BIOS 1.06 (Linux 7) <http://h20564.www2.hpe.com/hpsc/swd/public/detail?sp4ts.oid=1008772176&swItemId=MTX_14bacf35f0844bb696ef65799b&swEnvOid=4176>
The ME toolkit and firmware image can be found at:
* ME 11.6.27.3264 (Windows) <http://h20564.www2.hpe.com/hpsc/swd/public/detail?sp4ts.oid=1008772176&swItemId=MTX_359491d72fe04c0f9461fd657d&swEnvOid=4168>
* ME 11.6.27.3264 (UEFI) <http://h20564.www2.hpe.com/hpsc/swd/public/detail?sp4ts.oid=1008772176&swItemId=MTX_67a275408a9b45aba72ad7cbc1&swEnvOid=4168>

HISTORY
Version:1 (rev.1) - 26 May 2017 Initial release

Third Party Security Patches: Third party security patches that are to be installed on systems running Hewlett Packard Enterprise (HPE) software products should be applied in accordance with the customer's patch management policy.
Support: For issues about implementing the recommendations of this Security Bulletin, contact normal HPE Services support channel. For other issues about the content of this Security Bulletin, send e-mail to security-alert@hpe.com.
Report: To report a potential security vulnerability for any HPE supported product: Web form: https://www.hpe.com/info/report-security-vulnerability Email: security-alert@hpe.com
Subscribe: To initiate a subscription to receive future HPE Security Bulletin alerts via Email: http://www.hpe.com/support/Subscriber_Choice
Security Bulletin Archive: A list of recently released Security Bulletins is available here: http://www.hpe.com/support/Security_Bulletin_Archive
Software Product Category: The Software Product Category is represented in the title by the two characters following HPSB.
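The AMT entry above states that an empty user_response value passes the web interface's authentication. The following added example (not Intel firmware code) models an HTTP Digest verifier with that failure mode: the comparison is bounded by the length of the attacker-supplied response, so an empty response, or any correct prefix, is accepted. It is shown beside a verifier that checks the full length in constant time. The realm, credentials, nonce and function names are assumptions for the example; the real AMT logic is not on this page.

```python
import hashlib
import hmac


def digest_response(username, realm, password, method, uri, nonce):
    """RFC 2617 Digest response (algorithm=MD5, no qop): MD5(HA1:nonce:HA2)."""
    ha1 = hashlib.md5(f"{username}:{realm}:{password}".encode()).hexdigest()
    ha2 = hashlib.md5(f"{method}:{uri}".encode()).hexdigest()
    return hashlib.md5(f"{ha1}:{nonce}:{ha2}".encode()).hexdigest()


def verify_length_bounded(expected, user_response):
    """Models the failure mode behind the entry's 'empty user_response' bypass:
    only len(user_response) characters are compared, so "" always matches and
    a one-character guess succeeds one time in sixteen. Illustrative only."""
    return expected[:len(user_response)] == user_response


def verify_full_constant_time(expected, user_response):
    """Hardened check: the lengths must match and the whole value is compared
    in constant time, so neither truncation nor timing leaks help an attacker."""
    return len(user_response) == len(expected) and hmac.compare_digest(
        expected.encode(), user_response.encode()
    )
```

The same rule applies to any credential comparison: never let the client choose how many bytes are compared, and compare with a constant-time primitive rather than a string prefix or a bounded memcmp.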
VAR-201705-3694 CVE-2017-8403 360fly 4K cameras: access control vulnerability CVSS V2: 8.3
CVSS V3: 8.8
Severity: HIGH
360fly 4K cameras allow unauthenticated Wi-Fi password changes and complete access to the REST interface by using the Bluetooth Low Energy pairing procedure, which is available at any time and does not require a password. This affects firmware 2.1.4. Exploitation can use the 360fly Android or iOS application, or the BlueZ gatttool program. The 360fly 4K camera contains an access control vulnerability. Impact: information is obtained, information is altered, and service operation is disrupted (DoS). 360fly is a camera manufacturer; the 360fly 4K is a 360-degree camera capable of recording 4K video. The vulnerability stems from the BLE pairing procedure not requiring a password.
VAR-201705-3427 CVE-2017-0633 Broadcom Wi-Fi driver information disclosure vulnerability CVSS V2: 2.6
CVSS V3: 4.7
Severity: MEDIUM
An information disclosure vulnerability in the Broadcom Wi-Fi driver could enable a local malicious component to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-36000515. References: B-RB#117131. An attacker can exploit this issue to obtain potentially sensitive information. Information obtained may aid in further attacks. This issue is tracked by Android Bug ID A-36000515.

Broadcom: Information Leak from Host to Dongle via "wldev_ioctl" (CVE-2017-0633)

Broadcom produces Wi-Fi HardMAC SoCs which are used to handle the PHY and MAC layer processing. These chips are present in both mobile devices and Wi-Fi routers, and are capable of handling many Wi-Fi related events without delegating to the host OS. On Android devices, the "bcmdhd" driver is used in order to communicate with the Wi-Fi SoC (also referred to as "dongle"). Along with the regular flow of frames transferred between the host and the dongle, the two communicate with one another via a set of "ioctls" which can be issued to read or write dongle configuration from the host. This information is exchanged using the SDIO "control" channel (SDPCM_CONTROL_CHANNEL) rather than the regular "data" and "glom" channels (which are used to transfer frames). When the "bcmdhd" driver wishes to send an ioctl to the dongle, it does so by calling "wldev_ioctl". This function has the following signature:

s32 wldev_ioctl(struct net_device *dev, u32 cmd, void *arg, u32 len, u32 set)

Where "arg" is a pointer to the argument supplied to the ioctl call, and "len" indicates the length of this argument. This function transfers the supplied buffer over SDIO to the dongle, where it is handled by the dongle's ioctl handler function. The "bcmdhd" driver issues many such ioctls, either when accessing iovars, or when reading and writing configuration used by the dongle.

However, in all of these cases, "bcmdhd" neglects to clear the unused memory in the supplied argument buffer before calling "wldev_ioctl". As a result, the buffers transferred via the ioctl calls contain uninitialised memory, including pointers and other information processed by the driver. To demonstrate this issue, I've located the needed symbols on the Nexus 6P (NUF26K, BCM4358 version 7.112.201.1). The dongle's ioctl handler is located at ROM address 0x19734, and the pointer to the registered ioctl handler is located in RAM address 0x214BF0. By patching the RAM address to point to a newly allocated code stub, we are able to intercept the ioctl handler on the dongle. I've written a small code stub which instruments the ioctl handler in order to dump the contents of the buffers passed in by the host. Here's a small sample of these log dumps:

(1237) ioctl - code: 262, length: 512
(1238) 0 : 6f737361
(1239) 4 : 65725f63
(1240) 8 : 65695f71
...
(1404) 148 : ffffffc0
(1405) 152 : 00cdd204
(1406) 156 : ffffffc0
(1407) 160 : 5bd4b6f0
(1408) 164 : ffffffc0
(1409) 168 : 003ee868
(1410) 172 : ffffffc0
(1411) 176 : 5bd4b7e0
(1412) 180 : ffffffc0
(1413) 184 : 5bd4b810
(1414) 188 : ffffffc0
(1415) 192 : 5bd4b790
(1416) 196 : ffffffc0

As can be seen in the log above, the buffer contains multiple pointers from the host's kernel. This issue can be addressed by clearing the unused memory in the passed in argument buffers prior to calling "wldev_ioctl". This bug is subject to a 90 day disclosure deadline. After 90 days elapse or a patch has been made broadly available, the bug report will become visible to the public. Found by: laginimaineb
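The dump in the report above is raw 32-bit words; reading it by eye is how the leaked pointers were spotted. The following is an added example (not part of the report or of the bcmdhd driver) that automates that triage: it parses lines in the dump's format, recombines adjacent little-endian words into 64-bit values, flags those that fall inside the arm64 kernel's virtual address range, and decodes the ASCII at the start of the buffer (iovar buffers begin with the iovar name). The sample lines are constructed in the report's format; the kernel VA boundary assumes a 39-bit VA arm64 kernel, which the 0xffffffc0... values in the dump are consistent with.

```python
import re

# Constructed sample in the format of the dongle-side instrumentation output
# quoted in the entry: "(seq) offset : 32-bit word" for the host-supplied buffer.
SAMPLE_DUMP = """\
(1237) ioctl - code: 262, length: 512
(1238) 0 : 6f737361
(1239) 4 : 65725f63
(1240) 8 : 65695f71
(1404) 148 : ffffffc0
(1405) 152 : 00cdd204
(1406) 156 : ffffffc0
(1407) 160 : 5bd4b6f0
(1408) 164 : ffffffc0
(1409) 168 : 003ee868
(1410) 172 : ffffffc0
(1411) 176 : 5bd4b7e0
(1412) 180 : ffffffc0
(1413) 184 : 5bd4b810
(1414) 188 : ffffffc0
(1415) 192 : 5bd4b790
(1416) 196 : ffffffc0
"""

WORD_LINE = re.compile(r"^\(\d+\)\s+(\d+)\s+:\s+([0-9a-fA-F]{8})$")

# Lowest kernel virtual address on an arm64 kernel built with a 39-bit VA
# space; an assumption about the target's memory layout.
KERNEL_VA_MIN = 0xFFFFFF8000000000


def parse_words(dump):
    """Map buffer offset -> 32-bit word for every data line in the dump."""
    words = {}
    for line in dump.splitlines():
        m = WORD_LINE.match(line.strip())
        if m:
            words[int(m.group(1))] = int(m.group(2), 16)
    return words


def reassemble_qwords(words):
    """Join each pair of adjacent words at an 8-byte-aligned offset into one
    little-endian 64-bit value (the host is a little-endian arm64 kernel, so
    the low word is stored first). Words without a partner are skipped."""
    qwords = {}
    for off, lo in words.items():
        if off % 8 == 0 and off + 4 in words:
            qwords[off] = (words[off + 4] << 32) | lo
    return qwords


def find_kernel_pointers(dump):
    """Return sorted (offset, value) pairs for every 64-bit value that lies in
    the kernel's virtual address range: candidate leaked host kernel pointers."""
    qwords = reassemble_qwords(parse_words(dump))
    return sorted((off, v) for off, v in qwords.items() if v >= KERNEL_VA_MIN)


def leading_ascii(words):
    """Decode the little-endian bytes of the consecutive words from offset 0 as
    printable ASCII, stopping at the first NUL, non-printable byte or gap."""
    out = bytearray()
    off = 0
    while off in words:
        for b in words[off].to_bytes(4, "little"):
            if b == 0 or not 0x20 <= b < 0x7F:
                return out.decode("ascii")
            out.append(b)
        off += 4
    return out.decode("ascii")
```

Each flagged value is an address the dongle, and anything able to read the SDIO control channel, should never have seen; the same filter works on any host-to-device buffer dump where the host's address layout is known.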
VAR-201705-3425 CVE-2017-0631 Qualcomm camera driver information disclosure vulnerability CVSS V2: 2.6
CVSS V3: 4.7
Severity: MEDIUM
An information disclosure vulnerability in the Qualcomm camera driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-35399756. References: QC-CR#1093232. Multiple Google Devices are prone to an information disclosure vulnerability. An attacker can exploit this issue to obtain potentially sensitive information. Information obtained may aid in further attacks
VAR-201705-3423 CVE-2017-0629 Qualcomm camera driver information disclosure vulnerability CVSS V2: 2.6
CVSS V3: 4.7
Severity: MEDIUM
An information disclosure vulnerability in the Qualcomm camera driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-35214296. References: QC-CR#1086833. An attacker can exploit this issue to obtain potentially sensitive information. Information obtained may aid in further attacks. This issue is tracked by Android Bug ID A-35214296.
VAR-201705-3422 CVE-2017-0628 Qualcomm camera driver information disclosure vulnerability CVSS V2: 2.6
CVSS V3: 4.7
Severity: MEDIUM
An information disclosure vulnerability in the Qualcomm camera driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-34230377. References: QC-CR#1086833. An attacker can exploit this issue to obtain potentially sensitive information. Information obtained may aid in further attacks
VAR-201705-3418 CVE-2017-0624 Qualcomm Wi-Fi driver information disclosure vulnerability CVSS V2: 4.3
CVSS V3: 5.5
Severity: MEDIUM
An information disclosure vulnerability in the Qualcomm Wi-Fi driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as High because it could be used to access sensitive data without explicit user permission. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-34327795. References: QC-CR#2005832. An attacker can exploit this issue to obtain potentially sensitive information. Information obtained may aid in further attacks. This issue is tracked by Android Bug ID A-34327795.
VAR-201906-0777 CVE-2017-8336 Multiple Securifi Almond devices: buffer error vulnerability in device firmware

Related entries in the VARIoT exploits database: VAR-E-201906-0039
CVSS V2: 6.5
CVSS V3: 8.8
Severity: HIGH
An issue was discovered on Securifi Almond, Almond+, and Almond 2015 devices with firmware AL-R096. The device provides a user with the capability of adding new routes to the device. The POST parameters passed in this request to set up routes on the device can be set in such a way that they overflow the stack and allow an attacker to control the $ra register saved on the stack. If the firmware version AL-R096 is dissected using the binwalk tool, we obtain a cpio-root archive containing the filesystem set up on the device, which holds all the binaries. The binary "goahead" contains the vulnerable function that receives the values sent by the POST request. Opening this binary in IDA Pro shows that it is a little-endian MIPS executable. The function sub_00420F38 in IDA Pro is identified as receiving the values sent in the POST request. The POST parameter "gateway" overflows the stack and controls the $ra register after 1546 characters. The value from this POST parameter is copied onto the stack at address 0x00421348, as shown below. This allows an attacker to provide a payload of their choice and finally take control of the device. Securifi Almond, Almond+, and Almond 2015 device firmware contains a buffer error vulnerability. Impact: information is obtained, information is altered, and service operation is disrupted (DoS). Securifi Almond is a wireless router with a touch screen.
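The entry gives the two facts needed to confirm the bug on a test device: the "gateway" parameter reaches the saved return address after 1546 bytes, and the target is little-endian MIPS. The following added example (not the researcher's code or the goahead source) builds the parameter value that places a chosen marker in $ra, which is the control-of-$ra check the entry describes, and beside it the input validation that would have prevented the copy: bound the length first, then require a well-formed IPv4 address. The form-field names other than "gateway", the endpoint, and the 15-character limit are assumptions for the example; the "gateway" parameter name and the 1546-byte offset come from the entry.

```python
import ipaddress
import struct
from urllib.parse import urlencode

RA_OFFSET = 1546        # bytes of 'gateway' before the saved $ra, per the entry
GATEWAY_MAX_LEN = 15    # longest dotted-quad IPv4 address ("255.255.255.255")


def build_gateway_payload(new_ra, offset=RA_OFFSET, filler=b"A"):
    """Value for the 'gateway' parameter: filler up to the saved return
    address, then the replacement $ra packed little-endian for the MIPS LE
    target. A recognisable marker (e.g. 0x41414141) confirms control when
    the crash shows it in $ra."""
    if not 0 <= new_ra <= 0xFFFFFFFF:
        raise ValueError("ra must be a 32-bit value")
    return filler * offset + struct.pack("<I", new_ra)


def build_post_body(new_ra, destination="10.0.0.0", netmask="255.0.0.0"):
    """URL-encoded form body for the route-add request. 'destination' and
    'netmask' are assumed field names; only 'gateway' is named in the entry."""
    return urlencode({"destination": destination, "netmask": netmask,
                      "gateway": build_gateway_payload(new_ra)})


def validate_gateway(value):
    """Server-side fix for this class of bug: reject over-long input before it
    is copied anywhere, then accept only a well-formed IPv4 address and return
    it in canonical form."""
    if len(value) > GATEWAY_MAX_LEN:
        raise ValueError("gateway too long")
    try:
        return str(ipaddress.IPv4Address(value))
    except ipaddress.AddressValueError as exc:
        raise ValueError("gateway is not an IPv4 address") from exc
```

The length check must run on the raw decoded value before any strcpy-style copy into a fixed buffer; validating after the copy, as a vulnerable handler typically does, is too late.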
VAR-201906-0778 CVE-2017-8337 Multiple Securifi Almond devices: information disclosure vulnerability in device firmware

Related entries in the VARIoT exploits database: VAR-E-201906-0039
CVSS V2: 6.8
CVSS V3: 8.8
Severity: HIGH
An issue was discovered on Securifi Almond, Almond+, and Almond 2015 devices with firmware AL-R096. The device provides a user with the capability of executing various actions on the web management interface. The device does not implement any Origin header check, which allows an attacker who can trick a user into navigating to an attacker's webpage to exploit this issue and brute force the password for the web management interface. It also allows the attacker to then execute any other action, including management of rules and of sensors attached to the device, using WebSocket requests. Securifi Almond, Almond+, and Almond 2015 device firmware contains an information disclosure vulnerability. Impact: information is acquired, information is falsified, and denial of service (DoS) may result. Securifi Almond is a wireless router with a touch screen. The vulnerability stems from the fact that the program does not check the Origin field in the request header. An attacker could exploit this vulnerability to brute force passwords and perform arbitrary operations.
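The missing check named in the entry is a comparison of the Origin header against the origins the device's own pages are served from. Browsers always send Origin on a WebSocket handshake, so a page on attacker.example that opens a socket to the router carries its own origin, and the device can refuse it. The following added example (not Securifi firmware code) normalises an Origin value to (scheme, host, port) and accepts the handshake only when it matches an allow-listed origin exactly; the router address and the function names are assumptions for the example.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize_origin(origin):
    """Return (scheme, host, port) for an Origin value, or None if it is not a
    well-formed http(s) origin (the literal 'null', garbage, or a value with
    a path or credentials are all rejected)."""
    try:
        parts = urlsplit(origin)
    except ValueError:
        return None
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    if parts.path not in ("", "/") or parts.username is not None:
        return None
    try:
        port = parts.port or DEFAULT_PORTS[parts.scheme]
    except ValueError:                 # non-numeric or out-of-range port
        return None
    return (parts.scheme, parts.hostname.lower(), port)


def origin_allowed(headers, allowed_origins):
    """Accept a WebSocket handshake (or any state-changing request carrying
    Origin) only when the header is present and matches an allow-listed origin
    exactly; host suffix or prefix matches are not good enough.
    `headers` is a dict keyed by lower-cased header name."""
    origin = headers.get("origin")
    if origin is None:
        return False                    # browsers always send it on WS handshakes
    wanted = normalize_origin(origin)
    if wanted is None:
        return False
    return any(normalize_origin(a) == wanted for a in allowed_origins)
```

An Origin check stops the cross-site WebSocket use the entry describes; the password brute force through the web interface additionally needs a CSRF token on the login form and a lockout or rate limit, since a same-origin check alone does not slow down guesses made directly against the router.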
VAR-201705-3726 CVE-2017-8338 MikroTik RouterOS Resource management vulnerability CVSS V2: 7.8
CVSS V3: 7.5
Severity: HIGH
A vulnerability in MikroTik RouterOS 6.38.5 could allow an unauthenticated remote attacker to exhaust all available CPU via a flood of UDP packets to port 500 (IKE, used by L2TP over IPsec), preventing the affected router from accepting new connections; all devices are disconnected from the router and all logs are removed automatically. MikroTik RouterOS contains a resource management vulnerability. Impact: denial of service (DoS). MikroTik RouterBOARD is the router hardware line of MikroTik (Latvia); a remote denial-of-service vulnerability exists in the network stack of RouterBOARD devices running 6.38.5. RouterOS is MikroTik's Linux-kernel-based router operating system, which can also turn a PC into a dedicated router.
VAR-201704-1397 CVE-2017-7895 Linux kernel NFSv2/NFSv3 server implementation: pointer-arithmetic error vulnerability CVSS V2: 10.0
CVSS V3: 9.8
Severity: CRITICAL
The NFSv2 and NFSv3 server implementations in the Linux kernel through 4.10.13 lack certain checks for the end of a buffer, which allows remote attackers to trigger pointer-arithmetic errors or possibly have unspecified other impact via crafted requests, related to fs/nfsd/nfs3xdr.c and fs/nfsd/nfsxdr.c. The Linux kernel is prone to multiple security-bypass vulnerabilities. Attackers can exploit these issues to bypass certain security restrictions and perform unauthorized actions. This may aid in further attacks.

Red Hat Security Advisory
Synopsis: Important: kernel-rt security and bug fix update
Advisory ID: RHSA-2017:1616-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2017:1616
Issue date: 2017-06-28
CVE Names: CVE-2017-1000364 CVE-2017-2583 CVE-2017-6214 CVE-2017-7477 CVE-2017-7645 CVE-2017-7895

1. Summary:
An update for kernel-rt is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Relevant releases/architectures:
Red Hat Enterprise Linux Realtime (v. 7) - noarch, x86_64
Red Hat Enterprise Linux for Real Time for NFV (v. 7) - noarch, x86_64

3. Description:
The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements.

Security Fix(es):
* A flaw was found in the way memory was being allocated on the stack for user space binaries. If heap (or different memory region) and stack memory regions were adjacent to each other, an attacker could use this flaw to jump over the stack guard gap, cause controlled memory corruption on process stack or the adjacent memory region, and thus increase their privileges on the system. This is a kernel-side mitigation which increases the stack guard gap size from one page to 1 MiB to make successful exploitation of this issue more difficult. (CVE-2017-1000364, Important)
* A flaw was found in the way the Linux kernel allocates heap memory to build the scatter-gather list from a fragment list (skb_shinfo(skb)->frag_list) in the socket buffer (sk_buff). The heap overflow occurred if the 'MAX_SKB_FRAGS + 1' parameter and the 'NETIF_F_FRAGLIST' feature are both used together. A remote user or process could use this flaw to potentially escalate their privilege on a system. (CVE-2017-7477, Important)
* The NFS2/3 RPC client could send long arguments to the NFS server. These encoded arguments are stored in an array of memory pages, and accessed using pointer variables. Arbitrarily long arguments could make these pointers point outside the array and cause an out-of-bounds memory access. A remote user or program could use this flaw to crash the kernel, resulting in denial of service. (CVE-2017-7895, Important)
* A Linux kernel built with Kernel-based Virtual Machine (CONFIG_KVM) support was vulnerable to an incorrect segment selector (SS) value error. The error could occur while loading values into the SS register in long mode. A user or process inside a guest could use this flaw to crash the guest, resulting in DoS, or potentially escalate their privileges inside the guest. (CVE-2017-2583, Moderate)
* A flaw was found in the Linux kernel's handling of packets with the URG flag. Applications using the splice() and tcp_splice_read() functionality could allow a remote attacker to force the kernel to enter a condition in which it could loop indefinitely. (CVE-2017-6214, Moderate)

Red Hat would like to thank Qualys Research Labs for reporting CVE-2017-1000364; Ari Kauppi for reporting CVE-2017-7895; and Xiaohan Zhang (Huawei Inc.) for reporting CVE-2017-2583.

Bug Fix(es):
* The kernel-rt packages have been upgraded to the 3.10.0-514.25.2 source tree, which provides a number of bug fixes over the previous version. (BZ#1452742)
* Previously, a local lock acquisition around the ip_send_unicast_reply() function was incorrectly terminated. Consequently, a list corruption occurred that led to a kernel panic. This update adds locking functions around calls to ip_send_unicast_reply(). As a result, neither list corruption nor kernel panic occur under the described circumstances. (BZ#1455239)

4. Solution:
For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258
The system must be rebooted for this update to take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):
1414735 - CVE-2017-2583 Kernel: Kvm: vmx/svm potential privilege escalation inside guest
1426542 - CVE-2017-6214 kernel: ipv4/tcp: Infinite loop in tcp_splice_read()
1443615 - CVE-2017-7645 kernel: nfsd: Incorrect handling of long RPC replies
1445207 - CVE-2017-7477 kernel: net: Heap overflow in skb_to_sgvec in macsec.c
1446103 - CVE-2017-7895 kernel: NFSv3 server does not properly handle payload bounds checking of WRITE requests
1452742 - kernel-rt: update to the RHEL7.3.z batch#6 source tree
1455239 - net: add back the missing serialization in ip_send_unicast_reply() [RT 7.3.z]
1461333 - CVE-2017-1000364 kernel: heap/stack gap jumping via unbounded stack allocations

6. Package List:
Red Hat Enterprise Linux for Real Time for NFV (v. 7):
Source: kernel-rt-3.10.0-514.26.1.rt56.442.el7.src.rpm
noarch: kernel-rt-doc-3.10.0-514.26.1.rt56.442.el7.noarch.rpm
x86_64:
kernel-rt-3.10.0-514.26.1.rt56.442.el7.x86_64.rpm
kernel-rt-debug-3.10.0-514.26.1.rt56.442.el7.x86_64.rpm
kernel-rt-debug-debuginfo-3.10.0-514.26.1.rt56.442.el7.x86_64.rpm
kernel-rt-debug-devel-3.10.0-514.26.1.rt56.442.el7.x86_64.rpm
kernel-rt-debug-kvm-3.10.0-514.26.1.rt56.442.el7.x86_64.rpm
kernel-rt-debug-kvm-debuginfo-3.10.0-514.26.1.rt56.442.el7.x86_64.rpm
kernel-rt-debuginfo-3.10.0-514.26.1.rt56.442.el7.x86_64.rpm
kernel-rt-debuginfo-common-x86_64-3.10.0-514.26.1.rt56.442.el7.x86_64.rpm
kernel-rt-devel-3.10.0-514.26.1.rt56.442.el7.x86_64.rpm
kernel-rt-kvm-3.10.0-514.26.1.rt56.442.el7.x86_64.rpm
kernel-rt-kvm-debuginfo-3.10.0-514.26.1.rt56.442.el7.x86_64.rpm
kernel-rt-trace-3.10.0-514.26.1.rt56.442.el7.x86_64.rpm
kernel-rt-trace-debuginfo-3.10.0-514.26.1.rt56.442.el7.x86_64.rpm
kernel-rt-trace-devel-3.10.0-514.26.1.rt56.442.el7.x86_64.rpm
kernel-rt-trace-kvm-3.10.0-514.26.1.rt56.442.el7.x86_64.rpm
kernel-rt-trace-kvm-debuginfo-3.10.0-514.26.1.rt56.442.el7.x86_64.rpm
Red Hat Enterprise Linux Realtime (v. 7):
Source: kernel-rt-3.10.0-514.26.1.rt56.442.el7.src.rpm
noarch: kernel-rt-doc-3.10.0-514.26.1.rt56.442.el7.noarch.rpm
x86_64:
kernel-rt-3.10.0-514.26.1.rt56.442.el7.x86_64.rpm
kernel-rt-debug-3.10.0-514.26.1.rt56.442.el7.x86_64.rpm
kernel-rt-debug-debuginfo-3.10.0-514.26.1.rt56.442.el7.x86_64.rpm
kernel-rt-debug-devel-3.10.0-514.26.1.rt56.442.el7.x86_64.rpm
kernel-rt-debuginfo-3.10.0-514.26.1.rt56.442.el7.x86_64.rpm
kernel-rt-debuginfo-common-x86_64-3.10.0-514.26.1.rt56.442.el7.x86_64.rpm
kernel-rt-devel-3.10.0-514.26.1.rt56.442.el7.x86_64.rpm
kernel-rt-trace-3.10.0-514.26.1.rt56.442.el7.x86_64.rpm
kernel-rt-trace-debuginfo-3.10.0-514.26.1.rt56.442.el7.x86_64.rpm
kernel-rt-trace-devel-3.10.0-514.26.1.rt56.442.el7.x86_64.rpm
These packages are GPG signed by Red Hat for security.
Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2017-1000364 https://access.redhat.com/security/cve/CVE-2017-2583 https://access.redhat.com/security/cve/CVE-2017-6214 https://access.redhat.com/security/cve/CVE-2017-7477 https://access.redhat.com/security/cve/CVE-2017-7645 https://access.redhat.com/security/cve/CVE-2017-7895 https://access.redhat.com/security/updates/classification/#important 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2017 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iD8DBQFZU/mtXlSAg2UNWIIRAhYIAJ42qRehY60kmV2FptsmEemr0sL35ACdG4mg VHOx6LYlrjxRBjx/wWE9z2A= =sI9J -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce . 6.2) - x86_64 3. On systems with the stack protection feature enabled in the kernel (CONFIG_CC_STACKPROTECTOR=y, which is enabled on all architectures other than s390x and ppc64[le]), an unauthenticated attacker able to initiate a connection to a system via Bluetooth could use this flaw to crash the system. Due to the nature of the stack protection feature, code execution cannot be fully ruled out, although we believe it is unlikely. On systems without the stack protection feature (ppc64[le]; the Bluetooth modules are not built on s390x), an unauthenticated attacker able to initiate a connection to a system via Bluetooth could use this flaw to remotely execute arbitrary code on the system with ring 0 (kernel) privileges. Bug Fix(es): * Previously, while the MAP_GROWSDOWN flag was set, writing to the memory which was mapped with the mmap system call failed with the SIGBUS signal. This update fixes memory management in the Linux kernel by backporting an upstream patch that enlarges the stack guard page gap. 
(BZ#1474720)

CVE-2017-0605
A buffer overflow flaw was discovered in the trace subsystem.

CVE-2017-7487
Li Qiang reported a reference counter leak in the ipxitf_ioctl function which may result in a use-after-free vulnerability, triggerable when an IPX interface is configured.

CVE-2017-7645
Tuomas Haanpaa and Matti Kamunen from Synopsys Ltd discovered that the NFSv2 and NFSv3 server implementations are vulnerable to an out-of-bounds memory access issue while processing arbitrarily long arguments sent by NFSv2/NFSv3 RPC clients, leading to a denial of service.

CVE-2017-7895
A remote attacker with write access to an NFS mount can take advantage of this flaw to read chunks of arbitrary memory from both kernel-space and user-space.

CVE-2017-8064
Arnd Bergmann found that the DVB-USB core misused the device logging system, resulting in a use-after-free vulnerability, with unknown security impact.

CVE-2017-8924
Johan Hovold found that the io_ti USB serial driver could leak sensitive information if a malicious USB device was connected.

CVE-2017-8925
Johan Hovold found a reference counter leak in the omninet USB serial driver, resulting in a use-after-free vulnerability. This can be triggered by a local user permitted to open tty devices.

CVE-2017-9074
Andrey Konovalov reported that the IPv6 fragmentation implementation could read beyond the end of a packet buffer.

CVE-2017-9075
Andrey Konovalov reported that the SCTP/IPv6 implementation wrongly initialised address lists on connected sockets, resulting in a use-after-free vulnerability, a similar issue to CVE-2017-8890. This can be triggered by any local user.

CVE-2017-9076 / CVE-2017-9077
Cong Wang found that the TCP/IPv6 and DCCP/IPv6 implementations wrongly initialised address lists on connected sockets, a similar issue to CVE-2017-9075.

CVE-2017-9242
Andrey Konovalov reported a packet buffer overrun in the IPv6 implementation.
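The two NFS server entries above (CVE-2017-7645 and CVE-2017-7895) are both failures to check a client-declared length against the bytes that actually arrived. The following Go program is an added example, not kernel code and not anything from the Debian or Red Hat advisories: it decodes the XDR body of an NFSv3 WRITE call the way a hardened server-side decoder should, rejecting a message whose declared file-handle or data length exceeds either the protocol limit or the received payload, and a count field that disagrees with the data length. The type and function names, the constructed sample file handle, and the 1 MiB MaxWriteSize limit (standing in for a server's configured wsize) are assumptions of the example.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// NFS3FHSize is the NFSv3 file handle limit from RFC 1813. MaxWriteSize is an
// assumed server transfer limit standing in for wsize; the page gives no value.
const (
	NFS3FHSize   = 64
	MaxWriteSize = 1 << 20
)

var ErrTruncated = errors.New("xdr: declared length exceeds bytes actually received")

// Write3Args is the body of an NFSv3 WRITE call: file handle, offset, count,
// stable flag, then the data as a variable-length XDR opaque.
type Write3Args struct {
	FH     []byte
	Offset uint64
	Count  uint32
	Stable uint32
	Data   []byte
}

// xdrReader walks a received RPC body. Every read is bounded by len(buf) and
// the first failure sticks, so callers check err once at the end.
type xdrReader struct {
	buf []byte
	off int
	err error
}

func (r *xdrReader) u32() uint32 {
	if r.err != nil {
		return 0
	}
	if len(r.buf)-r.off < 4 {
		r.err = ErrTruncated
		return 0
	}
	v := binary.BigEndian.Uint32(r.buf[r.off:])
	r.off += 4
	return v
}

func (r *xdrReader) u64() uint64 {
	hi := r.u32()
	return uint64(hi)<<32 | uint64(r.u32())
}

// opaque decodes a variable-length XDR opaque. The declared length is the
// client-controlled value: it is checked against the protocol limit and
// against the bytes that actually arrived before any slice is taken.
func (r *xdrReader) opaque(limit uint32) []byte {
	n := r.u32()
	if r.err != nil {
		return nil
	}
	if n > limit {
		r.err = fmt.Errorf("xdr: opaque length %d exceeds limit %d", n, limit)
		return nil
	}
	padded := (int(n) + 3) &^ 3 // XDR pads opaques to a 4-byte boundary
	if len(r.buf)-r.off < padded {
		r.err = ErrTruncated
		return nil
	}
	v := r.buf[r.off : r.off+int(n)]
	r.off += padded
	return v
}

// DecodeWrite3Args parses a WRITE3args body and refuses any message whose
// declared sizes do not match the payload that was actually received.
func DecodeWrite3Args(body []byte) (*Write3Args, error) {
	r := &xdrReader{buf: body}
	a := &Write3Args{}
	a.FH = r.opaque(NFS3FHSize)
	a.Offset = r.u64()
	a.Count = r.u32()
	a.Stable = r.u32()
	a.Data = r.opaque(MaxWriteSize)
	if r.err != nil {
		return nil, r.err
	}
	// count and the opaque length describe the same bytes; trusting count
	// alone would let the server copy more than the client ever sent.
	if a.Count != uint32(len(a.Data)) {
		return nil, fmt.Errorf("nfs: count %d does not match data length %d", a.Count, len(a.Data))
	}
	return a, nil
}

// EncodeWrite3Args builds a WRITE3args body. declaredLen is written as the
// opaque length field so a caller can declare more data than it appends.
func EncodeWrite3Args(fh []byte, offset uint64, count, stable, declaredLen uint32, data []byte) []byte {
	b := make([]byte, 0, 32+len(fh)+len(data))
	put32 := func(v uint32) { b = append(b, byte(v>>24), byte(v>>16), byte(v>>8), byte(v)) }
	pad := func(p []byte) {
		b = append(b, p...)
		for len(b)%4 != 0 {
			b = append(b, 0)
		}
	}
	put32(uint32(len(fh)))
	pad(fh)
	put32(uint32(offset >> 32))
	put32(uint32(offset))
	put32(count)
	put32(stable)
	put32(declaredLen)
	pad(data)
	return b
}

func main() {
	fh := []byte("constructed-fh") // constructed sample handle, not a real one
	if a, err := DecodeWrite3Args(EncodeWrite3Args(fh, 4096, 5, 2, 5, []byte("hello"))); err == nil {
		fmt.Printf("well-formed: offset=%d count=%d data=%q\n", a.Offset, a.Count, a.Data)
	}
	// Crafted message: declares 64 KiB of data but carries only 5 bytes.
	_, err := DecodeWrite3Args(EncodeWrite3Args(fh, 0, 65536, 2, 65536, []byte("hello")))
	fmt.Println("crafted:", err)
}
```

The crafted message in main is the shape of input these bugs need: a small RPC whose length fields promise far more than was sent. Checking the declared length against the remaining buffer before slicing is the whole fix; the separate count-versus-data check closes the second way a server can be talked into reading past the payload.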
The default stack gap protection is set to 256 pages and can be configured via the stack_guard_gap kernel parameter on the kernel command line. Further details can be found at https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt

For the oldstable distribution (jessie), these problems have been fixed in version 3.16.43-2+deb8u1.
For the stable distribution (stretch), these problems have been fixed in version 4.9.30-2+deb9u1 or earlier versions before the stretch release.

Bug Fix(es):
* When upgrading to a kernel with the fix for the stack guard flaw, a crash could occur in Java Virtual Machine (JVM) environments that attempted to implement their own stack guard page. With this update, the underlying source code has been fixed to consider the PROT_NONE mapping as part of the stack, and the crash in the JVM no longer occurs under the described circumstances. (BZ#1466815)

(BZ#1472671)
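To make the stack guard gap mitigation concrete, the following Go program is an added example, not kernel code and not from any of the advisories quoted on this page. It reads stack_guard_gap from a kernel command line (defaulting to the 256 pages named above) and models, as I read the upstream fix, the two places the kernel enforces the gap: a new mapping may not be placed within the gap below a stack VMA, and the stack may not grow down to within the gap of an accessible neighbouring mapping, except that a PROT_NONE neighbour, such as the guard page a JVM places under its own stack, does not block growth (the BZ#1466815 behaviour). On Linux, main also reports the live stack VMA from /proc/self/maps. The VMA type, the function names and the addresses in the test are assumptions of the example; the real kernel structures are larger.

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// DefaultStackGuardGapPages is the kernel default named in the advisories;
// stack_guard_gap=N on the kernel command line overrides it.
const DefaultStackGuardGapPages = 256

// ParseStackGuardGap returns the guard gap in pages from a kernel command
// line, falling back to the default when the parameter is absent or malformed.
func ParseStackGuardGap(cmdline string) uint64 {
	for _, f := range strings.Fields(cmdline) {
		if strings.HasPrefix(f, "stack_guard_gap=") {
			if n, err := strconv.ParseUint(strings.TrimPrefix(f, "stack_guard_gap="), 0, 64); err == nil {
				return n
			}
		}
	}
	return DefaultStackGuardGapPages
}

// VMA is a minimal model of a kernel vm_area_struct: [Start, End) with
// access bits (0 means PROT_NONE) and the VM_GROWSDOWN flag that marks a stack.
type VMA struct {
	Start, End uint64
	Prot       int // bitmask: 1 read, 2 write, 4 exec
	GrowsDown  bool
}

// StartGap is the lowest address reserved for this VMA: for a stack it is
// Start minus the guard gap, clamped at zero (the kernel's vm_start_gap()).
func (v VMA) StartGap(gapBytes uint64) uint64 {
	if !v.GrowsDown {
		return v.Start
	}
	if v.Start < gapBytes {
		return 0
	}
	return v.Start - gapBytes
}

// MappingAllowedBelow reports whether a new mapping ending at mapEnd may be
// placed under stack without entering the guard gap.
func MappingAllowedBelow(stack VMA, mapEnd, gapBytes uint64) bool {
	return mapEnd <= stack.StartGap(gapBytes)
}

// StackCanExpandTo mirrors the gap check in the kernel's expand_downwards():
// growing the stack down to newStart is refused when an accessible, non-stack
// mapping (prev) lies closer than the gap below it. A PROT_NONE mapping is
// not counted, which is what lets a JVM keep its own guard page.
func StackCanExpandTo(prev *VMA, newStart, gapBytes uint64) bool {
	if prev == nil || prev.GrowsDown {
		return true
	}
	if newStart < prev.End {
		return false // would overlap the neighbour outright
	}
	if prev.Prot == 0 {
		return true
	}
	return newStart-prev.End >= gapBytes
}

// stackVMA finds the [stack] line of /proc/self/maps (Linux only).
func stackVMA() (VMA, bool) {
	f, err := os.Open("/proc/self/maps")
	if err != nil {
		return VMA{}, false
	}
	defer f.Close()
	sc := bufio.NewScanner(f)
	for sc.Scan() {
		if !strings.HasSuffix(sc.Text(), "[stack]") {
			continue
		}
		var lo, hi uint64
		if _, err := fmt.Sscanf(sc.Text(), "%x-%x", &lo, &hi); err == nil {
			return VMA{Start: lo, End: hi, Prot: 3, GrowsDown: true}, true
		}
	}
	return VMA{}, false
}

func main() {
	cmdline, _ := os.ReadFile("/proc/cmdline") // empty on non-Linux, so the default applies
	page := uint64(os.Getpagesize())
	gap := ParseStackGuardGap(string(cmdline)) * page
	fmt.Printf("stack_guard_gap: %d pages (%d KiB)\n", gap/page, gap/1024)
	if s, ok := stackVMA(); ok {
		fmt.Printf("stack vma %#x-%#x; mapping ending one page below it allowed: %v\n",
			s.Start, s.End, MappingAllowedBelow(s, s.Start-page, gap))
	}
}
```

Reading stack_guard_gap from /proc/cmdline is the quick check for a host that has been tuned down from the default: anything well below 256 pages reintroduces the small-gap condition the Qualys write-up describes, and a value of 0 removes the gap entirely.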
VAR-201704-1627 No CVE Samsung Smart TV Wi-Fi Direct Privilege Escalation Vulnerability CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Samsung SmartTV is a smart TV from South Korea's Samsung that integrates web content, apps, AllShare content, search functions and the traditional TV channel list into one user interface. Samsung SmartTV Wi-Fi Direct has a privilege escalation vulnerability: an attacker can emulate a trusted device when connecting via Wi-Fi Direct and, without any authentication, gain unrestricted access to the TV.
VAR-201706-0659 CVE-2017-7905 GE Multilin SR Relay Protector Unauthorized Access Vulnerability CVSS V2: 5.0
CVSS V3: 9.8
Severity: CRITICAL
A Weak Cryptography for Passwords issue was discovered in General Electric (GE) Multilin SR 750 Feeder Protection Relay, firmware versions prior to Version 7.47; SR 760 Feeder Protection Relay, firmware versions prior to Version 7.47; SR 469 Motor Protection Relay, firmware versions prior to Version 5.23; SR 489 Generator Protection Relay, firmware versions prior to Version 4.06; SR 745 Transformer Protection Relay, firmware versions prior to Version 5.23; SR 369 Motor Protection Relay, all firmware versions; Multilin Universal Relay, firmware Version 6.0 and prior versions; and Multilin URplus (D90, C90, B95), all versions. Ciphertext versions of user passwords were created with a non-random initialization vector leaving them susceptible to dictionary attacks. Ciphertext of user passwords can be obtained from the front LCD panel of affected products and through issued Modbus commands. Multiple General Electric (GE) products contain this cryptographic weakness. Information may be obtained or altered, and a denial of service (DoS) condition may result. The GE Multilin SR relay products have an unauthorized access vulnerability: an attacker can read a user's password ciphertext from the front panel or via Modbus commands, recover the password with a dictionary attack against the deterministic ciphertext, and thereby gain unauthorized access to GE Multilin SR series relay products. GE 750 Feeder Protection Relay and others are relay products of General Electric (GE) of the United States. Security vulnerabilities exist in several GE products because stored user passwords are encrypted with a non-random initialization vector, so the same password always produces the same ciphertext and can be matched against a precomputed dictionary. An attacker could exploit this vulnerability to gain access to the system.
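Why a non-random IV turns stored password ciphertext into a dictionary-attack target, as an added Go example that is not GE firmware and not code from the advisory: with a fixed IV and a key that does not change per record, the same password always encrypts to the same bytes, so an attacker who can read the ciphertext off the LCD panel or over Modbus can match it against a table precomputed from a wordlist. The example assumes the attacker can encrypt candidates under the same key (for instance because it is recovered from firmware or because an identical device is at hand); the cipher (AES-128-CBC with PKCS#7 padding), the key, the function names and the wordlist are assumptions of the example, since the advisory does not state which cipher or key the relays use, only that the IV is not random.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"io"
)

// firmwareKey stands in for a key fixed in the device firmware. The key and
// the use of AES-128-CBC are assumptions of this example, not facts from the
// advisory, which only states that the initialization vector is not random.
var firmwareKey = []byte("demo-relay-key16")

// fixedIV is the weak pattern: the same IV for every stored password.
var fixedIV = make([]byte, aes.BlockSize)

func pkcs7(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

// encryptCBC encrypts pw under firmwareKey with the given IV.
func encryptCBC(pw string, iv []byte) []byte {
	block, err := aes.NewCipher(firmwareKey)
	if err != nil {
		panic(err)
	}
	pt := pkcs7([]byte(pw))
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, pt)
	return ct
}

// EncryptFixedIV models the affected firmware: identical passwords always
// produce identical ciphertext, so the stored value behaves like an
// unsalted password hash.
func EncryptFixedIV(pw string) []byte { return encryptCBC(pw, fixedIV) }

// EncryptRandomIV is the corrected form: a fresh IV per record, stored in
// front of the ciphertext. The same password now encrypts differently every time.
func EncryptRandomIV(pw string) []byte {
	iv := make([]byte, aes.BlockSize)
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		panic(err)
	}
	return append(iv, encryptCBC(pw, iv)...)
}

// BuildDictionary precomputes the ciphertext of every candidate password once.
// With a fixed IV the table is valid for every device that shares the key.
func BuildDictionary(candidates []string) map[string]string {
	d := make(map[string]string, len(candidates))
	for _, pw := range candidates {
		d[hex.EncodeToString(EncryptFixedIV(pw))] = pw
	}
	return d
}

// Recover looks up ciphertext obtained from the device (the advisory names
// the front LCD panel and Modbus as sources) in the precomputed table.
func Recover(dict map[string]string, ct []byte) (string, bool) {
	pw, ok := dict[hex.EncodeToString(ct)]
	return pw, ok
}

func main() {
	// Constructed candidate list; a real attack would use a full wordlist.
	wordlist := []string{"admin", "1234", "password", "relay2017", "operator"}
	dict := BuildDictionary(wordlist)
	stolen := EncryptFixedIV("relay2017") // what an attacker reads off the device
	pw, ok := Recover(dict, stolen)
	fmt.Printf("fixed IV: recovered=%q found=%v\n", pw, ok)
	// The same password under a per-record random IV is not in the table.
	out := EncryptRandomIV("relay2017")
	_, ok = Recover(dict, out[aes.BlockSize:])
	fmt.Printf("random IV: found=%v\n", ok)
}
```

The table lookup is the entire attack: no cryptanalysis of AES is involved, and the cost is one encryption per wordlist entry, paid once for every device that shares the key. A random IV per record forces the attacker to redo that work per stolen ciphertext, which is why the corrected form stores the IV alongside the ciphertext rather than reusing one.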