VARIoT IoT vulnerabilities database
| VAR-201703-0065 | CVE-2016-8413 | Qualcomm Information disclosure vulnerability in camera drivers |
CVSS V2: 2.6 CVSS V3: 4.7 Severity: MEDIUM |
An information disclosure vulnerability in the Qualcomm camera driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-32709702. References: QC-CR#518731. Google Android is prone to multiple information-disclosure vulnerabilities.
An attacker can exploit these issues to obtain potentially sensitive information. Information obtained may aid in further attacks.
These issues are being tracked by Android Bug IDs A-32709702 and A-32720522.
| VAR-201703-0685 | CVE-2017-0452 | Qualcomm Information disclosure vulnerability in camera drivers |
CVSS V2: 2.6 CVSS V3: 4.7 Severity: MEDIUM |
An information disclosure vulnerability in the Qualcomm camera driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as Low because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10. Android ID: A-32873615. References: QC-CR#1093693. Google Nexus is a high-end mobile phone series powered by Google's original Android system. An attacker could exploit this vulnerability to obtain potentially sensitive information. Google Nexus is prone to an information-disclosure vulnerability. Information obtained may aid in further attacks.
| VAR-201703-0755 | CVE-2017-5638 | Apache Struts 2 is vulnerable to remote code execution |
CVSS V2: 10.0 CVSS V3: 9.8 Severity: HIGH |
The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception handling and error-message generation during file-upload attempts, which allows remote attackers to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header, as exploited in the wild in March 2017 with a Content-Type header containing a #cmd= string. Apache Struts 2 contains a vulnerability in the Jakarta Multipart parser that allows the execution of arbitrary code. Attack code for this vulnerability has been released. By processing a request crafted by a remote third party, arbitrary code could be executed with the privileges of the application.
Apache Struts 2.3.5 through 2.3.31 and 2.5 through 2.5.10 are vulnerable.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Note: the current version of the following document is available here:
https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbhf03723en_us
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: hpesbhf03723en_us
Version: 1
HPESBHF03723 rev.1 - HPE Aruba ClearPass Policy Manager, using Apache Struts,
Remote Code Execution
NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.
Release Date: 2017-03-29
Last Updated: 2017-03-29
Potential Security Impact: Remote: Code Execution
Source: Hewlett Packard Enterprise, Product Security Response Team
VULNERABILITY SUMMARY
A potential security vulnerability has been identified in HPE Aruba ClearPass
Policy Manager.
**Note:** The ClearPass Policy Manager administrative Web interface is
affected by the vulnerability. ClearPass Guest, Insight, and Graphite are NOT
impacted.
- Aruba ClearPass Policy Manager All versions prior to 6.6.5
BACKGROUND
CVSS Base Metrics
=================
Reference, CVSS V3 Score/Vector, CVSS V2 Score/Vector
CVE-2017-5638
9.4 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
9.7 (AV:N/AC:L/Au:N/C:C/I:C/A:P)
Information on CVSS is documented in
HPE Customer Notice HPSN-2008-002 here:
https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c01345499
RESOLUTION
HPE Aruba has provided hotfixes for ClearPass 6.6.5, 6.6.4, and 6.5.7. Use
one of the following methods to install the appropriate hotfix:
Install the Hotfix Online Using the Software Updates Portal:
1. Open ClearPass Policy Manager and go to Administration - Agents and
   Software Updates - Software Updates.
2. In the Firmware and Patch Updates area, find the "ClearPass 6.5.7 Hotfix
   Patch for CVE-2017-5638" or "ClearPass 6.6.4 Hotfix Patch for
   CVE-2017-5638" patch and click the Download button in its row.
3. Click Install.
4. When the installation is complete and the status is shown as "Needs
   Restart", proceed to restart ClearPass. After reboot, the status for the
   patch will be shown as Installed. The ClearPass Policy Manager version
   number will not change.
Installing the Hotfix Offline Using the Patch File from
support.arubanetworks.com:
1. Download the "ClearPass 6.5.7 Hotfix Patch for CVE-2017-5638" or
   "ClearPass 6.6.4 Hotfix Patch for CVE-2017-5638" patch from the Support
   site.
2. Open the ClearPass Policy Manager Admin UI and go to Administration -
   Agents and Software Updates - Software Updates.
3. At the bottom of the Firmware and Patch Updates area, click Import
   Updates and browse to the downloaded patch file. The name and description
   once imported may differ from the name and remark on the support site,
   as these were adjusted after posting. This is purely a cosmetic
   discrepancy.
4. Click Install.
5. When the installation is complete and the status is shown as Needs
   Restart, proceed to restart ClearPass. After reboot, the status for the
   patch will be shown as Installed. The ClearPass Policy Manager version
   number will not change.
Workarounds
- -----------
Restrict access to the Policy Manager Admin Web Interface. This can be
accomplished by navigating to Administration - Server Manager -
Server Configuration - Server-Name - Network - Restrict Access and
only allowing non-public or network management networks.
**Note:** Please contact HPE Technical Support if any assistance is needed
acquiring the software updates.
HISTORY
Version:1 (rev.1) - 29 March 2017 Initial release
Third Party Security Patches: Third party security patches that are to be
installed on systems running Hewlett Packard Enterprise (HPE) software
products should be applied in accordance with the customer's patch management
policy.
Support: For issues about implementing the recommendations of this Security
Bulletin, contact normal HPE Services support channel. For other issues about
the content of this Security Bulletin, send e-mail to security-alert@hpe.com.
Report: To report a potential security vulnerability for any HPE supported
product:
Web form: https://www.hpe.com/info/report-security-vulnerability
Email: security-alert@hpe.com
Subscribe: To initiate a subscription to receive future HPE Security Bulletin
alerts via Email: http://www.hpe.com/support/Subscriber_Choice
Security Bulletin Archive: A list of recently released Security Bulletins is
available here: http://www.hpe.com/support/Security_Bulletin_Archive
Software Product Category: The Software Product Category is represented in
the title by the two characters following HPSB.
3C = 3COM
3P = 3rd Party Software
GN = HPE General Software
HF = HPE Hardware and Firmware
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PV = ProCurve
ST = Storage Software
UX = HP-UX
Copyright 2016 Hewlett Packard Enterprise
Hewlett Packard Enterprise shall not be liable for technical or editorial
errors or omissions contained herein. The information provided is provided
"as is" without warranty of any kind. To the extent permitted by law, neither
HP or its affiliates, subcontractors or suppliers will be liable for
incidental,special or consequential damages including downtime cost; lost
profits; damages relating to the procurement of substitute products or
services; or damages for loss of data, or software restoration. The
information in this document is subject to change without notice. Hewlett
Packard Enterprise and the names of Hewlett Packard Enterprise products
referenced herein are trademarks of Hewlett Packard Enterprise in the United
States and other countries. Other product and company names mentioned herein
may be trademarks of their respective owners.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQEcBAEBCAAGBQJY3BR/AAoJELXhAxt7SZaiMW8H/0+jWL4Evk+KeqP7aYk1msGp
9ih3F2680VrHVsUbSzul3+svnaWTJUgRe7fUTvsh/Q6bx/Eo86yo8iXGjmzETLtY
cTuQrHLySo55Pwua9+89V4e13QkRvQ/UmQPYDMPEk9L7wwU9OF0oCpXHQBuWnw07
mKLZ12HaZqM8vJXgwgJFH77Mf3r5TkGFHsrZ0M+2vvxioJIEfmWV/x4eqtvIy6zS
C6CX1M9x4xD442XcFfnH0BHA9RL6LOeYngTPYR7IIycvzpqd8kOWunjs38+IJpFR
g49ho/NddeZfDKdJcIdfJ+0f3x2h7FPiVadXu1PzdCckhFHkHmrSlVcRbQZ+1R8=
=8ljI
-----END PGP SIGNATURE-----
| VAR-201703-1380 | No CVE | Root backdoor vulnerability exists in DBL Technology GSM voice gateway |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
DBL Technology (DBL Technology Co., Ltd.) is a communication equipment manufacturer located in Shenzhen. Its main products include GSM voice gateways, IP telephone gateways, enterprise-level softswitches, etc., which are mostly used by telephone companies and VoIP service providers.
The DBL Technology GSM voice gateway has a root permission backdoor vulnerability. The backdoor exists in the Telnet service of the device, allowing an attacker to use a vulnerability in its authentication mechanism to obtain a shell with root privileges.
| VAR-201703-1146 | CVE-2017-6458 | NTP ctl_put* function buffer overflow vulnerability |
CVSS V2: 6.5 CVSS V3: 8.8 Severity: HIGH |
Multiple buffer overflows in the ctl_put* functions in NTP before 4.2.8p10 and 4.3.x before 4.3.94 allow remote authenticated users to have unspecified impact via a long variable.
There is currently no further information about this vulnerability; please follow CNNVD or the manufacturer's announcements.
Attackers can exploit this issue to execute arbitrary code in the context of the affected application. Failed exploit attempts will result in denial-of-service conditions. NTP (Network Time Protocol) is a protocol for synchronizing computer clocks over a network.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
[slackware-security] ntp (SSA:2017-112-02)
New ntp packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1,
14.2, and -current to fix security issues.
Here are the details from the Slackware 14.2 ChangeLog:
+--------------------------+
patches/packages/ntp-4.2.8p10-i586-1_slack14.2.txz: Upgraded.
In addition to bug fixes and enhancements, this release fixes security
issues of medium and low severity:
Denial of Service via Malformed Config (Medium)
Authenticated DoS via Malicious Config Option (Medium)
Potential Overflows in ctl_put() functions (Medium)
Buffer Overflow in ntpq when fetching reslist from a malicious ntpd (Medium)
0rigin DoS (Medium)
Buffer Overflow in DPTS Clock (Low)
Improper use of snprintf() in mx4200_send() (Low)
The following issues do not apply to Linux systems:
Privileged execution of User Library code (WINDOWS PPSAPI ONLY) (Low)
Stack Buffer Overflow from Command Line (WINDOWS installer ONLY) (Low)
Data Structure terminated insufficiently (WINDOWS installer ONLY) (Low)
For more information, see:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6464
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6463
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6458
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6460
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9042
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6462
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6451
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6455
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6452
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6459
(* Security fix *)
+--------------------------+
Where to find the new packages:
+-----------------------------+
Thanks to the friendly folks at the OSU Open Source Lab
(http://osuosl.org) for donating FTP and rsync hosting
to the Slackware project! :-)
Also see the "Get Slack" section on http://slackware.com for
additional mirror sites near you.
Updated package for Slackware 13.0:
ftp://ftp.slackware.com/pub/slackware/slackware-13.0/patches/packages/ntp-4.2.8p10-i486-1_slack13.0.txz
Updated package for Slackware x86_64 13.0:
ftp://ftp.slackware.com/pub/slackware/slackware64-13.0/patches/packages/ntp-4.2.8p10-x86_64-1_slack13.0.txz
Updated package for Slackware 13.1:
ftp://ftp.slackware.com/pub/slackware/slackware-13.1/patches/packages/ntp-4.2.8p10-i486-1_slack13.1.txz
Updated package for Slackware x86_64 13.1:
ftp://ftp.slackware.com/pub/slackware/slackware64-13.1/patches/packages/ntp-4.2.8p10-x86_64-1_slack13.1.txz
Updated package for Slackware 13.37:
ftp://ftp.slackware.com/pub/slackware/slackware-13.37/patches/packages/ntp-4.2.8p10-i486-1_slack13.37.txz
Updated package for Slackware x86_64 13.37:
ftp://ftp.slackware.com/pub/slackware/slackware64-13.37/patches/packages/ntp-4.2.8p10-x86_64-1_slack13.37.txz
Updated package for Slackware 14.0:
ftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/ntp-4.2.8p10-i486-1_slack14.0.txz
Updated package for Slackware x86_64 14.0:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/ntp-4.2.8p10-x86_64-1_slack14.0.txz
Updated package for Slackware 14.1:
ftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/ntp-4.2.8p10-i486-1_slack14.1.txz
Updated package for Slackware x86_64 14.1:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/ntp-4.2.8p10-x86_64-1_slack14.1.txz
Updated package for Slackware 14.2:
ftp://ftp.slackware.com/pub/slackware/slackware-14.2/patches/packages/ntp-4.2.8p10-i586-1_slack14.2.txz
Updated package for Slackware x86_64 14.2:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.2/patches/packages/ntp-4.2.8p10-x86_64-1_slack14.2.txz
Updated package for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/ntp-4.2.8p10-i586-1.txz
Updated package for Slackware x86_64 -current:
ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/n/ntp-4.2.8p10-x86_64-1.txz
MD5 signatures:
+-------------+
Slackware 13.0 package:
e3e18355dbb881f31030c325d396691f ntp-4.2.8p10-i486-1_slack13.0.txz
Slackware x86_64 13.0 package:
7ca81f398c6f3fc306cf5e0ce4821ff7 ntp-4.2.8p10-x86_64-1_slack13.0.txz
Slackware 13.1 package:
bb14e63e0ea28856fb14816848fad378 ntp-4.2.8p10-i486-1_slack13.1.txz
Slackware x86_64 13.1 package:
77bee4e0b7d7bae54c431210ba7b20f8 ntp-4.2.8p10-x86_64-1_slack13.1.txz
Slackware 13.37 package:
4424d362ec1dcb75d35560cc25f291b8 ntp-4.2.8p10-i486-1_slack13.37.txz
Slackware x86_64 13.37 package:
94bea621e2bad59b80553a9516c4ddb6 ntp-4.2.8p10-x86_64-1_slack13.37.txz
Slackware 14.0 package:
b9edb40c9e94a8248b57f96a0f7d0f49 ntp-4.2.8p10-i486-1_slack14.0.txz
Slackware x86_64 14.0 package:
d8a52549c46ca33833f68d7b063ab1f2 ntp-4.2.8p10-x86_64-1_slack14.0.txz
Slackware 14.1 package:
b36dd3b339aff2718dbd541a9f44b0a4 ntp-4.2.8p10-i486-1_slack14.1.txz
Slackware x86_64 14.1 package:
b55bc11c2aa8d0378005af5dbb105119 ntp-4.2.8p10-x86_64-1_slack14.1.txz
Slackware 14.2 package:
1e625a8f4732aa776992210eaac05f04 ntp-4.2.8p10-i586-1_slack14.2.txz
Slackware x86_64 14.2 package:
22f25f35765d0cb3ece21e5db79091cd ntp-4.2.8p10-x86_64-1_slack14.2.txz
Slackware -current package:
78de6454532d6c7d52242eadab528d64 n/ntp-4.2.8p10-i586-1.txz
Slackware x86_64 -current package:
0522a4270909826999d07567e9a9de56 n/ntp-4.2.8p10-x86_64-1.txz
Installation instructions:
+------------------------+
Upgrade the package as root:
# upgradepkg ntp-4.2.8p10-i586-1_slack14.2.txz
Then, restart the NTP daemon:
# sh /etc/rc.d/rc.ntpd restart
NOTE: On Slackware -current, first install the new etc package, and then
be sure to move the .new config files and rc.ntpd script into place before
restarting!
+-----+
Slackware Linux Security Team
http://slackware.com/gpg-key
security@slackware.com
+------------------------------------------------------------------------+
| To leave the slackware-security mailing list: |
+------------------------------------------------------------------------+
| Send an email to majordomo@slackware.com with this text in the body of |
| the email message: |
| |
| unsubscribe slackware-security |
| |
| You will get a confirmation message back containing instructions to |
| complete the process. Please do not reply to this email address. |
+------------------------------------------------------------------------+
-----BEGIN PGP SIGNATURE-----
iEYEARECAAYFAlj7hzYACgkQakRjwEAQIjNVhACdF5bLXhg1/7iHS02DHm90m59w
Iv8AnR5vpRBWUQDw3267R3QPXEkAnI3f
=0ZW2
-----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
APPLE-SA-2017-09-25-1 macOS High Sierra 10.13
macOS High Sierra 10.13 is now available and addresses the following:
Application Firewall
Available for: OS X Lion v10.8 and later
Impact: A previously denied application firewall setting may take
effect after upgrading
Description: An upgrade issue existed in the handling of firewall
settings. This issue was addressed through improved handling of
firewall settings during upgrades.
CVE-2017-7084: an anonymous researcher
AppSandbox
Available for: OS X Lion v10.8 and later
Impact: An application may be able to cause a denial of service
Description: Multiple denial of service issues were addressed through
improved memory handling.
CVE-2017-7074: Daniel Jalkut of Red Sweater Software
Captive Network Assistant
Available for: OS X Lion v10.8 and later
Impact: A local user may unknowingly send a password unencrypted over
the network
Description: The security state of the captive portal browser was not
obvious. This issue was addressed with improved visibility of the
captive portal browser security state.
CVE-2017-7143: an anonymous researcher
CFNetwork Proxies
Available for: OS X Lion v10.8 and later
Impact: An attacker in a privileged network position may be able to
cause a denial of service
Description: Multiple denial of service issues were addressed through
improved memory handling.
CVE-2017-7083: Abhinav Bansal of Zscaler Inc.
CoreAudio
Available for: OS X Lion v10.8 and later
Impact: An application may be able to read restricted memory
Description: An out-of-bounds read was addressed by updating to Opus
version 1.1.4.
CVE-2017-0381: V.E.O (@VYSEa) of Mobile Threat Research Team, Trend
Micro
Directory Utility
Available for: OS X Lion v10.8 and later
Impact: A local attacker may be able to determine the Apple ID of the
owner of the computer
Description: A permissions issue existed in the handling of the Apple
ID. This issue was addressed with improved access controls.
CVE-2017-7138: an anonymous researcher
file
Available for: OS X Lion v10.8 and later
Impact: Multiple issues in file
Description: Multiple issues were addressed by updating to version
5.30.
CVE-2017-7121: found by OSS-Fuzz
CVE-2017-7122: found by OSS-Fuzz
CVE-2017-7123: found by OSS-Fuzz
CVE-2017-7124: found by OSS-Fuzz
CVE-2017-7125: found by OSS-Fuzz
CVE-2017-7126: found by OSS-Fuzz
Heimdal
Available for: OS X Lion v10.8 and later
Impact: An attacker in a privileged network position may be able to
impersonate a service
Description: A validation issue existed in the handling of the KDC-
REP service name. This issue was addressed through improved
validation.
CVE-2017-11103: Jeffrey Altman, Viktor Duchovni, and Nico Williams
IOFireWireFamily
Available for: OS X Lion v10.8 and later
Impact: An application may be able to execute arbitrary code with
system privileges
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2017-7077: Brandon Azad
IOFireWireFamily
Available for: OS X Lion v10.8 and later
Impact: An application may be able to read restricted memory
Description: A validation issue was addressed with improved input
sanitization.
CVE-2017-7119: Xiaolong Bai, Min (Spark) Zheng of Alibaba Inc.,
Benjamin Gnahm (@mitp0sh) of PDX
Kernel
Available for: OS X Lion v10.8 and later
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2017-7114: Alex Plaskett of MWR InfoSecurity
libc
Available for: OS X Lion v10.8 and later
Impact: A remote attacker may be able to cause a denial-of-service
Description: A resource exhaustion issue in glob() was addressed
through an improved algorithm.
CVE-2017-7086: Russ Cox of Google
libc
Available for: OS X Lion v10.8 and later
Impact: An application may be able to cause a denial of service
Description: A memory consumption issue was addressed through
improved memory handling.
CVE-2017-1000373
libexpat
Available for: OS X Lion v10.8 and later
Impact: Multiple issues in expat
Description: Multiple issues were addressed by updating to version
2.2.1
CVE-2016-9063
CVE-2017-9233
Mail
Available for: OS X Lion v10.8 and later
Impact: The sender of an email may be able to determine the IP
address of the recipient
Description: Turning off "Load remote content in messages" did not
apply to all mailboxes. This issue was addressed with improved
setting propagation.
CVE-2017-7141: an anonymous researcher
Mail Drafts
Available for: OS X Lion v10.8 and later
Impact: An attacker with a privileged network position may be able to
intercept mail contents
Description: An encryption issue existed in the handling of mail
drafts. This issue was addressed with improved handling of mail
drafts meant to be sent encrypted.
CVE-2017-7078: an anonymous researcher, an anonymous researcher, an
anonymous researcher
ntp
Available for: OS X Lion v10.8 and later
Impact: Multiple issues in ntp
Description: Multiple issues were addressed by updating to version
4.2.8p10
CVE-2017-6451: Cure53
CVE-2017-6452: Cure53
CVE-2017-6455: Cure53
CVE-2017-6458: Cure53
CVE-2017-6459: Cure53
CVE-2017-6460: Cure53
CVE-2017-6462: Cure53
CVE-2017-6463: Cure53
CVE-2017-6464: Cure53
CVE-2016-9042: Matthew Van Gundy of Cisco
Screen Lock
Available for: OS X Lion v10.8 and later
Impact: Application Firewall prompts may appear over Login Window
Description: A window management issue was addressed through improved
state management.
CVE-2017-7082: Tim Kingman
Security
Available for: OS X Lion v10.8 and later
Impact: A revoked certificate may be trusted
Description: A certificate validation issue existed in the handling
of revocation data. This issue was addressed through improved
validation.
CVE-2017-7080: Sven Driemecker of adesso mobile solutions gmbh, Rune
Darrud (@theflyingcorpse) of Bærum kommune, an anonymous researcher,
an anonymous researcher
SQLite
Available for: OS X Lion v10.8 and later
Impact: Multiple issues in SQLite
Description: Multiple issues were addressed by updating to version
3.19.3.
CVE-2017-10989: found by OSS-Fuzz
CVE-2017-7128: found by OSS-Fuzz
CVE-2017-7129: found by OSS-Fuzz
CVE-2017-7130: found by OSS-Fuzz
SQLite
Available for: OS X Lion v10.8 and later
Impact: An application may be able to execute arbitrary code with
system privileges
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2017-7127: an anonymous researcher
WebKit
Available for: OS X Lion v10.8 and later
Impact: A malicious website may be able to track users in Safari
private browsing mode
Description: A permissions issue existed in the handling of web
browser cookies. This issue was addressed with improved restrictions.
CVE-2017-7144: an anonymous researcher
zlib
Available for: OS X Lion v10.8 and later
Impact: Multiple issues in zlib
Description: Multiple issues were addressed by updating to version
1.2.11.
CVE-2016-9840
CVE-2016-9841
CVE-2016-9842
CVE-2016-9843
Additional recognition
Security
We would like to acknowledge Abhinav Bansal of Zscaler, Inc.
for their assistance.
Installation note:
macOS 10.13 may be obtained from the Mac App Store or
Apple's Software Downloads web site:
https://www.apple.com/support/downloads/
Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - https://gpgtools.org
=wBKW
-----END PGP SIGNATURE-----
==========================================================================
Ubuntu Security Notice USN-3349-1
July 05, 2017
ntp vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 17.04
- Ubuntu 16.10
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS
Summary:
Several security issues were fixed in NTP.
Software Description:
- ntp: Network Time Protocol daemon and utility programs
Details:
Yihan Lian discovered that NTP incorrectly handled certain large request
data values. A remote attacker could possibly use this issue to cause NTP
to crash, resulting in a denial of service. This issue only affected
Ubuntu 16.04 LTS. (CVE-2016-2519)
Miroslav Lichvar discovered that NTP incorrectly handled certain spoofed
addresses when performing rate limiting. A remote attacker could possibly
use this issue to perform a denial of service. This issue only affected
Ubuntu 14.04 LTS, Ubuntu 16.04 LTS, and Ubuntu 16.10. (CVE-2016-7426)
Matthew Van Gundy discovered that NTP incorrectly handled certain crafted
broadcast mode packets. A remote attacker could possibly use this issue to
perform a denial of service. This issue only affected Ubuntu 14.04 LTS,
Ubuntu 16.04 LTS, and Ubuntu 16.10. (CVE-2016-7427, CVE-2016-7428)
Miroslav Lichvar discovered that NTP incorrectly handled certain responses.
A remote attacker could possibly use this issue to perform a denial of
service. This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS, and
Ubuntu 16.10. (CVE-2016-7429)
Sharon Goldberg and Aanchal Malhotra discovered that NTP incorrectly
handled origin timestamps of zero. A remote attacker could possibly use
this issue to bypass the origin timestamp protection mechanism. This issue
only affected Ubuntu 16.10. (CVE-2016-7431)
Brian Utterback, Sharon Goldberg and Aanchal Malhotra discovered that NTP
incorrectly performed initial sync calculations. This issue only applied
to Ubuntu 16.04 LTS and Ubuntu 16.10. (CVE-2016-7433)
Magnus Stubman discovered that NTP incorrectly handled certain mrulist
queries. A remote attacker could possibly use this issue to cause NTP to
crash, resulting in a denial of service. This issue only affected Ubuntu
16.04 LTS and Ubuntu 16.10. (CVE-2016-7434)
Matthew Van Gundy discovered that NTP incorrectly handled origin timestamp
checks. A remote attacker could possibly use this issue to perform a denial
of service. This issue only affected Ubuntu 16.10 and Ubuntu 17.04.
(CVE-2016-9042)
Matthew Van Gundy discovered that NTP incorrectly handled certain control
mode packets. A remote attacker could use this issue to set or unset traps.
This issue only applied to Ubuntu 14.04 LTS, Ubuntu 16.04 LTS and Ubuntu
16.10. (CVE-2016-9310)
Matthew Van Gundy discovered that NTP incorrectly handled the trap service.
A remote attacker could possibly use this issue to cause NTP to crash,
resulting in a denial of service. This issue only applied to Ubuntu 14.04
LTS, Ubuntu 16.04 LTS and Ubuntu 16.10. (CVE-2016-9311)
It was discovered that NTP incorrectly handled memory when processing long
variables. A remote authenticated user could possibly use this issue to
cause NTP to crash, resulting in a denial of service. (CVE-2017-6458)
It was discovered that NTP incorrectly handled memory when processing long
variables. A remote authenticated user could possibly use this issue to
cause NTP to crash, resulting in a denial of service. This issue only
applied to Ubuntu 16.04 LTS, Ubuntu 16.10 and Ubuntu 17.04. (CVE-2017-6460)
It was discovered that the NTP legacy DPTS refclock driver incorrectly
handled the /dev/datum device. A local attacker could possibly use this
issue to cause a denial of service. (CVE-2017-6462)
It was discovered that NTP incorrectly handled certain invalid settings
in a :config directive. A remote authenticated user could possibly use
this issue to cause NTP to crash, resulting in a denial of service.
(CVE-2017-6463)
It was discovered that NTP incorrectly handled certain invalid mode
configuration directives. A remote authenticated user could possibly use
this issue to cause NTP to crash, resulting in a denial of service.
(CVE-2017-6464)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 17.04:
ntp 1:4.2.8p9+dfsg-2ubuntu1.1
Ubuntu 16.10:
ntp 1:4.2.8p8+dfsg-1ubuntu2.1
Ubuntu 16.04 LTS:
ntp 1:4.2.8p4+dfsg-3ubuntu5.5
Ubuntu 14.04 LTS:
ntp 1:4.2.6.p5+dfsg-3ubuntu2.14.04.11
In general, a standard system update will make all the necessary changes.
References:
https://www.ubuntu.com/usn/usn-3349-1
CVE-2016-2519, CVE-2016-7426, CVE-2016-7427, CVE-2016-7428,
CVE-2016-7429, CVE-2016-7431, CVE-2016-7433, CVE-2016-7434,
CVE-2016-9042, CVE-2016-9310, CVE-2016-9311, CVE-2017-6458,
CVE-2017-6460, CVE-2017-6462, CVE-2017-6463, CVE-2017-6464
Package Information:
https://launchpad.net/ubuntu/+source/ntp/1:4.2.8p9+dfsg-2ubuntu1.1
https://launchpad.net/ubuntu/+source/ntp/1:4.2.8p8+dfsg-1ubuntu2.1
https://launchpad.net/ubuntu/+source/ntp/1:4.2.8p4+dfsg-3ubuntu5.5
https://launchpad.net/ubuntu/+source/ntp/1:4.2.6.p5+dfsg-3ubuntu2.14.04.11
| VAR-201703-0686 | CVE-2017-0453 | Qualcomm Wi-Fi driver privilege escalation vulnerability |
CVSS V2: 7.6 CVSS V3: 7.0 Severity: HIGH |
An elevation of privilege vulnerability in the Qualcomm Wi-Fi driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10. Android ID: A-33979145. References: QC-CR#1105085. Google Android is prone to multiple privilege-escalation vulnerabilities.
These issues are being tracked by Android Bug IDs A-32940193, A-33979145 and A-32835279.
| VAR-201703-0203 | CVE-2016-8236 | Multiple Lenovo ThinkServer TSM products reset vulnerability |
CVSS V2: 5.0 CVSS V3: 7.5 Severity: HIGH |
Reset to default settings may occur in Lenovo ThinkServer TSM RD350, RD450, RD550, RD650, TD350 during a prolonged broadcast storm in TSM versions earlier than 3.77. The Lenovo ThinkServer System Manager (TSM) is the Baseboard Management Controller (BMC) embedded in the Lenovo ThinkServer RD350 and related servers to manage and monitor server status. A security vulnerability exists in TSM versions prior to 3.77 on several Lenovo ThinkServer systems. The following products are affected: Lenovo ThinkServer RD350, ThinkServer RD450, ThinkServer RD550, ThinkServer RD650, and ThinkServer TD350.
| VAR-201703-1043 | CVE-2017-6432 | Dahua DHI-HCVR7216A-S3 vulnerability allowing creation of a new fully privileged user on the device |
CVSS V2: 9.3 CVSS V3: 8.1 Severity: HIGH |
An issue was discovered on Dahua DHI-HCVR7216A-S3 3.210.0001.10 build 2016-06-06 devices. The Dahua DVR Protocol, which operates on TCP Port 37777, is an unencrypted, binary protocol. Performing a Man-in-the-Middle attack allows both sniffing and injection of packets, which allows creation of fully privileged new users, in addition to capture of sensitive information. Dahua DHI-HCVR7216A-S3 is a network hard disk recorder product of Dahua Company of China. A man-in-the-middle attack vulnerability exists in Dahua DHI-HCVR7216A-S3 V3.210.0001.10 build 2016-06-06. Devices using the following software and firmware are affected: NVR firmware 3.210.0001.10 build 2016-6-6, camera firmware 2.400.0000.28.R build 2016-3-29, the Android-based gDSS software, and SmartPSS software 1.16.1 build date 2017-01-19.
| VAR-201710-1334 | CVE-2017-9368 | BlackBerry Workspaces Server Vulnerable to information disclosure |
CVSS V2: 5.0 CVSS V3: 7.5 Severity: HIGH |
An information disclosure vulnerability in the BlackBerry Workspaces Server could result in an attacker gaining access to source code for server-side applications by crafting a request for specific files. xComfort Ethernet Communication Interface (ECI) is a building automation system. An information disclosure vulnerability exists in Eaton xComfort Ethernet Communication Interface (ECI) version 1.07 and earlier, which allows unauthenticated remote attackers to access backup files and system logs. Eaton xComfort Ethernet Communication Interface is prone to an information-disclosure vulnerability.
An attacker can exploit this issue to gain access to sensitive information that may lead to further attacks.
Eaton xComfort Ethernet Communication Interface 1.07 and prior versions are vulnerable
| VAR-201711-0245 | CVE-2017-2729 | Honor 5A Buffer error vulnerability in smartphone software |
CVSS V2: 9.3 CVSS V3: 7.8 Severity: HIGH |
The boot loaders in Honor 5A smart phones with software versions earlier than CAM-TL00C01B193, versions earlier than CAM-TL00HC00B193, and versions earlier than CAM-UL00C00B193 have a buffer overflow vulnerability. An attacker with root privilege on the Android system may trick a user into installing a malicious app. The app can modify specific data to cause a buffer overflow on the next system reboot, causing continuous system reboots or arbitrary code execution. Honor 5A smartphone software contains a buffer error vulnerability. Successful exploitation may result in information disclosure, information tampering, or denial of service (DoS). The Huawei Honor 5A is a smartphone from China's Huawei. A buffer overflow vulnerability exists in the Huawei Honor 5A bootloader.
An attacker can exploit this issue to crash the affected application, denying service to legitimate users, or to execute arbitrary code
| VAR-201703-1387 | No CVE | Suricata IDS Security Bypass Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Suricata IDS is a network intrusion detection system, intrusion prevention system and network security monitoring engine. A security bypass vulnerability exists in Suricata IDS. Because of a logic flaw, an attacker can exploit the vulnerability to bypass security restrictions.
| VAR-201703-1390 | No CVE | Netgear DGN2201 dnslookup.cgi Remote Command Execution Vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
The Netgear DGN2201 is a popular wireless router. A remote command execution vulnerability exists in the Netgear DGN2201's dnslookup.cgi that could allow an attacker to gain administrator privileges.
| VAR-201705-3750 | CVE-2017-7967 | Schneider Electric VAMPSET Local Memory Corruption Vulnerability |
CVSS V2: 2.1 CVSS V3: 5.5 Severity: MEDIUM |
All versions of VAMPSET software produced by Schneider Electric, prior to V2.2.189, are susceptible to a memory corruption vulnerability when a corrupted vf2 file is used. This vulnerability causes the software to halt or not start when trying to open the corrupted file. This vulnerability occurs when a settings file is intentionally malformed and is opened in standalone mode, without connection to a protection relay. This attack is not considered to be remotely exploitable. This vulnerability has no effect on the operation of the protection relay to which VAMPSET is connected. As the Windows operating system remains operational and VAMPSET responds, it can be shut down through its normal closing procedure. Schneider Electric VAMPSET software contains a buffer error vulnerability that may result in denial of service (DoS). VAMPSET is software from Schneider Electric (France), deployed in the energy industry to configure and maintain multiple relays and arc monitors. An attacker could exploit this vulnerability to execute arbitrary code in the context of the user running the affected application or to cause a denial-of-service condition. Failed exploit attempts will likely cause denial-of-service conditions
| VAR-201804-0657 | CVE-2017-6425 | Qualcomm Video driver information disclosure vulnerability |
CVSS V2: 4.3 CVSS V3: 3.3 Severity: LOW |
An information disclosure vulnerability in the Qualcomm video driver. Product: Android. Versions: Android kernel. Android ID: A-32577085. References: QC-CR#1103689. This vulnerability is published as Android ID A-32577085 and Qualcomm QC-CR#1103689. Information may be obtained. Google Pixel/Pixel XL are smartphones from Google Inc. in the United States. An attacker could exploit this vulnerability to obtain potentially sensitive information that could lead to further attacks. Google Pixel/Pixel XL are prone to an information-disclosure vulnerability. Information obtained may aid in further attacks
| VAR-201704-0947 | CVE-2017-2111 | Multiple I-O DATA network camera products vulnerable to HTTP header injection |
CVSS V2: 4.3 CVSS V3: 6.1 Severity: MEDIUM |
HTTP header injection vulnerability in TS-WPTCAM firmware version 1.18 and earlier, TS-WPTCAM2 firmware version 1.00, TS-WLCE firmware version 1.18 and earlier, TS-WLC2 firmware version 1.18 and earlier, TS-WRLC firmware version 1.17 and earlier, TS-PTCAM firmware version 1.18 and earlier, TS-PTCAM/POE firmware version 1.18 and earlier may allow remote attackers to display false information. Multiple network camera products provided by I-O DATA DEVICE, INC. contain an HTTP header injection vulnerability. Takayoshi Isayama of Mitsui Bussan Secure Directions, Inc. reported respective vulnerabilities to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Forged information may be displayed on the logged-in user's web browser by exploiting HTTP response splitting. I-O DATA TS-WLC2 and similar models are network cameras from I-O DATA DEVICE, Japan.
Remote attackers can exploit these issues to execute arbitrary code, cause denial-of-service conditions, or insert a crafted HTTP header into an HTTP response that could redirect a web page to a possibly malicious website. Affected products include I-O DATA TS-WLC2 and others
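The response-splitting mechanism behind this entry is worth seeing end to end. The following is an added example, not I-O DATA firmware and not part of this database record: a handler copies a URL-decoded `next` parameter into a Location header. The vulnerable builder lets an encoded CR/LF pair end the header line and, doubled, end the header block, so the attacker's text is parsed as a second, forged response; the hardened builder rejects control characters and restricts the target to a same-origin path. The handler shape, parameter name and payload are constructed.

```python
"""HTTP header injection (response splitting) via a reflected redirect target,
with a hardened builder beside it.

Added example, not I-O DATA firmware. The handler shape (a `next` parameter
copied into a Location header) and the payload are constructed.
"""
from urllib.parse import unquote, urlsplit

CRLF = "\r\n"


def build_redirect_vulnerable(next_param: str) -> bytes:
    """URL-decodes the parameter and concatenates it into the header block.
    Any %0d%0a in it ends the Location line; two of them end the headers."""
    target = unquote(next_param)
    return (
        f"HTTP/1.1 302 Found{CRLF}"
        f"Location: {target}{CRLF}"
        f"Content-Length: 0{CRLF}{CRLF}"
    ).encode("latin-1")


def safe_redirect_target(next_param: str) -> str:
    """Return the decoded target, or raise ValueError if it cannot be placed
    in a header safely. Control characters are checked before urlsplit(),
    because urlsplit() silently strips CR/LF/TAB and would hide them."""
    target = unquote(next_param)
    if any(ch in target for ch in "\r\n\x00"):
        raise ValueError("control character in redirect target")
    parts = urlsplit(target)
    # Same-origin paths only: no scheme, no host, no protocol-relative '//host'.
    if parts.scheme or parts.netloc or not target.startswith("/"):
        raise ValueError("redirect target must be a same-origin path")
    return target


def build_redirect_hardened(next_param: str) -> bytes:
    target = safe_redirect_target(next_param)
    return (
        f"HTTP/1.1 302 Found{CRLF}"
        f"Location: {target}{CRLF}"
        f"Content-Length: 0{CRLF}{CRLF}"
    ).encode("latin-1")


def count_responses(raw: bytes) -> int:
    """Count lines that look like an HTTP status line. A browser or caching
    proxy reading the vulnerable output treats the second one as a fresh
    response, which is how the forged page gets displayed."""
    return sum(1 for line in raw.split(b"\r\n") if line.startswith(b"HTTP/1."))


# Constructed attacker payload: terminates the 302, then supplies a forged 200.
FORGED_BODY = "<h1>Forged page</h1>"
SPLIT_PAYLOAD = (
    "/%0d%0aContent-Length:%200%0d%0a%0d%0a"
    "HTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0a"
    f"Content-Length:%20{len(FORGED_BODY)}%0d%0a%0d%0a{FORGED_BODY}"
)

if __name__ == "__main__":
    print(build_redirect_vulnerable(SPLIT_PAYLOAD).decode("latin-1"))
    print("responses seen:", count_responses(build_redirect_vulnerable(SPLIT_PAYLOAD)))
```

Rejecting CR/LF is the fix for the injection; the same-origin restriction is a separate control against open redirects, included because the two are normally fixed together in a redirect handler.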
| VAR-201704-0948 | CVE-2017-2112 | Multiple I-O DATA network camera products vulnerable to OS command injection |
CVSS V2: 8.3 CVSS V3: 8.8 Severity: HIGH |
TS-WPTCAM firmware version 1.18 and earlier, TS-WPTCAM2 firmware version 1.00, TS-WLCE firmware version 1.18 and earlier, TS-WLC2 firmware version 1.18 and earlier, TS-WRLC firmware version 1.17 and earlier, TS-PTCAM firmware version 1.18 and earlier, TS-PTCAM/POE firmware version 1.18 and earlier allow remote attackers to execute arbitrary OS commands via unspecified vectors. Multiple network camera products provided by I-O DATA DEVICE, INC. contain an OS command injection vulnerability. Taizoh Tsukamoto of Mitsui Bussan Secure Directions, Inc. reported respective vulnerabilities to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. A remote unauthenticated attacker may execute an arbitrary OS command on the product. I-O DATA TS-WLC2 and similar models are network cameras from I-O DATA DEVICE, Japan.
Remote attackers can exploit these issues to execute arbitrary code, cause denial-of-service conditions, or insert a crafted HTTP header into an HTTP response that could redirect a web page to a possibly malicious website. Affected products include I-O DATA TS-WLC2 and others
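Both this I-O DATA entry and the Netgear DGN2201 dnslookup.cgi entry above are the same embedded-web pattern: a CGI handler pastes a request parameter into a shell command line. The code below is an added example for both, not Netgear or I-O DATA firmware; neither advisory names the injected parameter, so the hostname-to-nslookup handler is an assumption. Neither function executes anything: the vulnerable one returns the shell line it would hand to the system shell, the hardened one returns a validated argv list for `subprocess.run(..., shell=False)`, and a small tokeniser shows how the shell would have split the injected line.

```python
"""OS command injection in a 'DNS lookup' CGI handler, with a hardened form.

Added example, not Netgear or I-O DATA code. The handler (a hostname passed to
nslookup) is an assumption. Nothing here executes a command.
"""
import re
import shlex

# RFC 1123 host name: labels of 1-63 alphanumerics/hyphens, not starting or
# ending with a hyphen, total length at most 253, optional trailing dot.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
    r"(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*\.?$",
    re.IGNORECASE,
)


def lookup_command_vulnerable(host: str) -> str:
    """Builds a line for os.system()/popen(). Any shell metacharacter in
    `host` (; | && ` $( ) becomes part of the command."""
    return f"nslookup {host}"


def lookup_command_hardened(host: str) -> list:
    """Validates the hostname and returns an argv list. Pass it to
    subprocess.run(argv, shell=False): no shell, so no metacharacters.
    A leading '-' is excluded by the regex, so option injection into
    nslookup is not possible either."""
    if not HOSTNAME_RE.match(host):
        raise ValueError(f"invalid hostname: {host!r}")
    return ["nslookup", host]


def shell_would_run(cmdline: str) -> list:
    """Approximate /bin/sh's view of the line: the separate commands it would
    execute, split on ; && || | and newline, each tokenised like the shell."""
    parts = re.split(r"\s*(?:;|&&|\|\||\||\n)\s*", cmdline)
    return [shlex.split(p) for p in parts if p]


if __name__ == "__main__":
    payload = "example.com; cat /etc/passwd"
    print(shell_would_run(lookup_command_vulnerable(payload)))
    try:
        lookup_command_hardened(payload)
    except ValueError as e:
        print("rejected:", e)
```

The allow-list regex is deliberately stricter than "escape the dangerous characters": escaping has to be right for the exact shell on the device, whereas an argv list with `shell=False` removes the shell from the path entirely.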
| VAR-201704-0949 | CVE-2017-2113 | Multiple I-O DATA network camera products vulnerable to buffer overflow |
CVSS V2: 8.3 CVSS V3: 8.8 Severity: HIGH |
Buffer overflow in TS-WPTCAM firmware version 1.18 and earlier, TS-WPTCAM2 firmware version 1.00, TS-WLCE firmware version 1.18 and earlier, TS-WLC2 firmware version 1.18 and earlier, TS-WRLC firmware version 1.17 and earlier, TS-PTCAM firmware version 1.18 and earlier, TS-PTCAM/POE firmware version 1.18 and earlier allows remote attackers to execute arbitrary OS commands via unspecified vectors. Multiple network camera products provided by I-O DATA DEVICE, INC. contain a buffer overflow vulnerability. Taizoh Tsukamoto of Mitsui Bussan Secure Directions, Inc. reported respective vulnerabilities to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. A remote unauthenticated attacker may execute an arbitrary OS command on the product. I-O DATA TS-WLC2 and similar models are network cameras from I-O DATA DEVICE, Japan.
Remote attackers can exploit these issues to execute arbitrary code, cause denial-of-service conditions, or insert a crafted HTTP header into an HTTP response that could redirect a web page to a possibly malicious website. Affected products include I-O DATA TS-WLC2 and others
| VAR-201704-0649 | CVE-2017-3848 | Cisco Prime Infrastructure of HTTP Web-based management interface vulnerable to cross-site scripting attacks |
CVSS V2: 4.3 CVSS V3: 6.1 Severity: MEDIUM |
A vulnerability in the HTTP web-based management interface of Cisco Prime Infrastructure could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web interface of the affected system. More Information: CSCuw63001 CSCuw63003. Known Affected Releases: 2.2(2). Known Fixed Releases: 3.1(0.0).
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
This issue is being tracked by Cisco Bug IDs CSCuw63001 and CSCuw63003. Cisco Prime Infrastructure (PI) is a Cisco wireless management solution that combines Cisco Prime LAN Management Solution (LMS) and Cisco Prime Network Control System (NCS) technology
| VAR-201703-0642 | CVE-2017-2685 | Siemens SINUMERIK Integrate Operate Client TLS session data read and manipulation vulnerability |
CVSS V2: 5.8 CVSS V3: 7.4 Severity: HIGH |
Siemens SINUMERIK Integrate Operate Clients between 2.0.3.00.016 (including) and 2.0.6 (excluding) and between 3.0.4.00.032 (including) and 3.0.6 (excluding) contain a vulnerability that could allow an attacker to read and manipulate data in TLS sessions while performing a man-in-the-middle (MITM) attack. Siemens SINUMERIK Integrate Operate Client is the client component of SINUMERIK Integrate for the SINUMERIK numerical control system from Siemens AG. A man-in-the-middle security bypass vulnerability exists in Siemens SINUMERIK Integrate Operate Clients. Multiple Siemens products are prone to a security-bypass vulnerability.
Successfully exploiting this issue may allow attackers to bypass certain security restrictions and perform unauthorized actions by conducting a man-in-the-middle attack. This may lead to other attacks
| VAR-201703-0712 | CVE-2017-3826 | Cisco NetFlow Generation Appliance software Stream Control Transmission Protocol decoder denial of service (DoS) vulnerability |
CVSS V2: 5.0 CVSS V3: 7.5 Severity: HIGH |
A vulnerability in the Stream Control Transmission Protocol (SCTP) decoder of the Cisco NetFlow Generation Appliance (NGA) with software before 1.1(1a) could allow an unauthenticated, remote attacker to cause the device to hang or unexpectedly reload, causing a denial of service (DoS) condition. The vulnerability is due to incomplete validation of SCTP packets being monitored on the NGA data ports. An attacker could exploit this vulnerability by sending malformed SCTP packets on a network that is monitored by an NGA data port. SCTP packets addressed to the IP address of the NGA itself will not trigger this vulnerability. An exploit could allow the attacker to cause the appliance to become unresponsive or reload, causing a DoS condition. User interaction could be needed to recover the device using the reboot command from the CLI. The following Cisco NetFlow Generation Appliances are vulnerable: NGA 3140, NGA 3240, NGA 3340. Cisco Bug IDs: CSCvc83320. The vendor has confirmed this vulnerability and published it as Bug ID CSCvc83320. A remote attacker could disrupt service operation (device hang or reload).
Attackers can exploit this issue to reload the affected device, denying service to legitimate users. Cisco NetFlow Generation Appliance (NGA) is a scalable data center traffic visibility solution from Cisco that provides traffic analysis and related management functions. The SCTP decoder is the component that parses Stream Control Transmission Protocol traffic. A denial of service vulnerability exists in the SCTP decoder of Cisco NGA 3140, 3240 and 3340 appliances with software before 1.1(1a)
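The advisory attributes the hang to incomplete validation of monitored SCTP packets, which is the classic failure of a passive decoder: it trusts the length fields it reads off the wire. The decoder below is an added example of the checks such a decoder needs, not Cisco code and not a description of the NGA's actual bug: it walks the SCTP common header and chunk list from RFC 4960 and rejects a chunk length that is smaller than the 4-byte chunk header (a naive loop that advances by that length spins forever on zero) or larger than what remains in the packet (a naive read runs off the buffer). The sample packets are constructed.

```python
"""Defensive SCTP common-header and chunk walker.

Added example of the validation a passive decoder needs; not Cisco code and
not the NGA's own logic. The sample packets are constructed; the checksum is
not verified here.
"""
import struct

COMMON_HDR = struct.Struct("!HHII")   # src port, dst port, verification tag, checksum
CHUNK_HDR = struct.Struct("!BBH")     # type, flags, length (header included, padding excluded)


class MalformedSCTP(ValueError):
    """Raised instead of hanging or over-reading on a bad packet."""


def decode_sctp(packet: bytes, max_chunks: int = 64) -> dict:
    """Return the common header fields and a list of (type, flags, value) chunks.

    Every offset is checked against len(packet) before it is used, and the chunk
    length is checked against both its minimum (4) and the bytes remaining, so
    a crafted length can neither stall the loop nor index past the buffer."""
    if len(packet) < COMMON_HDR.size:
        raise MalformedSCTP("truncated common header")
    sport, dport, vtag, _checksum = COMMON_HDR.unpack_from(packet, 0)
    chunks = []
    off = COMMON_HDR.size
    while off < len(packet):
        if len(chunks) >= max_chunks:
            raise MalformedSCTP("too many chunks")         # bounds the work per packet
        if len(packet) - off < CHUNK_HDR.size:
            raise MalformedSCTP(f"truncated chunk header at offset {off}")
        ctype, flags, length = CHUNK_HDR.unpack_from(packet, off)
        if length < CHUNK_HDR.size:
            # RFC 4960 3.2: length includes the 4-byte header, so < 4 is invalid.
            # A decoder that does `off += length` without this check never advances.
            raise MalformedSCTP(f"chunk length {length} < 4 at offset {off}")
        if off + length > len(packet):
            raise MalformedSCTP(f"chunk length {length} exceeds packet at offset {off}")
        chunks.append((ctype, flags, packet[off + CHUNK_HDR.size: off + length]))
        off += (length + 3) & ~3        # chunks are padded to a 4-byte boundary
    return {"sport": sport, "dport": dport, "vtag": vtag, "chunks": chunks}


def build_packet(chunks, sport=36412, dport=36412, vtag=0x12345678) -> bytes:
    """Construct a well-formed packet for the samples (checksum left as 0)."""
    body = b""
    for ctype, flags, value in chunks:
        length = CHUNK_HDR.size + len(value)
        body += CHUNK_HDR.pack(ctype, flags, length) + value + b"\x00" * ((-length) % 4)
    return COMMON_HDR.pack(sport, dport, vtag, 0) + body


# Constructed samples: one valid packet (INIT + HEARTBEAT, the latter needing
# padding) and two malformed ones that target the two unchecked-length failures.
VALID_SAMPLE = build_packet([(1, 0, b"\x00" * 16), (4, 0, b"hello")])
ZERO_LENGTH_SAMPLE = COMMON_HDR.pack(36412, 36412, 0x12345678, 0) + CHUNK_HDR.pack(1, 0, 0) + b"\x00" * 4
OVERLONG_SAMPLE = COMMON_HDR.pack(36412, 36412, 0x12345678, 0) + CHUNK_HDR.pack(1, 0, 100) + b"\x00" * 10

if __name__ == "__main__":
    print(decode_sctp(VALID_SAMPLE))
    for sample in (ZERO_LENGTH_SAMPLE, OVERLONG_SAMPLE):
        try:
            decode_sctp(sample)
        except MalformedSCTP as e:
            print("rejected:", e)
```

The same two checks (minimum length and remaining-bytes bound) plus a per-packet iteration cap are what to look for when reviewing any TLV walker in a monitoring appliance; a decoder on a span port cannot rely on the endpoints to have filtered the traffic first.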