VARIoT IoT vulnerabilities database

Buffer overflow in Advantech WebAccess before 8.1_20160519 allows local users to cause a denial of service via a crafted DLL file. Advantech WebAccess (formerly known as BroadWin WebAccess) is a suite of browser-based HMI/SCADA software from Advantech. The software supports dynamic graphical display and real-time data control, and provides the ability to remotely control and manage automation equipment. A buffer overflow vulnerability exists in versions prior to Advantech WebAccess 8.1_20160519. An attacker could exploit this vulnerability to insert and execute arbitrary code with a specially crafted DLL file. Advantech WebAccess is prone to the following security vulnerabilities: 1. Unsafe ActiveX control local security vulnerability 2. A local buffer-overflow vulnerability Local attackers can exploit these issues to perform unauthorized actions and crash the affected application; denying service to legitimate users. Due to the nature of these issues, code-execution may be possible but this has not been confirmed

Cross-site scripting (XSS) vulnerability in the Schneider Electric PowerLogic PM8ECC module before 2.651 for PowerMeter 800 devices allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Schneider Electric PowerLogic PM8ECC is a communication module for Schneider Electric in France for the 800 series of meters. A remote attacker can use this vulnerability to inject arbitrary JavaScript code by sending a specially crafted URL request. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. Versions prior to Schneider ElectricPowerLogic PM8ECC 2.651 are affected

The General Packet Radio Switching Tunneling Protocol 1 (aka GTPv1) implementation on Cisco ASR 5000 Packet Data Network Gateway devices before 19.4 allows remote attackers to cause a denial of service (Session Manager process restart) via a crafted GTPv1 packet, aka Bug ID CSCuz46198. Vendors have confirmed this vulnerability Bug ID CSCuz46198 It is released as.Skillfully crafted by a third party GTPv1 Service disruption via packets ( Restart the Session Manager process ) There is a possibility of being put into a state. The Cisco ASR5000 Series is a 5000 series wireless controller product from Cisco. PacketDataNetworkGateway (aka PGW) is one of the packet data gateways. A security vulnerability exists in the implementation of the GeneralPacketRadioSwitchingTunnelingProtocolVersion1 (GTPv1) implementation of the Cisco ASR5000 SeriesPGW using software prior to 19.4. This issue is being tracked by Cisco Bug ID CSCuz46198

SQL injection vulnerability in the SQL database in Cisco Prime Collaboration Deployment before 11.5.1 allows remote authenticated users to execute arbitrary SQL commands via a crafted URL, aka Bug ID CSCuy92549. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. This issue is being tracked by Cisco Bug ID CSCuy92549

The MultipartStream class in Apache Commons Fileupload before 1.3.2, as used in Apache Tomcat 7.x before 7.0.70, 8.x before 8.0.36, 8.5.x before 8.5.3, and 9.x before 9.0.0.M7 and other products, allows remote attackers to cause a denial of service (CPU consumption) via a long boundary string. Apache Commons FileUpload provided by the Apache Software Foundation contains a flaw when processing multi-part requests, which may lead to a denial-of-service (DoS). TERASOLUNA FW(Struts1) Team of NTT DATA Corporation reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.Processing a specially crafted request may result in the server's CPU resources to be exhausted. Apache Commons FileUpload is prone to a remote denial-of-service vulnerability. Attackers can exploit this issue to cause the application to become unresponsive; resulting in a denial-of-service condition. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Note: the current version of the following document is available here: https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c05324759 SUPPORT COMMUNICATION - SECURITY BULLETIN Document ID: c05324759 Version: 2 HPSBUX03665 rev.2 - HP-UX Tomcat-based Servlet Engine, Remote Denial of Service (DoS) and URL Redirection NOTICE: The information in this Security Bulletin should be acted upon as soon as possible. Release Date: 2016-11-09 Last Updated: 2016-11-08 Potential Security Impact: Remote: Denial of Service (DoS), URL Redirection Source: Hewlett Packard Enterprise, Product Security Response Team VULNERABILITY SUMMARY Potential security vulnerabilities have been identified in the HP-UX Tomcat-based Servlet Engine. These vulnerabilities could be exploited remotely to create a Denial of Service (DoS) and URL Redirection. References: - PSRT110272 - CVE-2016-3092 - Remote denial of Service (DoS) - CVE-2016-5388 - Remote URL Redirection - PSRT110255 SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed. - HP-UX Tomcat-based Servlet v.7.x Engine B.11.31 - Tomcat 7 prior to D.7.0.70.01 BACKGROUND CVSS Base Metrics ================= Reference, CVSS V3 Score/Vector, CVSS V2 Score/Vector CVE-2016-3092 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C) CVE-2016-5388 8.1 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H 5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P) Information on CVSS is documented in HPE Customer Notice HPSN-2008-002 here: https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c01345499 RESOLUTION HPE has provided the following software update to resolve the vulnerabilities in HP-UX Apache Tomcat 7 Servlet Engine: * Tomcat 7.0.70.01 for HP-UX Release B.11.31 (IPF and PA-RISC) + 64 bit Depot: HP_UX_11.31_HPUXWS24ATW-B501-11-31-64.depot + 32 bit Depot: HP_UX_11.31_HPUXWS24ATW-B501-11-31-32.depot * **Note:** The depot file can be found here: + <https://h20392.www2.hpe.com/portal/swdepot/displayProductInfo.do?productNumb r=HPUXWSATW501> **MANUAL ACTIONS: Yes - Update** Download and install the software update **PRODUCT SPECIFIC INFORMATION** HP-UX Software Assistant: HP-UX Software Assistant is an enhanced application that replaces HP-UX Security Patch Check. It analyzes all Security Bulletins issued by HPE and lists recommended actions that may apply to a specific HP-UX system. It can also download patches and create a depot automatically. For more information see: * <https://h20392.www2.hpe.com/portal/swdepot/displayProductInfo.do?productNumb r=B6834AA> The following text is for use by the HP-UX Software Assistant. AFFECTED VERSIONS HP-UX B.11.31 IA/PA =================== hpuxws22TOMCAT.TOMCAT hpuxws22TOMCAT.TOMCAT2 action: install revision D.7.0.70.01 or subsequent END AFFECTED VERSIONS HISTORY Version:1 (rev.1) - 4 November 2016 Initial release Version:2 (rev.2) - 8 November 2016 Removed extraneous text from background section Third Party Security Patches: Third party security patches that are to be installed on systems running Hewlett Packard Enterprise (HPE) software products should be applied in accordance with the customer's patch management policy. Support: For issues about implementing the recommendations of this Security Bulletin, contact normal HPE Services support channel. For other issues about the content of this Security Bulletin, send e-mail to security-alert@hpe.com. Report: To report a potential security vulnerability for any HPE supported product: Web form: https://www.hpe.com/info/report-security-vulnerability Email: security-alert@hpe.com Subscribe: To initiate a subscription to receive future HPE Security Bulletin alerts via Email: http://www.hpe.com/support/Subscriber_Choice Security Bulletin Archive: A list of recently released Security Bulletins is available here: http://www.hpe.com/support/Security_Bulletin_Archive Software Product Category: The Software Product Category is represented in the title by the two characters following HPSB. 3C = 3COM 3P = 3rd Party Software GN = HPE General Software HF = HPE Hardware and Firmware MU = Multi-Platform Software NS = NonStop Servers OV = OpenVMS PV = ProCurve ST = Storage Software UX = HP-UX Copyright 2016 Hewlett Packard Enterprise Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental,special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett Packard Enterprise and the names of Hewlett Packard Enterprise products referenced herein are trademarks of Hewlett Packard Enterprise in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners. It is based on JBoss Application Server 7 and incorporates multiple open-source projects to provide a complete Java EE platform solution. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Important: Red Hat JBoss Web Server security and enhancement update Advisory ID: RHSA-2017:0457-01 Product: Red Hat JBoss Web Server Advisory URL: https://rhn.redhat.com/errata/RHSA-2017-0457.html Issue date: 2017-03-07 CVE Names: CVE-2016-0762 CVE-2016-1240 CVE-2016-3092 CVE-2016-5018 CVE-2016-6325 CVE-2016-6794 CVE-2016-6796 CVE-2016-6797 CVE-2016-6816 CVE-2016-8735 CVE-2016-8745 ===================================================================== 1. Summary: An update is now available for Red Hat JBoss Web Server. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Description: Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector (mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat Native library. This release of Red Hat JBoss Web Server 3.1.0 serves as a replacement for Red Hat JBoss Web Server 3.0.3, and includes enhancements. Security Fix(es): * It was reported that the Tomcat init script performed unsafe file handling, which could result in local privilege escalation. (CVE-2016-1240) * It was discovered that the Tomcat packages installed certain configuration files read by the Tomcat initialization script as writeable to the tomcat group. A member of the group or a malicious web application deployed on Tomcat could use this flaw to escalate their privileges. (CVE-2016-6325) * The JmxRemoteLifecycleListener was not updated to take account of Oracle's fix for CVE-2016-3427. JMXRemoteLifecycleListener is only included in EWS 2.x and JWS 3.x source distributions. If you deploy a Tomcat instance built from source, using the EWS 2.x, or JWS 3.x distributions, an attacker could use this flaw to launch a remote code execution attack on your deployed instance. (CVE-2016-8735) * A denial of service vulnerability was identified in Commons FileUpload that occurred when the length of the multipart boundary was just below the size of the buffer (4096 bytes) used to read the uploaded file if the boundary was the typical tens of bytes long. (CVE-2016-3092) * It was discovered that the code that parsed the HTTP request line permitted invalid characters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the HTTP response. By manipulating the HTTP response the attacker could poison a web-cache, perform an XSS attack, or obtain sensitive information from requests other then their own. (CVE-2016-6816) * A bug was discovered in the error handling of the send file code for the NIO HTTP connector. This led to the current Processor object being added to the Processor cache multiple times allowing information leakage between requests including, and not limited to, session ID and the response body. (CVE-2016-8745) * The Realm implementations did not process the supplied password if the supplied user name did not exist. This made a timing attack possible to determine valid user names. Note that the default configuration includes the LockOutRealm which makes exploitation of this vulnerability harder. (CVE-2016-0762) * It was discovered that a malicious web application could bypass a configured SecurityManager via a Tomcat utility method that was accessible to web applications. (CVE-2016-5018) * It was discovered that when a SecurityManager is configured Tomcat's system property replacement feature for configuration files could be used by a malicious web application to bypass the SecurityManager and read system properties that should not be visible. (CVE-2016-6794) * It was discovered that a malicious web application could bypass a configured SecurityManager via manipulation of the configuration parameters for the JSP Servlet. (CVE-2016-6796) * It was discovered that it was possible for a web application to access any global JNDI resource whether an explicit ResourceLink had been configured or not. (CVE-2016-6797) The CVE-2016-6325 issue was discovered by Red Hat Product Security. Enhancement(s): * This enhancement update adds the Red Hat JBoss Web Server 3.1.0. These packages provide a number of enhancements over the previous version of Red Hat JBoss Web Server. Users of Red Hat JBoss Web Server are advised to upgrade to these updated packages, which add this enhancement. 3. Solution: Before applying the update, back up your existing Red Hat JBoss Web Server installation (including all applications and configuration files). The References section of this erratum contains a download link (you must log in to download the update). 4. Bugs fixed (https://bugzilla.redhat.com/): 1349468 - CVE-2016-3092 tomcat: Usage of vulnerable FileUpload package can result in denial of service 1367447 - CVE-2016-6325 tomcat: tomcat writable config files allow privilege escalation 1376712 - CVE-2016-1240 tomcat: unsafe chown of catalina.log in tomcat init script allows privilege escalation 1390493 - CVE-2016-6797 tomcat: unrestricted access to global resources 1390515 - CVE-2016-6796 tomcat: security manager bypass via JSP Servlet config parameters 1390520 - CVE-2016-6794 tomcat: system property disclosure 1390525 - CVE-2016-5018 tomcat: security manager bypass via IntrospectHelper utility function 1390526 - CVE-2016-0762 tomcat: timing attack in Realm implementation 1397484 - CVE-2016-6816 tomcat: HTTP Request smuggling vulnerability due to permitting invalid character in HTTP requests 1397485 - CVE-2016-8735 tomcat: Remote code execution vulnerability in JmxRemoteLifecycleListener 1403824 - CVE-2016-8745 tomcat: information disclosure due to incorrect Processor sharing 5. References: https://access.redhat.com/security/cve/CVE-2016-0762 https://access.redhat.com/security/cve/CVE-2016-1240 https://access.redhat.com/security/cve/CVE-2016-3092 https://access.redhat.com/security/cve/CVE-2016-5018 https://access.redhat.com/security/cve/CVE-2016-6325 https://access.redhat.com/security/cve/CVE-2016-6794 https://access.redhat.com/security/cve/CVE-2016-6796 https://access.redhat.com/security/cve/CVE-2016-6797 https://access.redhat.com/security/cve/CVE-2016-6816 https://access.redhat.com/security/cve/CVE-2016-8735 https://access.redhat.com/security/cve/CVE-2016-8745 https://access.redhat.com/security/updates/classification/#important https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=webserver&version=3.1.0 https://access.redhat.com/documentation/en-US/Red_Hat_JBoss_Web_Server/3/html-single/3.1_Release_Notes/index.html https://access.redhat.com/security/vulnerabilities/httpoxy https://access.redhat.com/solutions/2435491 6. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2017 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iD8DBQFYvwzSXlSAg2UNWIIRAtstAKC5zAokXNBQnXe+hb9GvSKpngKrSQCgqXa2 zb+BJhQtiHDygDSa59EWVvE= =ZskZ -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce . A remote attacker can take advantage of this flaw by sending file upload requests that cause the HTTP server using the Apache Commons Fileupload library to become unresponsive, preventing the server from servicing other requests. Apache Tomcat uses a package renamed copy of Apache Commons FileUpload to implement the file upload requirements of the Servlet specification and is therefore also vulnerable to the denial of service vulnerability. For the stable distribution (jessie), this problem has been fixed in version 7.0.56-3+deb8u3. For the testing distribution (stretch), this problem has been fixed in version 7.0.70-1. For the unstable distribution (sid), this problem has been fixed in version 7.0.70-1. We recommend that you upgrade your tomcat7 packages. Description: Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies. It contains security fixes for the Tomcat 7 component. Only users of the Tomcat 7 component in JBoss Web Server need to apply the fixes delivered in this release. Security Fix(es): * A CSRF flaw was found in Tomcat's the index pages for the Manager and Host Manager applications. These applications included a valid CSRF token when issuing a redirect as a result of an unauthenticated request to the root of the web application. This token could then be used by an attacker to perform a CSRF attack. (CVE-2015-5351) * It was found that several Tomcat session persistence mechanisms could allow a remote, authenticated user to bypass intended SecurityManager restrictions and execute arbitrary code in a privileged context via a web application that placed a crafted object in a session. (CVE-2016-0714) * A security manager bypass flaw was found in Tomcat that could allow remote, authenticated users to access arbitrary application data, potentially resulting in a denial of service. (CVE-2016-3092) * A session fixation flaw was found in the way Tomcat recycled the requestedSessionSSL field. If at least one web application was configured to use the SSL session ID as the HTTP session ID, an attacker could reuse a previously used session ID for further requests. (CVE-2016-0706) 4. For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 5. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2015-5346 https://access.redhat.com/security/cve/CVE-2015-5351 https://access.redhat.com/security/cve/CVE-2016-0706 https://access.redhat.com/security/cve/CVE-2016-0714 https://access.redhat.com/security/cve/CVE-2016-0763 https://access.redhat.com/security/cve/CVE-2016-3092 Security Impact: https://access.redhat.com/security/updates/classification/#important 8

Apple AirPort Base Station Firmware before 7.6.7 and 7.7.x before 7.7.7 misparses DNS data, which allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors. Apple AirPort Base Station is a Wi-Fi base station product from Apple Inc. of the United States. The product supports streaming music and wireless printing. The vulnerability results from a program that fails to resolve DNS data correctly. Failed exploit attempts may result in a denial-of-service condition. This issue was addressed through improved bounds checking. CVE-2015-7029 : Alexandre Helie Installation note for Firmware version 7.6.7 and 7.7.7 Firmware version 7.6.7 and 7.7.7 is installed on AirPort Express, AirPort Extreme and AirPort Time Capsule with 802.11n and AirPort Extreme and AirPort Time Capsule base stations with 802.11ac using AirPort Utility for Mac or iOS. Use AirPort Utility 6.3.1 or later on OS X, or AirPort Utility 1.3.1 or later on iOS to upgrade to Firmware version 7.6.7 and 7.7.7. AirPort Utility for Mac is a free download from http://www.apple.com/support/downloads/ and AirPort Utility for iOS is a free download from the App Store. -----BEGIN PGP SIGNATURE----- Comment: GPGTools - https://gpgtools.org iQIcBAEBCgAGBQJXaEXFAAoJEIOj74w0bLRGGtsQAJNPs0WhD2J6HC1VOtiswx/D zyLyMKtkLc0NSbaIZtEOtvnEnJa2cEmkpZBkiGJ+Jjf6CnNKiC/+SXaETDldyL2j 6IFyuUFoSIv2ZsGU4xZVdpQJXGV7N7Az79nBQEPjWLqP/mDKx5b7KoysCQko1xPz mOvse17fCK7cwUjLFb0K1AHjq+1moNimUF/QEgfTZNnQp6zcHZ/ultZWYXVIhjYf Ev10eGVSC33joiqDSNW7a64PDz8KFBSs7zu96oH4S5M7xyY43izF/i81vAaF8Xgh W5kvI5U7omoUvNydVahsoN5o8IcDBjzEHxt2rE9lQustJUcyf15Yg9Z0uYwgXxk+ oLQwpD85vpyQrTneFHGTkiv13r8WQ+e5db7OSpLj7n+12WVC/Qlad7rTpeTFTQRu 08idWidZA6eZPPKHt7vlVdF0uci/eyXHoz34GDoZlijuRLdb8zYBE2svdRvjJgmV whPxjYRdLGU7Ei2iw/NqixUPa8ZWIS6aMEa9scsj2z0ClzwI0Ro+d72J0cui/tzf zrsmR78KIUWc0IiCV76TM/U9jH2TQ8ld5T0hdYnHyI7sU++Tfu2nZpN4sijIsvdz BP8QKCTTIt94OXMN0OBuDqZ7Xn25KBwXsWaPo8vU71O/rgnxZETUGE4cE91FZ9Zh TSW/TU0d6PMcGRZ/fRdM =iDOP -----END PGP SIGNATURE-----

The handle_regservice_request function in mDNSResponder before 625.41.2 allows remote attackers to execute arbitrary code or cause a denial of service (NULL pointer dereference) via unspecified vectors. mDNSResponder provides unicast and multicast mDNS services on UNIX-like operating systems such as OS X. Supplementary information : CWE Vulnerability type by CWE-476: NULL Pointer Dereference (NULL Pointer dereference ) Has been identified. mDNSResponder is prone to a remote code-execution vulnerability. A security vulnerability exists in the 'handle_regservice_request' function of mDNSResponder versions prior to 625.41.2

Cisco IOS 15.5(3)M on Integrated Services Router (ISR) 800, 819, and 829 devices allows remote attackers to cause a denial of service (memory consumption) via crafted TCP packets on the SSH port, aka Bug ID CSCuu13476. Cisco IOS and IOS XE Software are prone to a denial-of-service vulnerability. An attacker can exploit this issue to cause an affected device to report low-memory warnings which could in turn cause a partial denial-of-service condition. This issue is tracked by Cisco Bug ID CSCuu13476 and CSCvb66994. The title has been changed to better reflect the vulnerability information

Double free vulnerability in Cisco IOS XE 3.15S, 3.16S, and 3.17S allows remote authenticated users to cause a denial of service (device restart) via a sequence of crafted SNMP read requests, aka Bug ID CSCux13174. Cisco IOS XE Contains a memory double free vulnerability. Vendors have confirmed this vulnerability Bug ID CSCux13174 It is released as. Supplementary information : CWE Vulnerability type by CWE-415: Double Free ( Double release ) Has been identified. http://cwe.mitre.org/data/definitions/415.htmlBy a remotely authenticated user SNMP of read Service disruption via request ( Reboot device ) There is a possibility of being put into a state. Cisco IOSXE is an operating system developed by Cisco Systems for its network devices. A security vulnerability exists in the SNMP subsystem of Cisco IOSXE

The license-certificate upload functionality on Cisco 8800 phones with software 11.0(1) allows remote authenticated users to delete arbitrary files via an invalid file, aka Bug ID CSCuz03010. The Cisco IP Phone 8800 Series is a 8000 series IP telephony product from Cisco. The product provides voice and video capabilities. This issue is being tracked by Cisco Bug ID CSCuz03010

Cisco 8800 phones with software 11.0(1) do not properly enforce mounted-filesystem permissions, which allows local users to write to arbitrary files by leveraging shell access, aka Bug ID CSCuz03014. The Cisco IP Phone 8800 Series is a 8000 series IP telephony product from Cisco. The product provides voice and video capabilities. An attacker could exploit the vulnerability to gain access and modify or replace system files with malicious files. This may aid in further attacks. This issue is being tracked by Cisco bug ID CSCuz03014

Multiple buffer overflows in mDNSResponder before 625.41.2 allow remote attackers to read or write to out-of-bounds memory locations via vectors involving the (1) GetValueForIPv4Addr, (2) GetValueForMACAddr, (3) rfc3110_import, or (4) CopyNSEC3ResourceRecord function. mDNSResponder provides unicast and multicast mDNS services on UNIX-like operating systems such as OS X. mDNSResponder version 379.27 and above prior to version 625.41.2 is vulnerable to several buffer overflow vulnerabilities, as well as a null pointer dereference. mDNSResponder Contains a buffer overflow vulnerability. mDNSResponder is prone to multiple buffer-overflow vulnerabilities because it fails to perform boundary checks before copying user-supplied data to insufficiently sized memory buffer. Attackers can exploit these issues to execute arbitrary code in the context of the affected application. Failed exploit attempts will likely result in denial-of-service conditions

The kernel in Apple iOS before 9.3.3, OS X before 10.11.6, tvOS before 9.2.2, and watchOS before 2.2.2 allows local users to gain privileges or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2016-1863 and CVE-2016-4582. plural Apple The product kernel is authorized or service disruption ( Memory corruption ) There are vulnerabilities that are put into a state. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within IOPMrootDomain. An attacker could leverage this vulnerability to execute arbitrary code with kernel privileges. WebKit is prone to an information-disclosure vulnerability. Successful exploits may allow the attacker to gain access to sensitive information. Information obtained may lead to further attacks. Failed exploit attempts may result in a denial-of-service condition. Versions prior to iOS 9.3.3, watchOS 2.2.2, OS X 10.11.6, and tvOS 9.2.2 are vulnerable. Apple iOS is an operating system developed for mobile devices; OS X is a dedicated operating system developed for Mac computers; tvOS is a smart TV operating system; watchOS is a smart watch operating system. A security vulnerability exists in the kernel of several Apple products

Intel Graphics Driver in Apple OS X before 10.11.5 allows attackers to obtain sensitive kernel memory-layout information via a crafted app, a different vulnerability than CVE-2016-1860. This vulnerability CVE-2016-1860 Is a different vulnerability. Supplementary information : CWE Vulnerability type by CWE-254: Security Features ( Security function ) Has been identified. http://cwe.mitre.org/data/definitions/254.htmlAn attacker could obtain important kernel memory layout information through a crafted application. Apple Mac OS X is prone to multiple information-disclosure vulnerabilities and an arbitrary code-execution vulnerability. Failed exploits may result in denial-of-service conditions. Intel Graphics Driver is one of the graphics card drivers

Intel Graphics Driver in Apple OS X before 10.11.5 allows attackers to obtain sensitive kernel memory-layout information via a crafted app, a different vulnerability than CVE-2016-1862. This vulnerability CVE-2016-1862 Is a different vulnerability. Supplementary information : CWE Vulnerability type by CWE-254: Security Features ( Security function ) Has been identified. http://cwe.mitre.org/data/definitions/254.htmlAn attacker could obtain important kernel memory layout information through a crafted application. Apple Mac OS X is prone to multiple information-disclosure vulnerabilities and an arbitrary code-execution vulnerability. Failed exploits may result in denial-of-service conditions. Intel Graphics Driver is one of the graphics card drivers

The XSS auditor in WebKit, as used in Apple iOS before 9.3 and Safari before 9.1, does not properly handle redirects in block mode, which allows remote attackers to obtain sensitive information via a crafted URL. Apple iOS and Safari Used in etc. WebKit is prone to an information-disclosure vulnerability. Successful exploits may allow the attacker to gain access to sensitive information. Information obtained may lead to further attacks. Apple iOS is an operating system developed for mobile devices; Safari is a web browser that is the default browser included with Mac OS X and iOS operating systems. WebKit is a set of open source web browser engines jointly developed by companies such as KDE, Apple (Apple), and Google (Google), and is currently used by browsers such as Apple Safari and Google Chrome. A security vulnerability exists in WebKit's XSS auditor used in Apple iOS versions prior to 9.3 and Safari versions prior to 9.1. The vulnerability stems from the program's improper handling of block-mode redirects. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 APPLE-SA-2016-07-18-2 iOS 9.3.3 iOS 9.3.3 is now available and addresses the following: Calendar Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later Impact: A maliciously crafted calendar invite may cause a device to unexpectedly restart Description: A null pointer dereference was addressed through improved memory handling. CVE-2016-4592 : Mikhail WebKit Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later Impact: Visiting a malicious website may disclose image data from another website Description: A timing issue existed in the processing of SVG. CVE-2016-4587 : Apple WebKit JavaScript Bindings Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later Impact: Visiting a maliciously crafted website may lead to script execution in the context of a non-HTTP service Description: A cross-protocol cross-site scripting (XPXSS) issue existed in Safari when submitting forms to non-HTTP services compatible with HTTP/0.9. This issue was addressed by disabling scripts and plugins on resources loaded over HTTP/0.9. CVE-2016-4651 : Obscure WebKit Page Loading Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later Impact: A malicious website may exfiltrate data cross-origin Description: A cross-site scripting issue existed in Safari URL redirection. CVE-2016-4585 : Takeshi Terada of Mitsui Bussan Secure Directions, Inc. CVE-2016-4584 : Chris Vienneau Installation note: This update is available through iTunes and Software Update on your iOS device, and will not appear in your computer's Software Update application, or in the Apple Downloads site. Make sure you have an Internet connection and have installed the latest version of iTunes from www.apple.com/itunes/ iTunes and Software Update on the device will automatically check Apple's update server on its weekly schedule. When an update is detected, it is downloaded and the option to be installed is presented to the user when the iOS device is docked. We recommend applying the update immediately if possible. Selecting Don't Install will present the option the next time you connect your iOS device. The automatic update process may take up to a week depending on the day that iTunes or the device checks for updates. You may manually obtain the update via the Check for Updates button within iTunes, or the Software Update on your device. To check that the iPhone, iPod touch, or iPad has been updated: * Navigate to Settings * Select General * Select About. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 APPLE-SA-2016-07-18-1 OS X El Capitan v10.11.6 and Security Update 2016-004 OS X El Capitan v10.11.6 and Security Update 2016-004 is now available and addresses the following: apache_mod_php Available for: OS X Yosemite v10.10.5 and OS X El Capitan v10.11 and later Impact: A remote attacker may be able to execute arbitrary code Description: Multiple issues existed in PHP versions prior to 5.5.36. These were addressed by updating PHP to version 5.5.36. CVE-2016-4650 Audio Available for: OS X El Capitan v10.11 and later Impact: A local user may be able to execute arbitrary code with kernel privileges Description: A memory corruption issue was addressed through improved memory handling. CVE-2016-4647 : Juwei Lin (@fuzzerDOTcn) of Trend Micro Audio Available for: OS X El Capitan v10.11 and later Impact: A local user may be able to determine kernel memory layout Description: An out-of-bounds read was addressed through improved input validation. CVE-2016-4648 : Juwei Lin(@fuzzerDOTcn) of Trend Micro Audio Available for: OS X El Capitan v10.11 and later Impact: Parsing a maliciously crafted audio file may lead to the disclosure of user information Description: An out-of-bounds read was addressed through improved bounds checking. CVE-2016-4646 : Steven Seeley of Source Incite working with Trend Micro's Zero Day Initiative Audio Available for: OS X El Capitan v10.11 and later Impact: A local user may be able to cause a system denial of service Description: A null pointer dereference was addressed through improved input validation. CVE-2016-4649 : Juwei Lin(@fuzzerDOTcn) of Trend Micro bsdiff Available for: OS X El Capitan v10.11 and later Impact: A local attacker may be able to cause unexpected application termination or arbitrary code execution Description: An integer overflow existed in bspatch. This issue was addressed through improved bounds checking. CVE-2014-9862 : an anonymous researcher CFNetwork Available for: OS X El Capitan v10.11 and later Impact: A local user may be able to view sensitive user information Description: A permissions issue existed in the handling of web browser cookies. This issue was addressed through improved restrictions. CVE-2016-4645 : Abhinav Bansal of Zscaler Inc. CoreGraphics Available for: OS X Mavericks v10.9.5, OS X Yosemite v10.10.5, and OS X El Capitan v10.11 and later Impact: A remote attacker may be able to execute arbitrary code Description: A memory corruption issue was addressed through improved memory handling. CVE-2016-4637 : Tyler Bohan of Cisco Talos (talosintel.com /vulnerability-reports) CoreGraphics Available for: OS X El Capitan v10.11 and later Impact: A local user may be able to elevate privileges Description: An out-of-bounds read issue existed that led to the disclosure of kernel memory. This was addressed through improved input validation. CVE-2016-4652 : Yubin Fu of Tencent KeenLab working with Trend Micro's Zero Day Initiative FaceTime Available for: OS X El Capitan v10.11 and later Impact: An attacker in a privileged network position may be able to cause a relayed call to continue transmitting audio while appearing as if the call terminated Description: User interface inconsistencies existed in the handling of relayed calls. These issues were addressed through improved FaceTime display logic. CVE-2016-4635 : Martin Vigo Graphics Drivers Available for: OS X El Capitan v10.11 and later Impact: A local user may be able to execute arbitrary code with kernel privileges Description: A memory corruption issue was addressed through improved input validation. CVE-2016-4634 : Stefan Esser of SektionEins ImageIO Available for: OS X El Capitan v10.11 and later Impact: A remote attacker may be able to cause a denial of service Description: A memory consumption issue was addressed through improved memory handling. CVE-2016-4632 : Evgeny Sidorov of Yandex ImageIO Available for: OS X El Capitan v10.11 and later Impact: A remote attacker may be able to execute arbitrary code Description: Multiple memory corruption issues were addressed through improved memory handling. CVE-2016-4631 : Tyler Bohan of Cisco Talos (talosintel.com /vulnerability-reports) ImageIO Available for: OS X Mavericks v10.9.5, OS X Yosemite v10.10.5, and OS X El Capitan v10.11 and later Impact: A remote attacker may be able to execute arbitrary code Description: Multiple memory corruption issues were addressed through improved memory handling. CVE-2016-4629 : Tyler Bohan of Cisco Talos (talosintel.com /vulnerability-reports) CVE-2016-4630 : Tyler Bohan of Cisco Talos (talosintel.com /vulnerability-reports) Intel Graphics Driver Available for: OS X El Capitan v10.11 and later Impact: A malicious application may be able to execute arbitrary code with kernel privileges Description: Multiple memory corruption issues were addressed through improved memory handling. CVE-2016-4633 : an anonymous researcher IOHIDFamily Available for: OS X El Capitan v10.11 and later Impact: A local user may be able to execute arbitrary code with kernel privileges Description: A null pointer dereference was addressed through improved input validation. CVE-2016-4626 : Stefan Esser of SektionEins IOSurface Available for: OS X El Capitan v10.11 and later Impact: A local user may be able to execute arbitrary code with kernel privileges Description: A use-after-free was addressed through improved memory management. CVE-2016-4625 : Ian Beer of Google Project Zero Kernel Available for: OS X El Capitan v10.11 and later Impact: A local user may be able to execute arbitrary code with kernel privileges Description: Multiple memory corruption issues were addressed through improved memory handling. CVE-2016-1863 : Ian Beer of Google Project Zero CVE-2016-1864 : Ju Zhu of Trend Micro CVE-2016-4582 : Shrek_wzw and Proteas of Qihoo 360 Nirvan Team Kernel Available for: OS X El Capitan v10.11 and later Impact: A local user may be able to cause a system denial of service Description: A null pointer dereference was addressed through improved input validation. CVE-2016-1865 : CESG, Marco Grassi (@marcograss) of KeenLab (@keen_lab), Tencent libc++abi Available for: OS X El Capitan v10.11 and later Impact: An application may be able to execute arbitrary code with root privileges Description: Multiple memory corruption issues were addressed through improved memory handling. CVE-2016-4621 : an anonymous researcher libexpat Available for: OS X El Capitan v10.11 and later Impact: Processing maliciously crafted XML may lead to unexpected application termination or arbitrary code execution Description: Multiple memory corruption issues were addressed through improved memory handling. CVE-2016-0718 : Gustavo Grieco LibreSSL Available for: OS X El Capitan v10.11 and later Impact: A remote attacker may be able to execute arbitrary code Description: Multiple issues existed in LibreSSL before 2.2.7. These were addressed by updating LibreSSL to version 2.2.7. CVE-2016-2108 : Huzaifa Sidhpurwala (Red Hat), Hanno Boeck, David Benjamin (Google) Mark Brand, Ian Beer of Google Project Zero CVE-2016-2109 : Brian Carpenter libxml2 Available for: OS X Mavericks v10.9.5, OS X Yosemite v10.10.5, and OS X El Capitan v10.11 and later Impact: Parsing a maliciously crafted XML document may lead to disclosure of user information Description: An access issue existed in the parsing of maliciously crafted XML files. This issue was addressed through improved input validation. CVE-2016-4449 : Kostya Serebryany libxml2 Available for: OS X Mavericks v10.9.5, OS X Yosemite v10.10.5, and OS X El Capitan v10.11 and later Impact: Multiple vulnerabilities in libxml2 Description: Multiple memory corruption issues were addressed through improved memory handling. CVE-2016-1836 : Wei Lei and Liu Yang of Nanyang Technological University CVE-2016-4447 : Wei Lei and Liu Yang of Nanyang Technological University CVE-2016-4448 : Apple CVE-2016-4483 : Gustavo Grieco CVE-2016-4614 : Nick Wellnhofe CVE-2016-4615 : Nick Wellnhofer CVE-2016-4616 : Michael Paddon CVE-2016-4619 : Hanno Boeck libxslt Available for: OS X Mavericks v10.9.5, OS X Yosemite v10.10.5, and OS X El Capitan v10.11 and later Impact: Multiple vulnerabilities in libxslt Description: Multiple memory corruption issues were addressed through improved memory handling. CVE-2016-1684 : Nicolas GrA(c)goire CVE-2016-4607 : Nick Wellnhofer CVE-2016-4608 : Nicolas GrA(c)goire CVE-2016-4609 : Nick Wellnhofer CVE-2016-4610 : Nick Wellnhofer CVE-2016-4612 : Nicolas GrA(c)goire Login Window Available for: OS X El Capitan v10.11 and later Impact: A malicious application may be able to execute arbitrary code leading to compromise of user information Description: A memory corruption issue was addressed through improved input validation. CVE-2016-4640 : Yubin Fu of Tencent KeenLab working with Trend Micro's Zero Day Initiative Login Window Available for: OS X El Capitan v10.11 and later Impact: A malicious application may be able to execute arbitrary code leading to the compromise of user information Description: A type confusion issue was addressed through improved memory handling. CVE-2016-4641 : Yubin Fu of Tencent KeenLab working with Trend Micro's Zero Day Initiative Login Window Available for: OS X El Capitan v10.11 and later Impact: A local user may be able to cause a denial of service Description: A memory initialization issue was addressed through improved memory handling. CVE-2016-4639 : Yubin Fu of Tencent KeenLab working with Trend Micro's Zero Day Initiative Login Window Available for: OS X El Capitan v10.11 and later Impact: A malicious application may be able to gain root privileges Description: A type confusion issue was addressed through improved memory handling. CVE-2016-4638 : Yubin Fu of Tencent KeenLab working with Trend Micro's Zero Day Initiative OpenSSL Available for: OS X El Capitan v10.11 and later Impact: A remote attacker may be able to execute arbitrary code Description: Multiple issues existed in OpenSSL. These issues were resolved by backporting the fixes from OpenSSL 1.0.2h/1.0.1 to OpenSSL 0.9.8. CVE-2016-2105 : Guido Vranken CVE-2016-2106 : Guido Vranken CVE-2016-2107 : Juraj Somorovsky CVE-2016-2108 : Huzaifa Sidhpurwala (Red Hat), Hanno Boeck, David Benjamin (Google), Mark Brand and Ian Beer of Google Project Zero CVE-2016-2109 : Brian Carpenter CVE-2016-2176 : Guido Vranken QuickTime Available for: OS X El Capitan v10.11 and later Impact: Processing a maliciously crafted FlashPix Bitmap Image may lead to unexpected application termination or arbitrary code execution Description: Multiple memory corruption issues were addressed through improved memory handling. CVE-2016-4596 : Ke Liu of Tencent's Xuanwu Lab CVE-2016-4597 : Ke Liu of Tencent's Xuanwu Lab CVE-2016-4600 : Ke Liu of Tencent's Xuanwu Lab CVE-2016-4602 : Ke Liu of Tencent's Xuanwu Lab QuickTime Available for: OS X El Capitan v10.11 and later Impact: Processing a maliciously crafted image may lead to arbitrary code execution Description: A memory corruption issue was addressed through improved input validation. CVE-2016-4598 : Ke Liu of Tencent's Xuanwu Lab QuickTime Available for: OS X El Capitan v10.11 and later Impact: Processing a maliciously crafted SGI file may lead to arbitrary code execution Description: A memory corruption issue was addressed through improved input validation. CVE-2016-4601 : Ke Liu of Tencent's Xuanwu Lab QuickTime Available for: OS X El Capitan v10.11 and later Impact: Processing a maliciously crafted Photoshop document may lead to unexpected application termination or arbitrary code execution Description: A memory corruption issue was addressed through improved input validation. CVE-2016-4599 : Ke Liu of Tencent's Xuanwu Lab Safari Login AutoFill Available for: OS X El Capitan v10.11 and later Impact: A user's password may be visible on screen Description: An issue existed in Safari's password auto-fill. This issue was addressed through improved matching of form fields. CVE-2016-4595 : Jonathan Lewis from DeARX Services (PTY) LTD Sandbox Profiles Available for: OS X El Capitan v10.11 and later Impact: A local application may be able to access the process list Description: An access issue existed with privileged API calls. This issue was addressed through additional restrictions. CVE-2016-4594 : Stefan Esser of SektionEins Note: OS X El Capitan 10.11.6 includes the security content of Safari 9.1.2. For further details see https://support.apple.com/kb/HT206900 OS X El Capitan v10.11.6 and Security Update 2016-004 may be obtained from the Mac App Store or Apple's Software Downloads web site: http://www.apple.com/support/downloads/ Information will also be posted to the Apple Security Updates web site: http://support.apple.com/kb/HT201222 This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ -----BEGIN PGP SIGNATURE----- Comment: GPGTools - https://gpgtools.org iQIcBAEBCgAGBQJXjXAvAAoJEIOj74w0bLRG/5EP/2v9SJTrO+/4b3A1gqC1ch8y +cJ04tXRsO7rvjKT5nCylo30U0Sanz/bUbDx4559YS7/P/IyeyZVheaTJwK8wzEy pSOPpy35hUuVIw0/p4YsuHDThSBPFMmDljTxH7elkfuBV1lPSrCkyDXc0re2HxWV xj68zAxtM0jkkhgcxb2ApZSZVXhrjUZtbY0xEVOoWKKFwbMvKfx+4xSqunwQeS1u wevs1EbxfvsZbc3pG+xYcOonbegBzOy9aCvNO1Yv1zG+AYXC5ERMq1vk3PsWOTQN ZVY1I7mvCaEfvmjq2isRw8XYapAIKISDLwMKBSYrZDQFwPQLRi1VXxQZ67Kq1M3k ah04/lr0RIcoosIcBqxD2+1UAFjUzEUNFkYivjhuaeegN2QdL7Ujegf1QjdAt8lk mmKduxYUDOaRX50Kw7n14ZveJqzE1D5I6QSItaZ9M1vR60a7u91DSj9D87vbt1YC JM/Rvf/4vonp1NjwA2JQwCiZfYliBDdn9iiCl8mzxdsSRD/wXcZCs05nnKmKsCfc 55ET7IwdG3622lVheOJGQZuucwJiTn36zC11XVzZysQd/hLD5rUKUQNX1WOgZdzs xPsslXF5MWx9jcdyWVSWxDrN0sFk+GpQFQDuVozP60xuxqR3qQ0TXir2NP39uIF5 YozOGPQFmX0OviWCQsX6 =ng+m -----END PGP SIGNATURE-----

Cisco IOS 15.0(2)SG5, 15.1(2)SG3, 15.2(1)E, 15.3(3)S, and 15.4(1.13)S allows remote attackers to cause a denial of service (device crash) via a crafted LLDP packet, aka Bug ID CSCun66735. An attacker can exploit this issue to cause denial-of-service conditions. This issue is being tracked by Cisco Bug ID CSCun66735. The following releases are affected: Cisco IOS Release 15.0(2)SG5, Release 15.1(2)SG3, Release 15.2(1)E, Release 15.3(3)S, Release 15.4(1.13)S

Cisco IOS 15.2(1)T1.11 and 15.2(2)TST allows remote attackers to cause a denial of service (device crash) via a crafted LLDP packet, aka Bug ID CSCun63132. An attacker can exploit this issue to cause denial-of-service conditions. This issue is being tracked by Cisco Bug ID CSCun63132

Cross-site scripting (XSS) vulnerability in Cisco Firepower Management Center 4.10.3, 5.2.0, 5.3.0, 5.3.1, and 5.4.0 allows remote attackers to inject arbitrary web script or HTML via a crafted URL, aka Bug ID CSCur25516. Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or control how the site is rendered to the user. Other attacks are also possible. This issue is being tracked by Cisco Bug ID CSCur25516

Cisco IOS XE 3.15S and 3.16S on cBR-8 Converged Broadband Router devices allows remote authenticated users to cause a denial of service (NULL pointer dereference and card restart) via a crafted SNMP request, aka Bug ID CSCuu68862. The Cisco IOSXEoncBR-8ConvergedBroadbandRouter is a set of operating systems running on the cBR-8 series of routers from Cisco. A denial of service vulnerability exists in the Cisco IOSXE 3.15S and 3.16S versions on the Cisco IOSXEoncBR-8ConvergedBroadbandRouter device. An attacker can exploit this issue to cause a denial of service condition. This issue is tracked by Cisco Bug ID CSCuu68862