VARIoT IoT vulnerabilities database

Baxter SIGMA Spectrum Infusion System version 6.05 (model 35700BAX) with wireless battery module (WBM) version 16 is remotely accessible via Port 22/SSH without authentication. A remote attacker may be able to make unauthorized configuration changes to the WBM, as well as issue commands to access account credentials and shared keys. Baxter asserts that this vulnerability only allows access to features and functionality on the WBM and that the SIGMA Spectrum infusion pump cannot be controlled from the WBM. Baxter has released a new version of the SIGMA Spectrum Infusion System, Version 8, which incorporates hardware and software changes. Baxter Wireless Battery Module (WBM) is prone to multiple security vulnerabilities. Attackers may exploit these issues to gain unauthorized access, obtain sensitive information, or bypass the authentication mechanism and gain access to the vulnerable device. A security vulnerability exists in Baxter WBM

An unauthenticated remote attacker may be able to execute commands to view wireless account credentials that are stored in cleartext on Baxter SIGMA Spectrum Infusion System version 6.05 (model 35700BAX) with wireless battery module (WBM) version 16, which may allow an attacker to gain access the host network. Baxter has released a new version of the SIGMA Spectrum Infusion System, Version 8, which incorporates hardware and software changes. Baxter SIGMA Spectrum Infusion System Contains vulnerabilities related to certificate and password management.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Baxter Wireless Battery Module (WBM) is prone to multiple security vulnerabilities. Attackers may exploit these issues to gain unauthorized access, obtain sensitive information, or bypass the authentication mechanism and gain access to the vulnerable device. Baxter SIGMA Spectrum Infusion System is an intelligent infusion system developed by Baxter, USA. A security vulnerability exists in Baxter WBM

Baxter SIGMA Spectrum Infusion System version 6.05 (model 35700BAX) with wireless battery module (WBM) version 16 has a default account with hard-coded credentials used with the FTP protocol. Baxter asserts no files can be transferred to or from the WBM using this account. Baxter has released a new version of the SIGMA Spectrum Infusion System, Version 8, which incorporates hardware and software changes. Baxter SIGMA Spectrum Infusion System Contains a vulnerability in the use of hard-coded credentials.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Baxter Wireless Battery Module (WBM) is prone to multiple security vulnerabilities. Attackers may exploit these issues to gain unauthorized access, obtain sensitive information, or bypass the authentication mechanism and gain access to the vulnerable device. Baxter SIGMA Spectrum Infusion System is an intelligent infusion system developed by Baxter, USA. A security vulnerability exists in Baxter WBM

Heap-based buffer overflow in the parse_string function in libs/esl/src/esl_json.c in FreeSWITCH before 1.4.23 and 1.6.x before 1.6.2 allows remote attackers to execute arbitrary code via a trailing \u in a json string to cJSON_Parse. FreeSWITCH is prone to a heap-based buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied data. A remote attacker may exploit this issue to execute arbitrary code in the context of the affected application. Failed attempts will likely cause a denial-of-service condition. Versions prior to FreeSWITCH 1.6.2 and 1.4.23 are vulnerable. FreeSWITCH is a set of free and open source communication software developed by American software developer Anthony Minesale. The software can be used to create audio, video and short message products and applications. There is a heap-based buffer overflow vulnerability in the 'parse_string' function in the libs/esl/src/esl_json.c file of FreeSWITCH 1.4.21 and earlier versions and 1.6.0. The vulnerability stems from the fact that the cJSON_Parse structure does not sufficiently filter' json' character at the end of the string. 1. Advisory Information Title: Heap overflow in freeswitch json parser < 1.6.2 & < 1.4.23 Submitter: Marcello Duarte (marcello@cybersightgroup.com) Product: freeswitch Product URL: http://freeswitch.org Affected Versions: freeswitch < 1.6.2 & < 1.4.23 Fixed Versions: 1.6.2 , 1.4.23 Link to source code diff: https://freeswitch.org/stash/projects/FS/repos/freeswitch/commits/cf892528a1a107ed6eb67fb98ed22533e27778fd CVE Status: CVE-2015-7392 2. Vulnerability Information Impact: Code execution Remotely Exploitable: Yes Locally Exploitable: No 3. Vulnerability Description Product Information: FreeSWITCH is a scalable open source cross-platform telephony platform designed to route and interconnect popular communication protocols using audio, video, text or any other form of media. It was created in 2006 to fill the void left by proprietary commercial solutions. FreeSWITCH also provides a stable telephony platform on which many applications can be developed using a wide range of free tools. Vulnerability: A carefully crafted json string supplied to cJSON_Parse will trigger a heap overflow with user controlled data. The underlying vulnerability occurs in the parse_string function. This confuses the code responsible for copying the string. Since it doesn't detect the NULL in this situation, it will keep copying until it hits a null in memory. This leads to a heap overflow with user controlled data. Any modules or core code which allows user supplied json to enter the json parser will be vulnerable. Vulnerable Source Code: static const char *parse_string(cJSON *item, const char *str) { ... /* HACKLOG The length of string is determined here, it will stop counting when it hits a null */ while (*ptr != '\"' && *ptr && ++len) if (*ptr++ == '\\') ptr++; /* Skip escaped quotes. */ /* HACKLOG The buffer is alloced with the length obtained from the previous section */ out = (char *)cJSON_malloc( len + 1); /* This is how long we need for the string, roughly. */ if (!out) return 0; /* HACKLOG the following code will copy the string into the alloced buffer taking into account utf16 to utf8 conversion */ ptr = str + 1; ptr2 = out; /* 1 */ while (*ptr != '\"' && *ptr) { if (*ptr != '\\') *ptr2++ = *ptr++; else { ptr++; switch (*ptr) { case 'b': *ptr2++ = '\b'; break; case 'f': *ptr2++ = '\f'; break; case 'n': *ptr2++ = '\n'; break; case 'r': *ptr2++ = '\r'; break; case 't': *ptr2++ = '\t'; break; case 'u': /* transcode utf16 to utf8. */ if (sscanf(ptr + 1, "%4x", &uc) < 1) break; ptr += 4; /* get the unicode char. */ if ((uc >= 0xDC00 && uc <= 0xDFFF) || uc == 0) break; // check for invalid. if (uc >= 0xD800 && uc <= 0xDBFF) // UTF16 surrogate pairs. { if (ptr[1] != '\\' || ptr[2] != 'u') break; // missing second-half of surrogate. if (sscanf(ptr + 3, "%4x", &uc2) < 1) break; ptr += 6; if (uc2 < 0xDC00 || uc2 > 0xDFFF) break; // invalid second-half of surrogate. uc = 0x10000 | ((uc & 0x3FF) << 10) | (uc2 & 0x3FF); } len = 4; if (uc < 0x80) len = 1; else if (uc < 0x800) len = 2; else if (uc < 0x10000) len = 3; ptr2 += len; switch (len) { case 4: *--ptr2 = ((uc | 0x80) & 0xBF); uc >>= 6; case 3: *--ptr2 = ((uc | 0x80) & 0xBF); uc >>= 6; case 2: *--ptr2 = ((uc | 0x80) & 0xBF); uc >>= 6; case 1: *--ptr2 = (char)(uc | firstByteMark[len]); } ptr2 += len; break; default: *ptr2++ = *ptr; break; } /* HACKLOG INCREMENTS past null here, causing the while loop to not detect the end of the buffer so it keeps copying past the end of the alloced buffer */ ptr++; } 4. Vendor Information, Solutions Freeswitch has released versions 1.6.2 , 1.4.23 which fix the issue. 5. Credits This vulnerability was discovered and researched by Marcello Duarte ( marcello@cybersightgroup.com ) from CYBERSIGHT GROUP Vulnerability Research Labs. 6. Report Timeline 2015-09-02 - Vulnerability found 2015-09-13 - Freeswitch developers contacted 2015-09-14 - Freeswitch developers verified bug and patched in master 2015-09-25 - Freeswitch releases fixed packages. 2015-09-20 - CVE requested 2015-09-29 - CVE issued, Advisory released 7. About CYBERSIGHT GROUP CYBERSIGHT GROUP is an organization of security professionals specializing in several areas of offensive computer security research. We specialize in vulnerability research, exploit development, reverse engineering and cyber attack planning. http://cybersightgroup.com , contact@cybersightgroup.com 8. Disclaimer The information provided in the advisory is provided as is without any warranty. CYBERSIGHT GROUP and it's members are not liable in any case of damage, direct or indirect. Permission to redistribute the advisory in it's unmodified form is granted. -- Marcello Duarte Chief Research Officer CYBERSIGHT GROUP

Unspecified vulnerability in HP Integrated Lights-Out (iLO) firmware 3 before 1.85 and 4 before 2.22 allows remote authenticated users to cause a denial of service via unknown vectors. Exploiting this issue allows remote attackers to trigger denial-of-service conditions. HP Integrated Lights-Out (iLO) is an embedded server management technology of Hewlett-Packard (HP), which uses an integrated remote management port to monitor and maintain the operating status of the server, and remotely manage and control the server. A security vulnerability exists in HP iLO 3 with firmware version 1.80 and earlier and iLO 4 with firmware version 2.20 and earlier. A remote attacker could exploit this vulnerability to cause a denial of service

There is a SQL injection vulnerability in Huawei EIE. Huawei Enterprise Information Engine (EIE) is an enterprise information machine product of China's Huawei. This product supports the integration of various applications of industry customers with mobile communication business applications to achieve mobile data applications. There is a SQL injection vulnerability in Huawei EIE, which originates from the program's insufficient filtering of user-submitted input before constructing SQL query statements. Attackers can use this vulnerability to control applications, access or modify data, or exploit potential vulnerabilities in the underlying database. Vulnerabilities exist in Huawei EIE V400R001. Other versions may also be affected. Huawei Enterprise Information Engine is prone to multiple SQL-injection vulnerabilities because it fails to properly sanitize user-supplied input before using it in an SQL query

Endian Firewall before 3.0 allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) NEW_PASSWORD_1 or (2) NEW_PASSWORD_2 parameter to cgi-bin/chpasswd.cgi. Supplementary information : CWE Vulnerability type by CWE-77: Improper Neutralization of Special Elements used in a Command ( Command injection ) Has been identified. Versions prior to Endian Firewall 3.0 are vulnerable. Endian Firewall is a set of unified risk management tools based on the Red Hat Enterprise Linux operating system developed by Italian company Endian. The tool provides HTTP/FTP virus protection, POP3/SMTP virus protection, SSL/TLS virtual private network and other functions

VxWorks is a real-time operating system widely used on ICS-related devices. Wind River VxWorks version 5.5-6.9.4.1 has an integer overflow vulnerability in its implementation. Successful use allows an attacker to remotely execute arbitrary code in the operating system, destroy or bypass all memory protection, and set up backdoor accounts

Unrestricted file upload vulnerability in the Settings_Vtiger_CompanyDetailsSave_Action class in modules/Settings/Vtiger/actions/CompanyDetailsSave.php in Vtiger CRM 6.3.0 and earlier allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in test/logo/. Vtiger CRM Exists in a vulnerability related to unlimited upload of dangerous types of files.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be put into a state. vtiger CRM is prone to an arbitrary file-upload vulnerability. An attacker may leverage this issue to upload arbitrary files to the affected system; this can result in arbitrary code execution within the context of the affected system. vtiger CRM 6.3.0 and prior versions are vulnerable. Vtiger CRM is a customer relationship management system (CRM) based on SugarCRM developed by American Vtiger Company. The management system provides functions such as management, collection, and analysis of customer information. Vtiger CRM 6.3.0 and previous versions have a code problem vulnerability in the 'Settings_Vtiger_CompanyDetailsSave_Action' class of the modules/Settings/Vtiger/actions/CompanyDetailsSave.php file

Cross-site request forgery (CSRF) vulnerability in Resource Data Management Data Manager before 2.2 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors. An attacker could exploit the vulnerability to perform unauthorized operations

Infinite Automation Mango Automation 2.5.x and 2.6.x before 2.6.0 build 430 provides different error messages for failed login attempts in unspecified circumstances, which allows remote attackers to obtain sensitive information via a series of requests. Infinite Automation Mango Automation is an open source web-based SCADA (data acquisition and monitoring control), HMI and automation software from Infinite Automation Systems, USA. An arbitrary-file-upload vulnerability 2. Multiple information-disclosure vulnerabilities 3. A command-execution vulnerability 4. An SQL-injection vulnerability 5. A cross-site request forgery vulnerability 6. A cross-site scripting vulnerability Attackers may leverage these issues to steal cookie-based authentication credentials, execute arbitrary script code in the browser, perform unauthorized actions, gain unauthorized access, obtain sensitive information, compromise the application, access or modify data and to execute arbitrary commands in the context of the vulnerable application; other attacks are also possible. It is easy, affordable, and open source.The application is prone to a reflected cross-sitescripting vulnerability due to a failure to properlysanitize user-supplied input to the 'username' POSTparameter in the 'login.htm' script. Mango Automation is a flexible SCADA, HMIAnd Automation software application that allows youto view, log, graph, animate, alarm, and report ondata from sensors, equipment, PLCs, databases, webpages,etc. It is easy, affordable, and open source.The weakness is caused due to the 'login.htm' scriptand how it verifies provided credentials. Attacker canuse this weakness to enumerate valid users on the affectednode.Tested on: Microsoft Windows 7 Professional SP1 (EN) 32/64bitMicrosoft Windows 7 Ultimate SP1 (EN) 32/64bitJetty(9.2.2.v20140723)Java(TM) SE Runtime Environment (build 1.8.0_51-b16)Java HotSpot(TM) Client VM (build 25.51-b03, mixed mode)

Cross-site scripting (XSS) vulnerability in Infinite Automation Mango Automation 2.5.x and 2.6.x before 2.6.0 build 430 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors. Infinite Automation Mango Automation is an open source web-based SCADA (data acquisition and monitoring control), HMI and automation software from Infinite Automation Systems, USA. An arbitrary-file-upload vulnerability 2. Multiple information-disclosure vulnerabilities 3. A command-execution vulnerability 4. An SQL-injection vulnerability 5. A cross-site request forgery vulnerability 6. A cross-site scripting vulnerability Attackers may leverage these issues to steal cookie-based authentication credentials, execute arbitrary script code in the browser, perform unauthorized actions, gain unauthorized access, obtain sensitive information, compromise the application, access or modify data and to execute arbitrary commands in the context of the vulnerable application; other attacks are also possible. It is easy, affordable, and open source.The application is prone to a reflected cross-sitescripting vulnerability due to a failure to properlysanitize user-supplied input to the 'username' POSTparameter in the 'login.htm' script. Product web page: http://www.infiniteautomation.com/ Affected version: 2.5.2 and 2.6.0 beta (build 327) Summary: Mango Automation is a flexible SCADA, HMI And Automation software application that allows you to view, log, graph, animate, alarm, and report on data from sensors, equipment, PLCs, databases, webpages, etc. It is easy, affordable, and open source. Desc: Mango Automation suffers from information disclosure vulnerability because it contains default configuration for debugging enabled in the '/WEB-INF./web.xml' file (debug=true). An attacker can entice a logged-in user to visit a specially crafted URL which will produce a system exception with stack trace on the Jetty server. When this error occurs, the debug option generates a status page with all the information from the visitor, meaning that the attacker is able to see usernames, password hashes, e-mails and of course, Cookie sessions). Using the generated error, the attacker can easily perform session hijacking and take over the system using previously discovered vulnerabilities by just visiting the status page non-authenticated. Tested on: Microsoft Windows 7 Professional SP1 (EN) 32/64bit Microsoft Windows 7 Ultimate SP1 (EN) 32/64bit Jetty(9.2.2.v20140723) Java(TM) SE Runtime Environment (build 1.8.0_51-b16) Java HotSpot(TM) Client VM (build 25.51-b03, mixed mode) Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2015-5260 Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5260.php 20.08.2015 -- One scenario is where the attacker visits the following URL and takes over the admin session (given that the administrator didn't manually disabled the debugging and has produced some exception in current session): - http://localhost:8080/status/ Other scenario is where the attacker sends a link to the victim so the victim after clicking on the link, generates exception and writes all his session attributes in the status page: - http://localhost/status/mango.json?time=$ - http://localhost/status/ Sample status output: \"$\"\r\n\r\n\r\nSESSION ATTRIBUTES\r\n sessionUser=User [id=6, username=n00b, password=NWoZK3kTsExUV00Ywo1G5jlUKKs=, email=z@s.l, phone=123321, admin=true, disabled=false, dataSourcePermissions=[], dataPointPermissions=[], homeUrl=, lastLogin=1440142956496, receiveAlarmEmails=0, receiveOwnAuditEvents=false, timezone=]\r\n LONG_POLL_DATA_TIMEOUT=1440143583487\r\n LONG_POLL_DATA=[com.serotonin.m2m2.web.dwr.longPoll.LongPollData@839308, com.serotonin.m2m2.web.dwr.longPoll.LongPollData@1b4dafa]\r\n\r\n\r\nCONTEXT ATTRIBUTES\r\n DwrContainer=org.directwebremoting.impl.DefaultContainer@138158\r\n constants.EventType.EventTypeNames.AUDIT=AUDIT\r\n constants.SystemEventType.TYPE_USER_LOGIN=USER_LOGIN\r\n constants.Permissions.DataPointAccessTypes.READ=1\r\n org.directwebremoting.ContainerList=[org.directwebremoting.impl.DefaultContainer@138158]\r\n constants.DataTypes.BINARY=1\r\n constants.UserComment.TYPE_EVENT=1\r\n constants.SystemEventType.TYPE_SYSTEM_STARTUP=SYSTEM_STARTUP\r\n javax.servlet.ServletConfig=org.eclipse.jetty.servlet.ServletHolder$Config@bc620e\r\n Also you can list all of the Classes known to DWR: - http://localhost:8080/dwr/index.html

SQL injection vulnerability in Infinite Automation Mango Automation 2.5.x and 2.6.x before 2.6.0 build 430 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors. Infinite Automation Mango Automation is an open source web-based SCADA (data acquisition and monitoring control), HMI and automation software from Infinite Automation Systems, USA. An arbitrary-file-upload vulnerability 2. Multiple information-disclosure vulnerabilities 3. A command-execution vulnerability 4. An SQL-injection vulnerability 5. A cross-site request forgery vulnerability 6. A cross-site scripting vulnerability Attackers may leverage these issues to steal cookie-based authentication credentials, execute arbitrary script code in the browser, perform unauthorized actions, gain unauthorized access, obtain sensitive information, compromise the application, access or modify data and to execute arbitrary commands in the context of the vulnerable application; other attacks are also possible. It is easy, affordable, and open source.The application is prone to a reflected cross-sitescripting vulnerability due to a failure to properlysanitize user-supplied input to the 'username' POSTparameter in the 'login.htm' script. Product web page: http://www.infiniteautomation.com/ Affected version: 2.5.2 and 2.6.0 beta (build 327) Summary: Mango Automation is a flexible SCADA, HMI And Automation software application that allows you to view, log, graph, animate, alarm, and report on data from sensors, equipment, PLCs, databases, webpages, etc. It is easy, affordable, and open source. Desc: Mango Automation suffers from information disclosure vulnerability because it contains default configuration for debugging enabled in the '/WEB-INF./web.xml' file (debug=true). An attacker can entice a logged-in user to visit a specially crafted URL which will produce a system exception with stack trace on the Jetty server. When this error occurs, the debug option generates a status page with all the information from the visitor, meaning that the attacker is able to see usernames, password hashes, e-mails and of course, Cookie sessions). Using the generated error, the attacker can easily perform session hijacking and take over the system using previously discovered vulnerabilities by just visiting the status page non-authenticated. Tested on: Microsoft Windows 7 Professional SP1 (EN) 32/64bit Microsoft Windows 7 Ultimate SP1 (EN) 32/64bit Jetty(9.2.2.v20140723) Java(TM) SE Runtime Environment (build 1.8.0_51-b16) Java HotSpot(TM) Client VM (build 25.51-b03, mixed mode) Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2015-5260 Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5260.php 20.08.2015 -- One scenario is where the attacker visits the following URL and takes over the admin session (given that the administrator didn't manually disabled the debugging and has produced some exception in current session): - http://localhost:8080/status/ Other scenario is where the attacker sends a link to the victim so the victim after clicking on the link, generates exception and writes all his session attributes in the status page: - http://localhost/status/mango.json?time=$ - http://localhost/status/ Sample status output: \"$\"\r\n\r\n\r\nSESSION ATTRIBUTES\r\n sessionUser=User [id=6, username=n00b, password=NWoZK3kTsExUV00Ywo1G5jlUKKs=, email=z@s.l, phone=123321, admin=true, disabled=false, dataSourcePermissions=[], dataPointPermissions=[], homeUrl=, lastLogin=1440142956496, receiveAlarmEmails=0, receiveOwnAuditEvents=false, timezone=]\r\n LONG_POLL_DATA_TIMEOUT=1440143583487\r\n LONG_POLL_DATA=[com.serotonin.m2m2.web.dwr.longPoll.LongPollData@839308, com.serotonin.m2m2.web.dwr.longPoll.LongPollData@1b4dafa]\r\n\r\n\r\nCONTEXT ATTRIBUTES\r\n DwrContainer=org.directwebremoting.impl.DefaultContainer@138158\r\n constants.EventType.EventTypeNames.AUDIT=AUDIT\r\n constants.SystemEventType.TYPE_USER_LOGIN=USER_LOGIN\r\n constants.Permissions.DataPointAccessTypes.READ=1\r\n org.directwebremoting.ContainerList=[org.directwebremoting.impl.DefaultContainer@138158]\r\n constants.DataTypes.BINARY=1\r\n constants.UserComment.TYPE_EVENT=1\r\n constants.SystemEventType.TYPE_SYSTEM_STARTUP=SYSTEM_STARTUP\r\n javax.servlet.ServletConfig=org.eclipse.jetty.servlet.ServletHolder$Config@bc620e\r\n Also you can list all of the Classes known to DWR: - http://localhost:8080/dwr/index.html

Cross-site request forgery (CSRF) vulnerability in Infinite Automation Mango Automation 2.5.x and 2.6.x through 2.6.0 build 430 allows remote authenticated users to hijack the authentication of unspecified victims via unknown vectors. Infinite Automation Mango Automation is an open source web-based SCADA (data acquisition and monitoring control), HMI and automation software from Infinite Automation Systems, USA. An arbitrary-file-upload vulnerability 2. Multiple information-disclosure vulnerabilities 3. A command-execution vulnerability 4. An SQL-injection vulnerability 5. A cross-site scripting vulnerability Attackers may leverage these issues to steal cookie-based authentication credentials, execute arbitrary script code in the browser, perform unauthorized actions, gain unauthorized access, obtain sensitive information, compromise the application, access or modify data and to execute arbitrary commands in the context of the vulnerable application; other attacks are also possible. It is easy, affordable, and open source.The application is prone to a reflected cross-sitescripting vulnerability due to a failure to properlysanitize user-supplied input to the 'username' POSTparameter in the 'login.htm' script. Product web page: http://www.infiniteautomation.com/ Affected version: 2.5.2 and 2.6.0 beta (build 327) Summary: Mango Automation is a flexible SCADA, HMI And Automation software application that allows you to view, log, graph, animate, alarm, and report on data from sensors, equipment, PLCs, databases, webpages, etc. It is easy, affordable, and open source. Desc: Mango Automation suffers from information disclosure vulnerability because it contains default configuration for debugging enabled in the '/WEB-INF./web.xml' file (debug=true). An attacker can entice a logged-in user to visit a specially crafted URL which will produce a system exception with stack trace on the Jetty server. When this error occurs, the debug option generates a status page with all the information from the visitor, meaning that the attacker is able to see usernames, password hashes, e-mails and of course, Cookie sessions). Using the generated error, the attacker can easily perform session hijacking and take over the system using previously discovered vulnerabilities by just visiting the status page non-authenticated. Tested on: Microsoft Windows 7 Professional SP1 (EN) 32/64bit Microsoft Windows 7 Ultimate SP1 (EN) 32/64bit Jetty(9.2.2.v20140723) Java(TM) SE Runtime Environment (build 1.8.0_51-b16) Java HotSpot(TM) Client VM (build 25.51-b03, mixed mode) Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2015-5260 Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5260.php 20.08.2015 -- One scenario is where the attacker visits the following URL and takes over the admin session (given that the administrator didn't manually disabled the debugging and has produced some exception in current session): - http://localhost:8080/status/ Other scenario is where the attacker sends a link to the victim so the victim after clicking on the link, generates exception and writes all his session attributes in the status page: - http://localhost/status/mango.json?time=$ - http://localhost/status/ Sample status output: \"$\"\r\n\r\n\r\nSESSION ATTRIBUTES\r\n sessionUser=User [id=6, username=n00b, password=NWoZK3kTsExUV00Ywo1G5jlUKKs=, email=z@s.l, phone=123321, admin=true, disabled=false, dataSourcePermissions=[], dataPointPermissions=[], homeUrl=, lastLogin=1440142956496, receiveAlarmEmails=0, receiveOwnAuditEvents=false, timezone=]\r\n LONG_POLL_DATA_TIMEOUT=1440143583487\r\n LONG_POLL_DATA=[com.serotonin.m2m2.web.dwr.longPoll.LongPollData@839308, com.serotonin.m2m2.web.dwr.longPoll.LongPollData@1b4dafa]\r\n\r\n\r\nCONTEXT ATTRIBUTES\r\n DwrContainer=org.directwebremoting.impl.DefaultContainer@138158\r\n constants.EventType.EventTypeNames.AUDIT=AUDIT\r\n constants.SystemEventType.TYPE_USER_LOGIN=USER_LOGIN\r\n constants.Permissions.DataPointAccessTypes.READ=1\r\n org.directwebremoting.ContainerList=[org.directwebremoting.impl.DefaultContainer@138158]\r\n constants.DataTypes.BINARY=1\r\n constants.UserComment.TYPE_EVENT=1\r\n constants.SystemEventType.TYPE_SYSTEM_STARTUP=SYSTEM_STARTUP\r\n javax.servlet.ServletConfig=org.eclipse.jetty.servlet.ServletHolder$Config@bc620e\r\n Also you can list all of the Classes known to DWR: - http://localhost:8080/dwr/index.html

Infinite Automation Mango Automation 2.5.x and 2.6.x before 2.6.0 build 430 allows remote attackers to obtain sensitive debugging information by entering a crafted URL to trigger an exception, and then visiting a certain status page. Infinite Automation Mango Automation is an open source web-based SCADA (data acquisition and monitoring control), HMI and automation software from Infinite Automation Systems, USA. An arbitrary-file-upload vulnerability 2. Multiple information-disclosure vulnerabilities 3. A command-execution vulnerability 4. An SQL-injection vulnerability 5. A cross-site request forgery vulnerability 6. A cross-site scripting vulnerability Attackers may leverage these issues to steal cookie-based authentication credentials, execute arbitrary script code in the browser, perform unauthorized actions, gain unauthorized access, obtain sensitive information, compromise the application, access or modify data and to execute arbitrary commands in the context of the vulnerable application; other attacks are also possible. It is easy, affordable, and open source.The application is prone to a reflected cross-sitescripting vulnerability due to a failure to properlysanitize user-supplied input to the 'username' POSTparameter in the 'login.htm' script. Product web page: http://www.infiniteautomation.com/ Affected version: 2.5.2 and 2.6.0 beta (build 327) Summary: Mango Automation is a flexible SCADA, HMI And Automation software application that allows you to view, log, graph, animate, alarm, and report on data from sensors, equipment, PLCs, databases, webpages, etc. It is easy, affordable, and open source. An attacker can entice a logged-in user to visit a specially crafted URL which will produce a system exception with stack trace on the Jetty server. When this error occurs, the debug option generates a status page with all the information from the visitor, meaning that the attacker is able to see usernames, password hashes, e-mails and of course, Cookie sessions). Using the generated error, the attacker can easily perform session hijacking and take over the system using previously discovered vulnerabilities by just visiting the status page non-authenticated. Tested on: Microsoft Windows 7 Professional SP1 (EN) 32/64bit Microsoft Windows 7 Ultimate SP1 (EN) 32/64bit Jetty(9.2.2.v20140723) Java(TM) SE Runtime Environment (build 1.8.0_51-b16) Java HotSpot(TM) Client VM (build 25.51-b03, mixed mode) Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2015-5260 Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5260.php 20.08.2015 -- One scenario is where the attacker visits the following URL and takes over the admin session (given that the administrator didn't manually disabled the debugging and has produced some exception in current session): - http://localhost:8080/status/ Other scenario is where the attacker sends a link to the victim so the victim after clicking on the link, generates exception and writes all his session attributes in the status page: - http://localhost/status/mango.json?time=$ - http://localhost/status/ Sample status output: \"$\"\r\n\r\n\r\nSESSION ATTRIBUTES\r\n sessionUser=User [id=6, username=n00b, password=NWoZK3kTsExUV00Ywo1G5jlUKKs=, email=z@s.l, phone=123321, admin=true, disabled=false, dataSourcePermissions=[], dataPointPermissions=[], homeUrl=, lastLogin=1440142956496, receiveAlarmEmails=0, receiveOwnAuditEvents=false, timezone=]\r\n LONG_POLL_DATA_TIMEOUT=1440143583487\r\n LONG_POLL_DATA=[com.serotonin.m2m2.web.dwr.longPoll.LongPollData@839308, com.serotonin.m2m2.web.dwr.longPoll.LongPollData@1b4dafa]\r\n\r\n\r\nCONTEXT ATTRIBUTES\r\n DwrContainer=org.directwebremoting.impl.DefaultContainer@138158\r\n constants.EventType.EventTypeNames.AUDIT=AUDIT\r\n constants.SystemEventType.TYPE_USER_LOGIN=USER_LOGIN\r\n constants.Permissions.DataPointAccessTypes.READ=1\r\n org.directwebremoting.ContainerList=[org.directwebremoting.impl.DefaultContainer@138158]\r\n constants.DataTypes.BINARY=1\r\n constants.UserComment.TYPE_EVENT=1\r\n constants.SystemEventType.TYPE_SYSTEM_STARTUP=SYSTEM_STARTUP\r\n javax.servlet.ServletConfig=org.eclipse.jetty.servlet.ServletHolder$Config@bc620e\r\n Also you can list all of the Classes known to DWR: - http://localhost:8080/dwr/index.html

Infinite Automation Mango Automation 2.5.x and 2.6.x through 2.6.0 build 430 allows remote authenticated users to execute arbitrary OS commands via unspecified vectors. Infinite Automation Mango Automation is an open source web-based SCADA (data acquisition and monitoring control), HMI and automation software from Infinite Automation Systems, USA. An arbitrary-file-upload vulnerability 2. Multiple information-disclosure vulnerabilities 3. A command-execution vulnerability 4. An SQL-injection vulnerability 5. A cross-site request forgery vulnerability 6. A cross-site scripting vulnerability Attackers may leverage these issues to steal cookie-based authentication credentials, execute arbitrary script code in the browser, perform unauthorized actions, gain unauthorized access, obtain sensitive information, compromise the application, access or modify data and to execute arbitrary commands in the context of the vulnerable application; other attacks are also possible. It is easy, affordable, and open source.The application is prone to a reflected cross-sitescripting vulnerability due to a failure to properlysanitize user-supplied input to the 'username' POSTparameter in the 'login.htm' script. Product web page: http://www.infiniteautomation.com/ Affected version: 2.5.2 and 2.6.0 beta (build 327) Summary: Mango Automation is a flexible SCADA, HMI And Automation software application that allows you to view, log, graph, animate, alarm, and report on data from sensors, equipment, PLCs, databases, webpages, etc. It is easy, affordable, and open source. Desc: Mango Automation suffers from information disclosure vulnerability because it contains default configuration for debugging enabled in the '/WEB-INF./web.xml' file (debug=true). An attacker can entice a logged-in user to visit a specially crafted URL which will produce a system exception with stack trace on the Jetty server. When this error occurs, the debug option generates a status page with all the information from the visitor, meaning that the attacker is able to see usernames, password hashes, e-mails and of course, Cookie sessions). Using the generated error, the attacker can easily perform session hijacking and take over the system using previously discovered vulnerabilities by just visiting the status page non-authenticated. Tested on: Microsoft Windows 7 Professional SP1 (EN) 32/64bit Microsoft Windows 7 Ultimate SP1 (EN) 32/64bit Jetty(9.2.2.v20140723) Java(TM) SE Runtime Environment (build 1.8.0_51-b16) Java HotSpot(TM) Client VM (build 25.51-b03, mixed mode) Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2015-5260 Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5260.php 20.08.2015 -- One scenario is where the attacker visits the following URL and takes over the admin session (given that the administrator didn't manually disabled the debugging and has produced some exception in current session): - http://localhost:8080/status/ Other scenario is where the attacker sends a link to the victim so the victim after clicking on the link, generates exception and writes all his session attributes in the status page: - http://localhost/status/mango.json?time=$ - http://localhost/status/ Sample status output: \"$\"\r\n\r\n\r\nSESSION ATTRIBUTES\r\n sessionUser=User [id=6, username=n00b, password=NWoZK3kTsExUV00Ywo1G5jlUKKs=, email=z@s.l, phone=123321, admin=true, disabled=false, dataSourcePermissions=[], dataPointPermissions=[], homeUrl=, lastLogin=1440142956496, receiveAlarmEmails=0, receiveOwnAuditEvents=false, timezone=]\r\n LONG_POLL_DATA_TIMEOUT=1440143583487\r\n LONG_POLL_DATA=[com.serotonin.m2m2.web.dwr.longPoll.LongPollData@839308, com.serotonin.m2m2.web.dwr.longPoll.LongPollData@1b4dafa]\r\n\r\n\r\nCONTEXT ATTRIBUTES\r\n DwrContainer=org.directwebremoting.impl.DefaultContainer@138158\r\n constants.EventType.EventTypeNames.AUDIT=AUDIT\r\n constants.SystemEventType.TYPE_USER_LOGIN=USER_LOGIN\r\n constants.Permissions.DataPointAccessTypes.READ=1\r\n org.directwebremoting.ContainerList=[org.directwebremoting.impl.DefaultContainer@138158]\r\n constants.DataTypes.BINARY=1\r\n constants.UserComment.TYPE_EVENT=1\r\n constants.SystemEventType.TYPE_SYSTEM_STARTUP=SYSTEM_STARTUP\r\n javax.servlet.ServletConfig=org.eclipse.jetty.servlet.ServletHolder$Config@bc620e\r\n Also you can list all of the Classes known to DWR: - http://localhost:8080/dwr/index.html

Unrestricted file upload vulnerability in Infinite Automation Mango Automation 2.5.x and 2.6.x before 2.6.0 build 430 allows remote authenticated users to execute arbitrary JSP code via vectors involving an upload of an image file. Supplementary information : CWE Vulnerability type by CWE-434: Unrestricted Upload of File with Dangerous Type ( Unlimited upload of dangerous types of files ) Has been identified. Infinite Automation Mango Automation is an open source web-based SCADA (data acquisition and monitoring control), HMI and automation software from Infinite Automation Systems, USA. An arbitrary-file-upload vulnerability 2. Multiple information-disclosure vulnerabilities 3. A command-execution vulnerability 4. An SQL-injection vulnerability 5. A cross-site request forgery vulnerability 6. A cross-site scripting vulnerability Attackers may leverage these issues to steal cookie-based authentication credentials, execute arbitrary script code in the browser, perform unauthorized actions, gain unauthorized access, obtain sensitive information, compromise the application, access or modify data and to execute arbitrary commands in the context of the vulnerable application; other attacks are also possible. n.jsp).Tested on: Microsoft Windows 7 Professional SP1 (EN) 32/64bitMicrosoft Windows 7 Ultimate SP1 (EN) 32/64bitJetty(9.2.2.v20140723)Java(TM) SE Runtime Environment (build 1.8.0_51-b16)Java HotSpot(TM) Client VM (build 25.51-b03, mixed mode). It is easy, affordable, and open source.The application is prone to a reflected cross-sitescripting vulnerability due to a failure to properlysanitize user-supplied input to the 'username' POSTparameter in the 'login.htm' script. Product web page: http://www.infiniteautomation.com/ Affected version: 2.5.2 and 2.6.0 beta (build 327) Summary: Mango Automation is a flexible SCADA, HMI And Automation software application that allows you to view, log, graph, animate, alarm, and report on data from sensors, equipment, PLCs, databases, webpages, etc. It is easy, affordable, and open source. An attacker can entice a logged-in user to visit a specially crafted URL which will produce a system exception with stack trace on the Jetty server. When this error occurs, the debug option generates a status page with all the information from the visitor, meaning that the attacker is able to see usernames, password hashes, e-mails and of course, Cookie sessions). Using the generated error, the attacker can easily perform session hijacking and take over the system using previously discovered vulnerabilities by just visiting the status page non-authenticated. Tested on: Microsoft Windows 7 Professional SP1 (EN) 32/64bit Microsoft Windows 7 Ultimate SP1 (EN) 32/64bit Jetty(9.2.2.v20140723) Java(TM) SE Runtime Environment (build 1.8.0_51-b16) Java HotSpot(TM) Client VM (build 25.51-b03, mixed mode) Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2015-5260 Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5260.php 20.08.2015 -- One scenario is where the attacker visits the following URL and takes over the admin session (given that the administrator didn't manually disabled the debugging and has produced some exception in current session): - http://localhost:8080/status/ Other scenario is where the attacker sends a link to the victim so the victim after clicking on the link, generates exception and writes all his session attributes in the status page: - http://localhost/status/mango.json?time=$ - http://localhost/status/ Sample status output: \"$\"\r\n\r\n\r\nSESSION ATTRIBUTES\r\n sessionUser=User [id=6, username=n00b, password=NWoZK3kTsExUV00Ywo1G5jlUKKs=, email=z@s.l, phone=123321, admin=true, disabled=false, dataSourcePermissions=[], dataPointPermissions=[], homeUrl=, lastLogin=1440142956496, receiveAlarmEmails=0, receiveOwnAuditEvents=false, timezone=]\r\n LONG_POLL_DATA_TIMEOUT=1440143583487\r\n LONG_POLL_DATA=[com.serotonin.m2m2.web.dwr.longPoll.LongPollData@839308, com.serotonin.m2m2.web.dwr.longPoll.LongPollData@1b4dafa]\r\n\r\n\r\nCONTEXT ATTRIBUTES\r\n DwrContainer=org.directwebremoting.impl.DefaultContainer@138158\r\n constants.EventType.EventTypeNames.AUDIT=AUDIT\r\n constants.SystemEventType.TYPE_USER_LOGIN=USER_LOGIN\r\n constants.Permissions.DataPointAccessTypes.READ=1\r\n org.directwebremoting.ContainerList=[org.directwebremoting.impl.DefaultContainer@138158]\r\n constants.DataTypes.BINARY=1\r\n constants.UserComment.TYPE_EVENT=1\r\n constants.SystemEventType.TYPE_SYSTEM_STARTUP=SYSTEM_STARTUP\r\n javax.servlet.ServletConfig=org.eclipse.jetty.servlet.ServletHolder$Config@bc620e\r\n Also you can list all of the Classes known to DWR: - http://localhost:8080/dwr/index.html

Schneider Electric InduSoft Web Studio before 8.0 allows remote attackers to execute arbitrary code or cause a denial of service (unhandled runtime exception and application crash) via a crafted Indusoft Project file. Schneider Electric InduSoft Web Studio is an embedded HMI software package. The Remote Agent is one of the remote agent components

The Remote Agent component in Schneider Electric InduSoft Web Studio before 8.0 allows remote attackers to execute arbitrary code via unspecified vectors, aka ZDI-CAN-2649. Zero Day Initiative Is vulnerable to this vulnerability ZDI-CAN-2649 Was numbered.A third party may execute arbitrary code. User interaction is not required to exploit this vulnerability.The specific flaw exists within the Remote Agent service listening on TCP port 1234. The issue lies in the lack of authentication, allowing attackers to execute remote API calls on the service. The Remote Agent is one of the remote agent components. InduSoft Web Studio is prone to a remote code-execution vulnerability

The NVIDIA display driver R352 before 353.82 and R340 before 341.81 on Windows; R304 before 304.128, R340 before 340.93, and R352 before 352.41 on Linux; and R352 before 352.46 on GRID vGPU and vSGA allows local users to write to an arbitrary kernel memory location and consequently gain privileges via a crafted ioctl call. Multiple HP products are prone to a local privilege-escalation vulnerability and a local denial-of-service vulnerability. Local attackers can exploit these issues to gain elevated privileges or cause a denial-of-service condition. ============================================================================ Ubuntu Security Notice USN-2747-1 September 28, 2015 nvidia-graphics-drivers-304, nvidia-graphics-drivers-304-updates, nvidia-graphics-drivers-340, nvidia-graphics-drivers-340-updates, nvidia-graphics-drivers-346, nvidia-graphics-drivers-346-updates, jockey vulnerability ============================================================================ A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 15.04 - Ubuntu 14.04 LTS - Ubuntu 12.04 LTS Summary: NVIDIA graphics drivers could be made to run programs as an administrator. Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 15.04: nvidia-304 304.128-0ubuntu0.1 nvidia-304-updates 304.128-0ubuntu0.1 nvidia-340 340.93-0ubuntu0.1 nvidia-340-updates 340.93-0ubuntu0.1 nvidia-346 346.96-0ubuntu0.1 nvidia-346-updates 346.96-0ubuntu0.1 Ubuntu 14.04 LTS: nvidia-304 304.128-0ubuntu0.0.1 nvidia-304-updates 304.128-0ubuntu0.0.1 nvidia-340 340.93-0ubuntu0.0.1 nvidia-340-updates 340.93-0ubuntu0.0.1 nvidia-346 346.96-0ubuntu0.0.1 nvidia-346-updates 346.96-0ubuntu0.0.1 Ubuntu 12.04 LTS: jockey-common 0.9.7-0ubuntu7.16 nvidia-304 304.128-0ubuntu0.0.0.1 nvidia-304-updates 304.128-0ubuntu0.0.0.1 nvidia-340 340.93-0ubuntu0.0.0.1 nvidia-340-updates 340.93-0ubuntu0.0.0.1 After a standard system update you need to reboot your computer to make all the necessary changes. References: http://www.ubuntu.com/usn/usn-2747-1 CVE-2015-5950 Package Information: https://launchpad.net/ubuntu/+source/nvidia-graphics-drivers-304/304.128-0ubuntu0.1 https://launchpad.net/ubuntu/+source/nvidia-graphics-drivers-304-updates/304.128-0ubuntu0.1 https://launchpad.net/ubuntu/+source/nvidia-graphics-drivers-340/340.93-0ubuntu0.1 https://launchpad.net/ubuntu/+source/nvidia-graphics-drivers-340-updates/340.93-0ubuntu0.1 https://launchpad.net/ubuntu/+source/nvidia-graphics-drivers-346/346.96-0ubuntu0.1 https://launchpad.net/ubuntu/+source/nvidia-graphics-drivers-346-updates/346.96-0ubuntu0.1 https://launchpad.net/ubuntu/+source/nvidia-graphics-drivers-304/304.128-0ubuntu0.0.1 https://launchpad.net/ubuntu/+source/nvidia-graphics-drivers-304-updates/304.128-0ubuntu0.0.1 https://launchpad.net/ubuntu/+source/nvidia-graphics-drivers-340/340.93-0ubuntu0.0.1 https://launchpad.net/ubuntu/+source/nvidia-graphics-drivers-340-updates/340.93-0ubuntu0.0.1 https://launchpad.net/ubuntu/+source/nvidia-graphics-drivers-346/346.96-0ubuntu0.0.1 https://launchpad.net/ubuntu/+source/nvidia-graphics-drivers-346-updates/346.96-0ubuntu0.0.1 https://launchpad.net/ubuntu/+source/jockey/0.9.7-0ubuntu7.16 https://launchpad.net/ubuntu/+source/nvidia-graphics-drivers-304/304.128-0ubuntu0.0.0.1 https://launchpad.net/ubuntu/+source/nvidia-graphics-drivers-304-updates/304.128-0ubuntu0.0.0.1 https://launchpad.net/ubuntu/+source/nvidia-graphics-drivers-340/340.93-0ubuntu0.0.0.1 https://launchpad.net/ubuntu/+source/nvidia-graphics-drivers-340-updates/340.93-0ubuntu0.0.0.1 . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Note: the current version of the following document is available here: https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/ docDisplay?docId=emr_na-c04815468 SUPPORT COMMUNICATION - SECURITY BULLETIN Document ID: c04815468 Version: 1 HPSBHF03513 rev.1 - HP PCs and Workstations running Windows and Linux with NVidia Graphics Driver, Local Denial of Service (DoS), Elevation of Privilege NOTICE: The information in this Security Bulletin should be acted upon as soon as possible. Release Date: 2015-09-25 Last Updated: 2015-09-25 Potential Security Impact: Denial of Service (DoS), elevation of privilege Source: Hewlett-Packard Company, HP Software Security Response Team VULNERABILITY SUMMARY Potential security vulnerabilities have been identified with certain HP PCs and workstations with Windows and Linux running the NVidia Graphics Driver. The vulnerabilities could be locally exploited resulting in Denial of Service (DoS) and elevation of privilege. Note: This issue is present on Windows and Linux operating systems and affects all currently supported NVIDIA driver releases and all GPUs. This issue does not affect Android based NVIDIA Tegra products. References: CVE-2015-5950 SSRT102235 SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed. HP Notebooks and Workstations HP EliteBook 8740w 8740w Nvidia video driver HP EliteBook 8440w 8440w Nvidia video driver HP EliteBook 8540w 8540w Nvidia video driver HP EliteBook 8760w 8760w Nvidia video driver HP EliteBook 8560w 8560w Nvidia video driver HP EliteBook 8770w 8570w Nvidia video driver HP EliteBook 8570w 8570w Nvidia video driver HP ZBook 17 17 Nvidia video driver HP ZBook 15 15 Nvidia video driver HP Zbook 17 G2 17 G2 Nvidia video driver HP Zbook 15 G2 15 G2 Nvidia video driver HP Z1 Nvidia video driver HP Z230 Nvidia video driver HP Z420 Nvidia video driver HP Z440 Nvidia video driver HP Z620 Nvidia video driver HP Z640 Nvidia video driver HP Z820 Nvidia video driver HP Z840 Nvidia video driver BACKGROUND CVSS 2.0 Base Metrics =========================================================== Reference Base Vector Base Score CVE-2015-5950 (AV:L/AC:M/Au:S/C:C/I:C/A:C) 6.6 =========================================================== Information on CVSS is documented in HP Customer Notice: HPSN-2008-002 RESOLUTION HP has provided the following NVidia driver updates for the impacted Windows and Linux platforms running the NVidia Graphics Driver . Note: This security bulletin will be revised as additional product updates become available. Linux Users Note: Download and install Linux-specific graphics drivers directly from NVIDIA download resources to address vulnerability. - Long Lived Branch versions 352.41 (or greater) and 346.96 (or greater). - Legacy Support Branches 304.128 (or greater) and 340.93 (or greater). To acquire the HP NVidia driver update, go to http://hp.com 1. Select "Support" and then "Download Drivers" 2. Enter your product name or number in the "Find my product" field. 3. Choose the product from the returned search 4. Choose the appropriate operating system 5. Under the Download Index, select Driver-Graphics, and download the updated NVidia driver version as listed in the table below. 6. Follow the installation instructions to install the NVidia Driver update. | HP Notebooks and Workstations | O/S | Version | Softpaq | |-------------------------------|-----------------|---------|---------| | HP EliteBook 8440w | Windows 7/8/8.1 | 341.81 | SP72938 | | HP EliteBook 8540w | Windows 7/8/8.1 | 341.81 | SP72938 | | HP EliteBook 8560w | Windows 7/8/8.1 | 341.81 | SP72938 | | HP EliteBook 8570w | Windows 7/8/8.1 | 354.04 | SP72937 | | HP EliteBook 8570w | Windows 10 | 354.04 | SP72936 | | HP EliteBook 8740w | Windows 7/8/8.1 | 341.81 | SP72938 | | HP EliteBook 8760w | Windows 7/8/8.1 | 341.81 | SP72938 | | HP EliteBook 8770w | Windows 7/8/8.1 | 354.04 | SP72937 | | HP EliteBook 8770w | Windows 10 | 354.04 | SP72936 | | HP ZBook 15 | Windows 10 | 354.04 | SP72936 | | HP ZBook 15 | Windows 7/8/8.1 | 354.04 | SP72937 | | HP ZBook 15 G2 | Windows 7/8/8.1 | 354.04 | SP72937 | | HP ZBook 15 G2 | Windows 10 | 354.04 | SP72936 | | HP ZBook 17 | Windows 7/8/8.1 | 354.04 | SP72937 | | HP ZBook 17 | Windows 10 | 354.04 | SP72936 | | HP ZBook 17 G2 | Windows 7/8/8.1 | 354.04 | SP72937 | | HP ZBook 17 G2 | Windows 10 | 354.04 | SP72936 | | HP Z1 | See *Note | | | | HP Z230 | See *Note | | | | HP Z420 | See *Note | | | | HP Z440 | See *Note | | | | HP Z620 | See *Note | | | | HP Z640 | See *Note | | | | HP Z820 | See *Note | | | | HP Z840 | See *Note | | | *Note: HP will revise this security bulletin when softpaq updates are available for these products. Until available, customers can download updated NVidia drivers for Windows 7, 8.1 or 10.0 from NVidia.com. HISTORY Version:1 (rev.1) - 25 September 2015 Initial release Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy. Support: For issues about implementing the recommendations of this Security Bulletin, contact normal HP Services support channel. For other issues about the content of this Security Bulletin, send e-mail to security-alert@hp.com. Report: To report a potential security vulnerability with any HP supported product, send Email to: security-alert@hp.com Subscribe: To initiate a subscription to receive future HP Security Bulletin alerts via Email: http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins Security Bulletin Archive: A list of recently released Security Bulletins is available here: https://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/ Software Product Category: The Software Product Category is represented in the title by the two characters following HPSB. 3C = 3COM 3P = 3rd Party Software GN = HP General Software HF = HP Hardware and Firmware MP = MPE/iX MU = Multi-Platform Software NS = NonStop Servers OV = OpenVMS PI = Printing and Imaging PV = ProCurve ST = Storage Software TU = Tru64 UNIX UX = HP-UX Copyright 2015 Hewlett-Packard Development Company, L.P. Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental,special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett-Packard Company and the names of Hewlett-Packard products referenced herein are trademarks of Hewlett-Packard Company in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners. -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.19 (GNU/Linux) iEYEARECAAYFAlYFpJsACgkQ4B86/C0qfVnWugCgi6SU1Yc5YsvliSb/imDb0N8V gfoAniAaSv9eeyapAzMPxUB//a9YGUHL =K/FB -----END PGP SIGNATURE-----