VARIoT IoT vulnerabilities database

The web framework in Cisco TelePresence Advanced Media Gateway Series Software before 1.1(1.40), Cisco TelePresence IP Gateway Series Software, Cisco TelePresence IP VCR Series Software before 3.0(1.27), Cisco TelePresence ISDN Gateway Software before 2.2(1.94), Cisco TelePresence MCU Software before 4.4(3.54) and 4.5 before 4.5(1.45), Cisco TelePresence MSE Supervisor Software before 2.3(1.38), Cisco TelePresence Serial Gateway Series Software before 1.0(1.42), Cisco TelePresence Server Software for Hardware before 3.1(1.98), and Cisco TelePresence Server Software for Virtual Machine before 4.1(1.79) allows remote authenticated users to execute arbitrary commands with root privileges via unspecified vectors, aka Bug IDs CSCul55968, CSCur08993, CSCur15803, CSCur15807, CSCur15825, CSCur15832, CSCur15842, CSCur15850, and CSCur15855. plural Cisco TelePresence Product Web The framework includes root A vulnerability exists that allows arbitrary commands to be executed with privileges. Vendors have confirmed this vulnerability Bug ID CSCul55968 , CSCur08993 , CSCur15803 , CSCur15807 , CSCur15825 , CSCur15832 , CSCur15842 , CSCur15850 ,and CSCur15855 It is released as.By a remotely authenticated user root An arbitrary command may be executed with authority. Multiple Cisco TelePresence Products are prone to a remote command-injection vulnerability because it fails to properly sanitize user-supplied input. This issue is being tracked by Cisco Bug IDs CSCur15855, CSCur15842, CSCul55968, CSCur15832, CSCur15825, CSCur15807, CSCur15850, CSCur15803, and CSCur08993. are all products of Cisco (Cisco)

The network drivers in Cisco TelePresence T, Cisco TelePresence TE, and Cisco TelePresence TC before 7.3.2 allow remote attackers to cause a denial of service (process restart or device reload) via a flood of crafted IP packets, aka Bug ID CSCuj68952. An attacker can exploit this issue to restart and reload the device, denying service to legitimate users. This issue is being tracked by Cisco Bug ID CSCuj68952. Cisco TelePresence is a set of video conferencing solutions called "TelePresence" system of Cisco (Cisco). TC and so on are the terminal software

The web administration interface on Cisco Wireless LAN Controller (WLC) devices before 7.0.241, 7.1.x through 7.4.x before 7.4.122, and 7.5.x and 7.6.x before 7.6.120 allows remote authenticated users to cause a denial of service (device crash) via unspecified parameters, aka Bug IDs CSCum65159 and CSCum65252. An attacker could exploit this vulnerability to cause the affected device to crash, resulting in a denial of service. This issue is being tracked by Cisco Bug ID's CSCum65159 and CSCum65252. The following versions are affected: Cisco WLC prior to 7.0.241, prior to 7.4.122, prior to 7.6.120

Cross-site scripting (XSS) vulnerability in the administrative interface in Cisco WebEx Meetings Server 2.5 and 2.5.0.997 allows remote attackers to inject arbitrary web script or HTML via a crafted URL, aka Bug ID CSCuq86310. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. This issue is being tracked by Cisco Bug ID CSCuq86310. Cisco WebEx Meetings Server (CWMS) is a set of multi-functional conference solutions including audio, video and Web conference in Cisco's WebEx conference solution

Cross-site scripting (XSS) vulnerability in the HTTP module in Cisco Security Manager (CSM) 4.7(0)SP1(1) allows remote attackers to inject arbitrary web script or HTML via a crafted URL, aka Bug ID CSCut27789. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. This issue is being tracked by Cisco Bug ID CSCut27789

Cross-site scripting (XSS) vulnerability in Cisco Access Control Server (ACS) 5.5(0.1) allows remote attackers to inject arbitrary web script or HTML via a crafted URL, aka Bug ID CSCuu11002. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. This issue is being tracked by Cisco Bug ID CSCuu11002. The solution supports certification revocation list (CRL), device access permission setting and user profile verification, etc

Hospira LifeCare PCA Infusion System before 7.0 has hardcoded credentials, which makes it easier for remote attackers to obtain access via unspecified vectors. Hospira LifeCare PCA Infusion System Contains hard-coded authentication information, so there is a vulnerability that can gain access.Access may be obtained by a third party. Hospira Lifecare PCA Infusion Pump is prone to a security-bypass vulnerability. Attackers can exploit this issue to bypass the authentication mechanism and gain access to the vulnerable device. Hospira LifeCare PCA Infusion System is an intelligent infusion system developed by Hospira in the United States

Cybertec Series 2000 3G Modem/Router is a 3G routing device. Cybertec Series 2000 3G Modem / Router The WEB interface has a default management account that allows an attacker to exploit a vulnerability to gain unauthorized access to the device.

Stack-based buffer overflow in the LZC decompression implementation (CsObjectInt::CsDecomprLZC function in vpa106cslzc.cpp) in SAP MaxDB 7.5 and 7.6, Netweaver Application Server ABAP, Netweaver Application Server Java, Netweaver RFC SDK, GUI, RFC SDK, SAPCAR archive tool, and other products allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via unspecified vectors, aka SAP Security Note 2124806, 2121661, 2127995, and 2125316. plural SAP Product LZC Implementation of decompression (vpa106cslzc.cpp of CsObjectInt::CsDecomprLZC function ) Contains a stack-based buffer overflow vulnerability. Vendors have confirmed this vulnerability SAP Security Note 2124806 , 2121661 , 2127995 ,and 2125316 It is released as.Denial of service by attacker ( crash ) Could be put into a state or execute arbitrary code. Multiple SAP Products are prone to a buffer-overflow vulnerability and a denial-of-service vulnerability. Remote attackers can exploit these issues to execute arbitrary code in the context of the application or cause denial-of-service conditions. 1. Advisory Information Title: SAP LZC/LZH Compression Multiple Vulnerabilities Advisory ID: CORE-2015-0009 Advisory URL: http://www.coresecurity.com/advisories/sap-lzc-lzh-compression-multiple-vulnerabilities Date published: 2015-05-12 Date of last update: 2015-05-12 Vendors contacted: SAP Release mode: Coordinated release 2. Vulnerability Information Class: Out-of-bounds Write [CWE-787], Out-of-bounds Read [CWE-125] Impact: Denial of service Remotely Exploitable: Yes Locally Exploitable: Yes CVE Name: CVE-2015-2282, CVE-2015-2278 3. Vulnerability Description SAP products make use of a proprietary implementation of the Lempel-Ziv-Thomas (LZC) adaptive dictionary compression algorithm and the Lempel-Ziv-Huffman (LZH) compression algorithm [1] . These compression algorithms are used across several SAP products and programs. Vulnerabilities were found in the decompression routines that could be triggered in different scenarios, and could lead to execution of arbitrary code and denial of service conditions. 4. Vulnerable Packages SAP Netweaver Application Server ABAP. SAP Netweaver Application Server Java. SAP Netweaver RFC SDK SAP RFC SDK SAP GUI SAP MaxDB database SAPCAR archive tool Other products and versions might be affected, but they were not tested. 5. Vendor Information, Solutions and Workarounds SAP published the following Security Notes: 2124806 2121661 2127995 2125316 They can be accessed by SAP clients in their Support Portal [15]. Developers who used the Open Source versions of MaxDB 7.5 and 7.6 for their tools should contact SAP. 6. Credits This vulnerability was discovered and researched by Martin Gallo from Core Security Consulting Services. The publication of this advisory was coordinated by Joaquín Rodríguez Varela from Core Advisories Team. 7. Technical Description / Proof of Concept Code SAP products make use of LZC and LZH algorithms for compressing in-transit data for different services (Diag protocol, RFC protocol, MaxDB protocol) and for distributing files (SAPCAR program). The implementation of this algorithm was also included in Open Source versions of MaxDB 7.5 and 7.6 [2], and used on multiple Open Source security-related programs [3][4][5][6][7][8][9][10][11]. The code that handles the decompression of LZC and LZH compressed data is prone to two memory corruption vulnerabilities, as described below. 7.1. The following snippet of code shows the vulnerable function [file vpa106cslzc.cpp in the MaxDB source code [12]]. This piece of code can be reached by decompressing a specially crafted buffer. [..] int CsObjectInt::CsDecomprLZC (SAP_BYTE * inbuf, SAP_INT inlen, SAP_BYTE * outbuf, SAP_INT outlen, SAP_INT option, SAP_INT * bytes_read, SAP_INT * bytes_written) [..] /* Generate output characters in reverse order ...................*/ while (code >= 256) { *stackp++ = TAB_SUFFIXOF(code); OVERFLOW_CHECK code = TAB_PREFIXOF(code); } [..] Note that the "code" variable contains an attacker controlled value, resulting in a stack overflow if the value is greater than 256 and the value for that code in the prefix table is also greater than 256. It's possible to fill in the stack with arbitrary values by controlling the values stored in the prefix and suffix tables. It's also worth mentioning that the above code includes a macro for performing some bounds checks on the stack pointer ("OVERFLOW_CHECK"). However, the check implemented by this macro is not sufficient for avoiding this vulnerability and also could lead to fault conditions when decompressing valid buffers. Moreover, vulnerable products and programs were built without this macro enabled ("CS_STACK_CHECK" macro not defined at the time of compilation). 7.2. LZH decompression out-of-bounds read The vulnerability [CVE-2015-2278] is caused by an out-of-bounds read of a buffer used by the decompression routine when performing look-ups of non-simple codes. The following piece of code shows the vulnerable function [file vpa108csulzh.cpp in the MaxDB source code [13]]. This piece of code can be reached by decompressing a specially crafted buffer. [..] int CsObjectInt::BuildHufTree ( unsigned * b, /* code lengths in bits (all assumed <= BMAX) */ unsigned n, /* number of codes (assumed <= N_MAX) */ unsigned s, /* number of simple-valued codes (0..s-1) */ int * d, /* list of base values for non-simple codes */ int * e, /* list of extra bits for non-simple codes */ HUFTREE **t, /* result: starting table */ int * m) /* maximum lookup bits, returns actual */ [..] if (p >= v + n) { r.e = INVALIDCODE; /* out of values--invalid code */ } else if (*p < s) { /* 256 is end-of-block code */ r.e = (unsigned char)(*p < 256 ? LITCODE : EOBCODE); r.v.n = (unsigned short) *p; /* simple code is just the value*/ p++; } else { r.e = (unsigned char) e[*p - s]; /*non-simple,look up in lists*/ r.v.n = (unsigned short) d[*p - s]; p++; } [..] The "e" and "d" arrays are indexed with the value of "*p - s" which is an attacker-controlled value. When the code is reached, this results in an out-of-bounds read access. 7.3. Attack scenarios The vulnerabilities affect a varied range of products and programs. The attack scenarios differ based on the way each product makes use of the compression libraries. At very least the following scenarios can be identified: 7.3.1. Attacks against server-side components SAP Netweaver services like Dispatcher or Gateway handle compressed requests coming from the different clients connecting to them. A remote unauthenticated attacker might be able to connect to the aforementioned services and trigger the vulnerabilities by sending specially crafted packets. 7.3.2. Client-side attacks An attacker might be able to perform client-side attacks against users of the affected programs that handle compressed data. For instance, an attacker might send a specially crafted .CAR or .SAR archive file aimed at being decompressed using the SAPCAR tool, or mount a rogue SAP server offering Dispatcher and entice users to connect to this malicious server using SAP GUI. 7.3.3. Man-in-the-middle attacks As most of the services affected by these issues are not encrypted by default, an attacker might be able to perform a man-in-the-middle attack and trigger the vulnerabilities by injecting malicious packets within the communication. 7.4. Looking in binaries for compression routines The LZC and LZH compression algorithm routines are statically compiled in the different binaries of the affected products and programs. It's possible to check if a binary includes these functions by looking at whether the algorithm's constants are used in the program. The following Radare [14] command can be used to check if a binary file includes the mentioned constants: $ rafind2 -x fffefcf8f0e0c080 -x 0103070f1f3f7fff <binary_file> Example output: $ rafind2 -X -x fffefcf8f0e0c080 -x 0103070f1f3f7fff SAPCAR64 SAPCAR64: 000 @ 0x1082c1 offset 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF 0x001082c1 0103 070f 1f3f 7fff fffe fcf8 f0e0 c080 .....?.......... 0x001082d1 0000 0000 0000 0000 0000 0000 0000 0000 ................ 0x001082e1 0000 0000 0000 0000 0000 0000 0000 0004 ................ 0x001082f1 0000 0004 0000 0010 0000 0000 0000 0006 ................ 0x00108301 0000 0008 0000 0010 0000 0000 0000 .............. 8. Report Timeline 2015-01-20: Core Security sends an initial notification to SAP. Publication date set to Mar 10, 2015 (Patch Tuesday). 2015-01-21: SAP confirms reception and requests a draft version of the advisory. 2015-01-21: Core Security sends the draft version of the advisory to the vendor. 2015-01-21: SAP confirms reception of the report and assigns the following security message Number: 55318 2015. 2015-01-22: SAP asks if the two vulnerable functions mentioned in the draft are the only ones affected by these vulnerabilities. 2015-01-22: Core Security informs the vendor that researchers were only able to trigger the vulnerabilities in the functions mentioned in the draft advisory. In case they find other instances where the vulnerabilities can be triggered, Core requests to be informed. 2015-01-30: Core Security asks the vendor if they were able to verify the vulnerabilities in order to coordinate a proper release date. 2015-02-02: SAP states that they verified and confirmed the vulnerabilities, are working on a solution, and will provide an update once the solution plan is finished. 2015-02-04: SAP states that they will be able to provide a fix by May's Patch Tuesday, 2015, and not March as requested. They also request to know how the advisory is going to be published and if we have any plans to include them in any upcoming presentations. 2015-02-10: SAP requests confirmation of their previous email in order to coordinate the advisory for the May 12th, 2015. 2015-02-18: Core Security informs SAP that the date is confirmed and that researchers might present something after the publication of the advisory. 2015-02-19: SAP states that it is thankful for Core's commitment to go for a coordinated release. They say they will keep us updated. 2015-05-07: Core Security reminds SAP that the date for the proposed fix to be released is the following week, therefore we would like to resume communications in order to publish our findings in a coordinated manner. 2015-05-07: SAP informs that they are on track to release the security notes as part of their May patch day (May 12th, 2015). 2015-05-11: Core Security asks SAP for the specific time they are planning to publish their security note and requests a tentative link so it can be included in Core's advisory. Additionally, Core sends a tentative fix for the source code that it is planning to add in its advisory for SAP to review, and a list of vulnerable tools that used the vulnerable code so SAP can contact and inform the owners of the fix. 2015-05-12: SAP states that they published 4 security notes regarding the issues we reported. They requested for us to wait 3 months to publish our findings and to send them the advisory before is published. 2015-05-12: Core Security requests that SAP fixes the external ID (Core's ID) they used and offer Core's publication link. Additionally, Core explained that is their policy to release their findings the same day the vendor does. Core also reminded SAP that they were still waiting for a reply to their previous email. 2015-05-12: Advisory CORE-2015-0009 published. 9. References [1] http://en.wikipedia.org/wiki/LZ77_and_LZ78. [2] ftp://ftp.sap.com/pub/maxdb/current/7.6.00/. [3] http://conus.info/utils/SAP_pkt_decompr.txt. [4] https://github.com/sensepost/SAPProx. [5] https://github.com/sensepost/SapCap. [6] http://blog.ptsecurity.com/2011/10/sap-diag-decompress-plugin-for.html. [7] https://github.com/CoreSecurity/pysap. [8] https://github.com/CoreSecurity/SAP-Dissection-plug-in-for-Wireshark. [9] https://github.com/daberlin/sap-reposrc-decompressor. [10] https://labs.mwrinfosecurity.com/tools/sap-decom/. [11] http://www.oxid.it/cain.html. [12] http://maxdb-7.5.00.sourcearchive.com/documentation/7.5.00.44-2/vpa106cslzc_8cpp-source.html. [13] http://maxdb-7.5.00.sourcearchive.com/documentation/7.5.00.44-2/vpa108csulzh_8cpp-source.html. [14] http://radare.org/y/. [15] https://service.sap.com/securitynotes. 10. About CoreLabs CoreLabs, the research center of Core Security, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://corelabs.coresecurity.com. 11. About Core Security Core Security enables organizations to get ahead of threats with security test and measurement solutions that continuously identify and demonstrate real-world exposures to their most critical assets. Our customers can gain real visibility into their security standing, real validation of their security controls, and real metrics to more effectively secure their organizations. Core Security's software solutions build on over a decade of trusted research and leading-edge threat expertise from the company's Security Consulting Services, CoreLabs and Engineering groups. Core Security can be reached at +1 (617) 399-6980 or on the Web at: http://www.coresecurity.com. 12. Disclaimer The contents of this advisory are copyright (c) 2015 Core Security and (c) 2015 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/ 13. PGP/GPG Keys This advisory has been signed with the GPG key of Core Security advisories team, which is available for download at http://www.coresecurity.com/files/attachments/core_security_advisories.asc

The LZH decompression implementation (CsObjectInt::BuildHufTree function in vpa108csulzh.cpp) in SAP MaxDB 7.5 and 7.6, Netweaver Application Server ABAP, Netweaver Application Server Java, Netweaver RFC SDK, GUI, RFC SDK, SAPCAR archive tool, and other products allows context-dependent attackers to cause a denial of service (out-of-bounds read) via unspecified vectors, related to look-ups of non-simple codes, aka SAP Security Note 2124806, 2121661, 2127995, and 2125316. Vendors have confirmed this vulnerability SAP Security Note 2124806 , 2121661 , 2127995 ,and 2125316 It is released as.Denial of service by attacker (out-of-bounds read) There is a possibility of being put into a state. Multiple SAP Products are prone to a buffer-overflow vulnerability and a denial-of-service vulnerability. Remote attackers can exploit these issues to execute arbitrary code in the context of the application or cause denial-of-service conditions. 1. Advisory Information Title: SAP LZC/LZH Compression Multiple Vulnerabilities Advisory ID: CORE-2015-0009 Advisory URL: http://www.coresecurity.com/advisories/sap-lzc-lzh-compression-multiple-vulnerabilities Date published: 2015-05-12 Date of last update: 2015-05-12 Vendors contacted: SAP Release mode: Coordinated release 2. Vulnerability Information Class: Out-of-bounds Write [CWE-787], Out-of-bounds Read [CWE-125] Impact: Denial of service Remotely Exploitable: Yes Locally Exploitable: Yes CVE Name: CVE-2015-2282, CVE-2015-2278 3. Vulnerability Description SAP products make use of a proprietary implementation of the Lempel-Ziv-Thomas (LZC) adaptive dictionary compression algorithm and the Lempel-Ziv-Huffman (LZH) compression algorithm [1] . These compression algorithms are used across several SAP products and programs. Vulnerabilities were found in the decompression routines that could be triggered in different scenarios, and could lead to execution of arbitrary code and denial of service conditions. 4. Vulnerable Packages SAP Netweaver Application Server ABAP. SAP Netweaver Application Server Java. SAP Netweaver RFC SDK SAP RFC SDK SAP GUI SAP MaxDB database SAPCAR archive tool Other products and versions might be affected, but they were not tested. 5. Vendor Information, Solutions and Workarounds SAP published the following Security Notes: 2124806 2121661 2127995 2125316 They can be accessed by SAP clients in their Support Portal [15]. Developers who used the Open Source versions of MaxDB 7.5 and 7.6 for their tools should contact SAP. 6. Credits This vulnerability was discovered and researched by Martin Gallo from Core Security Consulting Services. The publication of this advisory was coordinated by Joaquín Rodríguez Varela from Core Advisories Team. 7. Technical Description / Proof of Concept Code SAP products make use of LZC and LZH algorithms for compressing in-transit data for different services (Diag protocol, RFC protocol, MaxDB protocol) and for distributing files (SAPCAR program). The implementation of this algorithm was also included in Open Source versions of MaxDB 7.5 and 7.6 [2], and used on multiple Open Source security-related programs [3][4][5][6][7][8][9][10][11]. The code that handles the decompression of LZC and LZH compressed data is prone to two memory corruption vulnerabilities, as described below. 7.1. LZC decompression stack-based buffer overflow The vulnerability [CVE-2015-2282] is caused by an out-of-bounds write to a stack buffer used by the decompression routine to write the output characters. The following snippet of code shows the vulnerable function [file vpa106cslzc.cpp in the MaxDB source code [12]]. This piece of code can be reached by decompressing a specially crafted buffer. [..] int CsObjectInt::CsDecomprLZC (SAP_BYTE * inbuf, SAP_INT inlen, SAP_BYTE * outbuf, SAP_INT outlen, SAP_INT option, SAP_INT * bytes_read, SAP_INT * bytes_written) [..] /* Generate output characters in reverse order ...................*/ while (code >= 256) { *stackp++ = TAB_SUFFIXOF(code); OVERFLOW_CHECK code = TAB_PREFIXOF(code); } [..] Note that the "code" variable contains an attacker controlled value, resulting in a stack overflow if the value is greater than 256 and the value for that code in the prefix table is also greater than 256. It's possible to fill in the stack with arbitrary values by controlling the values stored in the prefix and suffix tables. It's also worth mentioning that the above code includes a macro for performing some bounds checks on the stack pointer ("OVERFLOW_CHECK"). However, the check implemented by this macro is not sufficient for avoiding this vulnerability and also could lead to fault conditions when decompressing valid buffers. Moreover, vulnerable products and programs were built without this macro enabled ("CS_STACK_CHECK" macro not defined at the time of compilation). 7.2. LZH decompression out-of-bounds read The vulnerability [CVE-2015-2278] is caused by an out-of-bounds read of a buffer used by the decompression routine when performing look-ups of non-simple codes. The following piece of code shows the vulnerable function [file vpa108csulzh.cpp in the MaxDB source code [13]]. This piece of code can be reached by decompressing a specially crafted buffer. [..] int CsObjectInt::BuildHufTree ( unsigned * b, /* code lengths in bits (all assumed <= BMAX) */ unsigned n, /* number of codes (assumed <= N_MAX) */ unsigned s, /* number of simple-valued codes (0..s-1) */ int * d, /* list of base values for non-simple codes */ int * e, /* list of extra bits for non-simple codes */ HUFTREE **t, /* result: starting table */ int * m) /* maximum lookup bits, returns actual */ [..] if (p >= v + n) { r.e = INVALIDCODE; /* out of values--invalid code */ } else if (*p < s) { /* 256 is end-of-block code */ r.e = (unsigned char)(*p < 256 ? LITCODE : EOBCODE); r.v.n = (unsigned short) *p; /* simple code is just the value*/ p++; } else { r.e = (unsigned char) e[*p - s]; /*non-simple,look up in lists*/ r.v.n = (unsigned short) d[*p - s]; p++; } [..] The "e" and "d" arrays are indexed with the value of "*p - s" which is an attacker-controlled value. When the code is reached, this results in an out-of-bounds read access. 7.3. Attack scenarios The vulnerabilities affect a varied range of products and programs. The attack scenarios differ based on the way each product makes use of the compression libraries. At very least the following scenarios can be identified: 7.3.1. Attacks against server-side components SAP Netweaver services like Dispatcher or Gateway handle compressed requests coming from the different clients connecting to them. A remote unauthenticated attacker might be able to connect to the aforementioned services and trigger the vulnerabilities by sending specially crafted packets. 7.3.2. Client-side attacks An attacker might be able to perform client-side attacks against users of the affected programs that handle compressed data. For instance, an attacker might send a specially crafted .CAR or .SAR archive file aimed at being decompressed using the SAPCAR tool, or mount a rogue SAP server offering Dispatcher and entice users to connect to this malicious server using SAP GUI. 7.3.3. Man-in-the-middle attacks As most of the services affected by these issues are not encrypted by default, an attacker might be able to perform a man-in-the-middle attack and trigger the vulnerabilities by injecting malicious packets within the communication. 7.4. Looking in binaries for compression routines The LZC and LZH compression algorithm routines are statically compiled in the different binaries of the affected products and programs. It's possible to check if a binary includes these functions by looking at whether the algorithm's constants are used in the program. The following Radare [14] command can be used to check if a binary file includes the mentioned constants: $ rafind2 -x fffefcf8f0e0c080 -x 0103070f1f3f7fff <binary_file> Example output: $ rafind2 -X -x fffefcf8f0e0c080 -x 0103070f1f3f7fff SAPCAR64 SAPCAR64: 000 @ 0x1082c1 offset 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF 0x001082c1 0103 070f 1f3f 7fff fffe fcf8 f0e0 c080 .....?.......... 0x001082d1 0000 0000 0000 0000 0000 0000 0000 0000 ................ 0x001082e1 0000 0000 0000 0000 0000 0000 0000 0004 ................ 0x001082f1 0000 0004 0000 0010 0000 0000 0000 0006 ................ 0x00108301 0000 0008 0000 0010 0000 0000 0000 .............. 8. Report Timeline 2015-01-20: Core Security sends an initial notification to SAP. Publication date set to Mar 10, 2015 (Patch Tuesday). 2015-01-21: SAP confirms reception and requests a draft version of the advisory. 2015-01-21: Core Security sends the draft version of the advisory to the vendor. 2015-01-21: SAP confirms reception of the report and assigns the following security message Number: 55318 2015. 2015-01-22: SAP asks if the two vulnerable functions mentioned in the draft are the only ones affected by these vulnerabilities. 2015-01-22: Core Security informs the vendor that researchers were only able to trigger the vulnerabilities in the functions mentioned in the draft advisory. In case they find other instances where the vulnerabilities can be triggered, Core requests to be informed. 2015-01-30: Core Security asks the vendor if they were able to verify the vulnerabilities in order to coordinate a proper release date. 2015-02-02: SAP states that they verified and confirmed the vulnerabilities, are working on a solution, and will provide an update once the solution plan is finished. 2015-02-04: SAP states that they will be able to provide a fix by May's Patch Tuesday, 2015, and not March as requested. They also request to know how the advisory is going to be published and if we have any plans to include them in any upcoming presentations. 2015-02-10: SAP requests confirmation of their previous email in order to coordinate the advisory for the May 12th, 2015. 2015-02-18: Core Security informs SAP that the date is confirmed and that researchers might present something after the publication of the advisory. 2015-02-19: SAP states that it is thankful for Core's commitment to go for a coordinated release. They say they will keep us updated. 2015-05-07: Core Security reminds SAP that the date for the proposed fix to be released is the following week, therefore we would like to resume communications in order to publish our findings in a coordinated manner. 2015-05-07: SAP informs that they are on track to release the security notes as part of their May patch day (May 12th, 2015). 2015-05-11: Core Security asks SAP for the specific time they are planning to publish their security note and requests a tentative link so it can be included in Core's advisory. Additionally, Core sends a tentative fix for the source code that it is planning to add in its advisory for SAP to review, and a list of vulnerable tools that used the vulnerable code so SAP can contact and inform the owners of the fix. 2015-05-12: SAP states that they published 4 security notes regarding the issues we reported. They requested for us to wait 3 months to publish our findings and to send them the advisory before is published. 2015-05-12: Core Security requests that SAP fixes the external ID (Core's ID) they used and offer Core's publication link. Additionally, Core explained that is their policy to release their findings the same day the vendor does. Core also reminded SAP that they were still waiting for a reply to their previous email. 2015-05-12: Advisory CORE-2015-0009 published. 9. References [1] http://en.wikipedia.org/wiki/LZ77_and_LZ78. [2] ftp://ftp.sap.com/pub/maxdb/current/7.6.00/. [3] http://conus.info/utils/SAP_pkt_decompr.txt. [4] https://github.com/sensepost/SAPProx. [5] https://github.com/sensepost/SapCap. [6] http://blog.ptsecurity.com/2011/10/sap-diag-decompress-plugin-for.html. [7] https://github.com/CoreSecurity/pysap. [8] https://github.com/CoreSecurity/SAP-Dissection-plug-in-for-Wireshark. [9] https://github.com/daberlin/sap-reposrc-decompressor. [10] https://labs.mwrinfosecurity.com/tools/sap-decom/. [11] http://www.oxid.it/cain.html. [12] http://maxdb-7.5.00.sourcearchive.com/documentation/7.5.00.44-2/vpa106cslzc_8cpp-source.html. [13] http://maxdb-7.5.00.sourcearchive.com/documentation/7.5.00.44-2/vpa108csulzh_8cpp-source.html. [14] http://radare.org/y/. [15] https://service.sap.com/securitynotes. 10. About CoreLabs CoreLabs, the research center of Core Security, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://corelabs.coresecurity.com. 11. About Core Security Core Security enables organizations to get ahead of threats with security test and measurement solutions that continuously identify and demonstrate real-world exposures to their most critical assets. Our customers can gain real visibility into their security standing, real validation of their security controls, and real metrics to more effectively secure their organizations. Core Security's software solutions build on over a decade of trusted research and leading-edge threat expertise from the company's Security Consulting Services, CoreLabs and Engineering groups. Core Security can be reached at +1 (617) 399-6980 or on the Web at: http://www.coresecurity.com. 12. Disclaimer The contents of this advisory are copyright (c) 2015 Core Security and (c) 2015 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/ 13. PGP/GPG Keys This advisory has been signed with the GPG key of Core Security advisories team, which is available for download at http://www.coresecurity.com/files/attachments/core_security_advisories.asc

Cisco TelePresence T, TelePresence TE, and TelePresence TC before 7.1 do not properly implement access control, which allows remote attackers to obtain root privileges by sending packets on the local network and allows physically proximate attackers to obtain root privileges via unspecified vectors, aka Bug ID CSCub67651. Vendors have confirmed this vulnerability Bug ID CSCub67651 It is released as. Supplementary information : CWE Vulnerability type by CWE-284: Improper Access Control ( Inappropriate access control ) Has been identified. http://cwe.mitre.org/data/definitions/284.htmlBy sending packets to the local network by a third party, root By an authorized attacker and physically able to control the device, root You may get permission. An attacker can exploit this issue to bypass the authentication mechanism and gain unauthorized access. This may lead to further attacks. Cisco TelePresence is a set of video conferencing solutions called "TelePresence" system of Cisco (Cisco). TC and so on are the terminal software

The Floppy Disk Controller (FDC) in QEMU, as used in Xen 4.5.x and earlier and KVM, allows local guest users to cause a denial of service (out-of-bounds write and guest crash) or possibly execute arbitrary code via the (1) FD_CMD_READ_ID, (2) FD_CMD_DRIVE_SPECIFICATION_COMMAND, or other unspecified commands, aka VENOM. QEMU is prone to a remote memory-corruption vulnerability because the application fails to perform adequate boundary-checks on user-supplied data. An attacker can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts may result in a denial-of-service condition. Description: KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. The qemu-kvm package provides the user-space component for running virtual machines using KVM. Once all virtual machines have shut down, start them again for this update to take effect. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Important: xen security update Advisory ID: RHSA-2015:1002-01 Product: Red Hat Enterprise Linux Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-1002.html Issue date: 2015-05-13 CVE Names: CVE-2015-3456 ===================================================================== 1. Summary: Updated xen packages that fix one security issue are now available for Red Hat Enterprise Linux 5. Red Hat Product Security has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. 2. Relevant releases/architectures: RHEL Desktop Multi OS (v. 5 client) - i386, x86_64 RHEL Virtualization (v. 5 server) - i386, ia64, x86_64 Red Hat Enterprise Linux (v. 5 server) - i386, ia64, x86_64 Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64 3. Description: The xen packages contain administration tools and the xend service for managing the kernel-xen kernel for virtualization on Red Hat Enterprise Linux. An out-of-bounds memory access flaw was found in the way QEMU's virtual Floppy Disk Controller (FDC) handled FIFO buffer access while processing certain FDC commands. A privileged guest user could use this flaw to crash the guest or, potentially, execute arbitrary code on the host with the privileges of the host's QEMU process corresponding to the guest. (CVE-2015-3456) Red Hat would like to thank Jason Geffner of CrowdStrike for reporting this issue. All xen users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. After installing the updated packages, all running fully-virtualized guests must be restarted for this update to take effect. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1218611 - CVE-2015-3456 qemu: fdc: out-of-bounds fifo buffer memory access 6. Package List: Red Hat Enterprise Linux Desktop (v. 5 client): Source: xen-3.0.3-146.el5_11.src.rpm i386: xen-debuginfo-3.0.3-146.el5_11.i386.rpm xen-libs-3.0.3-146.el5_11.i386.rpm x86_64: xen-debuginfo-3.0.3-146.el5_11.i386.rpm xen-debuginfo-3.0.3-146.el5_11.x86_64.rpm xen-libs-3.0.3-146.el5_11.i386.rpm xen-libs-3.0.3-146.el5_11.x86_64.rpm RHEL Desktop Multi OS (v. 5 client): Source: xen-3.0.3-146.el5_11.src.rpm i386: xen-3.0.3-146.el5_11.i386.rpm xen-debuginfo-3.0.3-146.el5_11.i386.rpm xen-devel-3.0.3-146.el5_11.i386.rpm x86_64: xen-3.0.3-146.el5_11.x86_64.rpm xen-debuginfo-3.0.3-146.el5_11.i386.rpm xen-debuginfo-3.0.3-146.el5_11.x86_64.rpm xen-devel-3.0.3-146.el5_11.i386.rpm xen-devel-3.0.3-146.el5_11.x86_64.rpm Red Hat Enterprise Linux (v. 5 server): Source: xen-3.0.3-146.el5_11.src.rpm i386: xen-debuginfo-3.0.3-146.el5_11.i386.rpm xen-libs-3.0.3-146.el5_11.i386.rpm ia64: xen-debuginfo-3.0.3-146.el5_11.ia64.rpm xen-libs-3.0.3-146.el5_11.ia64.rpm x86_64: xen-debuginfo-3.0.3-146.el5_11.i386.rpm xen-debuginfo-3.0.3-146.el5_11.x86_64.rpm xen-libs-3.0.3-146.el5_11.i386.rpm xen-libs-3.0.3-146.el5_11.x86_64.rpm RHEL Virtualization (v. 5 server): Source: xen-3.0.3-146.el5_11.src.rpm i386: xen-3.0.3-146.el5_11.i386.rpm xen-debuginfo-3.0.3-146.el5_11.i386.rpm xen-devel-3.0.3-146.el5_11.i386.rpm ia64: xen-3.0.3-146.el5_11.ia64.rpm xen-debuginfo-3.0.3-146.el5_11.ia64.rpm xen-devel-3.0.3-146.el5_11.ia64.rpm x86_64: xen-3.0.3-146.el5_11.x86_64.rpm xen-debuginfo-3.0.3-146.el5_11.i386.rpm xen-debuginfo-3.0.3-146.el5_11.x86_64.rpm xen-devel-3.0.3-146.el5_11.i386.rpm xen-devel-3.0.3-146.el5_11.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2015-3456 https://access.redhat.com/security/updates/classification/#important 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2015 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iD8DBQFVU1nEXlSAg2UNWIIRAqUxAJ4/PAGie2atGBxiE9sxg6XvYfOdnwCghYMV N+LpzXLkVxe9V4a19FaVRjk= =UhFF -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce . Release Date: 2015-05-21 Last Updated: 2015-05-21 Potential Security Impact: Denial of Service (DoS), Execution of Arbitary Code Source: Hewlett-Packard Company, HP Software Security Response Team VULNERABILITY SUMMARY A potential security vulnerability has identitfied with HP Helion OpenStack. Notes: - This is the vulnerability known as "Virtual Environment Neglected Operations Manipulation"also known as "VENOM". - This vulnerability affects all versions of QEMU and could lead to hypervisor breakout, where a user of the guest VM can gain control of the host. HP Helion OpenStack leverages QEMU as a core part of its virtualization functionality and is therefore affected by this vulnerability. - Due to the careful application of sVirt and AppArmor policies the attacker's ability to pivot after successfully exploiting the vulnerability is significantly reduced. References: CVE-2015-3456 (SSRT102076) SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed. HP Helion OpenStack software: HP Helion OpenStack 1.0.0 HP Helion OpenStack 1.1.0 BACKGROUND CVSS 2.0 Base Metrics =========================================================== Reference Base Vector Base Score CVE-2015-3456 (AV:A/AC:L/Au:S/C:C/I:C/A:C) 7.7 =========================================================== Information on CVSS is documented in HP Customer Notice: HPSN-2008-002 RESOLUTION HP has provided the following software update to resolve the vulnerability in HP Helion OpenStack. The latest Helion OpenStack software can be downloaded by the following steps: 2. Go to https://helion.hpwsportal.com 3. Find the Helion OpenStack compressed package version 1.1.1 and download the package Follow the deployment steps in the following link: http://docs.hpcloud.com/helion/openstack/1.1.1/update HP Helion OpenStack Upgrade Version HP Helion OpenStack 1.0.0, 1.1.0 HP Helion OpenStack 1.1.1 Note: HP Helion 1.0.0 and 1.1.0 customers are advised to migrate their deployments to version 1.1.1. HISTORY Version:1 (rev.1) - 21 May 2015 Initial release Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy. Support: For issues about implementing the recommendations of this Security Bulletin, contact normal HP Services support channel. For other issues about the content of this Security Bulletin, send e-mail to security-alert@hp.com. Report: To report a potential security vulnerability with any HP supported product, send Email to: security-alert@hp.com Subscribe: To initiate a subscription to receive future HP Security Bulletin alerts via Email: http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins Security Bulletin Archive: A list of recently released Security Bulletins is available here: https://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/ Software Product Category: The Software Product Category is represented in the title by the two characters following HPSB. 3C = 3COM 3P = 3rd Party Software GN = HP General Software HF = HP Hardware and Firmware MP = MPE/iX MU = Multi-Platform Software NS = NonStop Servers OV = OpenVMS PI = Printing and Imaging PV = ProCurve ST = Storage Software TU = Tru64 UNIX UX = HP-UX Copyright 2015 Hewlett-Packard Development Company, L.P. Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental,special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett-Packard Company and the names of Hewlett-Packard products referenced herein are trademarks of Hewlett-Packard Company in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners. Relevant releases/architectures: RHEV Agents (vdsm) - x86_64 3. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 201602-01 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - https://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal Title: QEMU: Multiple vulnerabilities Date: February 04, 2016 Bugs: #544328, #549404, #557206, #558416, #559656, #560422, #560550, #560760, #566792, #567144, #567828, #567868, #568214, #568226, #568246, #569646, #570110, #570988, #571562, #571564, #571566 ID: 201602-01 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== Multiple vulnerabilities have been found in QEMU, the worst of which may allow a remote attacker to cause a Denial of Service or gain elevated privileges from a guest VM. Affected packages ================= ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 app-emulation/qemu < 2.5.0-r1 >= 2.5.0-r1 Description =========== Multiple vulnerabilities have been discovered in QEMU. Please review the CVE identifiers referenced below for details. Workaround ========== There is no known workaround at this time. Resolution ========== All QEMU users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=app-emulation/qemu-2.5.0-r1" References ========== [ 1 ] CVE-2015-1779 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1779 [ 2 ] CVE-2015-3456 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3456 [ 3 ] CVE-2015-5225 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5225 [ 4 ] CVE-2015-5278 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5278 [ 5 ] CVE-2015-5279 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5279 [ 6 ] CVE-2015-5745 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5745 [ 7 ] CVE-2015-6815 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6815 [ 8 ] CVE-2015-6855 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6855 [ 9 ] CVE-2015-7295 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7295 [ 10 ] CVE-2015-7504 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7504 [ 11 ] CVE-2015-7512 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7512 [ 12 ] CVE-2015-7549 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7549 [ 13 ] CVE-2015-8345 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8345 [ 14 ] CVE-2015-8504 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8504 [ 15 ] CVE-2015-8556 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8556 [ 16 ] CVE-2015-8558 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8558 [ 17 ] CVE-2015-8567 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8567 [ 18 ] CVE-2015-8568 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8568 [ 19 ] CVE-2015-8666 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8666 [ 20 ] CVE-2015-8701 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8701 [ 21 ] CVE-2015-8743 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8743 [ 22 ] CVE-2015-8744 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8744 [ 23 ] CVE-2015-8745 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8745 [ 24 ] CVE-2016-1568 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1568 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: https://security.gentoo.org/glsa/201602-01 Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License ======= Copyright 2016 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5 . Background ========== VirtualBox is a powerful virtualization product from Oracle. For the oldstable distribution (wheezy), this problem has been fixed in version 4.1.18-dfsg-2+deb7u5. For the stable distribution (jessie), this problem has been fixed in version 4.3.18-dfsg-3+deb8u2. For the unstable distribution (sid), this problem has been fixed in version 4.3.28-dfsg-1. We recommend that you upgrade your virtualbox packages. ============================================================================ Ubuntu Security Notice USN-2608-1 May 13, 2015 qemu, qemu-kvm vulnerabilities ============================================================================ A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 15.04 - Ubuntu 14.10 - Ubuntu 14.04 LTS - Ubuntu 12.04 LTS Summary: Several security issues were fixed in QEMU. Software Description: - qemu: Machine emulator and virtualizer - qemu-kvm: Machine emulator and virtualizer Details: Jason Geffner discovered that QEMU incorrectly handled the virtual floppy driver. In the default installation, when QEMU is used with libvirt, attackers would be isolated by the libvirt AppArmor profile. (CVE-2015-3456) Daniel P. Berrange discovered that QEMU incorrectly handled VNC websockets. A remote attacker could use this issue to cause QEMU to consume memory, resulting in a denial of service. This issue only affected Ubuntu 14.04 LTS, Ubuntu 14.10 and Ubuntu 15.04. (CVE-2015-1779) Jan Beulich discovered that QEMU, when used with Xen, didn't properly restrict access to PCI command registers. A malicious guest could use this issue to cause a denial of service. This issue only affected Ubuntu 14.04 LTS and Ubuntu 14.10. (CVE-2015-2756) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 15.04: qemu-system 1:2.2+dfsg-5expubuntu9.1 qemu-system-aarch64 1:2.2+dfsg-5expubuntu9.1 qemu-system-arm 1:2.2+dfsg-5expubuntu9.1 qemu-system-mips 1:2.2+dfsg-5expubuntu9.1 qemu-system-misc 1:2.2+dfsg-5expubuntu9.1 qemu-system-ppc 1:2.2+dfsg-5expubuntu9.1 qemu-system-sparc 1:2.2+dfsg-5expubuntu9.1 qemu-system-x86 1:2.2+dfsg-5expubuntu9.1 Ubuntu 14.10: qemu-system 2.1+dfsg-4ubuntu6.6 qemu-system-aarch64 2.1+dfsg-4ubuntu6.6 qemu-system-arm 2.1+dfsg-4ubuntu6.6 qemu-system-mips 2.1+dfsg-4ubuntu6.6 qemu-system-misc 2.1+dfsg-4ubuntu6.6 qemu-system-ppc 2.1+dfsg-4ubuntu6.6 qemu-system-sparc 2.1+dfsg-4ubuntu6.6 qemu-system-x86 2.1+dfsg-4ubuntu6.6 Ubuntu 14.04 LTS: qemu-system 2.0.0+dfsg-2ubuntu1.11 qemu-system-aarch64 2.0.0+dfsg-2ubuntu1.11 qemu-system-arm 2.0.0+dfsg-2ubuntu1.11 qemu-system-mips 2.0.0+dfsg-2ubuntu1.11 qemu-system-misc 2.0.0+dfsg-2ubuntu1.11 qemu-system-ppc 2.0.0+dfsg-2ubuntu1.11 qemu-system-sparc 2.0.0+dfsg-2ubuntu1.11 qemu-system-x86 2.0.0+dfsg-2ubuntu1.11 Ubuntu 12.04 LTS: qemu-kvm 1.0+noroms-0ubuntu14.22 After a standard system update you need to restart all QEMU virtual machines to make all the necessary changes

Multiple cross-site scripting (XSS) vulnerabilities in dncs 7.0.0.12 in Cisco Headend Digital Broadband Delivery System allow remote attackers to inject arbitrary web script or HTML via unspecified parameters in a (1) GET or (2) POST request, aka Bug ID CSCur25604. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. This issue is being tracked by Cisco Bug ID CSCur25604. The system provides features such as content protection, video on demand and dbd backup and restore. dncs is one of the security systems that provide remote management integration and scalability

Adobe Reader and Acrobat 10.x before 10.1.14 and 11.x before 11.0.11 on Windows and OS X allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2014-9161, CVE-2015-3046, CVE-2015-3050, CVE-2015-3051, CVE-2015-3052, CVE-2015-3056, CVE-2015-3057, CVE-2015-3070, and CVE-2015-3076. Adobe Reader and Acrobat are prone to multiple memory-corruption vulnerabilities. Failed exploit attempts will likely result in denial-of-service conditions. Adobe Reader is a free PDF file reader, and Acrobat is a PDF file editing and conversion tool. The following products and versions are affected: Adobe Reader 10.1.13 and earlier and 11.0.10 and earlier, Acrobat 10.1.13 and earlier and 11.0.10 and earlier

Buffer overflow in Adobe Reader and Acrobat 10.x before 10.1.14 and 11.x before 11.0.11 on Windows and OS X allows attackers to execute arbitrary code via unknown vectors. Adobe Reader and Acrobat are prone to a remote buffer-overflow vulnerability. Attackers can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts likely result in denial-of-service conditions. The affected products are: Adobe Reader 11.x versions prior to 11.0.11 Adobe Reader 10.x versions prior to 10.1.14 Adobe Acrobat 11.x versions prior to 11.0.11 Adobe Acrobat 10.x versions prior to 10.1.14. Adobe Reader is a free PDF file reader, and Acrobat is a PDF file editing and conversion tool

Adobe Reader and Acrobat 10.x before 10.1.14 and 11.x before 11.0.11 on Windows and OS X allow attackers to cause a denial of service (NULL pointer dereference) via unspecified vectors. Supplementary information : CWE Vulnerability type by CWE-476: NULL Pointer Dereference (NULL Pointer dereference ) Has been identified. http://cwe.mitre.org/data/definitions/476.htmlDenial of service by attacker (NULL Pointer dereference ) There is a possibility of being put into a state. Adobe Acrobat and Reader are prone to a remote denial-of-service vulnerability. Attackers can exploit this issue to cause the denial-of-service condition. Adobe Reader is a free PDF file reader, and Acrobat is a PDF file editing and conversion tool. An attacker could exploit this vulnerability to execute arbitrary code or cause a denial of service (memory corruption). The following products and versions are affected: Adobe Reader 10.1.13 and earlier and 11.0.10 and earlier, Acrobat 10.1.13 and earlier and 11.0.10 and earlier

Adobe Reader and Acrobat 10.x before 10.1.14 and 11.x before 11.0.11 on Windows and OS X allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2014-9161, CVE-2015-3049, CVE-2015-3050, CVE-2015-3051, CVE-2015-3052, CVE-2015-3056, CVE-2015-3057, CVE-2015-3070, and CVE-2015-3076. Adobe Reader and Acrobat are prone to multiple memory-corruption vulnerabilities. Failed exploit attempts will likely result in denial-of-service conditions. Adobe Reader is a free PDF file reader, and Acrobat is a PDF file editing and conversion tool. The following products and versions are affected: Adobe Reader 10.1.13 and earlier and 11.0.10 and earlier, Acrobat 10.1.13 and earlier and 11.0.10 and earlier

Adobe Reader and Acrobat 10.x before 10.1.14 and 11.x before 11.0.11 on Windows and OS X allow attackers to bypass intended restrictions on JavaScript API execution via unspecified vectors, a different vulnerability than CVE-2015-3060, CVE-2015-3061, CVE-2015-3062, CVE-2015-3064, CVE-2015-3065, CVE-2015-3066, CVE-2015-3067, CVE-2015-3068, CVE-2015-3069, CVE-2015-3071, CVE-2015-3072, CVE-2015-3073, and CVE-2015-3074. This vulnerability CVE-2015-3060 , CVE-2015-3061 , CVE-2015-3062 , CVE-2015-3064 , CVE-2015-3065 , CVE-2015-3066 , CVE-2015-3067 , CVE-2015-3068 , CVE-2015-3069 , CVE-2015-3071 , CVE-2015-3072 , CVE-2015-3073 and CVE-2015-3074 Is a different vulnerability. Supplementary information : CWE Vulnerability type by CWE-284: Improper Access Control ( Inappropriate access control ) Has been identified. http://cwe.mitre.org/data/definitions/284.htmlBy the attacker, JavaScript API May limit the execution limit. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within the app.Monitors().select method. By creating a specially crafted PDF with specific JavaScript instructions, it is possible to bypass the JavaScript API restrictions. A remote attacker could exploit this vulnerability to execute arbitrary code. Adobe Reader and Acrobat are prone to multiple security-bypass vulnerabilities. An attacker can exploit these issues to bypass certain security restrictions and perform unauthorized actions. Adobe Reader is a free PDF file reader, and Acrobat is a PDF file editing and conversion tool. The following products and versions are affected: Adobe Reader 10.1.13 and earlier and 11.0.10 and earlier, Acrobat 10.1.13 and earlier and 11.0.10 and earlier

Adobe Reader and Acrobat 10.x before 10.1.14 and 11.x before 11.0.11 on Windows and OS X allow attackers to bypass intended restrictions on JavaScript API execution via unspecified vectors, a different vulnerability than CVE-2015-3060, CVE-2015-3061, CVE-2015-3063, CVE-2015-3064, CVE-2015-3065, CVE-2015-3066, CVE-2015-3067, CVE-2015-3068, CVE-2015-3069, CVE-2015-3071, CVE-2015-3072, CVE-2015-3073, and CVE-2015-3074. This vulnerability CVE-2015-3060 , CVE-2015-3061 , CVE-2015-3063 , CVE-2015-3064 , CVE-2015-3065 , CVE-2015-3066 , CVE-2015-3067 , CVE-2015-3068 , CVE-2015-3069 , CVE-2015-3071 , CVE-2015-3072 , CVE-2015-3073 and CVE-2015-3074 Is a different vulnerability. Supplementary information : CWE Vulnerability type by CWE-284: Improper Access Control ( Inappropriate access control ) Has been identified. http://cwe.mitre.org/data/definitions/284.htmlBy the attacker, JavaScript API May limit the execution limit. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within the AFExactMatch method. By creating a specially crafted PDF with specific JavaScript instructions, it is possible to bypass the JavaScript API restrictions. A remote attacker could exploit this vulnerability to execute arbitrary code. Adobe Reader and Acrobat are prone to multiple security-bypass vulnerabilities. An attacker can exploit these issues to bypass certain security restrictions and perform unauthorized actions. Adobe Reader is a free PDF file reader, and Acrobat is a PDF file editing and conversion tool. The following products and versions are affected: Adobe Reader 10.1.13 and earlier and 11.0.10 and earlier, Acrobat 10.1.13 and earlier and 11.0.10 and earlier

Adobe Reader and Acrobat 10.x before 10.1.14 and 11.x before 11.0.11 on Windows and OS X allow attackers to bypass intended restrictions on JavaScript API execution via unspecified vectors, a different vulnerability than CVE-2015-3060, CVE-2015-3062, CVE-2015-3063, CVE-2015-3064, CVE-2015-3065, CVE-2015-3066, CVE-2015-3067, CVE-2015-3068, CVE-2015-3069, CVE-2015-3071, CVE-2015-3072, CVE-2015-3073, and CVE-2015-3074. This vulnerability CVE-2015-3060 , CVE-2015-3062 , CVE-2015-3063 , CVE-2015-3064 , CVE-2015-3065 , CVE-2015-3066 , CVE-2015-3067 , CVE-2015-3068 , CVE-2015-3069 , CVE-2015-3071 , CVE-2015-3072 , CVE-2015-3073 and CVE-2015-3074 Is a different vulnerability. Supplementary information : CWE Vulnerability type by CWE-284: Improper Access Control ( Inappropriate access control ) Has been identified. http://cwe.mitre.org/data/definitions/284.htmlBy the attacker, JavaScript API May limit the execution limit. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within the ANMatchString method. By creating a specially crafted PDF with specific JavaScript instructions, it is possible to bypass the JavaScript API restrictions. A remote attacker could exploit this vulnerability to execute arbitrary code. Adobe Reader and Acrobat are prone to multiple security-bypass vulnerabilities. An attacker can exploit these issues to bypass certain security restrictions and perform unauthorized actions. Adobe Reader is a free PDF file reader, and Acrobat is a PDF file editing and conversion tool. The following products and versions are affected: Adobe Reader 10.1.13 and earlier and 11.0.10 and earlier, Acrobat 10.1.13 and earlier and 11.0.10 and earlier