VARIoT IoT vulnerabilities database
| VAR-201501-0117 | CVE-2015-0312 | Adobe Flash Player Memory double free vulnerability |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Double free vulnerability in Adobe Flash Player before 13.0.0.264 and 14.x through 16.x before 16.0.0.296 on Windows and OS X and before 11.2.202.440 on Linux allows attackers to execute arbitrary code via unspecified vectors. Supplementary information: the CWE vulnerability type has been identified as CWE-415: Double Free (http://cwe.mitre.org/data/definitions/415.html). An attacker could execute arbitrary code. Adobe Flash Player is prone to an unspecified remote code-execution vulnerability. Failed exploit attempts will likely cause a denial-of-service condition. The product enables viewing of applications, content and video across screens and browsers.
=====================================================================
Red Hat Security Advisory
Synopsis: Critical: flash-plugin security update
Advisory ID: RHSA-2015:0094-01
Product: Red Hat Enterprise Linux Supplementary
Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-0094.html
Issue date: 2015-01-27
CVE Names: CVE-2015-0310 CVE-2015-0311 CVE-2015-0312
=====================================================================
1. Summary:
An updated Adobe Flash Player package that fixes multiple security issues
is now available for Red Hat Enterprise Linux 5 and 6 Supplementary.
Red Hat Product Security has rated this update as having Critical security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64
3. Description:
The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash
Player web browser plug-in. These
vulnerabilities are detailed in the Adobe Security Bulletins APSB15-02 and
APSB15-03, listed in the References section.
Multiple flaws were found in the way flash-plugin displayed certain SWF
content. An attacker could use these flaws to create a specially crafted
SWF file that would cause flash-plugin to crash or, potentially, execute
arbitrary code when the victim loaded a page containing the malicious SWF
content.
4. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1185137 - CVE-2015-0310 flash-plugin: Vulnerability that could be used to circumvent memory randomization mitigations (APSB15-02)
1185296 - CVE-2015-0311 CVE-2015-0312 flash-plugin: multiple critical vulnerabilities (APSA15-01)(APSB15-03)
6. Package List:
Red Hat Enterprise Linux Desktop Supplementary (v. 5):
i386:
flash-plugin-11.2.202.440-1.el5.i386.rpm
x86_64:
flash-plugin-11.2.202.440-1.el5.i386.rpm
Red Hat Enterprise Linux Server Supplementary (v. 5):
i386:
flash-plugin-11.2.202.440-1.el5.i386.rpm
x86_64:
flash-plugin-11.2.202.440-1.el5.i386.rpm
Red Hat Enterprise Linux Desktop Supplementary (v. 6):
i386:
flash-plugin-11.2.202.440-1.el6.i686.rpm
x86_64:
flash-plugin-11.2.202.440-1.el6.i686.rpm
Red Hat Enterprise Linux Server Supplementary (v. 6):
i386:
flash-plugin-11.2.202.440-1.el6.i686.rpm
x86_64:
flash-plugin-11.2.202.440-1.el6.i686.rpm
Red Hat Enterprise Linux Workstation Supplementary (v. 6):
i386:
flash-plugin-11.2.202.440-1.el6.i686.rpm
x86_64:
flash-plugin-11.2.202.440-1.el6.i686.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2015-0310
https://access.redhat.com/security/cve/CVE-2015-0311
https://access.redhat.com/security/cve/CVE-2015-0312
https://access.redhat.com/security/updates/classification/#critical
https://helpx.adobe.com/security/products/flash-player/apsb15-02.html
https://helpx.adobe.com/security/products/flash-player/apsb15-03.html
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2015 Red Hat, Inc.
| VAR-201501-0623 | CVE-2014-4477 | WebKit, as used in Apple products, vulnerable to arbitrary code execution |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
WebKit, as used in Apple iOS before 8.1.3; Apple Safari before 6.2.3, 7.x before 7.1.3, and 8.x before 8.0.3; and Apple TV before 7.0.3, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than CVE-2014-4476 and CVE-2014-4479. WebKit, as used in Apple iOS, Apple Safari, Apple TV and other products, contains a vulnerability that allows arbitrary code execution or denial of service (memory corruption and application crash). User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of Set objects. The issue lies in the usage of an iterator after clearing the object. An attacker can leverage this vulnerability to execute code under the context of the renderer process. WebKit is prone to an unspecified memory-corruption vulnerability. Failed exploit attempts will likely cause denial-of-service conditions. Apple iOS is an operating system developed for mobile devices; Apple Safari is a web browser that is the default browser included with Mac OS X and iOS operating systems; Apple TV is a high-definition television set-top box product. WebKit is a set of open source web browser engines jointly developed by companies such as KDE, Apple and Google, and is currently used by browsers such as Apple Safari and Google Chrome.
------------------------------------------------------------------------
WebKitGTK+ Security Advisory WSA-2015-0002
------------------------------------------------------------------------
Date reported : December 28, 2015
Advisory ID : WSA-2015-0002
Advisory URL : http://webkitgtk.org/security/WSA-2015-0002.html
CVE identifiers : CVE-2013-6663, CVE-2014-1748, CVE-2014-3192,
CVE-2014-4409, CVE-2014-4410, CVE-2014-4411,
CVE-2014-4412, CVE-2014-4413, CVE-2014-4414,
CVE-2014-4452, CVE-2014-4459, CVE-2014-4465,
CVE-2014-4466, CVE-2014-4468, CVE-2014-4469,
CVE-2014-4470, CVE-2014-4471, CVE-2014-4472,
CVE-2014-4473, CVE-2014-4474, CVE-2014-4475,
CVE-2014-4476, CVE-2014-4477, CVE-2014-4479,
CVE-2015-1068, CVE-2015-1069, CVE-2015-1070,
CVE-2015-1071, CVE-2015-1072, CVE-2015-1073,
CVE-2015-1074, CVE-2015-1075, CVE-2015-1076,
CVE-2015-1077, CVE-2015-1080, CVE-2015-1081,
CVE-2015-1082, CVE-2015-1083, CVE-2015-1084,
CVE-2015-1119, CVE-2015-1120, CVE-2015-1121,
CVE-2015-1122, CVE-2015-1124, CVE-2015-1126,
CVE-2015-1127, CVE-2015-1152, CVE-2015-1153,
CVE-2015-1154, CVE-2015-1155, CVE-2015-1156,
CVE-2015-2330, CVE-2015-3658, CVE-2015-3659,
CVE-2015-3660, CVE-2015-3727, CVE-2015-3730,
CVE-2015-3731, CVE-2015-3732, CVE-2015-3733,
CVE-2015-3734, CVE-2015-3735, CVE-2015-3736,
CVE-2015-3737, CVE-2015-3738, CVE-2015-3739,
CVE-2015-3740, CVE-2015-3741, CVE-2015-3742,
CVE-2015-3743, CVE-2015-3744, CVE-2015-3745,
CVE-2015-3746, CVE-2015-3747, CVE-2015-3748,
CVE-2015-3749, CVE-2015-3750, CVE-2015-3751,
CVE-2015-3752, CVE-2015-3753, CVE-2015-3754,
CVE-2015-3755, CVE-2015-5788, CVE-2015-5789,
CVE-2015-5790, CVE-2015-5791, CVE-2015-5792,
CVE-2015-5793, CVE-2015-5794, CVE-2015-5795,
CVE-2015-5797, CVE-2015-5798, CVE-2015-5799,
CVE-2015-5800, CVE-2015-5801, CVE-2015-5802,
CVE-2015-5803, CVE-2015-5804, CVE-2015-5805,
CVE-2015-5806, CVE-2015-5807, CVE-2015-5809,
CVE-2015-5810, CVE-2015-5811, CVE-2015-5812,
CVE-2015-5813, CVE-2015-5814, CVE-2015-5815,
CVE-2015-5816, CVE-2015-5817, CVE-2015-5818,
CVE-2015-5819, CVE-2015-5822, CVE-2015-5823,
CVE-2015-5825, CVE-2015-5826, CVE-2015-5827,
CVE-2015-5828, CVE-2015-5928, CVE-2015-5929,
CVE-2015-5930, CVE-2015-5931, CVE-2015-7002,
CVE-2015-7012, CVE-2015-7013, CVE-2015-7014,
CVE-2015-7048, CVE-2015-7095, CVE-2015-7097,
CVE-2015-7099, CVE-2015-7100, CVE-2015-7102,
CVE-2015-7103, CVE-2015-7104.
Several vulnerabilities were discovered in WebKitGTK+.
CVE-2013-6663
Versions affected: WebKitGTK+ before 2.4.0.
Credit to Atte Kettunen of OUSPG.
Use-after-free vulnerability in the SVGImage::setContainerSize
function in core/svg/graphics/SVGImage.cpp in the SVG implementation
in Blink, as used in Google Chrome before 33.0.1750.146, allows
remote attackers to cause a denial of service or possibly have
unspecified other impact via vectors related to the resizing of a
view.
CVE-2014-1748
Versions affected: WebKitGTK+ before 2.6.0.
Credit to Jordan Milne.
The ScrollView::paint function in platform/scroll/ScrollView.cpp in
Blink, as used in Google Chrome before 35.0.1916.114, allows remote
attackers to spoof the UI by extending scrollbar painting into the
parent frame.
CVE-2014-3192
Versions affected: WebKitGTK+ before 2.6.3.
Credit to cloudfuzzer.
Use-after-free vulnerability in the
ProcessingInstruction::setXSLStyleSheet function in
core/dom/ProcessingInstruction.cpp in the DOM implementation in
Blink, as used in Google Chrome before 38.0.2125.101, allows remote
attackers to cause a denial of service or possibly have unspecified
other impact via unknown vectors.
CVE-2014-4409
Versions affected: WebKitGTK+ before 2.6.0.
Credit to Yosuke Hasegawa (NetAgent Co., Ltd.).
CVE-2014-4410
Versions affected: WebKitGTK+ before 2.6.0.
Credit to Eric Seidel of Google.
CVE-2014-4411
Versions affected: WebKitGTK+ before 2.6.0.
Credit to Google Chrome Security Team.
CVE-2014-4412
Versions affected: WebKitGTK+ before 2.4.0.
CVE-2014-4413
Versions affected: WebKitGTK+ before 2.4.0.
CVE-2014-4414
Versions affected: WebKitGTK+ before 2.4.0.
CVE-2014-4452
Versions affected: WebKitGTK+ before 2.6.0.
Credit to unknown.
CVE-2014-4459
Versions affected: WebKitGTK+ before 2.6.2.
Credit to unknown.
CVE-2014-4465
Versions affected: WebKitGTK+ before 2.6.2.
Credit to Rennie deGraaf of iSEC Partners.
CVE-2014-4466
Versions affected: WebKitGTK+ before 2.6.2.
CVE-2014-4468
Versions affected: WebKitGTK+ before 2.6.0.
CVE-2014-4469
Versions affected: WebKitGTK+ before 2.6.4.
CVE-2014-4470
Versions affected: WebKitGTK+ before 2.6.0.
CVE-2014-4471
Versions affected: WebKitGTK+ before 2.6.0.
CVE-2014-4472
Versions affected: WebKitGTK+ before 2.6.0.
CVE-2014-4473
Versions affected: WebKitGTK+ before 2.6.0.
CVE-2014-4474
Versions affected: WebKitGTK+ before 2.6.2.
CVE-2014-4475
Versions affected: WebKitGTK+ before 2.6.0.
CVE-2014-4476
Versions affected: WebKitGTK+ before 2.6.2.
CVE-2014-4477
Versions affected: WebKitGTK+ before 2.6.4.
Credit to lokihardt@ASRT working with HP's Zero Day Initiative.
CVE-2014-4479
Versions affected: WebKitGTK+ before 2.6.4.
CVE-2015-1068
Versions affected: WebKitGTK+ before 2.8.0.
CVE-2015-1069
Versions affected: WebKitGTK+ before 2.8.0.
CVE-2015-1070
Versions affected: WebKitGTK+ before 2.8.0.
CVE-2015-1071
Versions affected: WebKitGTK+ before 2.8.0.
CVE-2015-1072
Versions affected: WebKitGTK+ before 2.8.0.
Credit to unknown.
CVE-2015-1073
Versions affected: WebKitGTK+ before 2.8.0.
CVE-2015-1074
Versions affected: WebKitGTK+ before 2.6.4.
CVE-2015-1075
Versions affected: WebKitGTK+ before 2.8.0.
Credit to Google Chrome Security Team.
CVE-2015-1076
Versions affected: WebKitGTK+ before 2.8.0.
Credit to unknown.
CVE-2015-1077
Versions affected: WebKitGTK+ before 2.8.0.
CVE-2015-1080
Versions affected: WebKitGTK+ before 2.6.0.
CVE-2015-1081
Versions affected: WebKitGTK+ before 2.8.0.
CVE-2015-1082
Versions affected: WebKitGTK+ before 2.8.0.
CVE-2015-1083
Versions affected: WebKitGTK+ before 2.6.4.
CVE-2015-1084
Versions affected: WebKitGTK+ before 2.6.1.
CVE-2015-1119
Versions affected: WebKitGTK+ before 2.8.0.
Credit to Renata Hodovan of University of Szeged / Samsung
Electronics.
CVE-2015-1120
Versions affected: WebKitGTK+ before 2.8.0.
CVE-2015-1121
Versions affected: WebKitGTK+ before 2.8.0.
CVE-2015-1122
Versions affected: WebKitGTK+ before 2.10.0.
CVE-2015-1124
Versions affected: WebKitGTK+ before 2.8.0.
CVE-2015-1126
Versions affected: WebKitGTK+ before 2.8.0.
Credit to Jouko Pynnonen of Klikki Oy.
CVE-2015-1127
Versions affected: WebKitGTK+ before 2.8.0.
Credit to Tyler C (2.6.5).
The private-browsing implementation in WebKit in Apple Safari before
6.2.5, 7.x before 7.1.5, and 8.x before 8.0.5 places browsing
history into an index, which might allow local users to obtain
sensitive information by reading index entries.
CVE-2015-1152
Versions affected: WebKitGTK+ before 2.10.0.
CVE-2015-1153
Versions affected: WebKitGTK+ before 2.8.0.
CVE-2015-1154
Versions affected: WebKitGTK+ before 2.8.0.
CVE-2015-1155
Versions affected: WebKitGTK+ before 2.10.0.
Credit to Joe Vennix of Rapid7 Inc. working with HP's Zero Day
Initiative.
CVE-2015-1156
Versions affected: WebKitGTK+ before 2.8.0.
Credit to Zachary Durber of Moodle.
CVE-2015-2330
Versions affected: WebKitGTK+ before 2.6.6.
Credit to Ross Lagerwall.
Late TLS certificate verification in WebKitGTK+ prior to 2.6.6
allows remote attackers to view a secure HTTP request, including,
for example, secure cookies.
CVE-2015-3658
Versions affected: WebKitGTK+ before 2.8.1.
Credit to Brad Hill of Facebook.
CVE-2015-3659
Versions affected: WebKitGTK+ before 2.8.3.
Credit to Peter Rutenbar working with HP's Zero Day Initiative.
CVE-2015-3660
Versions affected: WebKitGTK+ before 2.10.0.
CVE-2015-3727
Versions affected: WebKitGTK+ before 2.8.1.
Credit to Peter Rutenbar working with HP's Zero Day Initiative.
CVE-2015-3730
Versions affected: WebKitGTK+ before 2.10.0.
CVE-2015-3731
Versions affected: WebKitGTK+ before 2.8.3.
CVE-2015-3732
Versions affected: WebKitGTK+ before 2.8.3.
CVE-2015-3733
Versions affected: WebKitGTK+ before 2.8.3.
CVE-2015-3734
Versions affected: WebKitGTK+ before 2.8.3.
CVE-2015-3735
Versions affected: WebKitGTK+ before 2.8.3.
CVE-2015-3736
Versions affected: WebKitGTK+ before 2.8.3.
CVE-2015-3737
Versions affected: WebKitGTK+ before 2.8.3.
CVE-2015-3738
Versions affected: WebKitGTK+ before 2.10.0.
CVE-2015-3739
Versions affected: WebKitGTK+ before 2.8.1.
CVE-2015-3740
Versions affected: WebKitGTK+ before 2.10.0.
CVE-2015-3741
Versions affected: WebKitGTK+ before 2.8.1.
CVE-2015-3742
Versions affected: WebKitGTK+ before 2.10.0.
CVE-2015-3743
Versions affected: WebKitGTK+ before 2.8.3.
CVE-2015-3744
Versions affected: WebKitGTK+ before 2.10.0.
CVE-2015-3745
Versions affected: WebKitGTK+ before 2.8.1.
CVE-2015-3746
Versions affected: WebKitGTK+ before 2.10.0.
CVE-2015-3747
Versions affected: WebKitGTK+ before 2.8.0.
CVE-2015-3748
Versions affected: WebKitGTK+ before 2.8.3.
CVE-2015-3749
Versions affected: WebKitGTK+ before 2.8.3.
CVE-2015-3750
Versions affected: WebKitGTK+ before 2.10.0.
Credit to Muneaki Nishimura (nishimunea).
WebKit in Apple Safari before 6.2.8, 7.x before 7.1.8, and 8.x
before 8.0.8, as used in iOS before 8.4.1 and other products, does
not enforce the HTTP Strict Transport Security (HSTS) protection
mechanism for Content Security Policy (CSP) report requests, which
allows man-in-the-middle attackers to obtain sensitive information
by sniffing the network or spoof a report by modifying the client-
server data stream.
CVE-2015-3751
Versions affected: WebKitGTK+ before 2.10.0.
Credit to Muneaki Nishimura (nishimunea).
CVE-2015-3752
Versions affected: WebKitGTK+ before 2.8.4.
Credit to Muneaki Nishimura (nishimunea).
CVE-2015-3753
Versions affected: WebKitGTK+ before 2.8.3.
Credit to Antonio Sanso and Damien Antipa of Adobe.
CVE-2015-3754
Versions affected: WebKitGTK+ before 2.10.0.
Credit to Dongsung Kim (@kid1ng).
CVE-2015-3755
Versions affected: WebKitGTK+ before 2.10.0.
Credit to xisigr of Tencent's Xuanwu Lab.
CVE-2015-5788
Versions affected: WebKitGTK+ before 2.8.0.
The WebKit Canvas implementation in Apple iOS before 9 allows remote
attackers to bypass the Same Origin Policy and obtain sensitive
image information via vectors involving a CANVAS element.
CVE-2015-5789
Versions affected: WebKitGTK+ before 2.6.1.
CVE-2015-5790
Versions affected: WebKitGTK+ before 2.6.2.
CVE-2015-5791
Versions affected: WebKitGTK+ before 2.6.0.
CVE-2015-5792
Versions affected: WebKitGTK+ before 2.4.0.
CVE-2015-5793
Versions affected: WebKitGTK+ before 2.8.0.
CVE-2015-5794
Versions affected: WebKitGTK+ before 2.8.0.
CVE-2015-5795
Versions affected: WebKitGTK+ before 2.8.3.
CVE-2015-5797
Versions affected: WebKitGTK+ before 2.8.0.
CVE-2015-5798
Versions affected: WebKitGTK+ before 2.6.0.
CVE-2015-5799
Versions affected: WebKitGTK+ before 2.8.0.
CVE-2015-5800
Versions affected: WebKitGTK+ before 2.8.0.
CVE-2015-5801
Versions affected: WebKitGTK+ before 2.8.0.
CVE-2015-5802
Versions affected: WebKitGTK+ before 2.6.0.
CVE-2015-5803
Versions affected: WebKitGTK+ before 2.8.0.
CVE-2015-5804
Versions affected: WebKitGTK+ before 2.10.0.
CVE-2015-5805
Versions affected: WebKitGTK+ before 2.10.0.
Credit to unknown.
CVE-2015-5806
Versions affected: WebKitGTK+ before 2.8.3.
CVE-2015-5807
Versions affected: WebKitGTK+ before 2.10.0.
CVE-2015-5809
Versions affected: WebKitGTK+ before 2.8.4.
CVE-2015-5810
Versions affected: WebKitGTK+ before 2.10.0.
CVE-2015-5811
Versions affected: WebKitGTK+ before 2.8.0.
CVE-2015-5812
Versions affected: WebKitGTK+ before 2.8.0.
CVE-2015-5813
Versions affected: WebKitGTK+ before 2.10.0.
CVE-2015-5814
Versions affected: WebKitGTK+ before 2.10.0.
CVE-2015-5815
Versions affected: WebKitGTK+ before 2.10.0.
CVE-2015-5816
Versions affected: WebKitGTK+ before 2.8.0.
CVE-2015-5817
Versions affected: WebKitGTK+ before 2.10.0.
CVE-2015-5818
Versions affected: WebKitGTK+ before 2.10.0.
CVE-2015-5819
Versions affected: WebKitGTK+ before 2.8.0.
CVE-2015-5822
Versions affected: WebKitGTK+ before 2.8.1.
Credit to Mark S. Miller of Google.
CVE-2015-5823
Versions affected: WebKitGTK+ before 2.8.0.
CVE-2015-5825
Versions affected: WebKitGTK+ before 2.10.0.
Credit to Yossi Oren et al. of Columbia University's Network
Security Lab.
CVE-2015-5826
Versions affected: WebKitGTK+ before 2.6.5.
Credit to filedescriptor, Chris Evans.
CVE-2015-5827
Versions affected: WebKitGTK+ before 2.10.0.
Credit to Gildas.
WebKit in Apple iOS before 9 allows remote attackers to bypass the
Same Origin Policy and obtain an object reference via vectors
involving a (1) custom event, (2) message event, or (3) pop state
event.
CVE-2015-5828
Versions affected: WebKitGTK+ before 2.10.0.
Credit to Lorenzo Fontana.
CVE-2015-5928
Versions affected: WebKitGTK+ before 2.8.4.
CVE-2015-5929
Versions affected: WebKitGTK+ before 2.10.0.
CVE-2015-5930
Versions affected: WebKitGTK+ before 2.10.0.
CVE-2015-5931
Versions affected: WebKitGTK+ before 2.10.0.
Credit to unknown.
CVE-2015-7002
Versions affected: WebKitGTK+ before 2.10.0.
CVE-2015-7012
Versions affected: WebKitGTK+ before 2.8.4.
CVE-2015-7013
Versions affected: WebKitGTK+ before 2.10.0.
CVE-2015-7014
Versions affected: WebKitGTK+ before 2.10.0.
Credit to unknown.
CVE-2015-7048
Versions affected: WebKitGTK+ before 2.10.0.
CVE-2015-7095
Versions affected: WebKitGTK+ before 2.10.2.
CVE-2015-7097
Versions affected: WebKitGTK+ before 2.10.3.
CVE-2015-7099
Versions affected: WebKitGTK+ before 2.10.0.
CVE-2015-7100
Versions affected: WebKitGTK+ before 2.10.0.
CVE-2015-7102
Versions affected: WebKitGTK+ before 2.10.0.
CVE-2015-7103
Versions affected: WebKitGTK+ before 2.10.0.
CVE-2015-7104
Versions affected: WebKitGTK+ before 2.10.0.
We recommend updating to the latest stable version of WebKitGTK+. It is
the best way of ensuring that you are running a safe version of
WebKitGTK+. Please check our website for information about the latest
stable releases.
Further information about WebKitGTK+ Security Advisories can be found
at: http://webkitgtk.org/security.html
The WebKitGTK+ team,
December 28, 2015
APPLE-SA-2015-01-27-2 iOS 8.1.3
iOS 8.1.3 is now available and addresses the following:
AppleFileConduit
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A maliciously crafted afc command may allow access to
protected parts of the filesystem
Description: A vulnerability existed in the symbolic linking
mechanism of afc. This issue was addressed by adding additional path
checks.
CVE-ID
CVE-2014-4480 : TaiG Jailbreak Team
CoreGraphics
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Opening a maliciously crafted PDF file may lead to an
unexpected application termination or arbitrary code execution
Description: An integer overflow existed in the handling of PDF
files. This issue was addressed through improved bounds checking.
CVE-ID
CVE-2014-4481 : Felipe Andres Manzano of the Binamuse VRT, via the
iSIGHT Partners GVP Program
dyld
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A local user may be able to execute unsigned code
Description: A state management issue existed in the handling of
Mach-O executable files with overlapping segments. This issue was
addressed through improved validation of segment sizes.
CVE-ID
CVE-2014-4455 : TaiG Jailbreak Team
FontParser
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Opening a maliciously crafted PDF file may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in the handling of font
files. This issue was addressed through improved bounds checking.
CVE-ID
CVE-2014-4483 : Apple
FontParser
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Processing a maliciously crafted .dfont file may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue existed in the handling of
.dfont files. This issue was addressed through improved bounds
checking.
CVE-ID
CVE-2014-4484 : Gaurav Baruah working with HP's Zero Day Initiative
Foundation
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Viewing a maliciously crafted XML file may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in the XML parser. This issue
was addressed through improved bounds checking.
CVE-ID
CVE-2014-4485 : Apple
IOAcceleratorFamily
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: A null pointer dereference existed in
IOAcceleratorFamily's handling of resource lists. This issue was
addressed by removing unneeded code.
CVE-ID
CVE-2014-4486 : Ian Beer of Google Project Zero
IOHIDFamily
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: A buffer overflow existed in IOHIDFamily. This issue
was addressed through improved size validation.
CVE-ID
CVE-2014-4487 : TaiG Jailbreak Team
IOHIDFamily
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: A validation issue existed in IOHIDFamily's handling of
resource queue metadata. This issue was addressed through improved
validation of metadata.
CVE-ID
CVE-2014-4488 : Apple
IOHIDFamily
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: A null pointer dereference existed in IOHIDFamily's
handling of event queues. This issue was addressed through improved
validation.
CVE-ID
CVE-2014-4489 : @beist
iTunes Store
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A website may be able to bypass sandbox restrictions using
the iTunes Store
Description: An issue existed in the handling of URLs redirected
from Safari to the iTunes Store that could allow a malicious website
to bypass Safari's sandbox restrictions. The issue was addressed with
improved filtering of URLs opened by the iTunes Store.
CVE-ID
CVE-2014-8840 : lokihardt@ASRT working with HP's Zero Day Initiative
Kernel
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Maliciously crafted or compromised iOS applications may be
able to determine addresses in the kernel
Description: An information disclosure issue existed in the handling
of APIs related to kernel extensions. Responses containing an
OSBundleMachOHeaders key may have included kernel addresses, which
may aid in bypassing address space layout randomization protection.
This issue was addressed by unsliding the addresses before returning
them.
CVE-ID
CVE-2014-4491 : @PanguTeam, Stefan Esser
Kernel
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: An issue existed in the kernel shared memory subsystem
that allowed an attacker to write to memory that was intended to be
read-only. This issue was addressed with stricter checking of shared
memory permissions.
CVE-ID
CVE-2014-4495 : Ian Beer of Google Project Zero
Kernel
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Maliciously crafted or compromised iOS applications may be
able to determine addresses in the kernel
Description: The mach_port_kobject kernel interface leaked kernel
addresses and heap permutation value, which may aid in bypassing
address space layout randomization protection. This was addressed by
disabling the mach_port_kobject interface in production
configurations.
CVE-ID
CVE-2014-4496 : TaiG Jailbreak Team
libnetcore
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious, sandboxed app can compromise the networkd
daemon
Description: Multiple type confusion issues existed in networkd's
handling of interprocess communication. The issue is addressed
through additional type checking.
CVE-ID
CVE-2014-4492 : Ian Beer of Google Project Zero
MobileInstallation
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious enterprise-signed application may be able to
take control of the local container for applications already on a
device
Description: A vulnerability existed in the application installation
process. This was addressed by preventing enterprise applications
from overriding existing applications in specific scenarios.
CVE-ID
CVE-2014-4493 : Hui Xue and Tao Wei of FireEye, Inc.
Springboard
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Enterprise-signed applications may be launched without
prompting for trust
Description: An issue existed in determining when to prompt for
trust when first opening an enterprise-signed application. This issue
was addressed through improved code signature validation.
CVE-ID
CVE-2014-4494 : Song Jin, Hui Xue, and Tao Wei of FireEye, Inc.
WebKit
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Visiting a website that frames malicious content may lead to
UI spoofing
Description: A UI spoofing issue existed in the handling of
scrollbar boundaries. This issue was addressed through improved
bounds checking.
CVE-ID
CVE-2014-4467 : Jordan Milne
WebKit
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Style sheets are loaded cross-origin which may allow for
data exfiltration
Description: An SVG loaded in an img element could load a CSS file
cross-origin. This issue was addressed through enhanced blocking of
external CSS references in SVGs.
CVE-ID
CVE-2014-4465 : Rennie deGraaf of iSEC Partners
WebKit
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in WebKit.
These issues were addressed through improved memory handling.
Make sure you have an
Internet connection and have installed the latest version of iTunes
from www.apple.com/itunes/
iTunes and Software Update on the device will automatically check
Apple's update server on its weekly schedule. When an update is
detected, it is downloaded and the option to be installed is
presented to the user when the iOS device is docked. We recommend
applying the update immediately if possible. Selecting Don't Install
will present the option the next time you connect your iOS device.
The automatic update process may take up to a week depending on the
day that iTunes or the device checks for updates. You may manually
obtain the update via the Check for Updates button within iTunes, or
the Software Update on your device.
To check that the iPhone, iPod touch, or iPad has been updated:
* Navigate to Settings
* Select General
* Select About.
Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
CVE-ID
CVE-2014-3192 : cloudfuzzer
CVE-2014-4476 : Apple
CVE-2014-4477 : lokihardt@ASRT working with HP's Zero Day
Initiative
CVE-2014-4479 : Apple
Safari 8.0.3, Safari 7.1.3, and Safari 6.2.3 may be obtained from
the Mac App Store
| VAR-201501-0624 | CVE-2014-4479 | WebKit, as used in Apple products, vulnerable to arbitrary code execution |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
WebKit, as used in Apple iOS before 8.1.3; Apple Safari before 6.2.3, 7.x before 7.1.3, and 8.x before 8.0.3; and Apple TV before 7.0.3, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than CVE-2014-4476 and CVE-2014-4477. WebKit, as used in Apple iOS, Apple Safari, Apple TV and other products, contains a vulnerability that allows arbitrary code execution or denial of service (memory corruption and application crash). WebKit is prone to an unspecified memory-corruption vulnerability.
Attackers can exploit this issue to execute arbitrary code within the context of the user running the affected application. Failed exploit attempts will likely cause denial-of-service conditions. Apple iOS is an operating system developed for mobile devices; Apple Safari is a web browser that is the default browser included with Mac OS X and iOS operating systems; Apple TV is a high-definition television set-top box product. WebKit is a set of open source web browser engines jointly developed by companies such as KDE, Apple and Google, and is currently used by browsers such as Apple Safari and Google Chrome.
WebKitGTK+ Security Advisory WSA-2015-0002
------------------------------------------------------------------------
Date reported : December 28, 2015
Advisory ID : WSA-2015-0002
Advisory URL : http://webkitgtk.org/security/WSA-2015-0002.html
CVE identifiers : CVE-2013-6663, CVE-2014-1748, CVE-2014-3192,
CVE-2014-4409, CVE-2014-4410, CVE-2014-4411,
CVE-2014-4412, CVE-2014-4413, CVE-2014-4414,
CVE-2014-4452, CVE-2014-4459, CVE-2014-4465,
CVE-2014-4466, CVE-2014-4468, CVE-2014-4469,
CVE-2014-4470, CVE-2014-4471, CVE-2014-4472,
CVE-2014-4473, CVE-2014-4474, CVE-2014-4475,
CVE-2014-4476, CVE-2014-4477, CVE-2014-4479,
CVE-2015-1068, CVE-2015-1069, CVE-2015-1070,
CVE-2015-1071, CVE-2015-1072, CVE-2015-1073,
CVE-2015-1074, CVE-2015-1075, CVE-2015-1076,
CVE-2015-1077, CVE-2015-1080, CVE-2015-1081,
CVE-2015-1082, CVE-2015-1083, CVE-2015-1084,
CVE-2015-1119, CVE-2015-1120, CVE-2015-1121,
CVE-2015-1122, CVE-2015-1124, CVE-2015-1126,
CVE-2015-1127, CVE-2015-1152, CVE-2015-1153,
CVE-2015-1154, CVE-2015-1155, CVE-2015-1156,
CVE-2015-2330, CVE-2015-3658, CVE-2015-3659,
CVE-2015-3660, CVE-2015-3727, CVE-2015-3730,
CVE-2015-3731, CVE-2015-3732, CVE-2015-3733,
CVE-2015-3734, CVE-2015-3735, CVE-2015-3736,
CVE-2015-3737, CVE-2015-3738, CVE-2015-3739,
CVE-2015-3740, CVE-2015-3741, CVE-2015-3742,
CVE-2015-3743, CVE-2015-3744, CVE-2015-3745,
CVE-2015-3746, CVE-2015-3747, CVE-2015-3748,
CVE-2015-3749, CVE-2015-3750, CVE-2015-3751,
CVE-2015-3752, CVE-2015-3753, CVE-2015-3754,
CVE-2015-3755, CVE-2015-5788, CVE-2015-5789,
CVE-2015-5790, CVE-2015-5791, CVE-2015-5792,
CVE-2015-5793, CVE-2015-5794, CVE-2015-5795,
CVE-2015-5797, CVE-2015-5798, CVE-2015-5799,
CVE-2015-5800, CVE-2015-5801, CVE-2015-5802,
CVE-2015-5803, CVE-2015-5804, CVE-2015-5805,
CVE-2015-5806, CVE-2015-5807, CVE-2015-5809,
CVE-2015-5810, CVE-2015-5811, CVE-2015-5812,
CVE-2015-5813, CVE-2015-5814, CVE-2015-5815,
CVE-2015-5816, CVE-2015-5817, CVE-2015-5818,
CVE-2015-5819, CVE-2015-5822, CVE-2015-5823,
CVE-2015-5825, CVE-2015-5826, CVE-2015-5827,
CVE-2015-5828, CVE-2015-5928, CVE-2015-5929,
CVE-2015-5930, CVE-2015-5931, CVE-2015-7002,
CVE-2015-7012, CVE-2015-7013, CVE-2015-7014,
CVE-2015-7048, CVE-2015-7095, CVE-2015-7097,
CVE-2015-7099, CVE-2015-7100, CVE-2015-7102,
CVE-2015-7103, CVE-2015-7104.
Several vulnerabilities were discovered on WebKitGTK+.
CVE-2013-6663
Versions affected: WebKitGTK+ before 2.4.0.
Credit to Atte Kettunen of OUSPG.
Use-after-free vulnerability in the SVGImage::setContainerSize
function in core/svg/graphics/SVGImage.cpp in the SVG implementation
in Blink, as used in Google Chrome before 33.0.1750.146, allows
remote attackers to cause a denial of service or possibly have
unspecified other impact via vectors related to the resizing of a
view.
CVE-2014-1748
Versions affected: WebKitGTK+ before 2.6.0.
Credit to Jordan Milne.
The ScrollView::paint function in platform/scroll/ScrollView.cpp in
Blink, as used in Google Chrome before 35.0.1916.114, allows remote
attackers to spoof the UI by extending scrollbar painting into the
parent frame.
CVE-2014-3192
Versions affected: WebKitGTK+ before 2.6.3.
Credit to cloudfuzzer.
Use-after-free vulnerability in the
ProcessingInstruction::setXSLStyleSheet function in
core/dom/ProcessingInstruction.cpp in the DOM implementation in
Blink, as used in Google Chrome before 38.0.2125.101, allows remote
attackers to cause a denial of service or possibly have unspecified
other impact via unknown vectors.
CVE-2014-4409
Versions affected: WebKitGTK+ before 2.6.0.
Credit to Yosuke Hasegawa (NetAgent Co., Ltd.).
CVE-2014-4410
Versions affected: WebKitGTK+ before 2.6.0.
Credit to Eric Seidel of Google.
CVE-2014-4411
Versions affected: WebKitGTK+ before 2.6.0.
Credit to Google Chrome Security Team.
CVE-2014-4412
Versions affected: WebKitGTK+ before 2.4.0.
CVE-2014-4413
Versions affected: WebKitGTK+ before 2.4.0.
CVE-2014-4414
Versions affected: WebKitGTK+ before 2.4.0.
CVE-2014-4452
Versions affected: WebKitGTK+ before 2.6.0.
Credit to unknown.
CVE-2014-4459
Versions affected: WebKitGTK+ before 2.6.2.
Credit to unknown.
CVE-2014-4465
Versions affected: WebKitGTK+ before 2.6.2.
Credit to Rennie deGraaf of iSEC Partners.
CVE-2014-4466
Versions affected: WebKitGTK+ before 2.6.2.
CVE-2014-4468
Versions affected: WebKitGTK+ before 2.6.0.
CVE-2014-4469
Versions affected: WebKitGTK+ before 2.6.4.
CVE-2014-4470
Versions affected: WebKitGTK+ before 2.6.0.
CVE-2014-4471
Versions affected: WebKitGTK+ before 2.6.0.
CVE-2014-4472
Versions affected: WebKitGTK+ before 2.6.0.
CVE-2014-4473
Versions affected: WebKitGTK+ before 2.6.0.
CVE-2014-4474
Versions affected: WebKitGTK+ before 2.6.2.
CVE-2014-4475
Versions affected: WebKitGTK+ before 2.6.0.
CVE-2014-4476
Versions affected: WebKitGTK+ before 2.6.2.
CVE-2014-4477
Versions affected: WebKitGTK+ before 2.6.4.
Credit to lokihardt@ASRT working with HP's Zero Day Initiative.
CVE-2014-4479
Versions affected: WebKitGTK+ before 2.6.4.
CVE-2015-1068
Versions affected: WebKitGTK+ before 2.8.0.
CVE-2015-1069
Versions affected: WebKitGTK+ before 2.8.0.
CVE-2015-1070
Versions affected: WebKitGTK+ before 2.8.0.
CVE-2015-1071
Versions affected: WebKitGTK+ before 2.8.0.
CVE-2015-1072
Versions affected: WebKitGTK+ before 2.8.0.
Credit to unknown.
CVE-2015-1073
Versions affected: WebKitGTK+ before 2.8.0.
CVE-2015-1074
Versions affected: WebKitGTK+ before 2.6.4.
CVE-2015-1075
Versions affected: WebKitGTK+ before 2.8.0.
Credit to Google Chrome Security Team.
CVE-2015-1076
Versions affected: WebKitGTK+ before 2.8.0.
Credit to unknown.
CVE-2015-1077
Versions affected: WebKitGTK+ before 2.8.0.
CVE-2015-1080
Versions affected: WebKitGTK+ before 2.6.0.
CVE-2015-1081
Versions affected: WebKitGTK+ before 2.8.0.
CVE-2015-1082
Versions affected: WebKitGTK+ before 2.8.0.
CVE-2015-1083
Versions affected: WebKitGTK+ before 2.6.4.
CVE-2015-1084
Versions affected: WebKitGTK+ before 2.6.1.
CVE-2015-1119
Versions affected: WebKitGTK+ before 2.8.0.
Credit to Renata Hodovan of University of Szeged / Samsung
Electronics.
CVE-2015-1120
Versions affected: WebKitGTK+ before 2.8.0.
CVE-2015-1121
Versions affected: WebKitGTK+ before 2.8.0.
CVE-2015-1122
Versions affected: WebKitGTK+ before 2.10.0.
CVE-2015-1124
Versions affected: WebKitGTK+ before 2.8.0.
CVE-2015-1126
Versions affected: WebKitGTK+ before 2.8.0.
Credit to Jouko Pynnonen of Klikki Oy.
CVE-2015-1127
Versions affected: WebKitGTK+ before 2.8.0.
Credit to Tyler C (2.6.5).
The private-browsing implementation in WebKit in Apple Safari before
6.2.5, 7.x before 7.1.5, and 8.x before 8.0.5 places browsing
history into an index, which might allow local users to obtain
sensitive information by reading index entries.
CVE-2015-1152
Versions affected: WebKitGTK+ before 2.10.0.
CVE-2015-1153
Versions affected: WebKitGTK+ before 2.8.0.
CVE-2015-1154
Versions affected: WebKitGTK+ before 2.8.0.
CVE-2015-1155
Versions affected: WebKitGTK+ before 2.10.0.
Credit to Joe Vennix of Rapid7 Inc. working with HP's Zero Day
Initiative.
CVE-2015-1156
Versions affected: WebKitGTK+ before 2.8.0.
Credit to Zachary Durber of Moodle.
CVE-2015-2330
Versions affected: WebKitGTK+ before 2.6.6.
Credit to Ross Lagerwall.
Late TLS certificate verification in WebKitGTK+ prior to 2.6.6
allows remote attackers to view a secure HTTP request, including,
for example, secure cookies.
CVE-2015-3658
Versions affected: WebKitGTK+ before 2.8.1.
Credit to Brad Hill of Facebook.
CVE-2015-3659
Versions affected: WebKitGTK+ before 2.8.3.
Credit to Peter Rutenbar working with HP's Zero Day Initiative.
CVE-2015-3660
Versions affected: WebKitGTK+ before 2.10.0.
CVE-2015-3727
Versions affected: WebKitGTK+ before 2.8.1.
Credit to Peter Rutenbar working with HP's Zero Day Initiative.
CVE-2015-3730
Versions affected: WebKitGTK+ before 2.10.0.
CVE-2015-3731
Versions affected: WebKitGTK+ before 2.8.3.
CVE-2015-3732
Versions affected: WebKitGTK+ before 2.8.3.
CVE-2015-3733
Versions affected: WebKitGTK+ before 2.8.3.
CVE-2015-3734
Versions affected: WebKitGTK+ before 2.8.3.
CVE-2015-3735
Versions affected: WebKitGTK+ before 2.8.3.
CVE-2015-3736
Versions affected: WebKitGTK+ before 2.8.3.
CVE-2015-3737
Versions affected: WebKitGTK+ before 2.8.3.
CVE-2015-3738
Versions affected: WebKitGTK+ before 2.10.0.
CVE-2015-3739
Versions affected: WebKitGTK+ before 2.8.1.
CVE-2015-3740
Versions affected: WebKitGTK+ before 2.10.0.
CVE-2015-3741
Versions affected: WebKitGTK+ before 2.8.1.
CVE-2015-3742
Versions affected: WebKitGTK+ before 2.10.0.
CVE-2015-3743
Versions affected: WebKitGTK+ before 2.8.3.
CVE-2015-3744
Versions affected: WebKitGTK+ before 2.10.0.
CVE-2015-3745
Versions affected: WebKitGTK+ before 2.8.1.
CVE-2015-3746
Versions affected: WebKitGTK+ before 2.10.0.
CVE-2015-3747
Versions affected: WebKitGTK+ before 2.8.0.
CVE-2015-3748
Versions affected: WebKitGTK+ before 2.8.3.
CVE-2015-3749
Versions affected: WebKitGTK+ before 2.8.3.
CVE-2015-3750
Versions affected: WebKitGTK+ before 2.10.0.
Credit to Muneaki Nishimura (nishimunea).
WebKit in Apple Safari before 6.2.8, 7.x before 7.1.8, and 8.x
before 8.0.8, as used in iOS before 8.4.1 and other products, does
not enforce the HTTP Strict Transport Security (HSTS) protection
mechanism for Content Security Policy (CSP) report requests, which
allows man-in-the-middle attackers to obtain sensitive information
by sniffing the network or spoof a report by modifying the client-
server data stream.
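The entry above says that report requests were sent to the report URI as written, without the HSTS upgrade that the rest of the browser applies. As an added example that is not WebKit code, the following Python models the client-side rule: a toy in-memory HSTS store fed from Strict-Transport-Security headers (honouring max-age expiry, max-age=0 removal and includeSubDomains), a URL-upgrade routine, and a report dispatcher whose `enforce_hsts=False` path reproduces the pre-fix behaviour. The hostnames and header values are constructed for the demonstration.

```python
"""Model of how an HSTS-aware client must treat Content Security Policy
report requests. Added example, not WebKit code: a toy in-memory HSTS store
and a URL-upgrade routine stand in for the browser's; hostnames and headers
below are constructed."""
import time
from dataclasses import dataclass
from typing import Dict, Optional
from urllib.parse import urlsplit, urlunsplit


@dataclass
class HstsEntry:
    expires: float          # absolute time at which max-age runs out
    include_subdomains: bool


def hsts_applies(host: str, store: Dict[str, HstsEntry], now: float) -> bool:
    """True if `host` or one of its parent domains has a live HSTS entry
    (a parent domain counts only if it set includeSubDomains)."""
    labels = host.lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        entry = store.get(candidate)
        if entry is None or entry.expires <= now:
            continue
        if i == 0 or entry.include_subdomains:
            return True
    return False


def upgrade_url(url: str, store: Dict[str, HstsEntry], now: float) -> str:
    """Rewrite http:// to https:// (an explicit port 80 becomes the https
    default) when HSTS applies; other URLs are returned unchanged."""
    parts = urlsplit(url)
    if parts.scheme != "http" or not hsts_applies(parts.hostname or "", store, now):
        return url
    netloc = parts.hostname
    if parts.port and parts.port != 80:
        netloc += f":{parts.port}"
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def csp_report_target(report_uri: str, store: Dict[str, HstsEntry],
                      now: float, enforce_hsts: bool) -> str:
    """Where the CSP violation report is actually sent. enforce_hsts=False
    models the pre-fix behaviour described for CVE-2015-3750: the report goes
    to the URI as written, so a host the browser already knows as HSTS still
    receives a plaintext request that an on-path attacker can read or alter."""
    return upgrade_url(report_uri, store, now) if enforce_hsts else report_uri


def record_hsts_header(host: str, header: str, store: Dict[str, HstsEntry], now: float) -> None:
    """Parse a Strict-Transport-Security response header into the store."""
    max_age: Optional[int] = None
    include_sub = False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        if name.lower() == "max-age":
            max_age = int(value.strip('" '))
        elif name.lower() == "includesubdomains":
            include_sub = True
    if max_age is None:
        return                          # a header without max-age is ignored
    if max_age == 0:
        store.pop(host.lower(), None)   # max-age=0 tells the client to forget the host
        return
    store[host.lower()] = HstsEntry(now + max_age, include_sub)


if __name__ == "__main__":
    store: Dict[str, HstsEntry] = {}
    t0 = time.time()
    record_hsts_header("example.test", "max-age=31536000; includeSubDomains", store, t0)
    uri = "http://csp.example.test/report"
    print("vulnerable:", csp_report_target(uri, store, t0, enforce_hsts=False))
    print("fixed:     ", csp_report_target(uri, store, t0, enforce_hsts=True))
```

The only difference between the two paths is whether the report request passes through the same upgrade step as navigations and subresources; a report-uri that is already https is unaffected, which is the practical mitigation a site operator controls.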
CVE-2015-3751
Versions affected: WebKitGTK+ before 2.10.0.
Credit to Muneaki Nishimura (nishimunea).
CVE-2015-3752
Versions affected: WebKitGTK+ before 2.8.4.
Credit to Muneaki Nishimura (nishimunea).
CVE-2015-3753
Versions affected: WebKitGTK+ before 2.8.3.
Credit to Antonio Sanso and Damien Antipa of Adobe.
CVE-2015-3754
Versions affected: WebKitGTK+ before 2.10.0.
Credit to Dongsung Kim (@kid1ng).
CVE-2015-3755
Versions affected: WebKitGTK+ before 2.10.0.
Credit to xisigr of Tencent's Xuanwu Lab.
CVE-2015-5788
Versions affected: WebKitGTK+ before 2.8.0.
The WebKit Canvas implementation in Apple iOS before 9 allows remote
attackers to bypass the Same Origin Policy and obtain sensitive
image information via vectors involving a CANVAS element.
CVE-2015-5789
Versions affected: WebKitGTK+ before 2.6.1.
CVE-2015-5790
Versions affected: WebKitGTK+ before 2.6.2.
CVE-2015-5791
Versions affected: WebKitGTK+ before 2.6.0.
CVE-2015-5792
Versions affected: WebKitGTK+ before 2.4.0.
CVE-2015-5793
Versions affected: WebKitGTK+ before 2.8.0.
CVE-2015-5794
Versions affected: WebKitGTK+ before 2.8.0.
CVE-2015-5795
Versions affected: WebKitGTK+ before 2.8.3.
CVE-2015-5797
Versions affected: WebKitGTK+ before 2.8.0.
CVE-2015-5798
Versions affected: WebKitGTK+ before 2.6.0.
CVE-2015-5799
Versions affected: WebKitGTK+ before 2.8.0.
CVE-2015-5800
Versions affected: WebKitGTK+ before 2.8.0.
CVE-2015-5801
Versions affected: WebKitGTK+ before 2.8.0.
CVE-2015-5802
Versions affected: WebKitGTK+ before 2.6.0.
CVE-2015-5803
Versions affected: WebKitGTK+ before 2.8.0.
CVE-2015-5804
Versions affected: WebKitGTK+ before 2.10.0.
CVE-2015-5805
Versions affected: WebKitGTK+ before 2.10.0.
Credit to unknown.
CVE-2015-5806
Versions affected: WebKitGTK+ before 2.8.3.
CVE-2015-5807
Versions affected: WebKitGTK+ before 2.10.0.
CVE-2015-5809
Versions affected: WebKitGTK+ before 2.8.4.
CVE-2015-5810
Versions affected: WebKitGTK+ before 2.10.0.
CVE-2015-5811
Versions affected: WebKitGTK+ before 2.8.0.
CVE-2015-5812
Versions affected: WebKitGTK+ before 2.8.0.
CVE-2015-5813
Versions affected: WebKitGTK+ before 2.10.0.
CVE-2015-5814
Versions affected: WebKitGTK+ before 2.10.0.
CVE-2015-5815
Versions affected: WebKitGTK+ before 2.10.0.
CVE-2015-5816
Versions affected: WebKitGTK+ before 2.8.0.
CVE-2015-5817
Versions affected: WebKitGTK+ before 2.10.0.
CVE-2015-5818
Versions affected: WebKitGTK+ before 2.10.0.
CVE-2015-5819
Versions affected: WebKitGTK+ before 2.8.0.
CVE-2015-5822
Versions affected: WebKitGTK+ before 2.8.1.
Credit to Mark S. Miller of Google.
CVE-2015-5823
Versions affected: WebKitGTK+ before 2.8.0.
CVE-2015-5825
Versions affected: WebKitGTK+ before 2.10.0.
Credit to Yossi Oren et al. of Columbia University's Network
Security Lab.
CVE-2015-5826
Versions affected: WebKitGTK+ before 2.6.5.
Credit to filedescriptor, Chris Evans.
CVE-2015-5827
Versions affected: WebKitGTK+ before 2.10.0.
Credit to Gildas.
WebKit in Apple iOS before 9 allows remote attackers to bypass the
Same Origin Policy and obtain an object reference via vectors
involving a (1) custom event, (2) message event, or (3) pop state
event.
CVE-2015-5828
Versions affected: WebKitGTK+ before 2.10.0.
Credit to Lorenzo Fontana.
CVE-2015-5928
Versions affected: WebKitGTK+ before 2.8.4.
CVE-2015-5929
Versions affected: WebKitGTK+ before 2.10.0.
CVE-2015-5930
Versions affected: WebKitGTK+ before 2.10.0.
CVE-2015-5931
Versions affected: WebKitGTK+ before 2.10.0.
Credit to unknown.
CVE-2015-7002
Versions affected: WebKitGTK+ before 2.10.0.
CVE-2015-7012
Versions affected: WebKitGTK+ before 2.8.4.
CVE-2015-7013
Versions affected: WebKitGTK+ before 2.10.0.
CVE-2015-7014
Versions affected: WebKitGTK+ before 2.10.0.
Credit to unknown.
CVE-2015-7048
Versions affected: WebKitGTK+ before 2.10.0.
CVE-2015-7095
Versions affected: WebKitGTK+ before 2.10.2.
CVE-2015-7097
Versions affected: WebKitGTK+ before 2.10.3.
CVE-2015-7099
Versions affected: WebKitGTK+ before 2.10.0.
CVE-2015-7100
Versions affected: WebKitGTK+ before 2.10.0.
CVE-2015-7102
Versions affected: WebKitGTK+ before 2.10.0.
CVE-2015-7103
Versions affected: WebKitGTK+ before 2.10.0.
CVE-2015-7104
Versions affected: WebKitGTK+ before 2.10.0.
We recommend updating to the last stable version of WebKitGTK+. It is
the best way of ensuring that you are running a safe version of
WebKitGTK+. Please check our website for information about the last
stable releases.
Further information about WebKitGTK+ Security Advisories can be found
at: http://webkitgtk.org/security.html
The WebKitGTK+ team,
December 28, 2015
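The advisory gives one "Versions affected: WebKitGTK+ before X" line per CVE, which is all a package maintainer needs to decide what an installed build still lacks. As an added example that is not part of the advisory, the following script parses that layout into a CVE-to-fixed-version table and lists the CVEs whose fix is newer than a given installed version. The excerpt it parses is constructed from a handful of the entries above, and versions are compared as integer tuples so that 2.10.0 sorts after 2.8.0 (a plain string comparison gets that wrong).

```python
"""Parse a WebKitGTK+ security advisory (WSA) body into a CVE -> fixed-version
map and report which CVEs still affect a given installed version.

Added example, not part of the WebKitGTK+ advisory; the excerpt below is
constructed from entries on this page and is deliberately short."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed excerpt of WSA-2015-0002 in the advisory's own layout.
ADVISORY_EXCERPT = """\
CVE-2014-4476
Versions affected: WebKitGTK+ before 2.6.2.
CVE-2014-4477
Versions affected: WebKitGTK+ before 2.6.4.
Credit to lokihardt@ASRT working with HP's Zero Day Initiative.
CVE-2014-4479
Versions affected: WebKitGTK+ before 2.6.4.
CVE-2015-2330
Versions affected: WebKitGTK+ before 2.6.6.
Credit to Ross Lagerwall.
Late TLS certificate verification in WebKitGTK+ prior to 2.6.6
allows remote attackers to view a secure HTTP request, including,
for example, secure cookies.
CVE-2015-7097
Versions affected: WebKitGTK+ before 2.10.3.
"""

CVE_RE = re.compile(r"^(CVE-\d{4}-\d{4,})\s*$")
FIXED_RE = re.compile(r"^Versions affected: WebKitGTK\+ before (\d+(?:\.\d+)*)\.\s*$")


def parse_version(text: str) -> Tuple[int, ...]:
    """'2.10.3' -> (2, 10, 3); tuples compare numerically per component."""
    return tuple(int(part) for part in text.split("."))


def parse_advisory(text: str) -> Dict[str, Tuple[int, ...]]:
    """Map each CVE identifier to the first WebKitGTK+ version that fixes it.
    Credit lines and free-text descriptions are ignored; only a bare CVE line
    followed (eventually) by a 'Versions affected' line counts."""
    fixed: Dict[str, Tuple[int, ...]] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        m = CVE_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = FIXED_RE.match(line)
        if m and current:
            fixed[current] = parse_version(m.group(1))
            current = None  # one fixed version per entry
    return fixed


def unfixed_cves(installed: str, fixed: Dict[str, Tuple[int, ...]]) -> List[str]:
    """CVEs whose fix version is newer than the installed version, sorted."""
    have = parse_version(installed)
    return sorted(cve for cve, need in fixed.items() if have < need)


if __name__ == "__main__":
    table = parse_advisory(ADVISORY_EXCERPT)
    for ver in ("2.6.3", "2.8.0", "2.10.3"):
        print(ver, "->", unfixed_cves(ver, table) or "no open CVEs from this excerpt")
```

To use it on the real advisory, paste the full text from the advisory URL into `ADVISORY_EXCERPT` (or read it from a file) and pass the installed version, which on a development box is typically what `pkg-config --modversion webkit2gtk-4.0` prints. Note that distributions frequently backport fixes without bumping the upstream version, so a CVE listed here as open should be confirmed against the distribution's own changelog before being reported.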
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
APPLE-SA-2015-01-27-2 iOS 8.1.3
iOS 8.1.3 is now available and addresses the following:
AppleFileConduit
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A maliciously crafted afc command may allow access to
protected parts of the filesystem
Description: A vulnerability existed in the symbolic linking
mechanism of afc. This issue was addressed by adding additional path
checks.
CVE-ID
CVE-2014-4480 : TaiG Jailbreak Team
CoreGraphics
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Opening a maliciously crafted PDF file may lead to an
unexpected application termination or arbitrary code execution
Description: An integer overflow existed in the handling of PDF
files. This issue was addressed through improved bounds checking.
CVE-ID
CVE-2014-4481 : Felipe Andres Manzano of the Binamuse VRT, via the
iSIGHT Partners GVP Program
dyld
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A local user may be able to execute unsigned code
Description: A state management issue existed in the handling of
Mach-O executable files with overlapping segments. This issue was
addressed through improved validation of segment sizes.
CVE-ID
CVE-2014-4455 : TaiG Jailbreak Team
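The dyld entry above says only that Mach-O executables with overlapping segments were mishandled and that the fix validates segment sizes; it does not describe the underlying state-management flaw, and neither does this example. As an added example that is not Apple's code, here is the kind of check a loader or a triage script can run before trusting an image: walk the 64-bit Mach-O load commands and reject any pair of segments whose file ranges intersect. The images it inspects are built in memory for the demonstration and contain only a header and load commands, not real code.

```python
"""Check a 64-bit Mach-O header for segments whose file ranges overlap.
Added example, not Apple's dyld code; the minimal Mach-O images are
constructed in memory and consist of a header plus load commands only."""
import struct
from typing import List, Tuple

MH_MAGIC_64 = 0xFEEDFACF
LC_SEGMENT_64 = 0x19
HEADER_FMT = "<IiiIIIII"          # mach_header_64: magic .. reserved (32 bytes)
SEGMENT_FMT = "<II16sQQQQiiII"    # segment_command_64 (72 bytes)


def segments(image: bytes) -> List[Tuple[str, int, int]]:
    """Return (name, fileoff, filesize) for every LC_SEGMENT_64 load command,
    refusing images whose load commands are truncated or run past sizeofcmds."""
    magic, _cpu, _sub, _ftype, ncmds, sizeofcmds, _flags, _res = struct.unpack_from(HEADER_FMT, image, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a little-endian 64-bit Mach-O")
    out: List[Tuple[str, int, int]] = []
    off = struct.calcsize(HEADER_FMT)
    end = off + sizeofcmds
    for _ in range(ncmds):
        if off + 8 > end:
            raise ValueError("load commands run past sizeofcmds")
        cmd, cmdsize = struct.unpack_from("<II", image, off)
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError("bad cmdsize")
        if cmd == LC_SEGMENT_64:
            if cmdsize < struct.calcsize(SEGMENT_FMT):
                raise ValueError("truncated LC_SEGMENT_64")
            fields = struct.unpack_from(SEGMENT_FMT, image, off)
            name = fields[2].rstrip(b"\0").decode("ascii", "replace")
            out.append((name, fields[5], fields[6]))   # fileoff, filesize
        off += cmdsize
    return out


def overlapping_segments(image: bytes) -> List[Tuple[str, str]]:
    """Pairs of segments whose [fileoff, fileoff + filesize) ranges intersect.
    Zero-sized segments such as __PAGEZERO occupy no file bytes and are skipped."""
    segs = sorted((s for s in segments(image) if s[2] > 0), key=lambda s: s[1])
    clashes: List[Tuple[str, str]] = []
    for i, (name_a, off_a, size_a) in enumerate(segs):
        for name_b, off_b, size_b in segs[i + 1:]:
            if off_a < off_b + size_b and off_b < off_a + size_a:
                clashes.append((name_a, name_b))
    return clashes


def build_image(segs: List[Tuple[bytes, int, int]]) -> bytes:
    """Construct a minimal arm64 Mach-O executable header with the given
    (segname, fileoff, filesize) segments; vmsize mirrors filesize."""
    cmds = b"".join(
        struct.pack(SEGMENT_FMT, LC_SEGMENT_64, struct.calcsize(SEGMENT_FMT),
                    name.ljust(16, b"\0"), 0, size, off, size, 7, 5, 0, 0)
        for name, off, size in segs)
    header = struct.pack(HEADER_FMT, MH_MAGIC_64, 0x0100000C, 0, 2, len(segs), len(cmds), 0, 0)
    return header + cmds


if __name__ == "__main__":
    clean = build_image([(b"__PAGEZERO", 0, 0), (b"__TEXT", 0, 0x4000),
                         (b"__DATA", 0x4000, 0x1000), (b"__LINKEDIT", 0x5000, 0x800)])
    bad = build_image([(b"__TEXT", 0, 0x4000), (b"__DATA", 0x3000, 0x2000)])
    print("clean image overlaps:", overlapping_segments(clean))
    print("bad image overlaps:  ", overlapping_segments(bad))
```

The same walk is where a loader should also bound-check cmdsize against sizeofcmds and the file length, which the function does before trusting any segment field; a real image additionally needs its vmaddr ranges checked for the same property, since an in-memory overlap is what lets one segment's bytes alias another's.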
FontParser
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Opening a maliciously crafted PDF file may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in the handling of font
files. This issue was addressed through improved bounds checking.
CVE-ID
CVE-2014-4483 : Apple
FontParser
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Processing a maliciously crafted .dfont file may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue existed in the handling of
.dfont files. This issue was addressed through improved bounds
checking.
CVE-ID
CVE-2014-4484 : Gaurav Baruah working with HP's Zero Day Initiative
Foundation
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Viewing a maliciously crafted XML file may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in the XML parser. This issue
was addressed through improved bounds checking.
CVE-ID
CVE-2014-4485 : Apple
IOAcceleratorFamily
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: A null pointer dereference existed in
IOAcceleratorFamily's handling of resource lists. This issue was
addressed by removing unneeded code.
CVE-ID
CVE-2014-4486 : Ian Beer of Google Project Zero
IOHIDFamily
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: A buffer overflow existed in IOHIDFamily. This issue
was addressed through improved size validation.
CVE-ID
CVE-2014-4487 : TaiG Jailbreak Team
IOHIDFamily
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: A validation issue existed in IOHIDFamily's handling of
resource queue metadata. This issue was addressed through improved
validation of metadata.
CVE-ID
CVE-2014-4488 : Apple
IOHIDFamily
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: A null pointer dereference existed in IOHIDFamily's
handling of event queues. This issue was addressed through improved
validation.
CVE-ID
CVE-2014-4489 : @beist
iTunes Store
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A website may be able to bypass sandbox restrictions using
the iTunes Store
Description: An issue existed in the handling of URLs redirected
from Safari to the iTunes Store that could allow a malicious website
to bypass Safari's sandbox restrictions. The issue was addressed with
improved filtering of URLs opened by the iTunes Store.
CVE-ID
CVE-2014-8840 : lokihardt@ASRT working with HP's Zero Day Initiative
Kernel
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Maliciously crafted or compromised iOS applications may be
able to determine addresses in the kernel
Description: An information disclosure issue existed in the handling
of APIs related to kernel extensions. Responses containing an
OSBundleMachOHeaders key may have included kernel addresses, which
may aid in bypassing address space layout randomization protection.
This issue was addressed by unsliding the addresses before returning
them.
CVE-ID
CVE-2014-4491 : @PanguTeam, Stefan Esser
Kernel
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: An issue existed in the kernel shared memory subsystem
that allowed an attacker to write to memory that was intended to be
read-only. This issue was addressed with stricter checking of shared
memory permissions.
CVE-ID
CVE-2014-4495 : Ian Beer of Google Project Zero
Kernel
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Maliciously crafted or compromised iOS applications may be
able to determine addresses in the kernel
Description: The mach_port_kobject kernel interface leaked kernel
addresses and heap permutation value, which may aid in bypassing
address space layout randomization protection. This was addressed by
disabling the mach_port_kobject interface in production
configurations.
CVE-ID
CVE-2014-4496 : TaiG Jailbreak Team
libnetcore
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious, sandboxed app can compromise the networkd
daemon
Description: Multiple type confusion issues existed in networkd's
handling of interprocess communication. The issue is addressed
through additional type checking.
CVE-ID
CVE-2014-4492 : Ian Beer of Google Project Zero
MobileInstallation
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious enterprise-signed application may be able to
take control of the local container for applications already on a
device
Description: A vulnerability existed in the application installation
process. This was addressed by preventing enterprise applications
from overriding existing applications in specific scenarios.
CVE-ID
CVE-2014-4493 : Hui Xue and Tao Wei of FireEye, Inc.
Springboard
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Enterprise-signed applications may be launched without
prompting for trust
Description: An issue existed in determining when to prompt for
trust when first opening an enterprise-signed application. This issue
was addressed through improved code signature validation.
CVE-ID
CVE-2014-4494 : Song Jin, Hui Xue, and Tao Wei of FireEye, Inc.
WebKit
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Visiting a website that frames malicious content may lead to
UI spoofing
Description: A UI spoofing issue existed in the handling of
scrollbar boundaries. This issue was addressed through improved
bounds checking.
CVE-ID
CVE-2014-4467 : Jordan Milne
WebKit
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Style sheets are loaded cross-origin which may allow for
data exfiltration
Description: An SVG loaded in an img element could load a CSS file
cross-origin. This issue was addressed through enhanced blocking of
external CSS references in SVGs.
CVE-ID
CVE-2014-4465 : Rennie deGraaf of iSEC Partners
WebKit
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in WebKit.
These issues were addressed through improved memory handling.
Make sure you have an
Internet connection and have installed the latest version of iTunes
from www.apple.com/itunes/
iTunes and Software Update on the device will automatically check
Apple's update server on its weekly schedule. When an update is
detected, it is downloaded and the option to be installed is
presented to the user when the iOS device is docked. We recommend
applying the update immediately if possible. Selecting Don't Install
will present the option the next time you connect your iOS device.
The automatic update process may take up to a week depending on the
day that iTunes or the device checks for updates. You may manually
obtain the update via the Check for Updates button within iTunes, or
the Software Update on your device.
To check that the iPhone, iPod touch, or iPad has been updated:
* Navigate to Settings
* Select General
* Select About.
Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.22 (Darwin)
-----END PGP SIGNATURE-----
CVE-ID
CVE-2014-3192 : cloudfuzzer
CVE-2014-4476 : Apple
CVE-2014-4477 : lokihardt@ASRT working with HP's Zero Day
Initiative
CVE-2014-4479 : Apple
Safari 8.0.3, Safari 7.1.3, and Safari 6.2.3 may be obtained from
the Mac App Store
| VAR-201501-0622 | CVE-2014-4476 | WebKit, as used in Apple products, arbitrary code execution vulnerability |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
WebKit, as used in Apple iOS before 8.1.3; Apple Safari before 6.2.3, 7.x before 7.1.3, and 8.x before 8.0.3; and Apple TV before 7.0.3, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than CVE-2014-4477 and CVE-2014-4479. WebKit, as used in Apple iOS, Apple Safari, Apple TV and other products, contains a vulnerability that allows arbitrary code execution or denial of service (memory corruption and application crash). WebKit is prone to an unspecified memory-corruption vulnerability.
Attackers can exploit this issue to execute arbitrary code within the context of the user running the affected application. Failed exploit attempts will likely cause denial-of-service conditions. Apple iOS is an operating system developed for mobile devices; Apple Safari is the default web browser shipped with Mac OS X and iOS; Apple TV is a high-definition television set-top box. WebKit is an open source web browser engine, descended from KDE's KHTML and developed chiefly by Apple with contributors including Google; it is used by Apple Safari and was the engine of Google Chrome until Google forked it as Blink in 2013. ------------------------------------------------------------------------
WebKitGTK+ Security Advisory WSA-2015-0002
------------------------------------------------------------------------
Date reported : December 28, 2015
Advisory ID : WSA-2015-0002
Advisory URL : http://webkitgtk.org/security/WSA-2015-0002.html
CVE identifiers : CVE-2013-6663, CVE-2014-1748, CVE-2014-3192,
CVE-2014-4409, CVE-2014-4410, CVE-2014-4411,
CVE-2014-4412, CVE-2014-4413, CVE-2014-4414,
CVE-2014-4452, CVE-2014-4459, CVE-2014-4465,
CVE-2014-4466, CVE-2014-4468, CVE-2014-4469,
CVE-2014-4470, CVE-2014-4471, CVE-2014-4472,
CVE-2014-4473, CVE-2014-4474, CVE-2014-4475,
CVE-2014-4476, CVE-2014-4477, CVE-2014-4479,
CVE-2015-1068, CVE-2015-1069, CVE-2015-1070,
CVE-2015-1071, CVE-2015-1072, CVE-2015-1073,
CVE-2015-1074, CVE-2015-1075, CVE-2015-1076,
CVE-2015-1077, CVE-2015-1080, CVE-2015-1081,
CVE-2015-1082, CVE-2015-1083, CVE-2015-1084,
CVE-2015-1119, CVE-2015-1120, CVE-2015-1121,
CVE-2015-1122, CVE-2015-1124, CVE-2015-1126,
CVE-2015-1127, CVE-2015-1152, CVE-2015-1153,
CVE-2015-1154, CVE-2015-1155, CVE-2015-1156,
CVE-2015-2330, CVE-2015-3658, CVE-2015-3659,
CVE-2015-3660, CVE-2015-3727, CVE-2015-3730,
CVE-2015-3731, CVE-2015-3732, CVE-2015-3733,
CVE-2015-3734, CVE-2015-3735, CVE-2015-3736,
CVE-2015-3737, CVE-2015-3738, CVE-2015-3739,
CVE-2015-3740, CVE-2015-3741, CVE-2015-3742,
CVE-2015-3743, CVE-2015-3744, CVE-2015-3745,
CVE-2015-3746, CVE-2015-3747, CVE-2015-3748,
CVE-2015-3749, CVE-2015-3750, CVE-2015-3751,
CVE-2015-3752, CVE-2015-3753, CVE-2015-3754,
CVE-2015-3755, CVE-2015-5788, CVE-2015-5789,
CVE-2015-5790, CVE-2015-5791, CVE-2015-5792,
CVE-2015-5793, CVE-2015-5794, CVE-2015-5795,
CVE-2015-5797, CVE-2015-5798, CVE-2015-5799,
CVE-2015-5800, CVE-2015-5801, CVE-2015-5802,
CVE-2015-5803, CVE-2015-5804, CVE-2015-5805,
CVE-2015-5806, CVE-2015-5807, CVE-2015-5809,
CVE-2015-5810, CVE-2015-5811, CVE-2015-5812,
CVE-2015-5813, CVE-2015-5814, CVE-2015-5815,
CVE-2015-5816, CVE-2015-5817, CVE-2015-5818,
CVE-2015-5819, CVE-2015-5822, CVE-2015-5823,
CVE-2015-5825, CVE-2015-5826, CVE-2015-5827,
CVE-2015-5828, CVE-2015-5928, CVE-2015-5929,
CVE-2015-5930, CVE-2015-5931, CVE-2015-7002,
CVE-2015-7012, CVE-2015-7013, CVE-2015-7014,
CVE-2015-7048, CVE-2015-7095, CVE-2015-7097,
CVE-2015-7099, CVE-2015-7100, CVE-2015-7102,
CVE-2015-7103, CVE-2015-7104.
Several vulnerabilities were discovered on WebKitGTK+.
CVE-2013-6663
Versions affected: WebKitGTK+ before 2.4.0.
Credit to Atte Kettunen of OUSPG.
Use-after-free vulnerability in the SVGImage::setContainerSize
function in core/svg/graphics/SVGImage.cpp in the SVG implementation
in Blink, as used in Google Chrome before 33.0.1750.146, allows
remote attackers to cause a denial of service or possibly have
unspecified other impact via vectors related to the resizing of a
view.
CVE-2014-1748
Versions affected: WebKitGTK+ before 2.6.0.
Credit to Jordan Milne.
The ScrollView::paint function in platform/scroll/ScrollView.cpp in
Blink, as used in Google Chrome before 35.0.1916.114, allows remote
attackers to spoof the UI by extending scrollbar painting into the
parent frame.
CVE-2014-3192
Versions affected: WebKitGTK+ before 2.6.3.
Credit to cloudfuzzer.
Use-after-free vulnerability in the
ProcessingInstruction::setXSLStyleSheet function in
core/dom/ProcessingInstruction.cpp in the DOM implementation in
Blink, as used in Google Chrome before 38.0.2125.101, allows remote
attackers to cause a denial of service or possibly have unspecified
other impact via unknown vectors.
CVE-2014-4409
Versions affected: WebKitGTK+ before 2.6.0.
Credit to Yosuke Hasegawa (NetAgent Co., Ltd.).
CVE-2014-4410
Versions affected: WebKitGTK+ before 2.6.0.
Credit to Eric Seidel of Google.
CVE-2014-4411
Versions affected: WebKitGTK+ before 2.6.0.
Credit to Google Chrome Security Team.
CVE-2014-4412
Versions affected: WebKitGTK+ before 2.4.0.
CVE-2014-4413
Versions affected: WebKitGTK+ before 2.4.0.
CVE-2014-4414
Versions affected: WebKitGTK+ before 2.4.0.
CVE-2014-4452
Versions affected: WebKitGTK+ before 2.6.0.
Credit to unknown.
CVE-2014-4459
Versions affected: WebKitGTK+ before 2.6.2.
Credit to unknown.
CVE-2014-4465
Versions affected: WebKitGTK+ before 2.6.2.
Credit to Rennie deGraaf of iSEC Partners.
CVE-2014-4466
Versions affected: WebKitGTK+ before 2.6.2.
CVE-2014-4468
Versions affected: WebKitGTK+ before 2.6.0.
CVE-2014-4469
Versions affected: WebKitGTK+ before 2.6.4.
CVE-2014-4470
Versions affected: WebKitGTK+ before 2.6.0.
CVE-2014-4471
Versions affected: WebKitGTK+ before 2.6.0.
CVE-2014-4472
Versions affected: WebKitGTK+ before 2.6.0.
CVE-2014-4473
Versions affected: WebKitGTK+ before 2.6.0.
CVE-2014-4474
Versions affected: WebKitGTK+ before 2.6.2.
CVE-2014-4475
Versions affected: WebKitGTK+ before 2.6.0.
CVE-2014-4476
Versions affected: WebKitGTK+ before 2.6.2.
CVE-2014-4477
Versions affected: WebKitGTK+ before 2.6.4.
Credit to lokihardt@ASRT working with HP's Zero Day Initiative.
CVE-2014-4479
Versions affected: WebKitGTK+ before 2.6.4.
CVE-2015-1068
Versions affected: WebKitGTK+ before 2.8.0.
CVE-2015-1069
Versions affected: WebKitGTK+ before 2.8.0.
CVE-2015-1070
Versions affected: WebKitGTK+ before 2.8.0.
CVE-2015-1071
Versions affected: WebKitGTK+ before 2.8.0.
CVE-2015-1072
Versions affected: WebKitGTK+ before 2.8.0.
Credit to unknown.
CVE-2015-1073
Versions affected: WebKitGTK+ before 2.8.0.
CVE-2015-1074
Versions affected: WebKitGTK+ before 2.6.4.
CVE-2015-1075
Versions affected: WebKitGTK+ before 2.8.0.
Credit to Google Chrome Security Team.
CVE-2015-1076
Versions affected: WebKitGTK+ before 2.8.0.
Credit to unknown.
CVE-2015-1077
Versions affected: WebKitGTK+ before 2.8.0.
CVE-2015-1080
Versions affected: WebKitGTK+ before 2.6.0.
CVE-2015-1081
Versions affected: WebKitGTK+ before 2.8.0.
CVE-2015-1082
Versions affected: WebKitGTK+ before 2.8.0.
CVE-2015-1083
Versions affected: WebKitGTK+ before 2.6.4.
CVE-2015-1084
Versions affected: WebKitGTK+ before 2.6.1.
CVE-2015-1119
Versions affected: WebKitGTK+ before 2.8.0.
Credit to Renata Hodovan of University of Szeged / Samsung
Electronics.
CVE-2015-1120
Versions affected: WebKitGTK+ before 2.8.0.
CVE-2015-1121
Versions affected: WebKitGTK+ before 2.8.0.
CVE-2015-1122
Versions affected: WebKitGTK+ before 2.10.0.
CVE-2015-1124
Versions affected: WebKitGTK+ before 2.8.0.
CVE-2015-1126
Versions affected: WebKitGTK+ before 2.8.0.
Credit to Jouko Pynnonen of Klikki Oy.
CVE-2015-1127
Versions affected: WebKitGTK+ before 2.8.0.
Credit to Tyler C (2.6.5).
The private-browsing implementation in WebKit in Apple Safari before
6.2.5, 7.x before 7.1.5, and 8.x before 8.0.5 places browsing
history into an index, which might allow local users to obtain
sensitive information by reading index entries.
CVE-2015-1152
Versions affected: WebKitGTK+ before 2.10.0.
CVE-2015-1153
Versions affected: WebKitGTK+ before 2.8.0.
CVE-2015-1154
Versions affected: WebKitGTK+ before 2.8.0.
CVE-2015-1155
Versions affected: WebKitGTK+ before 2.10.0.
Credit to Joe Vennix of Rapid7 Inc. working with HP's Zero Day
Initiative.
CVE-2015-1156
Versions affected: WebKitGTK+ before 2.8.0.
Credit to Zachary Durber of Moodle.
CVE-2015-2330
Versions affected: WebKitGTK+ before 2.6.6.
Credit to Ross Lagerwall.
Late TLS certificate verification in WebKitGTK+ prior to 2.6.6
allows remote attackers to view a secure HTTP request, including,
for example, secure cookies.
CVE-2015-3658
Versions affected: WebKitGTK+ before 2.8.1.
Credit to Brad Hill of Facebook.
CVE-2015-3659
Versions affected: WebKitGTK+ before 2.8.3.
Credit to Peter Rutenbar working with HP's Zero Day Initiative.
CVE-2015-3660
Versions affected: WebKitGTK+ before 2.10.0.
CVE-2015-3727
Versions affected: WebKitGTK+ before 2.8.1.
Credit to Peter Rutenbar working with HP's Zero Day Initiative.
CVE-2015-3730
Versions affected: WebKitGTK+ before 2.10.0.
CVE-2015-3731
Versions affected: WebKitGTK+ before 2.8.3.
CVE-2015-3732
Versions affected: WebKitGTK+ before 2.8.3.
CVE-2015-3733
Versions affected: WebKitGTK+ before 2.8.3.
CVE-2015-3734
Versions affected: WebKitGTK+ before 2.8.3.
CVE-2015-3735
Versions affected: WebKitGTK+ before 2.8.3.
CVE-2015-3736
Versions affected: WebKitGTK+ before 2.8.3.
CVE-2015-3737
Versions affected: WebKitGTK+ before 2.8.3.
CVE-2015-3738
Versions affected: WebKitGTK+ before 2.10.0.
CVE-2015-3739
Versions affected: WebKitGTK+ before 2.8.1.
CVE-2015-3740
Versions affected: WebKitGTK+ before 2.10.0.
CVE-2015-3741
Versions affected: WebKitGTK+ before 2.8.1.
CVE-2015-3742
Versions affected: WebKitGTK+ before 2.10.0.
CVE-2015-3743
Versions affected: WebKitGTK+ before 2.8.3.
CVE-2015-3744
Versions affected: WebKitGTK+ before 2.10.0.
CVE-2015-3745
Versions affected: WebKitGTK+ before 2.8.1.
CVE-2015-3746
Versions affected: WebKitGTK+ before 2.10.0.
CVE-2015-3747
Versions affected: WebKitGTK+ before 2.8.0.
CVE-2015-3748
Versions affected: WebKitGTK+ before 2.8.3.
CVE-2015-3749
Versions affected: WebKitGTK+ before 2.8.3.
CVE-2015-3750
Versions affected: WebKitGTK+ before 2.10.0.
Credit to Muneaki Nishimura (nishimunea).
WebKit in Apple Safari before 6.2.8, 7.x before 7.1.8, and 8.x
before 8.0.8, as used in iOS before 8.4.1 and other products, does
not enforce the HTTP Strict Transport Security (HSTS) protection
mechanism for Content Security Policy (CSP) report requests, which
allows man-in-the-middle attackers to obtain sensitive information
by sniffing the network or spoof a report by modifying the client-
server data stream.
CVE-2015-3751
Versions affected: WebKitGTK+ before 2.10.0.
Credit to Muneaki Nishimura (nishimunea).
CVE-2015-3752
Versions affected: WebKitGTK+ before 2.8.4.
Credit to Muneaki Nishimura (nishimunea).
CVE-2015-3753
Versions affected: WebKitGTK+ before 2.8.3.
Credit to Antonio Sanso and Damien Antipa of Adobe.
CVE-2015-3754
Versions affected: WebKitGTK+ before 2.10.0.
Credit to Dongsung Kim (@kid1ng).
CVE-2015-3755
Versions affected: WebKitGTK+ before 2.10.0.
Credit to xisigr of Tencent's Xuanwu Lab.
CVE-2015-5788
Versions affected: WebKitGTK+ before 2.8.0.
The WebKit Canvas implementation in Apple iOS before 9 allows remote
attackers to bypass the Same Origin Policy and obtain sensitive
image information via vectors involving a CANVAS element.
CVE-2015-5789
Versions affected: WebKitGTK+ before 2.6.1.
CVE-2015-5790
Versions affected: WebKitGTK+ before 2.6.2.
CVE-2015-5791
Versions affected: WebKitGTK+ before 2.6.0.
CVE-2015-5792
Versions affected: WebKitGTK+ before 2.4.0.
CVE-2015-5793
Versions affected: WebKitGTK+ before 2.8.0.
CVE-2015-5794
Versions affected: WebKitGTK+ before 2.8.0.
CVE-2015-5795
Versions affected: WebKitGTK+ before 2.8.3.
CVE-2015-5797
Versions affected: WebKitGTK+ before 2.8.0.
CVE-2015-5798
Versions affected: WebKitGTK+ before 2.6.0.
CVE-2015-5799
Versions affected: WebKitGTK+ before 2.8.0.
CVE-2015-5800
Versions affected: WebKitGTK+ before 2.8.0.
CVE-2015-5801
Versions affected: WebKitGTK+ before 2.8.0.
CVE-2015-5802
Versions affected: WebKitGTK+ before 2.6.0.
CVE-2015-5803
Versions affected: WebKitGTK+ before 2.8.0.
CVE-2015-5804
Versions affected: WebKitGTK+ before 2.10.0.
CVE-2015-5805
Versions affected: WebKitGTK+ before 2.10.0.
Credit to unknown.
CVE-2015-5806
Versions affected: WebKitGTK+ before 2.8.3.
CVE-2015-5807
Versions affected: WebKitGTK+ before 2.10.0.
CVE-2015-5809
Versions affected: WebKitGTK+ before 2.8.4.
CVE-2015-5810
Versions affected: WebKitGTK+ before 2.10.0.
CVE-2015-5811
Versions affected: WebKitGTK+ before 2.8.0.
CVE-2015-5812
Versions affected: WebKitGTK+ before 2.8.0.
CVE-2015-5813
Versions affected: WebKitGTK+ before 2.10.0.
CVE-2015-5814
Versions affected: WebKitGTK+ before 2.10.0.
CVE-2015-5815
Versions affected: WebKitGTK+ before 2.10.0.
CVE-2015-5816
Versions affected: WebKitGTK+ before 2.8.0.
CVE-2015-5817
Versions affected: WebKitGTK+ before 2.10.0.
CVE-2015-5818
Versions affected: WebKitGTK+ before 2.10.0.
CVE-2015-5819
Versions affected: WebKitGTK+ before 2.8.0.
CVE-2015-5822
Versions affected: WebKitGTK+ before 2.8.1.
Credit to Mark S. Miller of Google.
CVE-2015-5823
Versions affected: WebKitGTK+ before 2.8.0.
CVE-2015-5825
Versions affected: WebKitGTK+ before 2.10.0.
Credit to Yossi Oren et al. of Columbia University's Network
Security Lab.
CVE-2015-5826
Versions affected: WebKitGTK+ before 2.6.5.
Credit to filedescriptior, Chris Evans.
CVE-2015-5827
Versions affected: WebKitGTK+ before 2.10.0.
Credit to Gildas.
WebKit in Apple iOS before 9 allows remote attackers to bypass the
Same Origin Policy and obtain an object reference via vectors
involving a (1) custom event, (2) message event, or (3) pop state
event.
CVE-2015-5828
Versions affected: WebKitGTK+ before 2.10.0.
Credit to Lorenzo Fontana.
CVE-2015-5928
Versions affected: WebKitGTK+ before 2.8.4.
CVE-2015-5929
Versions affected: WebKitGTK+ before 2.10.0.
CVE-2015-5930
Versions affected: WebKitGTK+ before 2.10.0.
CVE-2015-5931
Versions affected: WebKitGTK+ before 2.10.0.
Credit to unknown.
CVE-2015-7002
Versions affected: WebKitGTK+ before 2.10.0.
CVE-2015-7012
Versions affected: WebKitGTK+ before 2.8.4.
CVE-2015-7013
Versions affected: WebKitGTK+ before 2.10.0.
CVE-2015-7014
Versions affected: WebKitGTK+ before 2.10.0.
Credit to unknown.
CVE-2015-7048
Versions affected: WebKitGTK+ before 2.10.0.
CVE-2015-7095
Versions affected: WebKitGTK+ before 2.10.2.
CVE-2015-7097
Versions affected: WebKitGTK+ before 2.10.3.
CVE-2015-7099
Versions affected: WebKitGTK+ before 2.10.0.
CVE-2015-7100
Versions affected: WebKitGTK+ before 2.10.0.
CVE-2015-7102
Versions affected: WebKitGTK+ before 2.10.0.
CVE-2015-7103
Versions affected: WebKitGTK+ before 2.10.0.
CVE-2015-7104
Versions affected: WebKitGTK+ before 2.10.0.
We recommend updating to the last stable version of WebKitGTK+. It is
the best way of ensuring that you are running a safe version of
WebKitGTK+. Please check our website for information about the last
stable releases.
Further information about WebKitGTK+ Security Advisories can be found
at: http://webkitgtk.org/security.html
The WebKitGTK+ team,
December 28, 2015
APPLE-SA-2015-01-27-2 iOS 8.1.3
iOS 8.1.3 is now available and addresses the following:
AppleFileConduit
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A maliciously crafted afc command may allow access to
protected parts of the filesystem
Description: A vulnerability existed in the symbolic linking
mechanism of afc. This issue was addressed by adding additional path
checks.
CVE-ID
CVE-2014-4480 : TaiG Jailbreak Team
CoreGraphics
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Opening a maliciously crafted PDF file may lead to an
unexpected application termination or arbitrary code execution
Description: An integer overflow existed in the handling of PDF
files. This issue was addressed through improved bounds checking.
CVE-ID
CVE-2014-4481 : Felipe Andres Manzano of the Binamuse VRT, via the
iSIGHT Partners GVP Program
dyld
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A local user may be able to execute unsigned code
Description: A state management issue existed in the handling of
Mach-O executable files with overlapping segments. This issue was
addressed through improved validation of segment sizes.
CVE-ID
CVE-2014-4455 : TaiG Jailbreak Team
FontParser
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Opening a maliciously crafted PDF file may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in the handling of font
files. This issue was addressed through improved bounds checking.
CVE-ID
CVE-2014-4483 : Apple
FontParser
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Processing a maliciously crafted .dfont file may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue existed in the handling of
.dfont files. This issue was addressed through improved bounds
checking.
CVE-ID
CVE-2014-4484 : Gaurav Baruah working with HP's Zero Day Initiative
Foundation
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Viewing a maliciously crafted XML file may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in the XML parser. This issue
was addressed through improved bounds checking.
CVE-ID
CVE-2014-4485 : Apple
IOAcceleratorFamily
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: A null pointer dereference existed in
IOAcceleratorFamily's handling of resource lists. This issue was
addressed by removing unneeded code.
CVE-ID
CVE-2014-4486 : Ian Beer of Google Project Zero
IOHIDFamily
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: A buffer overflow existed in IOHIDFamily. This issue
was addressed through improved size validation.
CVE-ID
CVE-2014-4487 : TaiG Jailbreak Team
IOHIDFamily
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: A validation issue existed in IOHIDFamily's handling of
resource queue metadata. This issue was addressed through improved
validation of metadata.
CVE-ID
CVE-2014-4488 : Apple
IOHIDFamily
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: A null pointer dereference existed in IOHIDFamily's
handling of event queues. This issue was addressed through improved
validation.
CVE-ID
CVE-2014-4489 : @beist
iTunes Store
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A website may be able to bypass sandbox restrictions using
the iTunes Store
Description: An issue existed in the handling of URLs redirected
from Safari to the iTunes Store that could allow a malicious website
to bypass Safari's sandbox restrictions. The issue was addressed with
improved filtering of URLs opened by the iTunes Store.
CVE-ID
CVE-2014-8840 : lokihardt@ASRT working with HP's Zero Day Initiative
Kernel
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Maliciously crafted or compromised iOS applications may be
able to determine addresses in the kernel
Description: An information disclosure issue existed in the handling
of APIs related to kernel extensions. Responses containing an
OSBundleMachOHeaders key may have included kernel addresses, which
may aid in bypassing address space layout randomization protection.
This issue was addressed by unsliding the addresses before returning
them.
CVE-ID
CVE-2014-4491 : @PanguTeam, Stefan Esser
Kernel
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: An issue existed in the kernel shared memory subsystem
that allowed an attacker to write to memory that was intended to be
read-only. This issue was addressed with stricter checking of shared
memory permissions.
CVE-ID
CVE-2014-4495 : Ian Beer of Google Project Zero
Kernel
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Maliciously crafted or compromised iOS applications may be
able to determine addresses in the kernel
Description: The mach_port_kobject kernel interface leaked kernel
addresses and heap permutation value, which may aid in bypassing
address space layout randomization protection. This was addressed by
disabling the mach_port_kobject interface in production
configurations.
CVE-ID
CVE-2014-4496 : TaiG Jailbreak Team
libnetcore
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious, sandboxed app can compromise the networkd
daemon
Description: Multiple type confusion issues existed in networkd's
handling of interprocess communication. The issue is addressed
through additional type checking.
CVE-ID
CVE-2014-4492 : Ian Beer of Google Project Zero
MobileInstallation
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious enterprise-signed application may be able to
take control of the local container for applications already on a
device
Description: A vulnerability existed in the application installation
process. This was addressed by preventing enterprise applications
from overriding existing applications in specific scenarios.
CVE-ID
CVE-2014-4493 : Hui Xue and Tao Wei of FireEye, Inc.
Springboard
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Enterprise-signed applications may be launched without
prompting for trust
Description: An issue existed in determining when to prompt for
trust when first opening an enterprise-signed application. This issue
was addressed through improved code signature validation.
CVE-ID
CVE-2014-4494 : Song Jin, Hui Xue, and Tao Wei of FireEye, Inc.
WebKit
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Visiting a website that frames malicious content may lead to
UI spoofing
Description: A UI spoofing issue existed in the handling of
scrollbar boundaries. This issue was addressed through improved
bounds checking.
CVE-ID
CVE-2014-4467 : Jordan Milne
WebKit
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Style sheets are loaded cross-origin which may allow for
data exfiltration
Description: An SVG loaded in an img element could load a CSS file
cross-origin. This issue was addressed through enhanced blocking of
external CSS references in SVGs.
CVE-ID
CVE-2014-4465 : Rennie deGraaf of iSEC Partners
WebKit
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in WebKit.
These issues were addressed through improved memory handling.
Make sure you have an
Internet connection and have installed the latest version of iTunes
from www.apple.com/itunes/
iTunes and Software Update on the device will automatically check
Apple's update server on its weekly schedule. When an update is
detected, it is downloaded and the option to be installed is
presented to the user when the iOS device is docked. We recommend
applying the update immediately if possible. Selecting Don't Install
will present the option the next time you connect your iOS device.
The automatic update process may take up to a week depending on the
day that iTunes or the device checks for updates. You may manually
obtain the update via the Check for Updates button within iTunes, or
the Software Update on your device.
To check that the iPhone, iPod touch, or iPad has been updated:
* Navigate to Settings
* Select General
* Select About.
Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
CVE-ID
CVE-2014-3192 : cloudfuzzer
CVE-2014-4476 : Apple
CVE-2014-4477 : lokihardt@ASRT working with HP's Zero Day
Initiative
CVE-2014-4479 : Apple
Safari 8.0.3, Safari 7.1.3, and Safari 6.2.3 may be obtained from
the Mac App Store
| VAR-201709-0150 | CVE-2014-0997 |
Android as used on multiple devices: data processing vulnerability
Related entries in the VARIoT exploits database: VAR-E-201501-0033 |
CVSS V2: 5.0 CVSS V3: 7.5 Severity: HIGH |
WiFiMonitor in Android 4.4.4 as used in the Nexus 5 and 4, Android 4.2.2 as used in the LG D806, Android 4.2.2 as used in the Samsung SM-T310, Android 4.1.2 as used in the Motorola RAZR HD, and potentially other unspecified Android releases before 5.0.1 and 5.0.2 does not properly handle exceptions, which allows remote attackers to cause a denial of service (reboot) via a crafted 802.11 probe response frame. Android as used on multiple devices contains a data processing vulnerability. The service may be put into a denial-of-service (DoS) state. Wi-Fi Direct can support a pair of connected devices as well as the simultaneous connection of multiple devices, and the Wi-Fi Direct standard will support all Wi-Fi devices. Multiple Android devices have a denial of service vulnerability that allows an attacker to initiate a denial of service attack.
Successfully exploiting this issue will allow attackers to cause denial-of-service conditions.
| VAR-201502-0470 | CVE-2015-0869 | I-O DATA DEVICE NP-BBRM Denial of Service Vulnerability |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
I-O DATA DEVICE NP-BBRM routers allow remote attackers to cause a denial of service (SSDP reflection) via UPnP requests. NP-BBRM provided by I-O DATA DEVICE, INC. is a LAN router. NP-BBRM contains a vulnerability in the UPnP functionality. The device may be used as an SSDP reflector in a DDoS attack. NP-BBRM is prone to multiple unspecified security vulnerabilities.
| VAR-201501-0221 | CVE-2015-0586 | Cisco 2900 Series Integrated Services Router Denial of Service Vulnerability |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
The Network-Based Application Recognition (NBAR) protocol implementation in Cisco IOS 15.3(100)M and earlier on Cisco 2900 Integrated Services Router (aka Cisco Internet Router) devices allows remote attackers to cause a denial of service (NBAR process hang) via IPv4 packets, aka Bug ID CSCuo73682. The vendor has published this vulnerability as Bug ID CSCuo73682. Supplementary information: the vulnerability type has been identified as CWE-19: Data Handling (http://cwe.mitre.org/data/definitions/19.html). A third party may cause a denial of service (NBAR process hang) via IPv4 packets.
Attackers can exploit this issue to cause the affected device to reload, denying service to legitimate users. Cisco IOS is a set of operating systems for Internet interconnection.
| VAR-201502-0403 | CVE-2015-1460 | Huawei Quidway Switches Remote Security Bypass Vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Huawei Quidway switches with firmware before V200R005C00SPC300 allow remote attackers to gain privileges via a crafted packet. Huawei Quidway switches have a remote security bypass vulnerability that allows an attacker to bypass certain security restrictions, perform unauthorized operations, or initiate a denial of service attack. Huawei Quidway Switch is an Ethernet switch product of China's Huawei. A security vulnerability exists in the Huawei Quidway Switch V200R005C00SPC300. This may aid in further attacks.
| VAR-201501-0145 | CVE-2015-1179 | Infinite Automation Systems Mango Automation Cross-Site Scripting Vulnerability |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Multiple cross-site scripting (XSS) vulnerabilities in data_point_details.shtm in Mango Automation 2.4.0 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) dpid, (2) dpxid, or (3) pid parameter. Infinite Automation Systems Mango Automation is an open source SCADA/HMI software application from Infinite Automation Systems of Australia that provides real-time logging of data from sensors, PLCs, and databases, generating logs and reports, and sending alerts.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
Mango Automation 2.4.0 is vulnerable; other versions may also be affected.
| VAR-201501-0116 | CVE-2015-0311 | Adobe Flash Player arbitrary code execution vulnerability |
CVSS V2: 10.0 CVSS V3: 9.8 Severity: CRITICAL |
Unspecified vulnerability in Adobe Flash Player through 13.0.0.262 and 14.x, 15.x, and 16.x through 16.0.0.287 on Windows and OS X and through 11.2.202.438 on Linux allows remote attackers to execute arbitrary code via unknown vectors, as exploited in the wild in January 2015. Exploitation was observed in January 2015. A third party may be able to execute arbitrary code.
An attacker can leverage this issue to execute arbitrary code in the context of the currently logged-in user. Failed exploit attempts will likely result in denial-of-service conditions. The product enables viewing of applications, content and video across screens and browsers.
Background
==========
The Adobe Flash Player is a renderer for the SWF file format, which is
commonly used to provide interactive websites.
Please review the CVE identifiers referenced below for details.
Impact
======
A remote attacker could possibly execute arbitrary code with the
privileges of the process, cause a Denial of Service condition, obtain
sensitive information or bypass security restrictions.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Adobe Flash Player users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v ">=www-plugins/adobe-flash-11.2.202.442"
References
==========
[ 1 ] CVE-2015-0301
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0301
[ 2 ] CVE-2015-0302
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0302
[ 3 ] CVE-2015-0303
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0303
[ 4 ] CVE-2015-0304
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0304
[ 5 ] CVE-2015-0305
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0305
[ 6 ] CVE-2015-0306
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0306
[ 7 ] CVE-2015-0307
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0307
[ 8 ] CVE-2015-0308
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0308
[ 9 ] CVE-2015-0309
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0309
[ 10 ] CVE-2015-0310
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0310
[ 11 ] CVE-2015-0311
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0311
[ 12 ] CVE-2015-0314
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0314
[ 13 ] CVE-2015-0315
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0315
[ 14 ] CVE-2015-0316
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0316
[ 15 ] CVE-2015-0317
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0317
[ 16 ] CVE-2015-0318
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0318
[ 17 ] CVE-2015-0319
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0319
[ 18 ] CVE-2015-0320
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0320
[ 19 ] CVE-2015-0321
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0321
[ 20 ] CVE-2015-0322
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0322
[ 21 ] CVE-2015-0323
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0323
[ 22 ] CVE-2015-0324
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0324
[ 23 ] CVE-2015-0325
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0325
[ 24 ] CVE-2015-0326
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0326
[ 25 ] CVE-2015-0327
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0327
[ 26 ] CVE-2015-0328
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0328
[ 27 ] CVE-2015-0329
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0329
[ 28 ] CVE-2015-0330
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0330
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201502-02.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2015 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
=====================================================================
Red Hat Security Advisory
Synopsis: Critical: flash-plugin security update
Advisory ID: RHSA-2015:0094-01
Product: Red Hat Enterprise Linux Supplementary
Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-0094.html
Issue date: 2015-01-27
CVE Names: CVE-2015-0310 CVE-2015-0311 CVE-2015-0312
=====================================================================
1. Summary:
An updated Adobe Flash Player package that fixes multiple security issues
is now available for Red Hat Enterprise Linux 5 and 6 Supplementary.
Red Hat Product Security has rated this update as having Critical security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64
3. Description:
These vulnerabilities are detailed in the Adobe Security Bulletins APSB15-02
and APSB15-03, listed in the References section.
Multiple flaws were found in the way flash-plugin displayed certain SWF
content. An attacker could use these flaws to create a specially crafted
SWF file that would cause flash-plugin to crash or, potentially, execute
arbitrary code when the victim loaded a page containing the malicious SWF
content.
4. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1185137 - CVE-2015-0310 flash-plugin: Vulnerability that could be used to circumvent memory randomization mitigations (APSB15-02)
1185296 - CVE-2015-0311 CVE-2015-0312 flash-plugin: multiple critical vulnerabilities (APSA15-01)(APSB15-03)
6. Package List:
Red Hat Enterprise Linux Desktop Supplementary (v. 5):
i386:
flash-plugin-11.2.202.440-1.el5.i386.rpm
x86_64:
flash-plugin-11.2.202.440-1.el5.i386.rpm
Red Hat Enterprise Linux Server Supplementary (v. 5):
i386:
flash-plugin-11.2.202.440-1.el5.i386.rpm
x86_64:
flash-plugin-11.2.202.440-1.el5.i386.rpm
Red Hat Enterprise Linux Desktop Supplementary (v. 6):
i386:
flash-plugin-11.2.202.440-1.el6.i686.rpm
x86_64:
flash-plugin-11.2.202.440-1.el6.i686.rpm
Red Hat Enterprise Linux Server Supplementary (v. 6):
i386:
flash-plugin-11.2.202.440-1.el6.i686.rpm
x86_64:
flash-plugin-11.2.202.440-1.el6.i686.rpm
Red Hat Enterprise Linux Workstation Supplementary (v. 6):
i386:
flash-plugin-11.2.202.440-1.el6.i686.rpm
x86_64:
flash-plugin-11.2.202.440-1.el6.i686.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2015-0310
https://access.redhat.com/security/cve/CVE-2015-0311
https://access.redhat.com/security/cve/CVE-2015-0312
https://access.redhat.com/security/updates/classification/#critical
https://helpx.adobe.com/security/products/flash-player/apsb15-02.html
https://helpx.adobe.com/security/products/flash-player/apsb15-03.html
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2015 Red Hat, Inc.
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
| VAR-201501-0115 | CVE-2015-0310 | Adobe Flash Player ASLR protection mechanism bypass vulnerability |
CVSS V2: 10.0 CVSS V3: 7.8 Severity: HIGH |
Adobe Flash Player before 13.0.0.262 and 14.x through 16.x before 16.0.0.287 on Windows and OS X and before 11.2.202.438 on Linux does not properly restrict discovery of memory addresses, which allows attackers to bypass the ASLR protection mechanism on Windows, and have an unspecified impact on other platforms, via unknown vectors, as exploited in the wild in January 2015. Attacks on this vulnerability were observed in January 2015. An attacker may bypass the ASLR protection mechanism on Windows and have an unspecified impact on other platforms. Adobe Flash Player is prone to an unspecified memory-corruption vulnerability.
An attacker can exploit this issue to execute arbitrary code in the context of the user running the affected application. Failed exploit attempts will likely result in denial-of-service conditions. The product enables viewing of applications, content and video across screens and browsers.
Background
==========
The Adobe Flash Player is a renderer for the SWF file format, which is
commonly used to provide interactive websites.
Please review the CVE identifiers referenced below for details.
Impact
======
A remote attacker could possibly execute arbitrary code with the
privileges of the process, cause a Denial of Service condition, obtain
sensitive information or bypass security restrictions.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Adobe Flash Player users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v ">=www-plugins/adobe-flash-11.2.202.442"
References
==========
[ 1 ] CVE-2015-0301
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0301
[ 2 ] CVE-2015-0302
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0302
[ 3 ] CVE-2015-0303
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0303
[ 4 ] CVE-2015-0304
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0304
[ 5 ] CVE-2015-0305
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0305
[ 6 ] CVE-2015-0306
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0306
[ 7 ] CVE-2015-0307
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0307
[ 8 ] CVE-2015-0308
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0308
[ 9 ] CVE-2015-0309
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0309
[ 10 ] CVE-2015-0310
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0310
[ 11 ] CVE-2015-0311
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0311
[ 12 ] CVE-2015-0314
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0314
[ 13 ] CVE-2015-0315
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0315
[ 14 ] CVE-2015-0316
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0316
[ 15 ] CVE-2015-0317
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0317
[ 16 ] CVE-2015-0318
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0318
[ 17 ] CVE-2015-0319
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0319
[ 18 ] CVE-2015-0320
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0320
[ 19 ] CVE-2015-0321
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0321
[ 20 ] CVE-2015-0322
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0322
[ 21 ] CVE-2015-0323
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0323
[ 22 ] CVE-2015-0324
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0324
[ 23 ] CVE-2015-0325
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0325
[ 24 ] CVE-2015-0326
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0326
[ 25 ] CVE-2015-0327
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0327
[ 26 ] CVE-2015-0328
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0328
[ 27 ] CVE-2015-0329
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0329
[ 28 ] CVE-2015-0330
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0330
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201502-02.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2015 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
| VAR-201501-0118 | CVE-2015-1028 | D-Link DSL-2730B Router firmware cross-site scripting vulnerability |
CVSS V2: 3.5 CVSS V3: - Severity: LOW |
Multiple cross-site scripting (XSS) vulnerabilities in D-Link DSL-2730B router (rev C1) with firmware GE_1.01 allow remote authenticated users to inject arbitrary web script or HTML via the (1) domainname parameter to dnsProxy.cmd (DNS Proxy Configuration Panel); the (2) brName parameter to lancfg2get.cgi (Lan Configuration Panel); the (3) wlAuthMode, (4) wl_wsc_reg, or (5) wl_wsc_mode parameter to wlsecrefresh.wl (Wireless Security Panel); or the (6) wlWpaPsk parameter to wlsecurity.wl (Wireless Password Viewer). The D-Link DSL-2730B Router (rev C1) contains cross-site scripting vulnerabilities: a remotely authenticated user may inject arbitrary web script or HTML via the parameters listed above. The D-Link DSL-2730B is a home wireless ADSL router. D-Link DSL-2730B Router is prone to multiple cross-site scripting vulnerabilities.
An attacker may exploit these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, perform unauthorized actions, and disclose or modify sensitive information.
D-Link DSL-2730B routers running firmware version GE_1.01 are vulnerable. The vulnerabilities are caused by insufficient filtering of the 'domainname' parameter in the dnsProxy.cmd file, of the 'brName' parameter in the lancfg2get.cgi file, of the 'wlAuthMode', 'wl_wsc_reg' and 'wl_wsc_mode' parameters in the wlsecrefresh.wl file, and of the 'wlWpaPsk' parameter in the wlsecurity.wl file.
| VAR-201501-0325 | CVE-2014-8008 |
Cisco Unified Communications Manager Real-Time Monitoring Tool API absolute path traversal vulnerability
Related entries in the VARIoT exploits database: VAR-E-201409-0018, VAR-E-201409-0545 |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Absolute path traversal vulnerability in the Real-Time Monitoring Tool (RTMT) API in Cisco Unified Communications Manager (CUCM) allows remote authenticated users to read arbitrary files via a full pathname in an API command, aka Bug ID CSCur49414.
An attacker can exploit this issue to gain access to sensitive information stored in arbitrary files, that may aid in further attacks.
This issue is being tracked by Cisco Bug Id CSCur49414. This component provides a scalable, distributed and highly available enterprise IP telephony call processing solution.
| VAR-201501-0129 | CVE-2015-1048 | Siemens SIMATIC S7-1200 Open redirection vulnerability |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Open redirect vulnerability in the integrated web server on Siemens SIMATIC S7-1200 CPU devices with firmware before 4.1 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors. Supplementary information: the CWE vulnerability type has been identified as CWE-601: URL Redirection to Untrusted Site ('Open Redirect'), http://cwe.mitre.org/data/definitions/601.html. A third party may redirect any user to an arbitrary web site and conduct a phishing attack. The Siemens SIMATIC S7-1200 is a modular PLC controller. Siemens SIMATIC S7-1200 CPU is prone to an open-redirection vulnerability because it fails to properly sanitize user-supplied input.
An attacker can leverage this issue to conduct phishing attacks; other attacks are possible.
| VAR-201501-0403 | CVE-2014-9198 |
Schneider Electric ETG3000 FactoryCast HMI Gateway FTP Built-in password vulnerability
Related entries in the VARIoT exploits database: VAR-E-201501-0004 |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
The FTP server on the Schneider Electric ETG3000 FactoryCast HMI Gateway with firmware through 1.60 IR 04 has hardcoded credentials, which makes it easier for remote attackers to obtain access via an FTP session. Schneider Electric ETG3000 FactoryCast HMI Gateway is a new intelligent web gateway. This BID is being retired as a duplicate of BID 72258. This may aid in further attacks. This vulnerability stems from the lack of an effective trust management mechanism in network systems or products. Attackers can use default passwords or hard-coded passwords, hard-coded certificates, etc. to attack affected components.
| VAR-201708-0293 | CVE-2014-8428 | Barracuda Load Balancer authorization, permissions, and access control vulnerability |
CVSS V2: 7.5 CVSS V3: 9.8 Severity: CRITICAL |
Privilege escalation vulnerability in Barracuda Load Balancer 5.0.0.015 via the use of an improperly protected SSH key. Barracuda Load Balancer contains vulnerabilities related to authorization, permissions, and access control. Information may be obtained or altered, and service operation may be disrupted (DoS). The controller provides protection against intrusion and attack events, while optimizing application load and providing strong performance support.
===============================================================================
title: Virtual Appliance Security Review
case id: CM-2013-01
product: Barracuda Load Balancer ADC
vulnerability type: Multiple
severity: Medium to High
found: 2013-12-13
by: Cristiano Maruti (@cmaruti)
===============================================================================
[EXECUTIVE SUMMARY]
While reviewing the virtual appliance, five major security issues were
identified:
1) Ability to recover the file system encryption keys via a cold-boot-like
attack;
2) Off-line super user password reset via physical attack;
3) Hard-coded credential for an interactive unprivileged user;
4) Hard-coded SSH key file that could permit local privilege escalation;
5) Various credentials and private IP address of Barracuda’s internal server.
[VULNERABLE VERSIONS]
Barracuda Load Balancer - firmware version 5.0.0.015. Probably there are other
appliances from the vendor affected by the same problems.
[TECHNICAL DETAILS]
The full report with technical details about the vulnerabilities I have
identified is available at:
https://github.com/cmaruti/reports/raw/master/barracuda_load_balancer_vm.pdf
[VULNERABILITY REFERENCE]
The following IDs were associated by Barracuda (BNSECID) to handle the
vulnerabilities:
- BNSEC-0004000355: VM filesystem encryption keys can be leaked through memory
dump.
- BNSEC-0006000122: VM appliance susceptible to off-line user password reset.
- BNSEC-0006000124: VM filesystem encryption keys can be leaked through memory
dump.
- BNSEC-0006000123: Hard coded weak credentials for product user.
- BNSEC-0006000126: Internal system information leakage through VM virtual
drive.
The following CVE IDs were pre-allocated to track the vulnerabilities:
- CVE-2014-8426: Hard coded weak credentials for product user.
[DISCLOSURE TIMELINE]
2014-01-03 Report submitted to vendor via its bug bounty program.
2014-01-03 Vendor confirmed receiving the report (automatic reply).
2014-01-09 Vendor gave follow-up.
2014-01-13 Vendor provided BNSEC IDs.
2014-01-22 Researcher requested further update about the status of the
submission.
2014-01-22 Vendor gave follow-up and updated the list of BNSEC IDs.
2014-02-06 Researcher requested for the second time an update about the status
of his submission.
2014-02-06 Vendor acknowledged the delay in processing the submission because
of internal reorganization of the bounty program.
2014-03-18 Vendor sent update. Confirming the severity of the vulnerabilities,
still processing the submission and developing appropriate fixes.
2014-03-20 Vendor approved bounty. Four of five vulnerabilities are eligible
for the bounty program.
2014-04-20 Barracuda created fixes for the issues reported but postponed the
test due to addressing the Heartbleed vulnerability.
2014-04-23 Researcher received the bounty prize.
2014-05-06 Vendor gave follow-up but no further details about the status of the
patching process were disclosed.
2014-06-04 Researcher requested further update about the status of the
submission.
2014-10-01 Vendor postponed the fix due to Shellshock vulnerability.
2014-12-05 Vendor escalated the issues because the cleanup had been delayed too
many times; the coordinated disclosure date will be January 20th, 2015.
2015-01-20 Public disclosure.
[SOLUTION]
Vendor addressed the vulnerabilities identified by CVE-2014-8426 and
CVE-2014-8428. The Vendor is currently evaluating ways to mitigate the
remaining ones.
[REPORT URL]
https://github.com/cmaruti/reports/raw/master/barracuda_load_balancer_vm.pdf
| VAR-201708-0292 | CVE-2014-8426 | Barracuda Load Balancer hard-coded credentials vulnerability |
CVSS V2: 7.5 CVSS V3: 9.8 Severity: CRITICAL |
Hard coded weak credentials in Barracuda Load Balancer 5.0.0.015. Barracuda Load Balancer contains a vulnerability in the use of hard-coded credentials. Information may be obtained or altered, and service operation may be disrupted (DoS). The controller provides protection against intrusion and attack events, while optimizing application load and providing strong performance support.
===============================================================================
title: Virtual Appliance Security Review
case id: CM-2013-01
product: Barracuda Load Balancer ADC
vulnerability type: Multiple
severity: Medium to High
found: 2013-12-13
by: Cristiano Maruti (@cmaruti)
===============================================================================
[EXECUTIVE SUMMARY]
While reviewing the virtual appliance, five major security issues were
identified:
1) Ability to recover the file system encryption keys via a cold-boot-like
attack;
2) Off-line super user password reset via physical attack;
3) Hard-coded credential for an interactive unprivileged user;
4) Hard-coded SSH key file that could permit local privilege escalation;
5) Various credentials and private IP address of Barracuda’s internal server.
[VULNERABLE VERSIONS]
Barracuda Load Balancer - firmware version 5.0.0.015. Probably there are other
appliances from the vendor affected by the same problems.
[TECHNICAL DETAILS]
The full report with technical details about the vulnerabilities I have
identified is available at:
https://github.com/cmaruti/reports/raw/master/barracuda_load_balancer_vm.pdf
[VULNERABILITY REFERENCE]
The following IDs were associated by Barracuda (BNSECID) to handle the
vulnerabilities:
- BNSEC-0004000355: VM filesystem encryption keys can be leaked through memory
dump.
- BNSEC-0006000122: VM appliance susceptible to off-line user password reset.
- BNSEC-0006000124: VM filesystem encryption keys can be leaked through memory
dump.
- BNSEC-0006000126: Internal system information leakage through VM virtual
drive.
- BNSEC-0006000125: Privilege escalation using improperly protected SSH key.
- CVE-2014-8428: Privilege escalation using improperly protected SSH key.
[DISCLOSURE TIMELINE]
2014-01-03 Report submitted to vendor via its bug bounty program.
2014-01-03 Vendor confirmed receiving the report (automatic reply).
2014-01-09 Vendor gave follow-up.
2014-01-13 Vendor provided BNSEC IDs.
2014-01-22 Researcher requested further update about the status of the
submission.
2014-01-22 Vendor gave follow-up and updated the list of BNSEC IDs.
2014-02-06 Researcher requested for the second time an update about the status
of his submission.
2014-02-06 Vendor acknowledged the delay in processing the submission because
of internal reorganization of the bounty program.
2014-03-18 Vendor sent update. Confirming the severity of the vulnerabilities,
still processing the submission and developing appropriate fixes.
2014-03-20 Vendor approved bounty. Four of five vulnerabilities are eligible
for the bounty program.
2014-04-20 Barracuda created fixes for the issues reported but postponed the
test due to addressing the Heartbleed vulnerability.
2014-04-23 Researcher received the bounty prize.
2014-05-06 Vendor gave follow-up but no further details about the status of the
patching process were disclosed.
2014-06-04 Researcher requested further update about the status of the
submission.
2014-10-01 Vendor postponed the fix due to Shellshock vulnerability.
2014-12-05 Vendor escalated the issues because the cleanup had been delayed too
many times; the coordinated disclosure date will be January 20th, 2015.
2015-01-20 Public disclosure.
[SOLUTION]
Vendor addressed the vulnerabilities identified by CVE-2014-8426 and
CVE-2014-8428. The Vendor is currently evaluating ways to mitigate the
remaining ones.
[REPORT URL]
https://github.com/cmaruti/reports/raw/master/barracuda_load_balancer_vm.pdf
| VAR-201501-0185 | CVE-2014-6584 | Oracle Sun Systems Products Suite Integrated Lights Out Manager (ILOM) Backup Restore vulnerability |
CVSS V2: 4.0 CVSS V3: - Severity: MEDIUM |
Unspecified vulnerability in the Integrated Lights Out Manager (ILOM) component in Oracle Sun Systems Products Suite ILOM before 3.2.4 allows remote authenticated users to affect confidentiality via unknown vectors related to Backup Restore. Oracle Integrated Lights Out Manager is prone to a remote security vulnerability.
The vulnerability can be exploited over the 'HTTP' protocol. The 'Backup Restore' sub component is affected.
This vulnerability affects the following supported versions:
ILOM prior to 3.2.4. ILOM can manage and monitor components installed in the server, and remotely manage the server. Remote attackers can use this vulnerability to read data, affecting data confidentiality.
| VAR-201501-0542 | CVE-2015-1309 | SAP NetWeaver AS ABAP Extended Computer Aided Test Tool XML external entity vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: Medium |
XML external entity vulnerability in the Extended Computer Aided Test Tool (eCATT) in SAP NetWeaver AS ABAP 7.31 and earlier allows remote attackers to access arbitrary files via a crafted XML request, related to ECATT_DISPLAY_XMLSTRING_REMOTE, aka SAP Note 2016638. The vendor has confirmed this vulnerability and released the fix as SAP Note 2016638. Supplementary information: the CWE vulnerability type has been identified as CWE-611: Improper Restriction of XML External Entity Reference ('XXE'), http://cwe.mitre.org/data/definitions/611.html. A third party may access arbitrary files via a crafted XML request. SAP NetWeaver AS ABAP is prone to an information-disclosure vulnerability.
An attacker can exploit this issue to gain access to sensitive information that may lead to further attacks.
| VAR-201502-0096 | CVE-2015-1619 | McAfee Email Gateway Secure Web Mail Client user interface cross-site scripting vulnerability |
CVSS V2: 3.5 CVSS V3: - Severity: LOW |
Cross-site scripting (XSS) vulnerability in the Secure Web Mail Client user interface in McAfee Email Gateway (MEG) 7.6.x before 7.6.3.2, 7.5.x before 75.6, 7.0.x through 7.0.5, 5.6, and earlier allows remote authenticated users to inject arbitrary web script or HTML via unspecified tokens in Digest messages. McAfee Email Gateway is prone to a cross-site scripting vulnerability.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. The solution offers incoming threat protection, outgoing encryption, data loss prevention, and more. The following versions are affected: MEG 7.6.x prior to 7.6.3.2, 7.5.x prior to 75.6, 7.0.x through 7.0.5, 5.6 and prior.