VARIoT IoT vulnerabilities database
| VAR-201409-0273 | CVE-2014-6701 | Vendormate Mobile for Android SSL Information Disclosure Vulnerability |
CVSS V2: 5.4 CVSS V3: - Severity: MEDIUM |
The Vendormate Mobile (aka com.vendormate.mobile) application 3.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. AppsGeyser is an online tool for creating Android applications. As of 22 December 2014, the developer site states that more than 1.3 million Android applications have been created with AppsGeyser. Applications created with AppsGeyser contain code that disables SSL server certificate validation in HTTPS communication. When an application created with AppsGeyser is used, a third party on the same network as the Android device may view or alter the product's communications. Multiple Android apps contain a vulnerability in which SSL certificates are not properly validated. CERT/CC used CERT Tapioca to investigate this vulnerability; see the CERT/CC blog for details of the test method. For this vulnerability, see also DRD19-J, "Properly verify server certificate on SSL/TLS", in the CERT Oracle Secure Coding Standard for Java. CERT Tapioca: https://www.cert.org/vulnerability-analysis/tools/cert-tapioca.cfm CERT/CC blog: https://www.cert.org/blogs/certcc/post.cfm?EntryID=204 DRD19-J. Properly verify server certificate on SSL/TLS: https://www.securecoding.cert.org/confluence/x/CQAJC Although the impact depends on the behavior of the app, a man-in-the-middle attack may allow network traffic that should be protected by HTTPS to be viewed or tampered with. As a result, authentication information may be obtained or arbitrary code may be executed. Vendormate Mobile for Android SSL is an Android platform-based application. Vendormate Mobile for Android SSL has a security vulnerability. An attacker could use this vulnerability to perform a man-in-the-middle attack and impersonate a trusted server.
| VAR-201410-0592 | CVE-2014-7486 | Mitsubishi Road Assist application for Android Information Disclosure Vulnerability |
CVSS V2: 5.4 CVSS V3: - Severity: MEDIUM |
The Mitsubishi Road Assist (aka com.agero.mitsubishi) application 1.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. AppsGeyser is an online tool for creating Android applications. As of 22 December 2014, the developer site states that more than 1.3 million Android applications have been created with AppsGeyser. Applications created with AppsGeyser contain code that disables SSL server certificate validation in HTTPS communication. When an application created with AppsGeyser is used, a third party on the same network as the Android device may view or alter the product's communications. Multiple Android apps contain a vulnerability in which SSL certificates are not properly validated. CERT/CC used CERT Tapioca to investigate this vulnerability; see the CERT/CC blog for details of the test method. For this vulnerability, see also DRD19-J, "Properly verify server certificate on SSL/TLS", in the CERT Oracle Secure Coding Standard for Java. CERT Tapioca: https://www.cert.org/vulnerability-analysis/tools/cert-tapioca.cfm CERT/CC blog: https://www.cert.org/blogs/certcc/post.cfm?EntryID=204 DRD19-J. Properly verify server certificate on SSL/TLS: https://www.securecoding.cert.org/confluence/x/CQAJC Although the impact depends on the behavior of the app, a man-in-the-middle attack may allow network traffic that should be protected by HTTPS to be viewed or tampered with. As a result, authentication information may be obtained or arbitrary code may be executed. An attacker could use this vulnerability to perform a man-in-the-middle attack and impersonate a trusted server.
| VAR-201410-0140 | CVE-2014-6868 | AppsGeyser generates Android applications that fail to properly validate SSL certificates |
CVSS V2: 5.4 CVSS V3: - Severity: MEDIUM |
The DS audio (aka com.synology.DSaudio) application 3.4 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. AppsGeyser is an online tool for creating Android applications. As of 22 December 2014, the developer site states that more than 1.3 million Android applications have been created with AppsGeyser. Applications created with AppsGeyser contain code that disables SSL server certificate validation in HTTPS communication. When an application created with AppsGeyser is used, a third party on the same network as the Android device may view or alter the product's communications. Multiple Android apps contain a vulnerability in which SSL certificates are not properly validated. CERT/CC used CERT Tapioca to investigate this vulnerability; see the CERT/CC blog for details of the test method. For this vulnerability, see also DRD19-J, "Properly verify server certificate on SSL/TLS", in the CERT Oracle Secure Coding Standard for Java. CERT Tapioca: https://www.cert.org/vulnerability-analysis/tools/cert-tapioca.cfm CERT/CC blog: https://www.cert.org/blogs/certcc/post.cfm?EntryID=204 DRD19-J. Properly verify server certificate on SSL/TLS: https://www.securecoding.cert.org/confluence/x/CQAJC Although the impact depends on the behavior of the app, a man-in-the-middle attack may allow network traffic that should be protected by HTTPS to be viewed or tampered with. As a result, authentication information may be obtained or arbitrary code may be executed. An attacker could use this vulnerability to perform a man-in-the-middle attack and impersonate a trusted server. There is a security vulnerability in version 3.4 of the Android DS audio application.
| VAR-201409-0166 | CVE-2014-6848 | AppsGeyser generates Android applications that fail to properly validate SSL certificates |
CVSS V2: 5.4 CVSS V3: - Severity: MEDIUM |
The DS file (aka com.synology.DSfile) application 4.1.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. AppsGeyser is an online tool for creating Android applications. As of 22 December 2014, the developer site states that more than 1.3 million Android applications have been created with AppsGeyser. Applications created with AppsGeyser contain code that disables SSL server certificate validation in HTTPS communication. When an application created with AppsGeyser is used, a third party on the same network as the Android device may view or alter the product's communications. Multiple Android apps contain a vulnerability in which SSL certificates are not properly validated. CERT/CC used CERT Tapioca to investigate this vulnerability; see the CERT/CC blog for details of the test method. For this vulnerability, see also DRD19-J, "Properly verify server certificate on SSL/TLS", in the CERT Oracle Secure Coding Standard for Java. CERT Tapioca: https://www.cert.org/vulnerability-analysis/tools/cert-tapioca.cfm CERT/CC blog: https://www.cert.org/blogs/certcc/post.cfm?EntryID=204 DRD19-J. Properly verify server certificate on SSL/TLS: https://www.securecoding.cert.org/confluence/x/CQAJC Although the impact depends on the behavior of the app, a man-in-the-middle attack may allow network traffic that should be protected by HTTPS to be viewed or tampered with. As a result, authentication information may be obtained or arbitrary code may be executed. An attacker could use this vulnerability to perform a man-in-the-middle attack and impersonate a trusted server. There is a security vulnerability in version 4.1.1 of the Android DS file application.
| VAR-201409-0154 | CVE-2014-6836 | AppsGeyser generates Android applications that fail to properly validate SSL certificates |
CVSS V2: 5.4 CVSS V3: - Severity: MEDIUM |
The DS photo+ (aka com.synology.dsphoto) application 3.3 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. AppsGeyser is an online tool for creating Android applications. As of 22 December 2014, the developer site states that more than 1.3 million Android applications have been created with AppsGeyser. Applications created with AppsGeyser contain code that disables SSL server certificate validation in HTTPS communication. When an application created with AppsGeyser is used, a third party on the same network as the Android device may view or alter the product's communications. Multiple Android apps contain a vulnerability in which SSL certificates are not properly validated. CERT/CC used CERT Tapioca to investigate this vulnerability; see the CERT/CC blog for details of the test method. For this vulnerability, see also DRD19-J, "Properly verify server certificate on SSL/TLS", in the CERT Oracle Secure Coding Standard for Java. CERT Tapioca: https://www.cert.org/vulnerability-analysis/tools/cert-tapioca.cfm CERT/CC blog: https://www.cert.org/blogs/certcc/post.cfm?EntryID=204 DRD19-J. Properly verify server certificate on SSL/TLS: https://www.securecoding.cert.org/confluence/x/CQAJC Although the impact depends on the behavior of the app, a man-in-the-middle attack may allow network traffic that should be protected by HTTPS to be viewed or tampered with. As a result, authentication information may be obtained or arbitrary code may be executed. An attacker could use this vulnerability to perform a man-in-the-middle attack and impersonate a trusted server. There is a security vulnerability in version 3.3 of the Android DS photo+ application.
| VAR-201409-0443 | CVE-2014-0989 | Advantech WebAccess Vulnerable to stack-based buffer overflow |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Stack-based buffer overflow in Advantech WebAccess (formerly BroadWin WebAccess) 7.2 allows remote attackers to execute arbitrary code via the AccessCode2 parameter. Advantech WebAccess is an IE-based HMI/SCADA monitoring software that features all engineering projects, database setup, drawing and software management using a standard browser over the internet or intranet. A buffer overflow vulnerability exists in Advantech WebAccess. An attacker exploits a vulnerability to execute arbitrary code in the context of an affected application or to crash the entire application. Advantech WebAccess is prone to a stack-based buffer-overflow vulnerability because the application fails to properly bounds-check user-supplied data before copying it into an insufficiently sized buffer. Failed exploit attempts will likely cause a denial-of-service condition.
Advantech WebAccess 7.2 is vulnerable; other versions may also be affected. Advantech WebAccess is a browser-based HMI/SCADA software developed by Advantech. The software supports dynamic graphic display and real-time data control, and provides functions of remote control and management of automation equipment.
Core Security - Corelabs Advisory
http://corelabs.coresecurity.com/
Advantech WebAccess Vulnerabilities
1. *Advisory Information*
Title: Advantech WebAccess Vulnerabilities
Advisory ID: CORE-2014-0005
Advisory URL:
http://www.coresecurity.com/advisories/advantech-webaccess-vulnerabilities
Date published: 2014-09-02
Date of last update: 2014-09-01
Vendors contacted: Advantech
Release mode: User release
2. *Vulnerability Description*
Advantech WebAccess [1] is a browser-based
software package for human-machine interfaces HMI, and supervisory
control and data acquisition SCADA.
4. WebAccess 7.2
.
5. *Non-vulnerable packages*
. AdvantechWebAccessUSANode_20140730_3.4.3
6. *Vendor Information, Solutions and Workarounds*
Advantech has addressed the vulnerability in WebAccess by issuing an
update located at
http://webaccess.advantech.com/downloads_software.php
Given that this is a client-side vulnerability, affected users should
avoid opening untrusted '.html' files.
Core Security also recommends those affected use third party software
such as Sentinel [4] or EMET [3] that could help to prevent the
exploitation of affected systems to some extent.
7. *Credits*
This vulnerability was discovered and researched by Ricardo Narvaja from
Core Security Exploit Writers Team.
Core Security Advisories Team would also like to thank ICS-CERT
Coordination Center for their assistance during the vulnerability
reporting process.
8.
Below is shown the result of opening a malicious html file with a long
NodeName parameter. An attacker can overflow the stack buffer mentioned
above and overwrite the SEH (Structured Exception Handler), enabling
arbitrary code execution on the machine.
/-----
EAX 03A39942 ASCII "BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB..."
ECX 0162B720
EDX 01630000 xpsp2res.01630000
EBX 0162B720
ESP 0162B454
EBP 0162B460
ESI 0162B4D8
EDI 03A31E98
EIP 064EA6D4 webvact.064EA6D4
-----/
/-----
SEH chain of thread 000016CC
Address SE handler
0162DB40 42424242
-----/
9. *Report Timeline*
. 2014-05-06: Core Security notifies Advantech of the vulnerability. Publication date is set for May 26th, 2014.
. 2014-05-09: CORE asks for a reply.
. 2014-05-26: First release date missed.
. 2014-05-26: Core Security notifies that the issues were reported 2 weeks ago and there was no reply since May 6th, 2014.
. 2014-05-29: Core Security contacts the ICS-CERT for assistance in order to coordinate the disclosure of the advisory.
. 2014-05-29: ICS-CERT acknowledges Core Security e-mail, and asks for a technical description of the vulnerability.
. 2014-05-29: Core Security sends technical details to the ICS-CERT.
. 2014-06-05: ICS-CERT team notifies that they have contacted the vendor and that they will notify us once the vendor has validated the vulnerabilities.
. 2014-06-18: ICS-CERT team notifies that the vendor is working on a new release, expected to be released in September, and asks if Core Security is interested in validating Advantech's vulnerability fix in their beta version.
. 2014-06-18: Core Security accepts the testing of the vendor beta version, but shares their concerns about waiting several months for fixes that are related to vulnerabilities already public.
. 2014-06-18: ICS-CERT notifies that they will let us know when they plan to make the beta version available for testing.
. 2014-07-03: ICS-CERT team notifies that the vendor is working to provide a download link for the beta version.
. 2014-07-08: ICS-CERT team sends download link provided by the vendor.
. 2014-07-10: Core Security confirms to ICS-CERT that the new version is still vulnerable, and comments that after some analysis the vulnerable function doesn't have changes.
. 2014-07-10: ICS-CERT notifies that they will let the vendor know that the vulnerabilities still exist, and asks to set up a teleconference between Core Security, the CERT and the vendor.
. 2014-07-10: Core Security notifies the ICS-CERT that all interactions are made via email only.
. 2014-07-10: ICS-CERT notifies they provided the information to the vendor.
. 2014-07-21: Core Security notifies the ICS-CERT that Tipping Point Zero Day Initiative has released several advisories [2] affecting the vendor, including some that appear to be related to the one we are coordinating.
. 2014-07-21: ICS-CERT notifies that some of those advisories were in coordination with them, and that after a review of the link shared by Core Security are related to ICSA-14-198-02 and don't appear to be related to the reported vulnerability.
. 2014-07-21: Core Security notifies that ZDI-14-243 and ZDI-14-244 appear to be directly related.
. 2014-07-21: ICS-CERT is trying to contact Advantech to get a status update and their current plan for vulnerability remediation.
. 2014-08-07: ICS-CERT notifies that they contacted the vendor and they are waiting for a status update.
. 2014-08-21: Core Security contacts ICS-CERT since no reply was received in the past two weeks.
. 2014-08-21: ICS-CERT notifies that vendor representative stated that they are currently training a new product manager and they have not yet responded to the vulnerabilities we are discussing.
. 2014-08-28: Core Security notifies the ICS-CERT that the advisory publication is going to be scheduled for Monday 1st of September.
. 2014-08-28: ICS-CERT acknowledges Core Security e-mail.
. 2014-08-28: Core Security re-schedules the advisory publication for Sep 2nd, 2014.
. 2014-09-02: Core Security found out that the vendor released a silent fix on 30th of July.
. 2014-09-02: Core Security releases the advisory CORE-2014-0005 tagged as user-release.
10. *References*
[1] http://webaccess.advantech.com/.
[2] http://www.zerodayinitiative.com/advisories/published/.
[3] http://support.microsoft.com/kb/2458544.
[4] https://github.com/CoreSecurity/sentinel.
11. *About CoreLabs*
CoreLabs, the research center of Core Security, is charged with
anticipating the future needs and requirements for information security
technologies.
We conduct our research in several important areas of computer security
including system vulnerabilities, cyber attack planning and simulation,
source code auditing, and cryptography. Our results include problem
formalization, identification of vulnerabilities, novel solutions and
prototypes for new technologies. CoreLabs regularly publishes security
advisories, technical papers, project information and shared software
tools for public use at:
http://corelabs.coresecurity.com.
12. *About Core Security Technologies*
Core Security Technologies enables organizations to get ahead of threats
with security test and measurement solutions that continuously identify
and demonstrate real-world exposures to their most critical assets. Our
customers can gain real visibility into their security standing, real
validation of their security controls, and real metrics to more
effectively secure their organizations.
Core Security's software solutions build on over a decade of trusted
research and leading-edge threat expertise from the company's Security
Consulting Services, CoreLabs and Engineering groups. Core Security
Technologies can be reached at +1 (617) 399-6980 or on the Web at:
http://www.coresecurity.com.
13. *Disclaimer*
The contents of this advisory are copyright
(c) 2014 Core Security and (c) 2014 CoreLabs,
and are licensed under a Creative Commons
Attribution Non-Commercial Share-Alike 3.0 (United States) License:
http://creativecommons.org/licenses/by-nc-sa/3.0/us/
14. *PGP/GPG Keys*
This advisory has been signed with the GPG key of Core Security
advisories team, which is available for download at
http://www.coresecurity.com/files/attachments/core_security_advisories.asc
| VAR-201409-0444 | CVE-2014-0990 | Advantech WebAccess Vulnerable to stack-based buffer overflow |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Stack-based buffer overflow in Advantech WebAccess (formerly BroadWin WebAccess) 7.2 allows remote attackers to execute arbitrary code via the UserName parameter. Advantech WebAccess is an IE-based HMI/SCADA monitoring software that features all engineering projects, database setup, drawing and software management using a standard browser over the internet or intranet. A buffer overflow vulnerability exists in Advantech WebAccess. An attacker exploits a vulnerability to execute arbitrary code in the context of an affected application or to crash the entire application. Advantech WebAccess is prone to a stack-based buffer-overflow vulnerability because the application fails to properly bounds-check user-supplied data before copying it into an insufficiently sized buffer. Failed exploit attempts will likely cause a denial-of-service condition.
Advantech WebAccess 7.2 is vulnerable; other versions may also be affected. Advantech WebAccess is a browser-based HMI/SCADA software developed by Advantech. The software supports dynamic graphic display and real-time data control, and provides functions of remote control and management of automation equipment.
Core Security - Corelabs Advisory
http://corelabs.coresecurity.com/
Advantech WebAccess Vulnerabilities
1. *Advisory Information*
Title: Advantech WebAccess Vulnerabilities
Advisory ID: CORE-2014-0005
Advisory URL:
http://www.coresecurity.com/advisories/advantech-webaccess-vulnerabilities
Date published: 2014-09-02
Date of last update: 2014-09-01
Vendors contacted: Advantech
Release mode: User release
2. *Vulnerability Description*
Advantech WebAccess [1] is a browser-based
software package for human-machine interfaces HMI, and supervisory
control and data acquisition SCADA.
4. WebAccess 7.2
.
5. *Non-vulnerable packages*
. AdvantechWebAccessUSANode_20140730_3.4.3
6. *Vendor Information, Solutions and Workarounds*
Advantech has addressed the vulnerability in WebAccess by issuing an
update located at
http://webaccess.advantech.com/downloads_software.php
Given that this is a client-side vulnerability, affected users should
avoid opening untrusted '.html' files.
Core Security also recommends those affected use third party software
such as Sentinel [4] or EMET [3] that could help to prevent the
exploitation of affected systems to some extent.
7. *Credits*
This vulnerability was discovered and researched by Ricardo Narvaja from
Core Security Exploit Writers Team.
Core Security Advisories Team would also like to thank ICS-CERT
Coordination Center for their assistance during the vulnerability
reporting process.
8.
Below is shown the result of opening a malicious html file with a long
NodeName parameter. An attacker can overflow the stack buffer mentioned
above and overwrite the SEH (Structured Exception Handler), enabling
arbitrary code execution on the machine.
/-----
EAX 03A39942 ASCII "BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB..."
ECX 0162B720
EDX 01630000 xpsp2res.01630000
EBX 0162B720
ESP 0162B454
EBP 0162B460
ESI 0162B4D8
EDI 03A31E98
EIP 064EA6D4 webvact.064EA6D4
-----/
/-----
SEH chain of thread 000016CC
Address SE handler
0162DB40 42424242
-----/
9. *Report Timeline*
. 2014-05-06: Core Security notifies Advantech of the vulnerability. Publication date is set for May 26th, 2014.
. 2014-05-09: CORE asks for a reply.
. 2014-05-26: First release date missed.
. 2014-05-26: Core Security notifies that the issues were reported 2 weeks ago and there was no reply since May 6th, 2014.
. 2014-05-29: Core Security contacts the ICS-CERT for assistance in order to coordinate the disclosure of the advisory.
. 2014-05-29: ICS-CERT acknowledges Core Security e-mail, and asks for a technical description of the vulnerability.
. 2014-05-29: Core Security sends technical details to the ICS-CERT.
. 2014-06-05: ICS-CERT team notifies that they have contacted the vendor and that they will notify us once the vendor has validated the vulnerabilities.
. 2014-06-18: ICS-CERT team notifies that the vendor is working on a new release, expected to be released in September, and asks if Core Security is interested in validating Advantech's vulnerability fix in their beta version.
. 2014-06-18: Core Security accepts the testing of the vendor beta version, but shares their concerns about waiting several months for fixes that are related to vulnerabilities already public.
. 2014-06-18: ICS-CERT notifies that they will let us know when they plan to make the beta version available for testing.
. 2014-07-03: ICS-CERT team notifies that the vendor is working to provide a download link for the beta version.
. 2014-07-08: ICS-CERT team sends download link provided by the vendor.
. 2014-07-10: Core Security confirms to ICS-CERT that the new version is still vulnerable, and comments that after some analysis the vulnerable function doesn't have changes.
. 2014-07-10: ICS-CERT notifies that they will let the vendor know that the vulnerabilities still exist, and asks to set up a teleconference between Core Security, the CERT and the vendor.
. 2014-07-10: Core Security notifies the ICS-CERT that all interactions are made via email only.
. 2014-07-10: ICS-CERT notifies they provided the information to the vendor.
. 2014-07-21: Core Security notifies the ICS-CERT that Tipping Point Zero Day Initiative has released several advisories [2] affecting the vendor, including some that appear to be related to the one we are coordinating.
. 2014-07-21: ICS-CERT notifies that some of those advisories were in coordination with them, and that after a review of the link shared by Core Security are related to ICSA-14-198-02 and don't appear to be related to the reported vulnerability.
. 2014-07-21: Core Security notifies that ZDI-14-243 and ZDI-14-244 appear to be directly related.
. 2014-07-21: ICS-CERT is trying to contact Advantech to get a status update and their current plan for vulnerability remediation.
. 2014-08-07: ICS-CERT notifies that they contacted the vendor and they are waiting for a status update.
. 2014-08-21: Core Security contacts ICS-CERT since no reply was received in the past two weeks.
. 2014-08-21: ICS-CERT notifies that vendor representative stated that they are currently training a new product manager and they have not yet responded to the vulnerabilities we are discussing.
. 2014-08-28: Core Security notifies the ICS-CERT that the advisory publication is going to be scheduled for Monday 1st of September.
. 2014-08-28: ICS-CERT acknowledges Core Security e-mail.
. 2014-08-28: Core Security re-schedules the advisory publication for Sep 2nd, 2014.
. 2014-09-02: Core Security found out that the vendor released a silent fix on 30th of July.
. 2014-09-02: Core Security releases the advisory CORE-2014-0005 tagged as user-release.
10. *References*
[1] http://webaccess.advantech.com/.
[2] http://www.zerodayinitiative.com/advisories/published/.
[3] http://support.microsoft.com/kb/2458544.
[4] https://github.com/CoreSecurity/sentinel.
11. *About CoreLabs*
CoreLabs, the research center of Core Security, is charged with
anticipating the future needs and requirements for information security
technologies.
We conduct our research in several important areas of computer security
including system vulnerabilities, cyber attack planning and simulation,
source code auditing, and cryptography. Our results include problem
formalization, identification of vulnerabilities, novel solutions and
prototypes for new technologies. CoreLabs regularly publishes security
advisories, technical papers, project information and shared software
tools for public use at:
http://corelabs.coresecurity.com.
12. *About Core Security Technologies*
Core Security Technologies enables organizations to get ahead of threats
with security test and measurement solutions that continuously identify
and demonstrate real-world exposures to their most critical assets. Our
customers can gain real visibility into their security standing, real
validation of their security controls, and real metrics to more
effectively secure their organizations.
Core Security's software solutions build on over a decade of trusted
research and leading-edge threat expertise from the company's Security
Consulting Services, CoreLabs and Engineering groups. Core Security
Technologies can be reached at +1 (617) 399-6980 or on the Web at:
http://www.coresecurity.com.
13. *Disclaimer*
The contents of this advisory are copyright
(c) 2014 Core Security and (c) 2014 CoreLabs,
and are licensed under a Creative Commons
Attribution Non-Commercial Share-Alike 3.0 (United States) License:
http://creativecommons.org/licenses/by-nc-sa/3.0/us/
14. *PGP/GPG Keys*
This advisory has been signed with the GPG key of Core Security
advisories team, which is available for download at
http://www.coresecurity.com/files/attachments/core_security_advisories.asc
| VAR-201409-0442 | CVE-2014-0988 | Advantech WebAccess Vulnerable to stack-based buffer overflow |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Stack-based buffer overflow in Advantech WebAccess (formerly BroadWin WebAccess) 7.2 allows remote attackers to execute arbitrary code via the AccessCode parameter. Advantech WebAccess is an IE-based HMI/SCADA monitoring software that features all engineering projects, database setup, drawing and software management using a standard browser over the internet or intranet. A buffer overflow vulnerability exists in Advantech WebAccess. An attacker exploits a vulnerability to execute arbitrary code in the context of an affected application or to crash the entire application. Advantech WebAccess is prone to a stack-based buffer-overflow vulnerability because the application fails to properly bounds-check user-supplied data before copying it into an insufficiently sized buffer. Failed exploit attempts will likely cause a denial-of-service condition.
Advantech WebAccess 7.2 is vulnerable; other versions may also be affected. Advantech WebAccess is a browser-based HMI/SCADA software developed by Advantech. The software supports dynamic graphic display and real-time data control, and provides functions of remote control and management of automation equipment.
Core Security - Corelabs Advisory
http://corelabs.coresecurity.com/
Advantech WebAccess Vulnerabilities
1. *Advisory Information*
Title: Advantech WebAccess Vulnerabilities
Advisory ID: CORE-2014-0005
Advisory URL:
http://www.coresecurity.com/advisories/advantech-webaccess-vulnerabilities
Date published: 2014-09-02
Date of last update: 2014-09-01
Vendors contacted: Advantech
Release mode: User release
2. *Vulnerability Description*
Advantech WebAccess [1] is a browser-based
software package for human-machine interfaces HMI, and supervisory
control and data acquisition SCADA.
4. WebAccess 7.2
.
5. *Non-vulnerable packages*
. AdvantechWebAccessUSANode_20140730_3.4.3
6. *Vendor Information, Solutions and Workarounds*
Advantech has addressed the vulnerability in WebAccess by issuing an
update located at
http://webaccess.advantech.com/downloads_software.php
Given that this is a client-side vulnerability, affected users should
avoid opening untrusted '.html' files.
Core Security also recommends those affected use third party software
such as Sentinel [4] or EMET [3] that could help to prevent the
exploitation of affected systems to some extent.
7. *Credits*
This vulnerability was discovered and researched by Ricardo Narvaja from
Core Security Exploit Writers Team.
Core Security Advisories Team would also like to thank ICS-CERT
Coordination Center for their assistance during the vulnerability
reporting process.
8.
Below is shown the result of opening a malicious html file with a long
NodeName parameter. An attacker can overflow the stack buffer mentioned
above and overwrite the SEH (Structured Exception Handler), enabling
arbitrary code execution on the machine.
/-----
EAX 03A39942 ASCII "BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB..."
ECX 0162B720
EDX 01630000 xpsp2res.01630000
EBX 0162B720
ESP 0162B454
EBP 0162B460
ESI 0162B4D8
EDI 03A31E98
EIP 064EA6D4 webvact.064EA6D4
-----/
/-----
SEH chain of thread 000016CC
Address SE handler
0162DB40 42424242
-----/
9. *Report Timeline*
. 2014-05-06: Core Security notifies Advantech of the vulnerability. Publication date is set for May 26th, 2014.
. 2014-05-09: CORE asks for a reply.
. 2014-05-26: First release date missed.
. 2014-05-26: Core Security notifies that the issues were reported 2 weeks ago and there was no reply since May 6th, 2014.
. 2014-05-29: Core Security contacts the ICS-CERT for assistance in order to coordinate the disclosure of the advisory.
. 2014-05-29: ICS-CERT acknowledges Core Security e-mail, and asks for a technical description of the vulnerability.
. 2014-05-29: Core Security sends technical details to the ICS-CERT.
. 2014-06-05: ICS-CERT team notifies that they have contacted the vendor and that they will notify us once the vendor has validated the vulnerabilities.
. 2014-06-18: ICS-CERT team notifies that the vendor is working on a new release, expected to be released in September, and asks if Core Security is interested in validating Advantech's vulnerability fix in their beta version.
. 2014-06-18: Core Security accepts the testing of the vendor beta version, but shares their concerns about waiting several months for fixes that are related to vulnerabilities already public.
. 2014-06-18: ICS-CERT notifies that they will let us know when they plan to make the beta version available for testing.
. 2014-07-03: ICS-CERT team notifies that the vendor is working to provide a download link for the beta version.
. 2014-07-08: ICS-CERT team sends download link provided by the vendor.
. 2014-07-10: Core Security confirms to ICS-CERT that the new version is still vulnerable, and comments that after some analysis the vulnerable function has no changes.
. 2014-07-10: ICS-CERT notifies that they will let the vendor know that the vulnerabilities still exist, and asks to set up a teleconference between Core Security, the CERT and the vendor.
. 2014-07-10: Core Security notifies the ICS-CERT that all interactions are made via email only.
. 2014-07-10: ICS-CERT notifies they provided the information to the vendor.
. 2014-07-21: Core Security notifies the ICS-CERT that Tipping Point Zero Day Initiative has released several advisories [2] affecting the vendor, including some that appear to be related to the one we are coordinating.
. 2014-07-21: ICS-CERT notifies that some of those advisories were in coordination with them, and that, after a review of the link shared by Core Security, they are related to ICSA-14-198-02 and don't appear to be related to the reported vulnerability.
. 2014-07-21: Core Security notifies that ZDI-14-243 and ZDI-14-244 appear to be directly related.
. 2014-07-21: ICS-CERT is trying to contact Advantech to get a status update and their current plan for vulnerability remediation.
. 2014-08-07: ICS-CERT notifies that they contacted the vendor and they are waiting for a status update.
. 2014-08-21: Core Security contacts ICS-CERT since no reply was received in the past two weeks.
. 2014-08-21: ICS-CERT notifies that vendor representative stated that they are currently training a new product manager and they have not yet responded to the vulnerabilities we are discussing.
. 2014-08-28: Core Security notifies the ICS-CERT that the advisory publication is going to be scheduled for Monday 1st of September.
. 2014-08-28: ICS-CERT acknowledges Core Security e-mail.
. 2014-08-28: Core Security re-schedules the advisory publication for Sep 2nd, 2014.
. 2014-09-02: Core Security found out that the vendor released a silent fix on 30th of July.
. 2014-09-02: Core Security releases the advisory CORE-2014-0005 tagged as user-release.
10. *References*
[1] http://webaccess.advantech.com/.
[2] http://www.zerodayinitiative.com/advisories/published/.
[3] http://support.microsoft.com/kb/2458544.
[4] https://github.com/CoreSecurity/sentinel.
11. *About CoreLabs*
CoreLabs, the research center of Core Security, is charged with anticipating the future needs and requirements for information security technologies.
We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at:
http://corelabs.coresecurity.com.
12. *About Core Security Technologies*
Core Security Technologies enables organizations to get ahead of threats with security test and measurement solutions that continuously identify and demonstrate real-world exposures to their most critical assets. Our customers can gain real visibility into their security standing, real validation of their security controls, and real metrics to more effectively secure their organizations.
Core Security's software solutions build on over a decade of trusted research and leading-edge threat expertise from the company's Security Consulting Services, CoreLabs and Engineering groups. Core Security Technologies can be reached at +1 (617) 399-6980 or on the Web at:
http://www.coresecurity.com.
13. *Disclaimer*
The contents of this advisory are copyright (c) 2014 Core Security and (c) 2014 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License:
http://creativecommons.org/licenses/by-nc-sa/3.0/us/
14. *PGP/GPG Keys*
This advisory has been signed with the GPG key of Core Security advisories team, which is available for download at
http://www.coresecurity.com/files/attachments/core_security_advisories.asc
| VAR-201409-0399 | CVE-2014-3353 | Cisco Carrier Routing System Used in Cisco IOS XR Service disruption in (DoS) Vulnerabilities |
CVSS V2: 7.1 CVSS V3: - Severity: HIGH |
Cisco IOS XR 4.3(.2) and earlier, as used in Cisco Carrier Routing System (CRS), allows remote attackers to cause a denial of service (CPU consumption and IPv6 packet drops) via a malformed IPv6 packet, aka Bug ID CSCuo95165. Cisco IOS XR is a member of the Cisco IOS Software family that uses a microkernel-based operating system architecture.
This issue is being tracked by Cisco Bug ID CSCuo95165
| VAR-201409-0445 | CVE-2014-0991 | Advantech WebAccess Vulnerable to stack-based buffer overflow |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Stack-based buffer overflow in Advantech WebAccess (formerly BroadWin WebAccess) 7.2 allows remote attackers to execute arbitrary code via the projectname parameter. Advantech WebAccess is an IE-based HMI/SCADA monitoring software that features all engineering projects, database setup, drawing and software management using a standard browser over the internet or intranet. A buffer overflow vulnerability exists in Advantech WebAccess. An attacker can exploit this vulnerability to execute arbitrary code in the context of the affected application or to crash the entire application. Advantech WebAccess is prone to a stack-based buffer-overflow vulnerability because the application fails to properly bounds-check user-supplied data before copying it into an insufficiently sized buffer. Failed exploit attempts will likely cause a denial-of-service condition.
Advantech WebAccess 7.2 is vulnerable; other versions may also be affected. Advantech WebAccess is a browser-based HMI/SCADA software developed by Advantech. The software supports dynamic graphic display and real-time data control, and provides functions of remote control and management of automation equipment.
Core Security - Corelabs Advisory
http://corelabs.coresecurity.com/
Advantech WebAccess Vulnerabilities
1. *Advisory Information*
Title: Advantech WebAccess Vulnerabilities
Advisory ID: CORE-2014-0005
Advisory URL: http://www.coresecurity.com/advisories/advantech-webaccess-vulnerabilities
Date published: 2014-09-02
Date of last update: 2014-09-01
Vendors contacted: Advantech
Release mode: User release
2. *Vulnerability Description*
Advantech WebAccess [1] is a browser-based software package for human-machine interfaces (HMI), and supervisory control and data acquisition (SCADA).
4. WebAccess 7.2
.
5. *Non-vulnerable packages*
. AdvantechWebAccessUSANode_20140730_3.4.3
6. *Vendor Information, Solutions and Workarounds*
Advantech has addressed the vulnerability in WebAccess by issuing an update located at
http://webaccess.advantech.com/downloads_software.php
Given that this is a client-side vulnerability, affected users should avoid opening untrusted '.html' files.
Core Security also recommends those affected use third party software such as Sentinel [4] or EMET [3] that could help to prevent the exploitation of affected systems to some extent.
7. *Credits*
This vulnerability was discovered and researched by Ricardo Narvaja from Core Security Exploit Writers Team.
Core Security Advisories Team would also like to thank ICS-CERT Coordination Center for their assistance during the vulnerability reporting process.
8.
Below is shown the result of opening a malicious html file with a long NodeName parameter; an attacker can overflow the stack buffer mentioned above and overwrite the SEH (Structured Exception Handler), enabling arbitrary code execution on the machine.
/-----
EAX 03A39942 ASCII "BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB..."
ECX 0162B720
EDX 01630000 xpsp2res.01630000
EBX 0162B720
ESP 0162B454
EBP 0162B460
ESI 0162B4D8
EDI 03A31E98
EIP 064EA6D4 webvact.064EA6D4
-----/
/-----
SEH chain of thread 000016CC
Address SE handler
0162DB40 42424242
-----/
9. *Report Timeline*
. 2014-05-06: Core Security notifies Advantech of the vulnerability. Publication date is set for May 26th, 2014.
. 2014-05-09: CORE asks for a reply.
. 2014-05-26: First release date missed.
. 2014-05-26: Core Security notifies that the issues were reported 2 weeks ago and there was no reply since May 6th, 2014.
. 2014-05-29: Core Security contacts the ICS-CERT for assistance in order to coordinate the disclosure of the advisory.
. 2014-05-29: ICS-CERT acknowledges Core Security e-mail, and asks for a technical description of the vulnerability.
. 2014-05-29: Core Security sends technical details to the ICS-CERT.
. 2014-06-05: ICS-CERT team notifies that they have contacted the vendor and that they will notify us once the vendor has validated the vulnerabilities.
. 2014-06-18: ICS-CERT team notifies that the vendor is working on a new release, expected to be released in September, and asks if Core Security is interested in validating Advantech's vulnerability fix in their beta version.
. 2014-06-18: Core Security accepts the testing of the vendor beta version, but shares their concerns about waiting several months for fixes that are related to vulnerabilities already public.
. 2014-06-18: ICS-CERT notifies that they will let us know when they plan to make the beta version available for testing.
. 2014-07-03: ICS-CERT team notifies that the vendor is working to provide a download link for the beta version.
. 2014-07-08: ICS-CERT team sends download link provided by the vendor.
. 2014-07-10: Core Security confirms to ICS-CERT that the new version is still vulnerable, and comments that after some analysis the vulnerable function has no changes.
. 2014-07-10: ICS-CERT notifies that they will let the vendor know that the vulnerabilities still exist, and asks to set up a teleconference between Core Security, the CERT and the vendor.
. 2014-07-10: Core Security notifies the ICS-CERT that all interactions are made via email only.
. 2014-07-10: ICS-CERT notifies they provided the information to the vendor.
. 2014-07-21: Core Security notifies the ICS-CERT that Tipping Point Zero Day Initiative has released several advisories [2] affecting the vendor, including some that appear to be related to the one we are coordinating.
. 2014-07-21: ICS-CERT notifies that some of those advisories were in coordination with them, and that, after a review of the link shared by Core Security, they are related to ICSA-14-198-02 and don't appear to be related to the reported vulnerability.
. 2014-07-21: Core Security notifies that ZDI-14-243 and ZDI-14-244 appear to be directly related.
. 2014-07-21: ICS-CERT is trying to contact Advantech to get a status update and their current plan for vulnerability remediation.
. 2014-08-07: ICS-CERT notifies that they contacted the vendor and they are waiting for a status update.
. 2014-08-21: Core Security contacts ICS-CERT since no reply was received in the past two weeks.
. 2014-08-21: ICS-CERT notifies that vendor representative stated that they are currently training a new product manager and they have not yet responded to the vulnerabilities we are discussing.
. 2014-08-28: Core Security notifies the ICS-CERT that the advisory publication is going to be scheduled for Monday 1st of September.
. 2014-08-28: ICS-CERT acknowledges Core Security e-mail.
. 2014-08-28: Core Security re-schedules the advisory publication for Sep 2nd, 2014.
. 2014-09-02: Core Security found out that the vendor released a silent fix on 30th of July.
. 2014-09-02: Core Security releases the advisory CORE-2014-0005 tagged as user-release.
10. *References*
[1] http://webaccess.advantech.com/.
[2] http://www.zerodayinitiative.com/advisories/published/.
[3] http://support.microsoft.com/kb/2458544.
[4] https://github.com/CoreSecurity/sentinel.
| VAR-201409-0440 | CVE-2014-0986 | Advantech WebAccess Vulnerable to stack-based buffer overflow |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Stack-based buffer overflow in Advantech WebAccess (formerly BroadWin WebAccess) 7.2 allows remote attackers to execute arbitrary code via the GotoCmd parameter. Advantech WebAccess is an IE-based HMI/SCADA monitoring software featuring all engineering projects, database setup, drawing and software management using standard browsers over the internet or intranet. A buffer overflow vulnerability exists in Advantech WebAccess. An attacker can exploit this vulnerability to execute arbitrary code in the context of the affected application or to crash the entire application. Advantech WebAccess is prone to a stack-based buffer-overflow vulnerability because the application fails to properly bounds-check user-supplied data before copying it into an insufficiently sized buffer. Failed exploit attempts will likely cause a denial-of-service condition.
Advantech WebAccess 7.2 is vulnerable; other versions may also be affected. Advantech WebAccess is a browser-based HMI/SCADA software developed by Advantech. The software supports dynamic graphic display and real-time data control, and provides functions of remote control and management of automation equipment.
Core Security - Corelabs Advisory
http://corelabs.coresecurity.com/
Advantech WebAccess Vulnerabilities
1. *Advisory Information*
Title: Advantech WebAccess Vulnerabilities
Advisory ID: CORE-2014-0005
Advisory URL: http://www.coresecurity.com/advisories/advantech-webaccess-vulnerabilities
Date published: 2014-09-02
Date of last update: 2014-09-01
Vendors contacted: Advantech
Release mode: User release
2. *Vulnerability Description*
Advantech WebAccess [1] is a browser-based software package for human-machine interfaces (HMI), and supervisory control and data acquisition (SCADA).
4. WebAccess 7.2
.
5. *Non-vulnerable packages*
. AdvantechWebAccessUSANode_20140730_3.4.3
6. *Vendor Information, Solutions and Workarounds*
Advantech has addressed the vulnerability in WebAccess by issuing an update located at
http://webaccess.advantech.com/downloads_software.php
Given that this is a client-side vulnerability, affected users should avoid opening untrusted '.html' files.
Core Security also recommends those affected use third party software such as Sentinel [4] or EMET [3] that could help to prevent the exploitation of affected systems to some extent.
7. *Credits*
This vulnerability was discovered and researched by Ricardo Narvaja from Core Security Exploit Writers Team.
Core Security Advisories Team would also like to thank ICS-CERT Coordination Center for their assistance during the vulnerability reporting process.
8.
Below is shown the result of opening a malicious html file with a long NodeName parameter; an attacker can overflow the stack buffer mentioned above and overwrite the SEH (Structured Exception Handler), enabling arbitrary code execution on the machine.
/-----
EAX 03A39942 ASCII "BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB..."
ECX 0162B720
EDX 01630000 xpsp2res.01630000
EBX 0162B720
ESP 0162B454
EBP 0162B460
ESI 0162B4D8
EDI 03A31E98
EIP 064EA6D4 webvact.064EA6D4
-----/
/-----
SEH chain of thread 000016CC
Address SE handler
0162DB40 42424242
-----/
9. *Report Timeline*
. 2014-05-06: Core Security notifies Advantech of the vulnerability. Publication date is set for May 26th, 2014.
. 2014-05-09: CORE asks for a reply.
. 2014-05-26: First release date missed.
. 2014-05-26: Core Security notifies that the issues were reported 2 weeks ago and there was no reply since May 6th, 2014.
. 2014-05-29: Core Security contacts the ICS-CERT for assistance in order to coordinate the disclosure of the advisory.
. 2014-05-29: ICS-CERT acknowledges Core Security e-mail, and asks for a technical description of the vulnerability.
. 2014-05-29: Core Security sends technical details to the ICS-CERT.
. 2014-06-05: ICS-CERT team notifies that they have contacted the vendor and that they will notify us once the vendor has validated the vulnerabilities.
. 2014-06-18: ICS-CERT team notifies that the vendor is working on a new release, expected to be released in September, and asks if Core Security is interested in validating Advantech's vulnerability fix in their beta version.
. 2014-06-18: Core Security accepts the testing of the vendor beta version, but shares their concerns about waiting several months for fixes that are related to vulnerabilities already public.
. 2014-06-18: ICS-CERT notifies that they will let us know when they plan to make the beta version available for testing.
. 2014-07-03: ICS-CERT team notifies that the vendor is working to provide a download link for the beta version.
. 2014-07-08: ICS-CERT team sends download link provided by the vendor.
. 2014-07-10: Core Security confirms to ICS-CERT that the new version is still vulnerable, and comments that after some analysis the vulnerable function has no changes.
. 2014-07-10: ICS-CERT notifies that they will let the vendor know that the vulnerabilities still exist, and asks to set up a teleconference between Core Security, the CERT and the vendor.
. 2014-07-10: Core Security notifies the ICS-CERT that all interactions are made via email only.
. 2014-07-10: ICS-CERT notifies they provided the information to the vendor.
. 2014-07-21: Core Security notifies the ICS-CERT that Tipping Point Zero Day Initiative has released several advisories [2] affecting the vendor, including some that appear to be related to the one we are coordinating.
. 2014-07-21: ICS-CERT notifies that some of those advisories were in coordination with them, and that, after a review of the link shared by Core Security, they are related to ICSA-14-198-02 and don't appear to be related to the reported vulnerability.
. 2014-07-21: Core Security notifies that ZDI-14-243 and ZDI-14-244 appear to be directly related.
. 2014-07-21: ICS-CERT is trying to contact Advantech to get a status update and their current plan for vulnerability remediation.
. 2014-08-07: ICS-CERT notifies that they contacted the vendor and they are waiting for a status update.
. 2014-08-21: Core Security contacts ICS-CERT since no reply was received in the past two weeks.
. 2014-08-21: ICS-CERT notifies that vendor representative stated that they are currently training a new product manager and they have not yet responded to the vulnerabilities we are discussing.
. 2014-08-28: Core Security notifies the ICS-CERT that the advisory publication is going to be scheduled for Monday 1st of September.
. 2014-08-28: ICS-CERT acknowledges Core Security e-mail.
. 2014-08-28: Core Security re-schedules the advisory publication for Sep 2nd, 2014.
. 2014-09-02: Core Security found out that the vendor released a silent fix on 30th of July.
. 2014-09-02: Core Security releases the advisory CORE-2014-0005 tagged as user-release.
10. *References*
[1] http://webaccess.advantech.com/.
[2] http://www.zerodayinitiative.com/advisories/published/.
[3] http://support.microsoft.com/kb/2458544.
[4] https://github.com/CoreSecurity/sentinel.
| VAR-201409-0441 | CVE-2014-0987 | Advantech WebAccess Vulnerable to stack-based buffer overflow |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Stack-based buffer overflow in Advantech WebAccess (formerly BroadWin WebAccess) 7.2 allows remote attackers to execute arbitrary code via the NodeName2 parameter. Advantech WebAccess is an IE-based HMI/SCADA monitoring software featuring all engineering projects, database setup, drawing and software management using standard browsers over the internet or intranet. A buffer overflow vulnerability exists in Advantech WebAccess. An attacker can exploit this vulnerability to execute arbitrary code in the context of the affected application or to crash the entire application. Advantech WebAccess is prone to a stack-based buffer-overflow vulnerability because the application fails to properly bounds-check user-supplied data before copying it into an insufficiently sized buffer. Failed exploit attempts will likely cause a denial-of-service condition.
Advantech WebAccess 7.2 is vulnerable; other versions may also be affected. Advantech WebAccess is a browser-based HMI/SCADA software developed by Advantech. The software supports dynamic graphic display and real-time data control, and provides functions of remote control and management of automation equipment.
Core Security - Corelabs Advisory
http://corelabs.coresecurity.com/
Advantech WebAccess Vulnerabilities
1. *Advisory Information*
Title: Advantech WebAccess Vulnerabilities
Advisory ID: CORE-2014-0005
Advisory URL: http://www.coresecurity.com/advisories/advantech-webaccess-vulnerabilities
Date published: 2014-09-02
Date of last update: 2014-09-01
Vendors contacted: Advantech
Release mode: User release
2. *Vulnerability Description*
Advantech WebAccess [1] is a browser-based software package for human-machine interfaces (HMI), and supervisory control and data acquisition (SCADA).
4. WebAccess 7.2
.
5. *Non-vulnerable packages*
. AdvantechWebAccessUSANode_20140730_3.4.3
6. *Vendor Information, Solutions and Workarounds*
Advantech has addressed the vulnerability in WebAccess by issuing an update located at
http://webaccess.advantech.com/downloads_software.php
Given that this is a client-side vulnerability, affected users should avoid opening untrusted '.html' files.
Core Security also recommends those affected use third party software such as Sentinel [4] or EMET [3] that could help to prevent the exploitation of affected systems to some extent.
7. *Credits*
This vulnerability was discovered and researched by Ricardo Narvaja from Core Security Exploit Writers Team.
Core Security Advisories Team would also like to thank ICS-CERT Coordination Center for their assistance during the vulnerability reporting process.
8.
Below is shown the result of opening a malicious html file with a long NodeName parameter; an attacker can overflow the stack buffer mentioned above and overwrite the SEH (Structured Exception Handler), enabling arbitrary code execution on the machine.
/-----
EAX 03A39942 ASCII "BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB..."
ECX 0162B720
EDX 01630000 xpsp2res.01630000
EBX 0162B720
ESP 0162B454
EBP 0162B460
ESI 0162B4D8
EDI 03A31E98
EIP 064EA6D4 webvact.064EA6D4
-----/
/-----
SEH chain of thread 000016CC
Address SE handler
0162DB40 42424242
-----/
9. *Report Timeline*
. 2014-05-06: Core Security notifies Advantech of the vulnerability. Publication date is set for May 26th, 2014.
. 2014-05-09: CORE asks for a reply.
. 2014-05-26: First release date missed.
. 2014-05-26: Core Security notifies that the issues were reported 2 weeks ago and there was no reply since May 6th, 2014.
. 2014-05-29: Core Security contacts the ICS-CERT for assistance in order to coordinate the disclosure of the advisory.
. 2014-05-29: ICS-CERT acknowledges Core Security e-mail, and asks for a technical description of the vulnerability.
. 2014-05-29: Core Security sends technical details to the ICS-CERT.
. 2014-06-05: ICS-CERT team notifies that they have contacted the vendor and that they will notify us once the vendor has validated the vulnerabilities.
. 2014-06-18: ICS-CERT team notifies that the vendor is working on a new release, expected to be released in September, and asks if Core Security is interested in validating Advantech's vulnerability fix in their beta version.
. 2014-06-18: Core Security accepts the testing of the vendor beta version, but shares their concerns about waiting several months for fixes that are related to vulnerabilities already public.
. 2014-06-18: ICS-CERT notifies that they will let us know when they plan to make the beta version available for testing.
. 2014-07-03: ICS-CERT team notifies that the vendor is working to provide a download link for the beta version.
. 2014-07-08: ICS-CERT team sends download link provided by the vendor.
. 2014-07-10: Core Security confirms to ICS-CERT that the new version is still vulnerable, and comments that after some analysis the vulnerable function has no changes.
. 2014-07-10: ICS-CERT notifies that they will let the vendor know that the vulnerabilities still exist, and asks to set up a teleconference between Core Security, the CERT and the vendor.
. 2014-07-10: Core Security notifies the ICS-CERT that all interactions are made via email only.
. 2014-07-10: ICS-CERT notifies they provided the information to the vendor.
. 2014-07-21: Core Security notifies the ICS-CERT that Tipping Point Zero Day Initiative has released several advisories [2] affecting the vendor, including some that appear to be related to the one we are coordinating.
. 2014-07-21: ICS-CERT notifies that some of those advisories were in coordination with them, and that, after a review of the link shared by Core Security, they are related to ICSA-14-198-02 and don't appear to be related to the reported vulnerability.
. 2014-07-21: Core Security notifies that ZDI-14-243 and ZDI-14-244 appear to be directly related.
. 2014-07-21: ICS-CERT is trying to contact Advantech to get a status update and their current plan for vulnerability remediation.
. 2014-08-07: ICS-CERT notifies that they contacted the vendor and they are waiting for a status update.
. 2014-08-21: Core Security contacts ICS-CERT since no reply was received in the past two weeks.
. 2014-08-21: ICS-CERT notifies that vendor representative stated that they are currently training a new product manager and they have not yet responded to the vulnerabilities we are discussing.
. 2014-08-28: Core Security notifies the ICS-CERT that the advisory publication is going to be scheduled for Monday 1st of September.
. 2014-08-28: ICS-CERT acknowledges Core Security e-mail.
. 2014-08-28: Core Security re-schedules the advisory publication for Sep 2nd, 2014.
. 2014-09-02: Core Security found out that the vendor released a silent fix on 30th of July.
. 2014-09-02: Core Security releases the advisory CORE-2014-0005 tagged as user-release.
10. *References*
[1] http://webaccess.advantech.com/.
[2] http://www.zerodayinitiative.com/advisories/published/.
[3] http://support.microsoft.com/kb/2458544.
[4] https://github.com/CoreSecurity/sentinel.
11. *About CoreLabs*
CoreLabs, the research center of Core Security, is charged with
anticipating
the future needs and requirements for information security
technologies.
We conduct our research in several important areas of computer security
including system vulnerabilities, cyber attack planning and simulation,
source code auditing, and cryptography. Our results include problem
formalization, identification of vulnerabilities, novel solutions and
prototypes for new technologies. CoreLabs regularly publishes security
advisories, technical papers, project information and shared software
tools for public use at:
http://corelabs.coresecurity.com.
12. *About Core Security Technologies*
Core Security Technologies enables organizations to get ahead of threats
with security test and measurement solutions that continuously identify
and demonstrate real-world exposures to their most critical assets. Our
customers can gain real visibility into their security standing, real
validation of their security controls, and real metrics to more
effectively secure their organizations.
Core Security's software solutions build on over a decade of trusted
research and leading-edge threat expertise from the company's Security
Consulting Services, CoreLabs and Engineering groups. Core Security
Technologies can be reached at +1 (617) 399-6980 or on the Web at:
http://www.coresecurity.com.
13. *Disclaimer*
The contents of this advisory are copyright
(c) 2014 Core Security and (c) 2014 CoreLabs,
and are licensed under a Creative Commons
Attribution Non-Commercial Share-Alike 3.0 (United States) License:
http://creativecommons.org/licenses/by-nc-sa/3.0/us/
14. *PGP/GPG Keys*
This advisory has been signed with the GPG key of Core Security
advisories team, which is available for download at
http://www.coresecurity.com/files/attachments/core_security_advisories.asc
| VAR-201409-0446 | CVE-2014-0992 | Advantech WebAccess Vulnerable to stack-based buffer overflow |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Stack-based buffer overflow in Advantech WebAccess (formerly BroadWin WebAccess) 7.2 allows remote attackers to execute arbitrary code via the password parameter. Advantech WebAccess is IE-based HMI/SCADA monitoring software whose engineering projects, database setup, drawing and software management are all performed using a standard browser over the internet or an intranet. A buffer overflow vulnerability exists in Advantech WebAccess. An attacker can exploit the vulnerability to execute arbitrary code in the context of the affected application or to crash the entire application. Advantech WebAccess is prone to a stack-based buffer-overflow vulnerability because the application fails to properly bounds-check user-supplied data before copying it into an insufficiently sized buffer. Failed exploit attempts will likely cause a denial-of-service condition.
Advantech WebAccess 7.2 is vulnerable; other versions may also be affected. Advantech WebAccess is browser-based HMI/SCADA software developed by Advantech. The software supports dynamic graphic display and real-time data control, and provides remote control and management of automation equipment.
Core Security - Corelabs Advisory
http://corelabs.coresecurity.com/
Advantech WebAccess Vulnerabilities
1. *Advisory Information*
Title: Advantech WebAccess Vulnerabilities
Advisory ID: CORE-2014-0005
Advisory URL:
http://www.coresecurity.com/advisories/advantech-webaccess-vulnerabilities
Date published: 2014-09-02
Date of last update: 2014-09-01
Vendors contacted: Advantech
Release mode: User release
2. *Vulnerability Description*
Advantech WebAccess [1] is a browser-based software package for
human-machine interfaces (HMI) and supervisory control and data
acquisition (SCADA).
4. WebAccess 7.2
.
5. *Non-vulnerable packages*
. AdvantechWebAccessUSANode_20140730_3.4.3
6. *Vendor Information, Solutions and Workarounds*
Advantech has addressed the vulnerability in WebAccess by issuing an
update located at
http://webaccess.advantech.com/downloads_software.php
Given that this is a client-side vulnerability, affected users should
avoid opening untrusted '.html' files.
Core Security also recommends those affected use third party software
such as Sentinel [4] or EMET [3] that could help to prevent the
exploitation of affected systems to some extent.
7. *Credits*
This vulnerability was discovered and researched by Ricardo Narvaja
from Core Security Exploit Writers Team.
Core Security Advisories Team would also like to thank ICS-CERT
Coordination Center for their assistance during the vulnerability
reporting process.
8.
Below is the result of opening a malicious HTML file with a long
NodeName parameter. An attacker can overflow the stack buffer mentioned
above and overwrite the SEH (Structured Exception Handler), enabling
arbitrary code execution on the machine.
/-----
EAX 03A39942 ASCII "BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB..."
ECX 0162B720
EDX 01630000 xpsp2res.01630000
EBX 0162B720
ESP 0162B454
EBP 0162B460
ESI 0162B4D8
EDI 03A31E98
EIP 064EA6D4 webvact.064EA6D4
-----/
/-----
SEH chain of thread 000016CC
Address SE handler
0162DB40 42424242
-----/
9. *Report Timeline*
. 2014-05-06: Core Security notifies Advantech of the vulnerability. Publication date is set for May 26th, 2014.
. 2014-05-09: CORE asks for a reply.
. 2014-05-26: First release date missed.
. 2014-05-26: Core Security notifies that the issues were reported 2 weeks ago and there was no reply since May 6th, 2014.
. 2014-05-29: Core Security contacts the ICS-CERT for assistance in order to coordinate the disclosure of the advisory.
. 2014-05-29: ICS-CERT acknowledges Core Security e-mail, and asks for a technical description of the vulnerability.
. 2014-05-29: Core Security sends technical details to the ICS-CERT.
. 2014-06-05: ICS-CERT team notifies that they have contacted the vendor and that they will notify us once the vendor has validated the vulnerabilities.
. 2014-06-18: ICS-CERT team notifies that the vendor is working on a new release, expected to be released in September, and asks if Core Security is interested in validating Advantech's vulnerability fix in their beta version.
. 2014-06-18: Core Security accepts the testing of the vendor beta version, but shares their concerns about waiting several months for fixes that are related to vulnerabilities already public.
. 2014-06-18: ICS-CERT notifies that they will let us know when they plan to make the beta version available for testing.
. 2014-07-03: ICS-CERT team notifies that the vendor is working to provide a download link for the beta version.
. 2014-07-08: ICS-CERT team sends download link provided by the vendor.
. 2014-07-10: Core Security confirms to ICS-CERT that the new version is still vulnerable, and comments that after some analysis the vulnerable function doesn't have changes.
. 2014-07-10: ICS-CERT notifies that they will let the vendor know that the vulnerabilities still exist, and asks to set up a teleconference between Core Security, the CERT and the vendor.
. 2014-07-10: Core Security notifies the ICS-CERT that all interactions are made via email only.
. 2014-07-10: ICS-CERT notifies they provided the information to the vendor.
. 2014-07-21: Core Security notifies the ICS-CERT that Tipping Point Zero Day Initiative has released several advisories [2] affecting the vendor, including some that appear to be related to the one we are coordinating.
. 2014-07-21: ICS-CERT notifies that some of those advisories were in coordination with them, and that after a review of the link shared by Core Security they are related to ICSA-14-198-02 and don't appear to be related to the reported vulnerability.
. 2014-07-21: Core Security notifies that ZDI-14-243 and ZDI-14-244 appear to be directly related.
. 2014-07-21: ICS-CERT is trying to contact Advantech to get a status update and their current plan for vulnerability remediation.
. 2014-08-07: ICS-CERT notifies that they contacted the vendor and they are waiting for a status update.
. 2014-08-21: Core Security contacts ICS-CERT since no reply was received in the past two weeks.
. 2014-08-21: ICS-CERT notifies that vendor representative stated that they are currently training a new product manager and they have not yet responded to the vulnerabilities we are discussing.
. 2014-08-28: Core Security notifies the ICS-CERT that the advisory publication is going to be scheduled for Monday 1st of September.
. 2014-08-28: ICS-CERT acknowledges Core Security e-mail.
. 2014-08-28: Core Security re-schedules the advisory publication for Sep 2nd, 2014.
. 2014-09-02: Core Security found out that the vendor released a silent fix on 30th of July.
. 2014-09-02: Core Security releases the advisory CORE-2014-0005 tagged as user-release.
10. *References*
[1] http://webaccess.advantech.com/.
[2] http://www.zerodayinitiative.com/advisories/published/.
[3] http://support.microsoft.com/kb/2458544.
[4] https://github.com/CoreSecurity/sentinel.
| VAR-201409-0439 | CVE-2014-0985 | Advantech WebAccess Vulnerable to stack-based buffer overflow |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Stack-based buffer overflow in Advantech WebAccess (formerly BroadWin WebAccess) 7.2 allows remote attackers to execute arbitrary code via the NodeName parameter. Advantech WebAccess is IE-based HMI/SCADA monitoring software whose engineering projects, database setup, drawing and software management are all performed using standard browsers over the internet or an intranet. A buffer overflow vulnerability exists in Advantech WebAccess. An attacker can exploit the vulnerability to execute arbitrary code in the context of the affected application or to crash the entire application. Advantech WebAccess is prone to a stack-based buffer-overflow vulnerability because the application fails to properly bounds-check user-supplied data before copying it into an insufficiently sized buffer. Failed exploit attempts will likely cause a denial-of-service condition.
Advantech WebAccess 7.2 is vulnerable; other versions may also be affected. Advantech WebAccess is browser-based HMI/SCADA software developed by Advantech. The software supports dynamic graphic display and real-time data control, and provides remote control and management of automation equipment.
Core Security - Corelabs Advisory
http://corelabs.coresecurity.com/
Advantech WebAccess Vulnerabilities
1. *Advisory Information*
Title: Advantech WebAccess Vulnerabilities
Advisory ID: CORE-2014-0005
Advisory URL:
http://www.coresecurity.com/advisories/advantech-webaccess-vulnerabilities
Date published: 2014-09-02
Date of last update: 2014-09-01
Vendors contacted: Advantech
Release mode: User release
2. *Vulnerability Description*
Advantech WebAccess [1] is a browser-based software package for
human-machine interfaces (HMI) and supervisory control and data
acquisition (SCADA).
4. WebAccess 7.2
.
5. *Non-vulnerable packages*
. AdvantechWebAccessUSANode_20140730_3.4.3
6. *Vendor Information, Solutions and Workarounds*
Advantech has addressed the vulnerability in WebAccess by issuing an
update located at
http://webaccess.advantech.com/downloads_software.php
Given that this is a client-side vulnerability, affected users should
avoid opening untrusted '.html' files.
Core Security also recommends those affected use third party software
such as Sentinel [4] or EMET [3] that could help to prevent the
exploitation of affected systems to some extent.
7. *Credits*
This vulnerability was discovered and researched by Ricardo Narvaja
from Core Security Exploit Writers Team.
Core Security Advisories Team would also like to thank ICS-CERT
Coordination Center for their assistance during the vulnerability
reporting process.
8.
/-----
EAX 03A39942 ASCII "BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB..."
ECX 0162B720
EDX 01630000 xpsp2res.01630000
EBX 0162B720
ESP 0162B454
EBP 0162B460
ESI 0162B4D8
EDI 03A31E98
EIP 064EA6D4 webvact.064EA6D4
-----/
/-----
SEH chain of thread 000016CC
Address SE handler
0162DB40 42424242
-----/
9. *Report Timeline*
. 2014-05-06: Core Security notifies Advantech of the vulnerability. Publication date is set for May 26th, 2014.
. 2014-05-09: CORE asks for a reply.
. 2014-05-26: First release date missed.
. 2014-05-26: Core Security notifies that the issues were reported 2 weeks ago and there was no reply since May 6th, 2014.
. 2014-05-29: Core Security contacts the ICS-CERT for assistance in order to coordinate the disclosure of the advisory.
. 2014-05-29: ICS-CERT acknowledges Core Security e-mail, and asks for a technical description of the vulnerability.
. 2014-05-29: Core Security sends technical details to the ICS-CERT.
. 2014-06-05: ICS-CERT team notifies that they have contacted the vendor and that they will notify us once the vendor has validated the vulnerabilities.
. 2014-06-18: ICS-CERT team notifies that the vendor is working on a new release, expected to be released in September, and asks if Core Security is interested in validating Advantech's vulnerability fix in their beta version.
. 2014-06-18: Core Security accepts the testing of the vendor beta version, but shares their concerns about waiting several months for fixes that are related to vulnerabilities already public.
. 2014-06-18: ICS-CERT notifies that they will let us know when they plan to make the beta version available for testing.
. 2014-07-03: ICS-CERT team notifies that the vendor is working to provide a download link for the beta version.
. 2014-07-08: ICS-CERT team sends download link provided by the vendor.
. 2014-07-10: Core Security confirms to ICS-CERT that the new version is still vulnerable, and comments that after some analysis the vulnerable function doesn't have changes.
. 2014-07-10: ICS-CERT notifies that they will let the vendor know that the vulnerabilities still exist, and asks to set up a teleconference between Core Security, the CERT and the vendor.
. 2014-07-10: Core Security notifies the ICS-CERT that all interactions are made via email only.
. 2014-07-10: ICS-CERT notifies they provided the information to the vendor.
. 2014-07-21: Core Security notifies the ICS-CERT that Tipping Point Zero Day Initiative has released several advisories [2] affecting the vendor, including some that appear to be related to the one we are coordinating.
. 2014-07-21: ICS-CERT notifies that some of those advisories were in coordination with them, and that after a review of the link shared by Core Security they are related to ICSA-14-198-02 and don't appear to be related to the reported vulnerability.
. 2014-07-21: Core Security notifies that ZDI-14-243 and ZDI-14-244 appear to be directly related.
. 2014-07-21: ICS-CERT is trying to contact Advantech to get a status update and their current plan for vulnerability remediation.
. 2014-08-07: ICS-CERT notifies that they contacted the vendor and they are waiting for a status update.
. 2014-08-21: Core Security contacts ICS-CERT since no reply was received in the past two weeks.
. 2014-08-21: ICS-CERT notifies that vendor representative stated that they are currently training a new product manager and they have not yet responded to the vulnerabilities we are discussing.
. 2014-08-28: Core Security notifies the ICS-CERT that the advisory publication is going to be scheduled for Monday 1st of September.
. 2014-08-28: ICS-CERT acknowledges Core Security e-mail.
. 2014-08-28: Core Security re-schedules the advisory publication for Sep 2nd, 2014.
. 2014-09-02: Core Security found out that the vendor released a silent fix on 30th of July.
. 2014-09-02: Core Security releases the advisory CORE-2014-0005 tagged as user-release.
10. *References*
[1] http://webaccess.advantech.com/.
[2] http://www.zerodayinitiative.com/advisories/published/.
[3] http://support.microsoft.com/kb/2458544.
[4] https://github.com/CoreSecurity/sentinel.
| VAR-201410-1143 | CVE-2014-3565 | Denial-of-service (DoS) vulnerability in snmplib/mib.c of Net-SNMP |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
snmplib/mib.c in net-snmp 5.7.0 and earlier, when the -OQ option is used, allows remote attackers to cause a denial of service (snmptrapd crash) via a crafted SNMP trap message, which triggers a conversion to the variable type designated in the MIB file, as demonstrated by a NULL type in an ifMtu trap message. Net-SNMP is prone to a remote denial-of-service vulnerability.
A remote attacker may exploit this issue to crash the application, resulting in a denial-of-service condition. Net-SNMP is a set of open source Simple Network Management Protocol (SNMP) software. The software is used to monitor network equipment, computer equipment, UPS equipment, etc.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
APPLE-SA-2015-10-21-4 OS X El Capitan 10.11.1 and Security Update
2015-007
OS X El Capitan 10.11.1 and Security Update 2015-007 are now
available and address the following:
Accelerate Framework
Available for: OS X Mavericks v10.9.5, OS X Yosemite v10.10.5,
and OS X El Capitan 10.11
Impact: Visiting a maliciously crafted website may lead to arbitrary
code execution
Description: A memory corruption issue existed in the Accelerate
Framework in multi-threading mode. This issue was addressed through
improved accessor element validation and improved object locking.
CVE-ID
CVE-2015-5940 : Apple
apache_mod_php
Available for: OS X Mavericks v10.9.5, OS X Yosemite v10.10.5,
and OS X El Capitan 10.11
Impact: Multiple vulnerabilities in PHP
Description: Multiple vulnerabilities existed in PHP versions prior
to 5.5.29 and 5.4.45. These were addressed by updating PHP to
versions 5.5.29 and 5.4.45.
CVE-ID
CVE-2015-0235
CVE-2015-0273
CVE-2015-6834
CVE-2015-6835
CVE-2015-6836
CVE-2015-6837
CVE-2015-6838
ATS
Available for: OS X Mavericks v10.9.5, OS X Yosemite v10.10.5,
and OS X El Capitan 10.11
Impact: Visiting a maliciously crafted webpage may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue existed in ATS. This issue
was addressed through improved memory handling.
CVE-ID
CVE-2015-6985 : John Villamil (@day6reak), Yahoo Pentest Team
Audio
Available for: OS X El Capitan 10.11
Impact: A malicious application may be able to execute arbitrary
code
Description: An uninitialized memory issue existed in coreaudiod.
This issue was addressed through improved memory initialization.
CVE-ID
CVE-2015-7003 : Mark Brand of Google Project Zero
Audio
Available for: OS X Mavericks v10.9.5, OS X Yosemite v10.10.5,
and OS X El Capitan 10.11
Impact: Playing a malicious audio file may lead to arbitrary code
execution
Description: Multiple memory corruption issues existed in the
handling of audio files. These issues were addressed through improved
memory handling.
CVE-ID
CVE-2015-5933 : Apple
CVE-2015-5934 : Apple
Bom
Available for: OS X El Capitan 10.11
Impact: Unpacking a maliciously crafted archive may lead to
arbitrary code execution
Description: A file traversal vulnerability existed in the handling
of CPIO archives. This issue was addressed through improved
validation of metadata.
CVE-ID
CVE-2015-7006 : Mark Dowd of Azimuth Security
CFNetwork
Available for: OS X El Capitan 10.11
Impact: Visiting a maliciously crafted website may lead to cookies
being overwritten
Description: A parsing issue existed when handling cookies with
different letter casing. This issue was addressed through improved
parsing.
CVE-ID
CVE-2015-7023 : Marvin Scholz; Xiaofeng Zheng and Jinjin Liang of
Tsinghua University, Jian Jiang of University of California,
Berkeley, Haixin Duan of Tsinghua University and International
Computer Science Institute, Shuo Chen of Microsoft Research Redmond,
Tao Wan of Huawei Canada, Nicholas Weaver of International Computer
Science Institute and University of California, Berkeley, coordinated
via CERT/CC
configd
Available for: OS X El Capitan 10.11
Impact: A malicious application may be able to elevate privileges
Description: A heap based buffer overflow issue existed in the DNS
client library. A malicious application with the ability to spoof
responses from the local configd service may have been able to cause
arbitrary code execution in DNS clients.
CVE-ID
CVE-2015-7015 : PanguTeam
CoreGraphics
Available for: OS X Mavericks v10.9.5, OS X Yosemite v10.10.5,
and OS X El Capitan 10.11
Impact: Visiting a maliciously crafted website may lead to arbitrary
code execution
Description: Multiple memory corruption issues existed in
CoreGraphics. These issues were addressed through improved memory
handling.
CVE-ID
CVE-2015-5925 : Apple
CVE-2015-5926 : Apple
CoreText
Available for: OS X Mavericks v10.9.5, OS X Yosemite v10.10.5,
and OS X El Capitan 10.11
Impact: Processing a maliciously crafted font file may lead to
arbitrary code execution
Description: Multiple memory corruption issues existed in the
handling of font files. These issues were addressed through improved
bounds checking.
CVE-ID
CVE-2015-6992 : John Villamil (@day6reak), Yahoo Pentest Team
CoreText
Available for: OS X Yosemite v10.10.5 and OS X El Capitan 10.11
Impact: Processing a maliciously crafted font file may lead to
arbitrary code execution
Description: Multiple memory corruption issues existed in the
handling of font files. These issues were addressed through improved
bounds checking.
CVE-ID
CVE-2015-6975 : John Villamil (@day6reak), Yahoo Pentest Team
CoreText
Available for: OS X El Capitan 10.11
Impact: Processing a maliciously crafted font file may lead to
arbitrary code execution
Description: Multiple memory corruption issues existed in the
handling of font files. These issues were addressed through improved
bounds checking.
CVE-ID
CVE-2015-7017 : John Villamil (@day6reak), Yahoo Pentest Team
CoreText
Available for: OS X Mavericks v10.9.5 and OS X Yosemite v10.10.5
Impact: Processing a maliciously crafted font file may lead to
arbitrary code execution
Description: Multiple memory corruption issues existed in the
handling of font files. These issues were addressed through improved
bounds checking.
CVE-ID
CVE-2015-5944 : John Villamil (@day6reak), Yahoo Pentest Team
Disk Images
Available for: OS X El Capitan 10.11
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: A memory corruption issue existed in the parsing of
disk images. This issue was addressed through improved memory
handling.
CVE-ID
CVE-2015-6995 : Ian Beer of Google Project Zero
EFI
Available for: OS X Mavericks v10.9.5, OS X Yosemite v10.10.5,
and OS X El Capitan 10.11
Impact: An attacker can exercise unused EFI functions
Description: An issue existed with EFI argument handling. This was
addressed by removing the affected functions.
CVE-ID
CVE-2015-7035 : Corey Kallenberg, Xeno Kovah, John Butterworth, and
Sam Cornwell of The MITRE Corporation, coordinated via CERT/CC
File Bookmark
Available for: OS X El Capitan 10.11
Impact: Browsing to a folder with malformed bookmarks may cause
unexpected application termination
Description: An input validation issue existed in parsing bookmark
metadata. This issue was addressed through improved validation
checks.
CVE-ID
CVE-2015-6987 : Luca Todesco (@qwertyoruiop)
FontParser
Available for: OS X Mavericks v10.9.5, OS X Yosemite v10.10.5,
and OS X El Capitan 10.11
Impact: Processing a maliciously crafted font file may lead to
arbitrary code execution
Description: Multiple memory corruption issues existed in the
handling of font files. These issues were addressed through improved
bounds checking.
CVE-ID
CVE-2015-5927 : Apple
CVE-2015-5942
CVE-2015-6976 : John Villamil (@day6reak), Yahoo Pentest Team
CVE-2015-6977 : John Villamil (@day6reak), Yahoo Pentest Team
CVE-2015-6978 : Jaanus Kääp, Clarified Security, working with HP's Zero
Day Initiative
CVE-2015-6991 : John Villamil (@day6reak), Yahoo Pentest Team
CVE-2015-6993 : John Villamil (@day6reak), Yahoo Pentest Team
CVE-2015-7009 : John Villamil (@day6reak), Yahoo Pentest Team
CVE-2015-7010 : John Villamil (@day6reak), Yahoo Pentest Team
CVE-2015-7018 : John Villamil (@day6reak), Yahoo Pentest Team
FontParser
Available for: OS X El Capitan 10.11
Impact: Processing a maliciously crafted font file may lead to
arbitrary code execution
Description: Multiple memory corruption issues existed in the
handling of font files. These issues were addressed through improved
bounds checking.
CVE-ID
CVE-2015-6990 : John Villamil (@day6reak), Yahoo Pentest Team
CVE-2015-7008 : John Villamil (@day6reak), Yahoo Pentest Team
Grand Central Dispatch
Available for: OS X Yosemite v10.10.5 and OS X El Capitan 10.11
Impact: Processing a maliciously crafted package may lead to
arbitrary code execution
Description: A memory corruption issue existed in the handling of
dispatch calls. This issue was addressed through improved memory
handling.
CVE-ID
CVE-2015-6989 : Apple
Graphics Drivers
Available for: OS X El Capitan 10.11
Impact: A local user may be able to cause unexpected system
termination or read kernel memory
Description: Multiple out of bounds read issues existed in the
NVIDIA graphics driver. These issues were addressed through improved
bounds checking.
CVE-ID
CVE-2015-7019 : Ian Beer of Google Project Zero
CVE-2015-7020 : Moony Li of Trend Micro
Graphics Drivers
Available for: OS X El Capitan 10.11
Impact: A local user may be able to execute arbitrary code with
kernel privileges
Description: A memory corruption issue existed in the kernel. This
issue was addressed through improved memory handling.
CVE-ID
CVE-2015-7021 : Moony Li of Trend Micro
ImageIO
Available for: OS X Mavericks v10.9.5 and OS X Yosemite v10.10.5
Impact: Processing a maliciously crafted image file may lead to
arbitrary code execution
Description: Multiple memory corruption issues existed in the
parsing of image metadata. These issues were addressed through
improved metadata validation.
CVE-ID
CVE-2015-5935 : Apple
CVE-2015-5938 : Apple
ImageIO
Available for: OS X Mavericks v10.9.5, OS X Yosemite v10.10.5,
and OS X El Capitan 10.11
Impact: Processing a maliciously crafted image file may lead to
arbitrary code execution
Description: Multiple memory corruption issues existed in the
parsing of image metadata. These issues were addressed through
improved metadata validation.
CVE-ID
CVE-2015-5936 : Apple
CVE-2015-5937 : Apple
CVE-2015-5939 : Apple
IOAcceleratorFamily
Available for: OS X Mavericks v10.9.5, OS X Yosemite v10.10.5,
and OS X El Capitan 10.11
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: A memory corruption issue existed in
IOAcceleratorFamily. This issue was addressed through improved memory
handling.
CVE-ID
CVE-2015-6996 : Ian Beer of Google Project Zero
IOHIDFamily
Available for: OS X El Capitan 10.11
Impact: A malicious application may be able to execute arbitrary
code with kernel privileges
Description: A memory corruption issue existed in the kernel. This
issue was addressed through improved memory handling.
CVE-ID
CVE-2015-6974 : Luca Todesco (@qwertyoruiop)
Kernel
Available for: OS X Yosemite v10.10.5
Impact: A local user may be able to execute arbitrary code with
system privileges
Description: A type confusion issue existed in the validation of
Mach tasks. This issue was addressed through improved Mach task
validation.
CVE-ID
CVE-2015-5932 : Luca Todesco (@qwertyoruiop), Filippo Bigarella
Kernel
Available for: OS X El Capitan 10.11
Impact: An attacker with a privileged network position may be able
to execute arbitrary code
Description: An uninitialized memory issue existed in the kernel.
This issue was addressed through improved memory initialization.
CVE-ID
CVE-2015-6988 : The Brainy Code Scanner (m00nbsd)
Kernel
Available for: OS X El Capitan 10.11
Impact: A local application may be able to cause a denial of service
Description: An issue existed when reusing virtual memory. This
issue was addressed through improved validation.
CVE-ID
CVE-2015-6994 : Mark Mentovai of Google Inc.
libarchive
Available for: OS X Mavericks v10.9.5, OS X Yosemite v10.10.5,
and OS X El Capitan 10.11
Impact: A malicious application may be able to overwrite arbitrary
files
Description: An issue existed within the path validation logic for
symlinks. This issue was addressed through improved path
sanitization.
CVE-ID
CVE-2015-6984 : Christopher Crone of Infinit, Jonathan Schleifer
MCX Application Restrictions
Available for: OS X Yosemite v10.10.5 and OS X El Capitan 10.11
Impact: A developer-signed executable may acquire restricted
entitlements
Description: An entitlement validation issue existed in Managed
Configuration. A developer-signed app could bypass restrictions on
use of restricted entitlements and elevate privileges. This issue was
addressed through improved provisioning profile validation.
CVE-ID
CVE-2015-7016 : Apple
Net-SNMP
Available for: OS X El Capitan 10.11
Impact: An attacker in a privileged network position may be able to
cause a denial of service
Description: Multiple issues existed in netsnmp version 5.6. These
issues were addressed by using patches affecting OS X from upstream.
CVE-ID
CVE-2012-6151
CVE-2014-3565
OpenGL
Available for: OS X Mavericks v10.9.5, OS X Yosemite v10.10.5,
and OS X El Capitan 10.11
Impact: Visiting a maliciously crafted website may lead to arbitrary
code execution
Description: A memory corruption issue existed in OpenGL. This issue
was addressed through improved memory handling.
CVE-ID
CVE-2015-5924 : Apple
OpenSSH
Available for: OS X El Capitan 10.11
Impact: A local user may be able to conduct impersonation attacks
Description: A privilege separation issue existed in PAM support.
This issue was addressed with improved authorization checks.
CVE-ID
CVE-2015-6563 : Moritz Jodeit of Blue Frost Security GmbH
Sandbox
Available for: OS X El Capitan 10.11
Impact: A local user may be able to execute arbitrary code with
kernel privileges
Description: An input validation issue existed when handling NVRAM
parameters. This issue was addressed through improved validation.
CVE-ID
CVE-2015-5945 : Rich Trouton (@rtrouton), Howard Hughes Medical
Institute, Apple
Script Editor
Available for: OS X El Capitan 10.11
Impact: An attacker may trick a user into running arbitrary
AppleScript
Description: In some circumstances, Script Editor did not ask for
user confirmation before executing AppleScripts. This issue was
addressed by prompting for user confirmation before executing
AppleScripts.
CVE-ID
CVE-2015-7007 : Joe Vennix of Rapid7
Security
Available for: OS X El Capitan 10.11
Impact: A malicious application may be able to overwrite arbitrary
files
Description: A double free issue existed in the handling of
AtomicBufferedFile descriptors. This issue was addressed through
improved validation of AtomicBufferedFile descriptors.
CVE-ID
CVE-2015-6983 : David Benjamin, Greg Kerr, Mark Mentovai and Sergey
Ulanov from the Chrome Team
SecurityAgent
Available for: OS X El Capitan 10.11
Impact: A malicious application can programmatically control
keychain access prompts
Description: A method existed for applications to create synthetic
clicks on keychain prompts. This was addressed by disabling synthetic
clicks for keychain access windows.
CVE-ID
CVE-2015-5943
Installation note:
OS X El Capitan v10.11.1 includes the security content of
Safari 9.0.1: https://support.apple.com/kb/HT205377
OS X El Capitan 10.11.1 and Security Update 2015-007 may be obtained
from the Mac App Store or Apple's Software Downloads web site:
http://www.apple.com/support/downloads/
Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
============================================================================
Ubuntu Security Notice USN-2711-1
August 17, 2015
net-snmp vulnerabilities
============================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 15.04
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS
Summary:
Net-SNMP could be made to crash or run programs if it received specially
crafted network traffic. (CVE-2014-3565)
Qinghao Tang discovered that Net-SNMP incorrectly handled SNMP PDU parsing
failures. (CVE-2015-5621)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 15.04:
libsnmp30 5.7.2~dfsg-8.1ubuntu5.1
Ubuntu 14.04 LTS:
libsnmp30 5.7.2~dfsg-8.1ubuntu3.1
Ubuntu 12.04 LTS:
libsnmp15 5.4.3~dfsg-2.4ubuntu1.3
In general, a standard system update will make all the necessary changes.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201507-17
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: SNMP: Denial of Service
Date: July 10, 2015
Bugs: #522062
ID: 201507-17
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
A vulnerability in SNMP could lead to a Denial of Service condition.
Background
==========
SNMP is a widely used protocol for monitoring the health and welfare of
network equipment.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All SNMP users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v ">=net-analyzer/net-snmp-5.7.3_pre5-r1"
References
==========
[ 1 ] CVE-2014-3565
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3565
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/201507-17
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2015 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
.
Remotely exploitable denial of service vulnerability in Net-SNMP,
in snmptrapd, due to how it handles trap requests with an empty
community string when the perl handler is enabled (CVE-2014-2285). The verification
of md5 checksums and GPG signatures is performed automatically for you. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/en/support/security/advisories/
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: net-snmp security and bug fix update
Advisory ID: RHSA-2015:1385-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-1385.html
Issue date: 2015-07-22
Updated on: 2015-03-02
CVE Names: CVE-2014-3565
=====================================================================
1. Summary:
Updated net-snmp packages that fix one security issue and several bugs are
now available for Red Hat Enterprise Linux 6.
Red Hat Product Security has rated this update as having Moderate security
impact. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available from the CVE link in the
References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64
Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, x86_64
Red Hat Enterprise Linux HPC Node (v. 6) - x86_64
Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64
Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64
3. Description:
The net-snmp packages provide various libraries and tools for the Simple
Network Management Protocol (SNMP), including an SNMP library, an
extensible agent, tools for requesting or setting information from SNMP
agents, tools for generating and handling SNMP traps, a version of the
netstat command which uses SNMP, and a Tk/Perl Management Information Base
(MIB) browser.
A denial of service flaw was found in the way snmptrapd handled certain
SNMP traps when started with the "-OQ" option. (CVE-2014-3565)
This update also fixes the following bugs:
* The HOST-RESOURCES-MIB::hrSystemProcesses object was not implemented
because parts of the HOST-RESOURCES-MIB module were rewritten in an earlier
version of net-snmp. Consequently, HOST-RESOURCES-MIB::hrSystemProcesses
did not provide information on the number of currently loaded or running
processes. With this update, HOST-RESOURCES-MIB::hrSystemProcesses has been
implemented, and the net-snmp daemon reports as expected. (BZ#1134335)
* The Net-SNMP agent daemon, snmpd, reloaded the system ARP table every 60
seconds. As a consequence, snmpd could cause a short CPU usage spike on
busy systems with a large ARP table. With this update, snmpd does not
reload the full ARP table periodically, but monitors the table changes
using a netlink socket. (BZ#789500)
* Previously, snmpd used an invalid pointer to the current time when
periodically checking certain conditions specified by the "monitor" option
in the /etc/snmpd/snmpd.conf file. Consequently, snmpd terminated
unexpectedly on start with a segmentation fault if a certain entry with the
"monitor" option was used. Now, snmpd initializes the correct pointer
to the current time, and snmpd no longer crashes on start. (BZ#1050970)
* Previously, snmpd expected 8-bit network interface indices when
processing HOST-RESOURCES-MIB::hrDeviceTable. If an interface index of a
local network interface was larger than 30,000 items, snmpd could terminate
unexpectedly due to accessing invalid memory. Now, processing of all
network sizes is enabled, and snmpd no longer crashes in the described
situation. (BZ#1195547)
* The snmptrapd service incorrectly checked for errors when forwarding a
trap with a RequestID value of 0, and logged "Forward failed" even though
the trap was successfully forwarded. This update fixes snmptrapd checks and
the aforementioned message is now logged only when appropriate.
(BZ#1146948)
* Previously, snmpd ignored the value of the "storageUseNFS" option in the
/etc/snmpd/snmpd.conf file. As a consequence, NFS drives were shown as
"Network Disks", even though "storageUseNFS" was set to "2" to report them
as "Fixed Disks" in HOST-RESOURCES-MIB::hrStorageTable. With this update,
snmpd takes the "storageUseNFS" option value into account, and "Fixed
Disks" NFS drives are reported correctly. (BZ#1125793)
* Previously, the Net-SNMP Python binding used an incorrect size (8 bytes
instead of 4) for variables of IPADDRESS type. Consequently, applications
that were using Net-SNMP Python bindings could send malformed SNMP
messages. With this update, the bindings now use 4 bytes for variables with
IPADDRESS type, and only valid SNMP messages are sent. (BZ#1100099)
* Previously, the snmpd service did not cut values in
HOST-RESOURCES-MIB::hrStorageTable to signed 32-bit integers, as required
by SNMP standards, and provided the values as unsigned integers. As a
consequence, the HOST-RESOURCES-MIB::hrStorageTable implementation did not
conform to RFC 2790. The values are now cut to 32-bit signed integers, and
snmpd is therefore standard compliant. (BZ#1104293)
Users of net-snmp are advised to upgrade to these updated packages, which
contain backported patches to correct these issues.
4. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
886468 - snmpd does not report error when clientaddr <ip>:<port> cannot bind to the specified port
967871 - net-snmp does not display correct lm_sensors sensor data / missing CPU cores
1023570 - libnetsnmpagent.so crash under certain conditions - patched upstream in 2009
1034441 - Net-SNMP libraries and headers are invalid due to hyphens.
1069046 - snmpd returns truncated value for Counter64 taken from smuxpeer
1070075 - SNMP HRPROCESSORLOAD RETURNS INCORRECT VALUES FOR PROCESSOR #'S > 100
1073544 - net-snmp.rpm is not multilib safe
1100099 - net-snmp-python adds zeros to end of IP address (IPADDR type), which is not valid
1119567 - After installation of net-snmp-devel-5.5-44.el6_4.4.x86_64 the command '$ man snmp_read' fails
1125155 - CVE-2014-3565 net-snmp: snmptrapd crash when handling an SNMP trap containing a ifMtu with a NULL type
1125793 - [RHEL6] net-snmp "storageUseNFS 2" option does not report NFS mount as "Fixed Disks"
1126914 - Ocetets Truncated with Python Bindings
1134335 - hrSystemProcesses is missing (net-snmp-5.5-49.el6_5.2)
1157373 - README file in net-snmp-python package is wrong
1181994 - net-snmp package does not compile on Fedora 21
1188295 - net-snmp snmpd fork() overhead [fix available]
6. Package List:
Red Hat Enterprise Linux Desktop (v. 6):
Source:
net-snmp-5.5-54.el6.src.rpm
i386:
net-snmp-5.5-54.el6.i686.rpm
net-snmp-debuginfo-5.5-54.el6.i686.rpm
net-snmp-libs-5.5-54.el6.i686.rpm
x86_64:
net-snmp-5.5-54.el6.x86_64.rpm
net-snmp-debuginfo-5.5-54.el6.i686.rpm
net-snmp-debuginfo-5.5-54.el6.x86_64.rpm
net-snmp-libs-5.5-54.el6.i686.rpm
net-snmp-libs-5.5-54.el6.x86_64.rpm
Red Hat Enterprise Linux Desktop Optional (v. 6):
i386:
net-snmp-debuginfo-5.5-54.el6.i686.rpm
net-snmp-devel-5.5-54.el6.i686.rpm
net-snmp-perl-5.5-54.el6.i686.rpm
net-snmp-python-5.5-54.el6.i686.rpm
net-snmp-utils-5.5-54.el6.i686.rpm
x86_64:
net-snmp-debuginfo-5.5-54.el6.i686.rpm
net-snmp-debuginfo-5.5-54.el6.x86_64.rpm
net-snmp-devel-5.5-54.el6.i686.rpm
net-snmp-devel-5.5-54.el6.x86_64.rpm
net-snmp-perl-5.5-54.el6.x86_64.rpm
net-snmp-python-5.5-54.el6.x86_64.rpm
net-snmp-utils-5.5-54.el6.x86_64.rpm
Red Hat Enterprise Linux HPC Node (v. 6):
Source:
net-snmp-5.5-54.el6.src.rpm
x86_64:
net-snmp-5.5-54.el6.x86_64.rpm
net-snmp-debuginfo-5.5-54.el6.i686.rpm
net-snmp-debuginfo-5.5-54.el6.x86_64.rpm
net-snmp-libs-5.5-54.el6.i686.rpm
net-snmp-libs-5.5-54.el6.x86_64.rpm
net-snmp-perl-5.5-54.el6.x86_64.rpm
net-snmp-python-5.5-54.el6.x86_64.rpm
net-snmp-utils-5.5-54.el6.x86_64.rpm
Red Hat Enterprise Linux HPC Node Optional (v. 6):
x86_64:
net-snmp-debuginfo-5.5-54.el6.i686.rpm
net-snmp-debuginfo-5.5-54.el6.x86_64.rpm
net-snmp-devel-5.5-54.el6.i686.rpm
net-snmp-devel-5.5-54.el6.x86_64.rpm
Red Hat Enterprise Linux Server (v. 6):
Source:
net-snmp-5.5-54.el6.src.rpm
i386:
net-snmp-5.5-54.el6.i686.rpm
net-snmp-debuginfo-5.5-54.el6.i686.rpm
net-snmp-devel-5.5-54.el6.i686.rpm
net-snmp-libs-5.5-54.el6.i686.rpm
net-snmp-perl-5.5-54.el6.i686.rpm
net-snmp-python-5.5-54.el6.i686.rpm
net-snmp-utils-5.5-54.el6.i686.rpm
ppc64:
net-snmp-5.5-54.el6.ppc64.rpm
net-snmp-debuginfo-5.5-54.el6.ppc.rpm
net-snmp-debuginfo-5.5-54.el6.ppc64.rpm
net-snmp-devel-5.5-54.el6.ppc.rpm
net-snmp-devel-5.5-54.el6.ppc64.rpm
net-snmp-libs-5.5-54.el6.ppc.rpm
net-snmp-libs-5.5-54.el6.ppc64.rpm
net-snmp-perl-5.5-54.el6.ppc64.rpm
net-snmp-python-5.5-54.el6.ppc64.rpm
net-snmp-utils-5.5-54.el6.ppc64.rpm
s390x:
net-snmp-5.5-54.el6.s390x.rpm
net-snmp-debuginfo-5.5-54.el6.s390.rpm
net-snmp-debuginfo-5.5-54.el6.s390x.rpm
net-snmp-devel-5.5-54.el6.s390.rpm
net-snmp-devel-5.5-54.el6.s390x.rpm
net-snmp-libs-5.5-54.el6.s390.rpm
net-snmp-libs-5.5-54.el6.s390x.rpm
net-snmp-perl-5.5-54.el6.s390x.rpm
net-snmp-python-5.5-54.el6.s390x.rpm
net-snmp-utils-5.5-54.el6.s390x.rpm
x86_64:
net-snmp-5.5-54.el6.x86_64.rpm
net-snmp-debuginfo-5.5-54.el6.i686.rpm
net-snmp-debuginfo-5.5-54.el6.x86_64.rpm
net-snmp-devel-5.5-54.el6.i686.rpm
net-snmp-devel-5.5-54.el6.x86_64.rpm
net-snmp-libs-5.5-54.el6.i686.rpm
net-snmp-libs-5.5-54.el6.x86_64.rpm
net-snmp-perl-5.5-54.el6.x86_64.rpm
net-snmp-python-5.5-54.el6.x86_64.rpm
net-snmp-utils-5.5-54.el6.x86_64.rpm
Red Hat Enterprise Linux Workstation (v. 6):
Source:
net-snmp-5.5-54.el6.src.rpm
i386:
net-snmp-5.5-54.el6.i686.rpm
net-snmp-debuginfo-5.5-54.el6.i686.rpm
net-snmp-devel-5.5-54.el6.i686.rpm
net-snmp-libs-5.5-54.el6.i686.rpm
net-snmp-perl-5.5-54.el6.i686.rpm
net-snmp-python-5.5-54.el6.i686.rpm
net-snmp-utils-5.5-54.el6.i686.rpm
x86_64:
net-snmp-5.5-54.el6.x86_64.rpm
net-snmp-debuginfo-5.5-54.el6.i686.rpm
net-snmp-debuginfo-5.5-54.el6.x86_64.rpm
net-snmp-devel-5.5-54.el6.i686.rpm
net-snmp-devel-5.5-54.el6.x86_64.rpm
net-snmp-libs-5.5-54.el6.i686.rpm
net-snmp-libs-5.5-54.el6.x86_64.rpm
net-snmp-perl-5.5-54.el6.x86_64.rpm
net-snmp-python-5.5-54.el6.x86_64.rpm
net-snmp-utils-5.5-54.el6.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2014-3565
https://access.redhat.com/security/updates/classification/#moderate
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2015 Red Hat, Inc.
. 7) - x86_64
3. With this release, outgoing IPv6 messages are
correctly sent from the interface specified by clientaddr. (BZ#1190679)
* The Net-SNMP daemon, snmpd, did not properly clean memory when reloading
its configuration file with multiple "exec" entries. Consequently, the
daemon terminated unexpectedly. (BZ#1228893)
* Prior to this update, snmpd did not parse complete IPv4 traffic
statistics, but reported the number of received or sent bytes in the
IP-MIB::ipSystemStatsTable only for IPv6 packets and not for IPv4. Now, the
statistics reported by snmpd are collected for IPv4 as well. (BZ#1235697)
* The Net-SNMP daemon, snmpd, did not correctly detect the file system
change from read-only to read-write. Consequently, after remounting the
file system into the read-write mode, the daemon reported it to be still
in the read-only mode. A patch has been applied, and snmpd now detects the
mode changes as expected.
Bugs fixed (https://bugzilla.redhat.com/):
1092308 - backport diskio device filtering
1125155 - CVE-2014-3565 net-snmp: snmptrapd crash when handling an SNMP trap containing a ifMtu with a NULL type
1151310 - snmptrap can't create (or write to) /var/lib/net-snmp/snmpapp.conf if isn't run under root
1184433 - udpTable has wrong indices
1190679 - In IPv6, snmp packet does not send from specified interface assigned by clientaddr option in snmpd.conf
| VAR-201408-0412 | No CVE | Moxa has an unknown remote vulnerability |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Moxa is the world leader in multiport serial cards, networked servers, Ethernet switches, industrial computer replacement products, interface converters, and USB-to-network products. Moxa has an unknown remote vulnerability, and no detailed vulnerability description is currently available.
| VAR-201408-0410 | No CVE | Cogent DataHub Remote Directory Traversal Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Cogent DataHub is software for SCADA and automation. Cogent DataHub has a remote directory traversal vulnerability because the program fails to properly filter user-supplied input. An attacker can exploit this vulnerability to access a restricted directory.
| VAR-201408-0408 | No CVE | Microsys PROMOTIC has an unknown vulnerability |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
MICROSYS PROMOTIC is SCADA software. Microsys PROMOTIC has unspecified vulnerabilities, and no detailed vulnerability description is currently available.
| VAR-201408-0172 | CVE-2014-3352 | Cisco Intelligent Automation for Cloud Vulnerability in which important information is obtained |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Cisco Intelligent Automation for Cloud (aka Cisco Cloud Portal) 2008.3_SP9 and earlier does not properly consider whether a session is a problematic NULL session, which allows remote attackers to obtain sensitive information via crafted packets, related to an "iFrame vulnerability," aka Bug ID CSCuh84801. The vendor has released this vulnerability as Bug ID CSCuh84801. A third party may be able to obtain important information via a crafted packet.
An attacker can exploit this issue to gain access to sensitive information that may aid in further attacks.
This issue is being tracked by Cisco Bug ID CSCuh84801. The solution provides effective IT management in cloud environments and supports all cloud models as well as virtual and physical infrastructures. The vulnerability is due to the fact that the program does not fully verify the null session.
| VAR-201408-0167 | CVE-2014-3346 | Cisco Transport Gateway for Smart Call Home of Web Service operation interruption in the framework (DoS) Vulnerabilities |
CVSS V2: 6.3 CVSS V3: - Severity: MEDIUM |
The web framework in Cisco Transport Gateway for Smart Call Home (aka TG-SCH or Transport Gateway Installation Software) does not validate an unspecified parameter, which allows remote authenticated users to cause a denial of service (service crash) via a crafted string, aka Bug ID CSCuq31819. The vendor has released this vulnerability as Bug ID CSCuq31819. A remote authenticated user may be able to cause a denial of service (service crash) via a crafted string.
This issue is being tracked by Cisco Bug ID CSCuq31819. The vulnerability is caused by the program not validating a parameter.