VARIoT IoT vulnerabilities database
| VAR-201411-0220 | CVE-2014-8589 | SAP Network Interface Router Integer overflow vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Integer overflow in SAP Network Interface Router (SAProuter) 40.4 allows remote attackers to cause a denial of service (resource consumption) via crafted requests. SAP Network Interface Router is prone to a denial-of-service vulnerability.
Attackers can exploit this issue to consume excess resources, denying service to legitimate users
| VAR-201410-1474 | No CVE | Unknown vulnerability in multiple Hitachi products |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
HITACHI Hitachi Group is one of the world's largest integrated multinational corporations. It came to China in the 1960s and became one of the few foreign companies entering the Chinese market in the early days. The main products are electrical appliances such as air conditioners and refrigerators.
Unknown vulnerabilities in multiple Hitachi products. There is no detailed vulnerability description at this time.
The impact of this issue is currently unknown. We will update this BID when more information emerges
| VAR-201412-0519 | CVE-2014-3569 | OpenSSL 'ssl23_get_client_hello()' Function NULL Pointer Dereference Denial of Service Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The ssl23_get_client_hello function in s23_srvr.c in OpenSSL 0.9.8zc, 1.0.0o, and 1.0.1j does not properly handle attempts to use unsupported protocols, which allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via an unexpected handshake, as demonstrated by an SSLv3 handshake to a no-ssl3 application with certain error handling. NOTE: this issue became relevant after the CVE-2014-3568 fix. OpenSSL is prone to denial-of-service vulnerability due to a NULL pointer dereference error.
An attacker may exploit this issue to crash the application, resulting in denial-of-service conditions. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-SA-15:01.openssl Security Advisory
The FreeBSD Project
Topic: OpenSSL multiple vulnerabilities
Category: contrib
Module: openssl
Announced: 2015-01-14
Affects: All supported versions of FreeBSD.
Corrected: 2015-01-09 00:58:20 UTC (stable/10, 10.1-STABLE)
2015-01-14 21:27:46 UTC (releng/10.1, 10.1-RELEASE-p4)
2015-01-14 21:27:46 UTC (releng/10.0, 10.0-RELEASE-p16)
2015-01-09 01:11:43 UTC (stable/9, 9.3-STABLE)
2015-01-14 21:27:46 UTC (releng/9.3, 9.3-RELEASE-p8)
2015-01-09 01:11:43 UTC (stable/8, 8.4-STABLE)
2015-01-14 21:27:46 UTC (releng/8.4, 8.4-RELEASE-p22)
CVE Name: CVE-2014-3571, CVE-2015-0206, CVE-2014-3569, CVE-2014-3572
CVE-2015-0204, CVE-2015-0205, CVE-2014-8275, CVE-2014-3570
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.
I. Background
FreeBSD includes software from the OpenSSL Project. The OpenSSL Project is
a collaborative effort to develop a robust, commercial-grade, full-featured
Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3)
and Transport Layer Security (TLS v1) protocols as well as a full-strength
general purpose cryptography library.
II. [CVE-2014-3569] This does not affect
FreeBSD's default build. [CVE-2014-3570]
III. Impact
An attacker who can send a carefully crafted DTLS message can cause server
daemons that uses OpenSSL to crash, resulting a Denial of Service. [CVE-2014-8275]
IV. Workaround
No workaround is available.
V. Solution
Perform one of the following:
1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.
2) To update your vulnerable system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
3) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
[FreeBSD 8.4 and FreeBSD 9.3]
# fetch https://security.FreeBSD.org/patches/SA-15:01/openssl-9.3.patch
# fetch https://security.FreeBSD.org/patches/SA-15:01/openssl-9.3.patch.asc
# gpg --verify openssl-9.3.patch.asc
[FreeBSD 10.0]
# fetch https://security.FreeBSD.org/patches/SA-15:01/openssl-10.0.patch
# fetch https://security.FreeBSD.org/patches/SA-15:01/openssl-10.0.patch.asc
# gpg --verify openssl-10.0.patch.asc
[FreeBSD 10.1]
# fetch https://security.FreeBSD.org/patches/SA-15:01/openssl-10.1.patch
# fetch https://security.FreeBSD.org/patches/SA-15:01/openssl-10.1.patch.asc
# gpg --verify openssl-10.1.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
Restart all deamons using the library, or reboot the system.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/8/ r276865
releng/8.4/ r277195
stable/9/ r276865
releng/9.3/ r277195
stable/10/ r276864
releng/10.0/ r277195
releng/10.1/ r277195
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
<URL:https://www.openssl.org/news/secadv_20150108.txt>
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3569>
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3570>
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3571>
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3572>
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8275>
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0204>
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0205>
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0206>
The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-15:01.openssl.asc>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.1.1 (FreeBSD)
iQIcBAEBCgAGBQJUtuEaAAoJEO1n7NZdz2rnQCcP/A19v5HUUhjz5nMbUumRwAmB
QCxNKEy6SbAuxtIwGNYJyyxKIK3R9vTHwlgyQZVb4q8FgMHcu4yABeRfov10mO5Q
U7RkLOJyca6eqEngkrh+AFfbhqfxtccIMUQkDdegsQcqZd2Ya0VeNfjA8H0XIDoL
JSEoCifmxjv6v8ZcpugahsUOBmEWx+vyHJUSPVSv/AsLubzV3hqi4iLpzLky3/dR
4LHGzPny07NkGPVqOBU7mjTs76SzCTS2c4NIVfvbphx8UojMvREbZ8ogCMEVGBXY
fIWesi7Y6lhqbSgWj1EXyZF9NTo/Z4nr7Oh1ER5VSAfmhZAdyhEEEGQrg4Jq0VL3
DJ1Y35Up79xXmVjB14COxodI5UO+55wWnXb8r/zy/eh+wv0sHwlTz56wxo7SxAOa
xOrQj0VJ7zghLhBO7azacbVYIKpfQkJafb7XRUOqu4wt2y3/jeL+0UkWJnNMROrq
aQUB6SdGUVDwQsmodgF0rsGcQYXhaQBPu4KQo8yG8+rpqc2zewi537BJr/PWJvH0
sJ6yYcD7VGyIleVRDpxsg7uBWelnGn+AqHignbyUcic4j/N9lYlF00AVgka2TdOp
i5eZtp7m95v53S4fEX2HGwWpOv+AfCrSKQZGpvdNx+9JyD3LyOvFBxs4k0oZWa6J
6FLFZ38YkLcUIzW6I6Kc
=ztFk
-----END PGP SIGNATURE-----
.
References:
CVE-2015-0235 (SSRT101953)
CVE-2014-3569
CVE-2014-3570
CVE-2014-3571
CVE-2014-3572
CVE-2014-8275
CVE-2015-0204
CVE-2015-0205
CVE-2015-0206
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP ThinPro Linux (x86) v5.1
HP ThinPro Linux (x86) v5.0
HP ThinPro Linux (x86) v4.4
HP ThinPro Linux (x86) v4.3
HP ThinPro Linux (x86) v4.2
HP ThinPro Linux (x86) v4.1
HP ThinPro Linux (ARM) v4.4
HP ThinPro Linux (ARM) v4.3
HP ThinPro Linux (ARM) v4.2
HP ThinPro Linux (ARM) v4.1
BACKGROUND
CVSS 2.0 Base Metrics
===========================================================
Reference Base Vector Base Score
CVE-2014-3569 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0
CVE-2014-3570 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0
CVE-2014-3571 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0
CVE-2014-3572 (AV:N/AC:L/Au:N/C:N/I:P/A:N) 5.0
CVE-2014-8275 (AV:N/AC:L/Au:N/C:N/I:P/A:N) 5.0
CVE-2015-0204 (AV:N/AC:L/Au:N/C:N/I:P/A:N) 5.0
CVE-2015-0205 (AV:N/AC:L/Au:N/C:N/I:P/A:N) 5.0
CVE-2015-0206 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0
CVE-2015-0235 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
===========================================================
Information on CVSS is documented
in HP Customer Notice: HPSN-2008-002
RESOLUTION
HP has released the following software updates to resolve the vulnerability
for HP ThinPro Linux.
Softpaq:
http://ftp.hp.com/pub/softpaq/sp70501-71000/sp70649.exe
Easy Update Via ThinPro / EasyUpdate (x86):
http://ftp.hp.com/pub/tcdebian/updates/4.1/service_packs/security-sp-2.0-all-
4.1-4.3-x86.xar
http://ftp.hp.com/pub/tcdebian/updates/4.2/service_packs/security-sp-2.0-all-
4.1-4.3-x86.xar
http://ftp.hp.com/pub/tcdebian/updates/4.3/service_packs/security-sp-2.0-all-
4.1-4.3-x86.xar
http://ftp.hp.com/pub/tcdebian/updates/4.4/service_packs/security-sp-2.1-all-
4.4-x86.xar
http://ftp.hp.com/pub/tcdebian/updates/5.0/service_packs/security-sp-2.1-all-
5.0-5.1-x86.xar
http://ftp.hp.com/pub/tcdebian/updates/5.1/service_packs/security-sp-2.1-all-
5.0-5.1-x86.xar
Via ThinPro / EasyUpdate (ARM):
http://ftp.hp.com/pub/tcdebian/updates/4.1/service_packs/security-sp-2.0-all-
4.1-4.3-armel.xar
http://ftp.hp.com/pub/tcdebian/updates/4.2/service_packs/security-sp-2.0-all-
4.1-4.3-armel.xar
http://ftp.hp.com/pub/tcdebian/updates/4.3/service_packs/security-sp-2.0-all-
4.1-4.3-armel.xar
http://ftp.hp.com/pub/tcdebian/updates/4.4/service_packs/security-sp-2.0-all-
4.4-armel.xar
Note: Known issue on security-sp-2.0-all-4.1-4.3-arm.xar: With the patch
applied, VMware cannot connect if security level is set to "Refuse insecure
connections". Updating VMware to the latest package on ftp.hp.com will solve
the problem.
The updated packages have been upgraded to the 1.0.0p version where
these security flaws has been fixed.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3571
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0206
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3569
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3572
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0204
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0205
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8275
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3570
https://www.openssl.org/news/secadv_20150108.txt
_______________________________________________________________________
Updated Packages:
Mandriva Business Server 1/X86_64:
08baba1b5ee61bdd0bfbcf81d465f154 mbs1/x86_64/lib64openssl1.0.0-1.0.0p-1.mbs1.x86_64.rpm
51198a2b577e182d10ad72d28b67288e mbs1/x86_64/lib64openssl-devel-1.0.0p-1.mbs1.x86_64.rpm
aa34fd335001d83bc71810d6c0b14e85 mbs1/x86_64/lib64openssl-engines1.0.0-1.0.0p-1.mbs1.x86_64.rpm
c8b6fdaba18364b315e78761a5aa0c1c mbs1/x86_64/lib64openssl-static-devel-1.0.0p-1.mbs1.x86_64.rpm
fc67f3da9fcd1077128845ce85be93e2 mbs1/x86_64/openssl-1.0.0p-1.mbs1.x86_64.rpm
ab8f672de2bf2f0f412034f89624aa32 mbs1/SRPMS/openssl-1.0.0p-1.mbs1.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/en/support/security/advisories/
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iD8DBQFUr+PRmqjQ0CJFipgRAtFXAJ46+q0aetnJkb6I9RuYmX5xFeGx9wCgt1rb
LHbCdAkBpYHYSuaUwpiAu1w=
=ePa9
-----END PGP SIGNATURE-----
. OpenSSL Security Advisory [08 Jan 2015]
=======================================
DTLS segmentation fault in dtls1_get_record (CVE-2014-3571)
===========================================================
Severity: Moderate
A carefully crafted DTLS message can cause a segmentation fault in OpenSSL due
to a NULL pointer dereference. This could lead to a Denial Of Service attack.
This issue affects all current OpenSSL versions: 1.0.1, 1.0.0 and 0.9.8.
OpenSSL 1.0.1 DTLS users should upgrade to 1.0.1k.
OpenSSL 1.0.0 DTLS users should upgrade to 1.0.0p.
OpenSSL 0.9.8 DTLS users should upgrade to 0.9.8zd.
This issue was reported to OpenSSL on 22nd October 2014 by Markus Stenberg of
Cisco Systems, Inc. The fix was developed by Stephen Henson of the OpenSSL
core team.
DTLS memory leak in dtls1_buffer_record (CVE-2015-0206)
=======================================================
Severity: Moderate
A memory leak can occur in the dtls1_buffer_record function under certain
conditions. In particular this could occur if an attacker sent repeated DTLS
records with the same sequence number but for the next epoch. The memory leak
could be exploited by an attacker in a Denial of Service attack through memory
exhaustion.
This issue affects OpenSSL versions: 1.0.1 and 1.0.0.
OpenSSL 1.0.1 DTLS users should upgrade to 1.0.1k.
OpenSSL 1.0.0 DTLS users should upgrade to 1.0.0p.
This issue was reported to OpenSSL on 7th January 2015 by Chris Mueller who also
provided an initial patch. Further analysis was performed by Matt Caswell of the
OpenSSL development team, who also developed the final patch.
no-ssl3 configuration sets method to NULL (CVE-2014-3569)
=========================================================
Severity: Low
When openssl is built with the no-ssl3 option and a SSL v3 ClientHello is
received the ssl method would be set to NULL which could later result in
a NULL pointer dereference.
This issue affects all current OpenSSL versions: 1.0.1, 1.0.0 and 0.9.8.
OpenSSL 1.0.1 users should upgrade to 1.0.1k.
OpenSSL 1.0.0 users should upgrade to 1.0.0p.
OpenSSL 0.9.8 users should upgrade to 0.9.8zd.
This issue was reported to OpenSSL on 17th October 2014 by Frank Schmirler. The
fix was developed by Kurt Roeckx.
ECDHE silently downgrades to ECDH [Client] (CVE-2014-3572)
==========================================================
Severity: Low
An OpenSSL client will accept a handshake using an ephemeral ECDH ciphersuite
using an ECDSA certificate if the server key exchange message is omitted. This
effectively removes forward secrecy from the ciphersuite.
This issue affects all current OpenSSL versions: 1.0.1, 1.0.0 and 0.9.8.
OpenSSL 1.0.1 users should upgrade to 1.0.1k.
OpenSSL 1.0.0 users should upgrade to 1.0.0p.
OpenSSL 0.9.8 users should upgrade to 0.9.8zd.
This issue was reported to OpenSSL on 22nd October 2014 by Karthikeyan
Bhargavan of the PROSECCO team at INRIA. The fix was developed by Stephen
Henson of the OpenSSL core team.
RSA silently downgrades to EXPORT_RSA [Client] (CVE-2015-0204)
==============================================================
Severity: Low
An OpenSSL client will accept the use of an RSA temporary key in a non-export
RSA key exchange ciphersuite. A server could present a weak temporary key
and downgrade the security of the session.
This issue affects all current OpenSSL versions: 1.0.1, 1.0.0 and 0.9.8.
OpenSSL 1.0.1 users should upgrade to 1.0.1k.
OpenSSL 1.0.0 users should upgrade to 1.0.0p.
OpenSSL 0.9.8 users should upgrade to 0.9.8zd.
This issue was reported to OpenSSL on 22nd October 2014 by Karthikeyan
Bhargavan of the PROSECCO team at INRIA. The fix was developed by Stephen
Henson of the OpenSSL core team.
DH client certificates accepted without verification [Server] (CVE-2015-0205)
=============================================================================
Severity: Low
An OpenSSL server will accept a DH certificate for client authentication
without the certificate verify message. This effectively allows a client
to authenticate without the use of a private key. This only affects servers
which trust a client certificate authority which issues certificates
containing DH keys: these are extremely rare and hardly ever encountered.
This issue affects OpenSSL versions: 1.0.1 and 1.0.0.
OpenSSL 1.0.1 users should upgrade to 1.0.1k.
OpenSSL 1.0.0 users should upgrade to 1.0.0p.
This issue was reported to OpenSSL on 22nd October 2014 by Karthikeyan
Bhargavan of the PROSECCO team at INRIA. The fix was developed by Stephen
Henson of the OpenSSL core team.
Certificate fingerprints can be modified (CVE-2014-8275)
========================================================
Severity: Low
OpenSSL accepts several non-DER-variations of certificate signature
algorithm and signature encodings. OpenSSL also does not enforce a
match between the signature algorithm between the signed and unsigned
portions of the certificate. By modifying the contents of the
signature algorithm or the encoding of the signature, it is possible
to change the certificate's fingerprint.
This does not allow an attacker to forge certificates, and does not
affect certificate verification or OpenSSL servers/clients in any
other way. It also does not affect common revocation mechanisms. Only
custom applications that rely on the uniqueness of the fingerprint
(e.g. certificate blacklists) may be affected.
This issue affects all current OpenSSL versions: 1.0.1, 1.0.0 and
0.9.8.
OpenSSL 1.0.1 users should upgrade to 1.0.1k.
OpenSSL 1.0.0 users should upgrade to 1.0.0p.
OpenSSL 0.9.8 users should upgrade to 0.9.8zd.
One variant of this issue was discovered by Antti Karjalainen and
Tuomo Untinen from the Codenomicon CROSS program and reported to
OpenSSL on 1st December 2014 by NCSC-FI Vulnerability
Co-ordination. Another variant was independently reported to OpenSSL
on 12th December 2014 by Konrad Kraszewski from Google. Further
analysis was conducted and fixes were developed by Stephen Henson of
the OpenSSL core team.
Bignum squaring may produce incorrect results (CVE-2014-3570)
=============================================================
Severity: Low
Bignum squaring (BN_sqr) may produce incorrect results on some
platforms, including x86_64. This bug occurs at random with a very
low probability, and is not known to be exploitable in any way, though
its exact impact is difficult to determine. The following has been
determined:
*) The probability of BN_sqr producing an incorrect result at random
is very low: 1/2^64 on the single affected 32-bit platform (MIPS) and
1/2^128 on affected 64-bit platforms.
*) On most platforms, RSA follows a different code path and RSA
operations are not affected at all. For the remaining platforms
(e.g. OpenSSL built without assembly support), pre-existing
countermeasures thwart bug attacks [1].
*) Static ECDH is theoretically affected: it is possible to construct
elliptic curve points that would falsely appear to be on the given
curve. However, there is no known computationally feasible way to
construct such points with low order, and so the security of static
ECDH private keys is believed to be unaffected.
*) Other routines known to be theoretically affected are modular
exponentiation, primality testing, DSA, RSA blinding, JPAKE and
SRP. No exploits are known and straightforward bug attacks fail -
either the attacker cannot control when the bug triggers, or no
private key material is involved.
This issue affects all current OpenSSL versions: 1.0.1, 1.0.0 and 0.9.8.
OpenSSL 1.0.1 users should upgrade to 1.0.1k.
OpenSSL 1.0.0 users should upgrade to 1.0.0p.
OpenSSL 0.9.8 users should upgrade to 0.9.8zd.
This issue was reported to OpenSSL on 2nd November 2014 by Pieter Wuille
(Blockstream) who also suggested an initial fix. Further analysis was
conducted by the OpenSSL development team and Adam Langley of
Google. The final fix was developed by Andy Polyakov of the OpenSSL
core team.
[1] http://css.csail.mit.edu/6.858/2013/readings/rsa-bug-attacks.pdf
Note
====
As per our previous announcements and our Release Strategy
(https://www.openssl.org/about/releasestrat.html), support for OpenSSL versions
1.0.0 and 0.9.8 will cease on 31st December 2015. No security updates for these
releases will be provided after that date. Users of these releases are advised
to upgrade.
References
==========
URL for this Security Advisory:
https://www.openssl.org/news/secadv_20150108.txt
Note: the online version of the advisory may be updated with additional
details over time.
For details of OpenSSL severity classifications please see:
https://www.openssl.org/about/secpolicy.html
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Note: the current version of the following document is available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/
docDisplay?docId=emr_na-c04556853
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c04556853
Version: 2
HPSBUX03244 SSRT101885 rev.2 - HP-UX Running OpenSSL, Remote Denial of
Service (DoS) and Other Vulnerabilites
NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.
Release Date: 2015-02-25
Last Updated: 2015-02-25
Potential Security Impact: Remote Denial of Service (DoS) and other
vulnerabilites
Source: Hewlett-Packard Company, HP Software Security Response Team
VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified with HP-UX running
OpenSSL. These vulnerabilities could be exploited remotely to create a remote
Denial of Service (DoS) and other vulnerabilites.
References:
CVE-2014-8275 Cryptographic Issues (CWE-310)
CVE-2014-3569 Remote Denial of Service (DoS)
CVE-2014-3570 Cryptographic Issues (CWE-310)
CVE-2014-3571 Remote Denial of Service (DoS)
CVE-2014-3572 Cryptographic Issues (CWE-310)
CVE-2015-0204 Cryptographic Issues (CWE-310)
SSRT101885
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP-UX B.11.11, B.11.23, B.11.31 running OpenSSL versions before v0.9.8ze
BACKGROUND
CVSS 2.0 Base Metrics
===========================================================
Reference Base Vector Base Score
CVE-2014-3569 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0
CVE-2014-3570 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0
CVE-2014-3571 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0
CVE-2014-3572 (AV:N/AC:L/Au:N/C:N/I:P/A:N) 5.0
CVE-2014-8275 (AV:N/AC:L/Au:N/C:N/I:P/A:N) 5.0
CVE-2015-0204 (AV:N/AC:L/Au:N/C:N/I:P/A:N) 5.0
===========================================================
Information on CVSS is documented
in HP Customer Notice: HPSN-2008-002
RESOLUTION
HP has provided the following updates to resolve these vulnerabilities. The
updates are available from either of the following sites:
ftp://sl098ze:Secure12@h2.usa.hp.com
https://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber
=OPENSSL11I
HP-UX Release
HP-UX OpenSSL depot name
B.11.11 (11i v1)
OpenSSL_A.00.09.08ze.001_HP-UX_B.11.11_32_64.depot
B.11.23 (11i v2)
OpenSSL_A.00.09.08ze.002_HP-UX_B.11.23_IA-PA.depot
B.11.31 (11i v3)
OpenSSL_A.00.09.08ze.003_HP-UX_B.11.31_IA-PA.depot
MANUAL ACTIONS: Yes - Update
Install OpenSSL A.00.09.08ze or subsequent
PRODUCT SPECIFIC INFORMATION
HP-UX Software Assistant: HP-UX Software Assistant is an enhanced application
that replaces HP-UX Security Patch Check. It analyzes all Security Bulletins
issued by HP and lists recommended actions that may apply to a specific HP-UX
system. It can also download patches and create a depot automatically. For
more information see: https://www.hp.com/go/swa
The following text is for use by the HP-UX Software Assistant.
AFFECTED VERSIONS
HP-UX B.11.11
==================
openssl.OPENSSL-CER
openssl.OPENSSL-CONF
openssl.OPENSSL-DOC
openssl.OPENSSL-INC
openssl.OPENSSL-LIB
openssl.OPENSSL-MAN
openssl.OPENSSL-MIS
openssl.OPENSSL-PRNG
openssl.OPENSSL-PVT
openssl.OPENSSL-RUN
openssl.OPENSSL-SRC
action: install revision A.00.09.08ze.001 or subsequent
HP-UX B.11.23
==================
openssl.OPENSSL-CER
openssl.OPENSSL-CONF
openssl.OPENSSL-DOC
openssl.OPENSSL-INC
openssl.OPENSSL-LIB
openssl.OPENSSL-MAN
openssl.OPENSSL-MIS
openssl.OPENSSL-PRNG
openssl.OPENSSL-PVT
openssl.OPENSSL-RUN
openssl.OPENSSL-SRC
action: install revision A.00.09.08ze.002 or subsequent
HP-UX B.11.31
==================
openssl.OPENSSL-CER
openssl.OPENSSL-CONF
openssl.OPENSSL-DOC
openssl.OPENSSL-INC
openssl.OPENSSL-LIB
openssl.OPENSSL-MAN
openssl.OPENSSL-MIS
openssl.OPENSSL-PRNG
openssl.OPENSSL-PVT
openssl.OPENSSL-RUN
openssl.OPENSSL-SRC
action: install revision A.00.09.08ze.003 or subsequent
END AFFECTED VERSIONS
HISTORY
Version:1 (rev.1) - 25 February 2015 Initial release
Version:2 (rev.2) - 25 February 2015 Corrected bulletin number
Third Party Security Patches: Third party security patches that are to be
installed on systems running HP software products should be applied in
accordance with the customer's patch management policy.
Support: For issues about implementing the recommendations of this Security
Bulletin, contact normal HP Services support channel. For other issues about
the content of this Security Bulletin, send e-mail to security-alert@hp.com.
Report: To report a potential security vulnerability with any HP supported
product, send Email to: security-alert@hp.com
Subscribe: To initiate a subscription to receive future HP Security Bulletin
alerts via Email:
http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins
Security Bulletin Archive: A list of recently released Security Bulletins is
available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/
Software Product Category: The Software Product Category is represented in
the title by the two characters following HPSB.
3C = 3COM
3P = 3rd Party Software
GN = HP General Software
HF = HP Hardware and Firmware
MP = MPE/iX
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PI = Printing and Imaging
PV = ProCurve
ST = Storage Software
TU = Tru64 UNIX
UX = HP-UX
Copyright 2015 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or editorial errors
or omissions contained herein. The information provided is provided "as is"
without warranty of any kind. To the extent permitted by law, neither HP or
its affiliates, subcontractors or suppliers will be liable for
incidental,special or consequential damages including downtime cost; lost
profits; damages relating to the procurement of substitute products or
services; or damages for loss of data, or software restoration. The
information in this document is subject to change without notice.
Hewlett-Packard Company and the names of Hewlett-Packard products referenced
herein are trademarks of Hewlett-Packard Company in the United States and
other countries. Other product and company names mentioned herein may be
trademarks of their respective owners
| VAR-201410-1440 | No CVE | ZTE ZXDSL 931VII 'manager_dev_config_t.gch' Information Disclosure Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
ZTE ZXDSL is an ADSL device. ZTE ZXDSL 931VII is a router product of ZTE Corporation of China.
An information disclosure vulnerability exists in ZTE ZXDSL 931VII. Attackers can use this vulnerability to gain access to sensitive information and launch other attacks. ZTE ZXDSL 931VII is prone to an information-disclosure vulnerability
| VAR-201501-0149 | CVE-2014-2355 | GE Proficy HMI/SCADA-CIMPLICITY Vulnerability gained in |
CVSS V2: 6.9 CVSS V3: - Severity: MEDIUM |
The (1) CimView and (2) CimEdit components in GE Proficy HMI/SCADA-CIMPLICITY 8.2 and earlier allow remote attackers to gain privileges via a crafted CIMPLICITY screen (aka .CIM) file. GE Intelligent Platforms Proficy HMI/SCADA\342\200\223iFIX is the world's leading industrial automation software solution that provides process visualization, data acquisition and data monitoring for production operations. GE Proficy HMI/SCADA-CIMPLICITY has multiple local buffer overflow vulnerabilities that allow a local attacker to exploit this vulnerability to execute arbitrary code in the context of an application. Failed exploit attempts may result in a denial-of-service condition
| VAR-201410-1153 | CVE-2014-5425 | IOServer Out of bounds read denial of service vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
IOServer before Beta2112.exe allows remote attackers to cause a denial of service (out-of-bounds read and master entry consumption) via a null DNP3 header. IOServer is a Windows-based OPC server that allows OPC clients such as human-machine interfaces and monitoring and data acquisition systems to exchange factory data with programmable logic circuits. IOServer is prone to a denial-of-service vulnerability.
IOServer 1.0.20 and prior are vulnerable
| VAR-201410-1081 | CVE-2014-4447 | Apple OS X Server Profile Manager Vulnerability to Get Plaintext Password |
CVSS V2: 1.9 CVSS V3: - Severity: LOW |
Profile Manager in Apple OS X Server before 4.0 allows local users to discover cleartext passwords by reading a file after a (1) profile setup or (2) profile edit occurs. Apple Mac OS X Server is prone to a local information-disclosure vulnerability.
Successful exploits may allow the attacker to gain access to sensitive information. Information obtained may lead to further attacks. The software enables file sharing, meeting scheduling, website hosting, network remote access, and more. A local attacker could exploit this vulnerability by reading settings or edited configuration files to discover clear text passwords. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
APPLE-SA-2014-10-16-3 OS X Server v4.0
OS X Server v4.0 is now available and addresses the following:
BIND
Available for: OS X Yosemite v10.10 or later
Impact: Multiple vulnerabilities in BIND, the most serious of which
may lead to a denial of service
Description: Multiple vulnerabilities existed in BIND. These issues
were addressed by updating BIND to version 9.9.2-P2
CVE-ID
CVE-2013-3919
CVE-2013-4854
CVE-2014-0591
CoreCollaboration
Available for: OS X Yosemite v10.10 or later
Impact: A remote attacker may be able to execute arbitrary SQL
queries
Description: A SQL injection issue existed in Wiki Server. This
issue was addressed through additional validation of SQL queries.
CVE-ID
CVE-2014-4424 : Sajjad Pourali (sajjad@securation.com) of CERT of
Ferdowsi University of Mashhad
CoreCollaboration
Available for: OS X Yosemite v10.10 or later
Impact: Visiting a maliciously crafted website may lead to a cross-
site scripting attack
Description: A cross-site scripting issue existed in Xcode Server.
This issue was addressed through improved encoding of HTML output.
CVE-ID
CVE-2014-4406 : David Hoyt of Hoyt LLC
CoreCollaboration
Available for: OS X Yosemite v10.10 or later
Impact: Multiple vulnerabilities in PostgreSQL, the most serious of
which may lead to arbitrary code execution
Description: Multiple vulnerabilities existed in PostgreSQL. These
issues were addressed by updating PostgreSQL to version 9.2.7.
CVE-ID
CVE-2014-0060
CVE-2014-0061
CVE-2014-0062
CVE-2014-0063
CVE-2014-0064
CVE-2014-0065
CVE-2014-0066
Mail Service
Available for: OS X Yosemite v10.10 or later
Impact: Group SACL changes for Mail may not be respected until after
a restart of the Mail service
Description: SACL settings for Mail were cached and changes to the
SACLs were not respected until after a restart of the Mail service.
This issue was addressed by resetting the cache upon changes to the
SACLs.
CVE-ID
CVE-2014-4446 : Craig Courtney
Profile Manager
Available for: OS X Yosemite v10.10 or later
Impact: Multiple vulnerabilities in LibYAML, the most serious of
which may lead to arbitrary code execution
Description: Multiple vulnerabilities existed in LibYAML. These
issues were addressed by switching from YAML to JSON as Profile
Manager's internal serialization format. This
issue was addressed through improved handling of credentials.
CVE-ID
CVE-2014-4447 : Mayo Jordanov
Server
Available for: OS X Yosemite v10.10 or later
Impact: An attacker may be able to decrypt data protected by SSL
Description: There are known attacks on the confidentiality of SSL
3.0 when a cipher suite uses a block cipher in CBC mode. An attacker
could force the use of SSL 3.0, even when the server would support a
better TLS version, by blocking TLS 1.0 and higher connection
attempts. This issue was addressed by disabling SSL 3.0 support in
Web Server, Calendar & Contacts Server, and Remote Administration.
CVE-ID
CVE-2014-3566 : Bodo Moeller, Thai Duong, and Krzysztof Kotowicz of
Google Security Team
ServerRuby
Available for: OS X Yosemite v10.10 or later
Impact: Running a Ruby script that handles untrusted YAML tags may
lead to an unexpected application termination or arbitrary code
execution
Description: An integer overflow issue existed in LibYAML's handling
of YAML tags. This issue was addressed through additional validation
of YAML tags. This issue does not affect systems prior to OS X
Mavericks.
Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.22 (Darwin)
Comment: GPGTools - http://gpgtools.org
iQIcBAEBAgAGBQJUQCLKAAoJEBcWfLTuOo7tqr0P/1fGVeD8xAAgMRpH/hYYkKpj
CGKAUBfTXM9clAhUHP1Es+T1qG67JX9CNrrl5yKMQCupojgNIkO1D0Pj5QlLZzkL
HR6AgI8eYeykiw8VRFI8DC7f3q/A1aRrijj8bPQ6BoPUq28Vya/GjEAMxV1l21l1
qLyNiDH8X8DC/CWyxOXVMD4yqIpzCOPEIAvgV1aB0z1UEdw7fLLBCEIAkNR3tL9M
5OlRT8X4dzpx3YpTvlB9s7zIAPtLgTjcVpPbkT2yJ9OZsewml2aFM7NWDYpYhIRg
z7bOMmKZep15a+XeXH7cdqXMfHW/XGdkYF/4Z85wHG44Kebaikq+K0XoTxjHlqXi
9rtNdcwh+p4DxTQNO0fK7WbfAo7FiF6aonY9D9hp47jbhB9KODVeOpqo6B7sOudq
tBAAS1pBbrsULUWRCZRaN3LlPigtInqIIPuLGVQx4ApUo1guxXb0A88ZU3yiR+Bl
RJHAEoevKjqhLiZDt1V8sSk6sPAh7p02deP5RDIwNJfapP+RrXoJ6knexRD44kNb
MwVD6a2EcOoRFgwcjvgFZ1etpoHT/VAs7Ql/GjWN5snDLsZ/vlGtSPn1i3kjkxBZ
oYDmJfC91RoC6exW7img3H9csN0sgtVGJRLrf6cdg41EjVjQaUUVQfBn/DVVyMb8
fIWnhQEvESJVqfrk3Q3X
=LbVb
-----END PGP SIGNATURE-----
| VAR-201410-1080 | CVE-2014-4446 | Apple OS X Server Vulnerabilities that prevent access restrictions in email services |
CVSS V2: 2.1 CVSS V3: - Severity: LOW |
Mail Service in Apple OS X Server before 4.0 does not enforce SACL changes until after a service restart, which allows remote authenticated users to bypass intended access restrictions in opportunistic circumstances by leveraging a change made by an administrator. Apple Mac OS X is prone to a remote denial of service vulnerability.
A remote attacker can leverage this issue to cause a denial of service condition, denying service to legitimate users. The software enables file sharing, meeting scheduling, website hosting, network remote access, and more. A remote attacker could exploit this vulnerability to bypass established access restrictions. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
APPLE-SA-2014-10-16-3 OS X Server v4.0
OS X Server v4.0 is now available and addresses the following:
BIND
Available for: OS X Yosemite v10.10 or later
Impact: Multiple vulnerabilities in BIND, the most serious of which
may lead to a denial of service
Description: Multiple vulnerabilities existed in BIND. These issues
were addressed by updating BIND to version 9.9.2-P2
CVE-ID
CVE-2013-3919
CVE-2013-4854
CVE-2014-0591
CoreCollaboration
Available for: OS X Yosemite v10.10 or later
Impact: A remote attacker may be able to execute arbitrary SQL
queries
Description: A SQL injection issue existed in Wiki Server. This
issue was addressed through additional validation of SQL queries.
CVE-ID
CVE-2014-4424 : Sajjad Pourali (sajjad@securation.com) of CERT of
Ferdowsi University of Mashhad
CoreCollaboration
Available for: OS X Yosemite v10.10 or later
Impact: Visiting a maliciously crafted website may lead to a cross-
site scripting attack
Description: A cross-site scripting issue existed in Xcode Server.
This issue was addressed through improved encoding of HTML output.
CVE-ID
CVE-2014-4406 : David Hoyt of Hoyt LLC
CoreCollaboration
Available for: OS X Yosemite v10.10 or later
Impact: Multiple vulnerabilities in PostgreSQL, the most serious of
which may lead to arbitrary code execution
Description: Multiple vulnerabilities existed in PostgreSQL. These
issues were addressed by updating PostgreSQL to version 9.2.7.
This issue was addressed by resetting the cache upon changes to the
SACLs.
CVE-ID
CVE-2014-4446 : Craig Courtney
Profile Manager
Available for: OS X Yosemite v10.10 or later
Impact: Multiple vulnerabilities in LibYAML, the most serious of
which may lead to arbitrary code execution
Description: Multiple vulnerabilities existed in LibYAML. These
issues were addressed by switching from YAML to JSON as Profile
Manager's internal serialization format.
CVE-ID
CVE-2013-4164
CVE-2013-6393
Profile Manager
Available for: OS X Yosemite v10.10 or later
Impact: A local user may obtain passwords after setting up or
editing profiles in Profile Manager
Description: In certain circumstances, setting up or editing
profiles in Profile Manager may have logged passwords to a file. This
issue was addressed through improved handling of credentials.
CVE-ID
CVE-2014-4447 : Mayo Jordanov
Server
Available for: OS X Yosemite v10.10 or later
Impact: An attacker may be able to decrypt data protected by SSL
Description: There are known attacks on the confidentiality of SSL
3.0 when a cipher suite uses a block cipher in CBC mode. An attacker
could force the use of SSL 3.0, even when the server would support a
better TLS version, by blocking TLS 1.0 and higher connection
attempts. This issue was addressed by disabling SSL 3.0 support in
Web Server, Calendar & Contacts Server, and Remote Administration.
CVE-ID
CVE-2014-3566 : Bodo Moeller, Thai Duong, and Krzysztof Kotowicz of
Google Security Team
ServerRuby
Available for: OS X Yosemite v10.10 or later
Impact: Running a Ruby script that handles untrusted YAML tags may
lead to an unexpected application termination or arbitrary code
execution
Description: An integer overflow issue existed in LibYAML's handling
of YAML tags. This issue was addressed through additional validation
of YAML tags. This issue does not affect systems prior to OS X
Mavericks.
CVE-ID
CVE-2013-6393
OS X Server v4.0 may be obtained from the Mac App Store.
Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.22 (Darwin)
Comment: GPGTools - http://gpgtools.org
iQIcBAEBAgAGBQJUQCLKAAoJEBcWfLTuOo7tqr0P/1fGVeD8xAAgMRpH/hYYkKpj
CGKAUBfTXM9clAhUHP1Es+T1qG67JX9CNrrl5yKMQCupojgNIkO1D0Pj5QlLZzkL
HR6AgI8eYeykiw8VRFI8DC7f3q/A1aRrijj8bPQ6BoPUq28Vya/GjEAMxV1l21l1
qLyNiDH8X8DC/CWyxOXVMD4yqIpzCOPEIAvgV1aB0z1UEdw7fLLBCEIAkNR3tL9M
5OlRT8X4dzpx3YpTvlB9s7zIAPtLgTjcVpPbkT2yJ9OZsewml2aFM7NWDYpYhIRg
z7bOMmKZep15a+XeXH7cdqXMfHW/XGdkYF/4Z85wHG44Kebaikq+K0XoTxjHlqXi
9rtNdcwh+p4DxTQNO0fK7WbfAo7FiF6aonY9D9hp47jbhB9KODVeOpqo6B7sOudq
tBAAS1pBbrsULUWRCZRaN3LlPigtInqIIPuLGVQx4ApUo1guxXb0A88ZU3yiR+Bl
RJHAEoevKjqhLiZDt1V8sSk6sPAh7p02deP5RDIwNJfapP+RrXoJ6knexRD44kNb
MwVD6a2EcOoRFgwcjvgFZ1etpoHT/VAs7Ql/GjWN5snDLsZ/vlGtSPn1i3kjkxBZ
oYDmJfC91RoC6exW7img3H9csN0sgtVGJRLrf6cdg41EjVjQaUUVQfBn/DVVyMb8
fIWnhQEvESJVqfrk3Q3X
=LbVb
-----END PGP SIGNATURE-----
| VAR-201410-1079 | CVE-2014-4444 | Apple OS X of SecurityAgent Vulnerability gained in |
CVSS V2: 4.4 CVSS V3: - Severity: MEDIUM |
SecurityAgent in Apple OS X before 10.10 does not ensure that a Kerberos ticket is in the cache for the correct user, which allows local users to gain privileges in opportunistic circumstances by leveraging a Fast User Switching login. Apple Mac OS X is prone to a local security-bypass vulnerability.
Attackers can exploit this issue to bypass certain security restrictions and perform unauthorized actions. The vulnerability stems from the program not ensuring that Kerberos tickets are cached for the correct user
| VAR-201410-1078 | CVE-2014-4443 | Apple OS X Service disruption in (DoS) Vulnerabilities |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Apple OS X before 10.10 allows remote attackers to cause a denial of service (NULL pointer dereference) via crafted ASN.1 data. Apple Mac OS X is prone to a remote denial-of-service vulnerability.
A remote attacker can leverage this issue to crash the affected application, denying service to legitimate users
| VAR-201410-1077 | CVE-2014-4442 | Apple OS X Service disruption in some kernels (DoS) Vulnerabilities |
CVSS V2: 4.7 CVSS V3: - Severity: MEDIUM |
The kernel in Apple OS X before 10.10 allows local users to cause a denial of service (panic) via a message to a system control socket. Apple Mac OS X is prone to a local denial-of-service vulnerability.
A local attacker can leverage this issue to terminate the affected system, denying service to legitimate users
| VAR-201410-1076 | CVE-2014-4441 | Apple OS X of NetFS Client framework file read vulnerability |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
NetFS Client Framework in Apple OS X before 10.10 does not ensure that the disabling of File Sharing is always possible, which allows remote attackers to read or write to files by leveraging a state in which File Sharing is permanently enabled. Apple Mac OS X is prone to an information-disclosure vulnerability.
Successful attacks will allow attackers to obtain sensitive information that can aid in further attacks. A remote attacker could exploit this vulnerability to read or write files
| VAR-201410-1075 | CVE-2014-4440 | Apple OS X of MCX Vulnerability in obtaining important information in the implementation of desktop configuration profiles |
CVSS V2: 2.6 CVSS V3: - Severity: LOW |
The MCX Desktop Config Profiles implementation in Apple OS X before 10.10 retains web-proxy settings from uninstalled mobile-configuration profiles, which allows remote attackers to obtain sensitive information in opportunistic circumstances by leveraging access to an unintended proxy server. Apple Mac OS X is prone to a local security-bypass vulnerability.
Attackers can exploit this issue to bypass certain security restrictions and perform unauthorized actions. A remote attacker could exploit this vulnerability by accessing a proxy server to obtain sensitive information
| VAR-201410-1074 | CVE-2014-4439 | Apple OS X Vulnerability in the collection of important information in an email application |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Mail in Apple OS X before 10.10 does not properly recognize the removal of a recipient address from a message, which makes it easier for remote attackers to obtain sensitive information in opportunistic circumstances by reading a message intended exclusively for other recipients. Apple Mac OS X is prone to an information-disclosure vulnerability.
An attacker can leverage this issue to gain access to sensitive information. The vulnerability stems from the fact that the program does not process the delete recipient address operation in the message in time
| VAR-201410-1073 | CVE-2014-4438 | Apple OS X of LoginWindow Vulnerabilities that gain access |
CVSS V2: 6.9 CVSS V3: - Severity: MEDIUM |
Race condition in LoginWindow in Apple OS X before 10.10 allows physically proximate attackers to obtain access by leveraging an unattended workstation on which screen locking had been attempted. Apple Mac OS X is prone to a race-condition security vulnerability.
A local attacker can leverage this issue to gain unauthorized access to the affected system
| VAR-201410-1072 | CVE-2014-4437 | Apple OS X of LaunchServices Vulnerability that bypasses sandbox restrictions |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
LaunchServices in Apple OS X before 10.10 allows attackers to bypass intended sandbox restrictions via an application that specifies a crafted handler for the Content-Type field of an object. Apple Mac OS X is prone to a local security-bypass vulnerability.
A remote attacker can leverage this issue to perform unauthorized actions.
Versions prior to Apple Mac OS X 10.10 are vulnerable
| VAR-201410-1071 | CVE-2014-4436 | Apple OS X of IOHIDFamily Service disruption in (DoS) Vulnerability |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
IOHIDFamily in Apple OS X before 10.10 allows attackers to cause denial of service (out-of-bounds read operation) via a crafted application.
A remote attacker can leverage this issue to crash the affected application, denying service to legitimate users
| VAR-201410-1070 | CVE-2014-4435 | Apple OS X of "iCloud Find My Mac" Vulnerabilities for which access rights are acquired in functions |
CVSS V2: 4.4 CVSS V3: - Severity: MEDIUM |
The "iCloud Find My Mac" feature in Apple OS X before 10.10 does not properly enforce rate limiting of lost-mode PIN entry, which makes it easier for physically proximate attackers to obtain access via a brute-force attack involving a series of reboots. Apple Mac OS X is prone to a remote security vulnerability.
Attackers can exploit this issue with brute-force techniques to obtain sensitive information that can aid in further attacks.
Apple Mac OS X versions prior to 10.10 are vulnerable
| VAR-201410-1069 | CVE-2014-4391 | Apple OS X Vulnerabilities bypassing application author restrictions in code signing function |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
The Code Signing feature in Apple OS X before 10.10 does not properly handle incomplete resource envelopes in signed bundles, which allows remote attackers to bypass intended app-author restrictions by omitting an execution-related resource. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within Gatekeeper. The issue lies in the usage of signed applications that do not sign the frameworks they depend on. An attacker can leverage this vulnerability to execute code under the context of the user. Apple Mac OS X is prone to a security-bypass vulnerability.
Attackers can exploit this issue to bypass certain security restrictions and perform unauthorized actions. This may aid in further attacks. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
APPLE-SA-2014-10-16-1 OS X Yosemite v10.10
OS X Yosemite v10.10 is now available and addresses the following:
802.1X
Impact: An attacker can obtain WiFi credentials
Description: An attacker could have impersonated a WiFi access
point, offered to authenticate with LEAP, broken the MS-CHAPv1 hash,
and used the derived credentials to authenticate to the intended
access point even if that access point supported stronger
authentication methods. This issue was addressed by disabling LEAP by
default.
CVE-ID
CVE-2014-4364 : Pieter Robyns, Bram Bonne, Peter Quax, and Wim
Lamotte of Universiteit Hasselt
AFP File Server
Impact: A remote attacker could determine all the network addresses
of the system
Description: The AFP file server supported a command which returned
all the network addresses of the system. This issue was addressed by
removing the addresses from the result.
CVE-ID
CVE-2014-4426 : Craig Young of Tripwire VERT
apache
Impact: Multiple vulnerabilities in Apache
Description: Multiple vulnerabilities existed in Apache, the most
serious of which may lead to a denial of service. These issues were
addressed by updating Apache to version 2.4.9.
CVE-ID
CVE-2013-6438
CVE-2014-0098
App Sandbox
Impact: An application confined by sandbox restrictions may misuse
the accessibility API
Description: A sandboxed application could misuse the accessibility
API without the user's knowledge. This has been addressed by
requiring administrator approval to use the accessibility API on an
per-application basis.
CVE-ID
CVE-2014-4427 : Paul S. Ziegler of Reflare UG
Bash
Impact: In certain configurations, a remote attacker may be able to
execute arbitrary shell commands
Description: An issue existed in Bash's parsing of environment
variables. This issue was addressed through improved environment
variable parsing by better detecting the end of the function
statement. This update also incorporated the suggested CVE-2014-7169
change, which resets the parser state. In addition, this update
added a new namespace for exported functions by creating a function
decorator to prevent unintended header passthrough to Bash. The names
of all environment variables that introduce function definitions are
required to have a prefix "__BASH_FUNC<" and suffix ">()" to prevent
unintended function passing via HTTP headers.
CVE-ID
CVE-2014-6271 : Stephane Chazelas
CVE-2014-7169 : Tavis Ormandy
Bluetooth
Impact: A malicious Bluetooth input device may bypass pairing
Description: Unencrypted connections were permitted from Human
Interface Device-class Bluetooth Low Energy devices. If a Mac had
paired with such a device, an attacker could spoof the legitimate
device to establish a connection. The issue was addressed by denying
unencrypted HID connections.
CVE-ID
CVE-2014-4428 : Mike Ryan of iSEC Partners
CFPreferences
Impact: The 'require password after sleep or screen saver begins'
preference may not be respected until after a reboot
Description: A session management issue existed in the handling of
system preference settings. This issue was addressed through improved
session tracking.
CVE-ID
CVE-2014-4425
Certificate Trust Policy
Impact: Update to the certificate trust policy
Description: The certificate trust policy was updated. The complete
list of certificates may be viewed at
http://support.apple.com/kb/HT6005.
CoreStorage
Impact: An encrypted volume may stay unlocked when ejected
Description: When an encrypted volume was logically ejected while
mounted, the volume was unmounted but the keys were retained, so it
could have been mounted again without the password. This issue was
addressed by erasing the keys on eject.
CVE-ID
CVE-2014-4430 : Benjamin King at See Ben Click Computer Services LLC,
Karsten Iwen, Dustin Li (http://dustin.li/), Ken J. Takekoshi, and
other anonymous researchers
CUPS
Impact: A local user can execute arbitrary code with system
privileges
Description: When the CUPS web interface served files, it would
follow symlinks. A local user could create symlinks to arbitrary
files and retrieve them through the web interface. This issue was
addressed by disallowing symlinks to be served via the CUPS web
interface.
CVE-ID
CVE-2014-3537
Dock
Impact: In some circumstances, windows may be visible even when the
screen is locked
Description: A state management issue existed in the handling of the
screen lock. This issue was addressed through improved state
tracking.
CVE-ID
CVE-2014-4431 : Emil Sjolander of Umea University
fdesetup
Impact: The fdesetup command may provide misleading status for the
state of encryption on disk
Description: After updating settings, but before rebooting, the
fdesetup command provided misleading status. This issue was addressed
through improved status reporting.
CVE-ID
CVE-2014-4432
iCloud Find My Mac
Impact: iCloud Lost mode PIN may be bruteforced
Description: A state persistence issue in rate limiting allowed
brute force attacks on iCloud Lost mode PIN. This issue was addressed
through improved state persistence across reboots.
CVE-ID
CVE-2014-4435 : knoy
IOAcceleratorFamily
Impact: An application may cause a denial of service
Description: A NULL pointer dereference was present in the
IntelAccelerator driver. The issue was addressed through improved
error handling.
CVE-ID
CVE-2014-4373 : cunzhang from Adlab of Venustech
IOHIDFamily
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: A null pointer dereference existed in IOHIDFamily's
handling of key-mapping properties. This issue was addressed through
improved validation of IOHIDFamily key-mapping properties.
CVE-ID
CVE-2014-4405 : Ian Beer of Google Project Zero
IOHIDFamily
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: A heap buffer overflow existed in IOHIDFamily's
handling of key-mapping properties. This issue was addressed through
improved bounds checking.
CVE-ID
CVE-2014-4404 : Ian Beer of Google Project Zero
IOHIDFamily
Impact: An application may cause a denial of service
Description: A out-of-bounds memory read was present in the
IOHIDFamily driver. The issue was addressed through improved input
validation.
CVE-ID
CVE-2014-4436 : cunzhang from Adlab of Venustech
IOHIDFamily
Impact: A user may be able to execute arbitrary code with system
privileges
Description: An out-of-bounds write issue exited in the IOHIDFamily
driver. The issue was addressed through improved input validation.
CVE-ID
CVE-2014-4380 : cunzhang from Adlab of Venustech
IOKit
Impact: A malicious application may be able to read uninitialized
data from kernel memory
Description: An uninitialized memory access issue existed in the
handling of IOKit functions. This issue was addressed through
improved memory initialization.
CVE-ID
CVE-2014-4407 : @PanguTeam
IOKit
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: A validation issue existed in the handling of certain
metadata fields of IODataQueue objects. This issue was addressed
through improved validation of metadata.
CVE-ID
CVE-2014-4388 : @PanguTeam
IOKit
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: A validation issue existed in the handling of certain
metadata fields of IODataQueue objects. This issue was addressed
through improved validation of metadata.
CVE-ID
CVE-2014-4418 : Ian Beer of Google Project Zero
Kernel
Impact: A local user may be able to determine kernel memory layout
Description: Multiple uninitialized memory issues existed in the
network statistics interface, which led to the disclosure of kernel
memory content. This issue was addressed through additional memory
initialization.
CVE-ID
CVE-2014-4371 : Fermin J. Serna of the Google Security Team
CVE-2014-4419 : Fermin J. Serna of the Google Security Team
CVE-2014-4420 : Fermin J. Serna of the Google Security Team
CVE-2014-4421 : Fermin J. Serna of the Google Security Team
Kernel
Impact: A maliciously crafted file system may cause unexpected
system shutdown or arbitrary code execution
Description: A heap-based buffer overflow issue existed in the
handling of HFS resource forks. A maliciously crafted filesystem may
cause an unexpected system shutdown or arbitrary code execution with
kernel privileges. The issue was addressed through improved bounds
checking.
CVE-ID
CVE-2014-4433 : Maksymilian Arciemowicz
Kernel
Impact: A malicious file system may cause unexpected system shutdown
Description: A NULL dereference issue existed in the handling of HFS
filenames. A maliciously crafted filesystem may cause an unexpected
system shutdown. This issue was addressed by avoiding the NULL
dereference.
CVE-ID
CVE-2014-4434 : Maksymilian Arciemowicz
Kernel
Impact: A local user may be able to cause an unexpected system
termination or arbitrary code execution in the kernel
Description: A double free issue existed in the handling of Mach
ports. This issue was addressed through improved validation of Mach
ports.
CVE-ID
CVE-2014-4375 : an anonymous researcher
Kernel
Impact: A person with a privileged network position may cause a
denial of service
Description: A race condition issue existed in the handling of IPv6
packets. This issue was addressed through improved lock state
checking.
CVE-ID
CVE-2011-2391 : Marc Heuse
Kernel
Impact: A local user may be able to cause an unexpected system
termination or arbitrary code execution in the kernel
Description: An out-of-bounds read issue existed in rt_setgate. This
may lead to memory disclosure or memory corruption. This issue was
addressed through improved bounds checking.
CVE-ID
CVE-2014-4408
Kernel
Impact: A local user can cause an unexpected system termination
Description: A reachable panic existed in the handling of messages
sent to system control sockets. This issue was addressed through
additional validation of messages.
CVE-ID
CVE-2014-4442 : Darius Davis of VMware
Kernel
Impact: Some kernel hardening measures may be bypassed
Description: The random number generator used for kernel hardening
measures early in the boot process was not cryptographically secure.
Some of its output was inferable from user space, allowing bypass of
the hardening measures. This issue was addressed by using a
cryptographically secure algorithm.
CVE-ID
CVE-2014-4422 : Tarjei Mandt of Azimuth Security
LaunchServices
Impact: A local application may bypass sandbox restrictions
Description: The LaunchServices interface for setting content type
handlers allowed sandboxed applications to specify handlers for
existing content types. A compromised application could use this to
bypass sandbox restrictions. The issue was addressed by restricting
sandboxed applications from specifying content type handlers.
CVE-ID
CVE-2014-4437 : Meder Kydyraliev of the Google Security Team
LoginWindow
Impact: Sometimes the screen might not lock
Description: A race condition existed in LoginWindow, which would
sometimes prevent the screen from locking. The issue was addressed by
changing the order of operations.
CVE-ID
CVE-2014-4438 : Harry Sintonen of nSense, Alessandro Lobina of
Helvetia Insurances, Patryk Szlagowski of Funky Monkey Labs
Mail
Impact: Mail may send email to unintended recipients
Description: A user interface inconsistency in Mail application
resulted in email being sent to addresses that were removed from the
list of recipients. The issue was addressed through improved user
interface consistency checks.
CVE-ID
CVE-2014-4439 : Patrick J Power of Melbourne, Australia
MCX Desktop Config Profiles
Impact: When mobile configuration profiles were uninstalled, their
settings were not removed
Description: Web proxy settings installed by a mobile configuration
profile were not removed when the profile was uninstalled. This issue
was addressed through improved handling of profile uninstallation.
CVE-ID
CVE-2014-4440 : Kevin Koster of Cloudpath Networks
NetFS Client Framework
Impact: File Sharing may enter a state in which it cannot be
disabled
Description: A state management issue existed in the File Sharing
framework. This issue was addressed through improved state
management.
CVE-ID
CVE-2014-4441 : Eduardo Bonsi of BEARTCOMMUNICATIONS
QuickTime
Impact: Playing a maliciously crafted m4a file may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in the handling of audio
samples. This issue was addressed through improved bounds checking.
CVE-ID
CVE-2014-4351 : Karl Smith of NCC Group
Safari
Impact: History of pages recently visited in an open tab may remain
after clearing of history
Description: Clearing Safari's history did not clear the
back/forward history for open tabs. This issue was addressed by
clearing the back/forward history.
CVE-ID
CVE-2013-5150
Safari
Impact: Opting in to push notifications from a maliciously crafted
website may cause future Safari Push Notifications to be missed
Description: An uncaught exception issue existed in
SafariNotificationAgent's handling of Safari Push Notifications. This
issue was addressed through improved handling of Safari Push
Notifications.
CVE-ID
CVE-2014-4417 : Marek Isalski of Faelix Limited
Secure Transport
Impact: An attacker may be able to decrypt data protected by SSL
Description: There are known attacks on the confidentiality of SSL
3.0 when a cipher suite uses a block cipher in CBC mode. An attacker
could force the use of SSL 3.0, even when the server would support a
better TLS version, by blocking TLS 1.0 and higher connection
attempts. This issue was addressed by disabling CBC cipher suites
when TLS connection attempts fail.
CVE-ID
CVE-2014-3566 : Bodo Moeller, Thai Duong, and Krzysztof Kotowicz of
Google Security Team
Security
Impact: A remote attacker may be able to cause a denial of service
Description: A null dereference existed in the handling of ASN.1
data. This issue was addressed through additional validation of ASN.1
data.
CVE-ID
CVE-2014-4443 : Coverity
Security
Impact: A local user might have access to another user's Kerberos
tickets
Description: A state management issue existed in SecurityAgent.
While Fast User Switching, sometimes a Kerberos ticket for the
switched-to user would be placed in the cache for the previous user.
This issue was addressed through improved state management.
CVE-ID
CVE-2014-4444 : Gary Simon of Sandia National Laboratories, Ragnar
Sundblad of KTH Royal Institute of Technology, Eugene Homyakov of
Kaspersky Lab
Security - Code Signing
Impact: Tampered applications may not be prevented from launching
Description: Apps signed on OS X prior to OS X Mavericks 10.9 or
apps using custom resource rules, may have been susceptible to
tampering that would not have invalidated the signature. On systems
set to allow only apps from the Mac App Store and identified
developers, a downloaded modified app could have been allowed to run
as though it were legitimate. This issue was addressed by ignoring
signatures of bundles with resource envelopes that omit resources
that may influence execution.
CVE-ID
CVE-2014-4391 : Christopher Hickstein working with HP's Zero Day
Initiative
Note: OS X Yosemite includes Safari 8.0, which incorporates
the security content of Safari 7.1. For further details see
"About the security content of Safari 7.1" at
https://support.apple.com/kb/HT6440.
Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.22 (Darwin)
Comment: GPGTools - http://gpgtools.org
iQIcBAEBAgAGBQJUQCItAAoJEBcWfLTuOo7tVTMQAIpXH2MO4xElrJDdFvz+9hEq
0I/Md7JZMvm66AZZG6AlHPnGn/UfNSD6BxGmuuz2MnVyr3kBTHfGQbsRtoZ/54dZ
OJrFVD+HE+WmjhB2xLoLTMDP5QgdpBY0gpmNF5Ze4tRogpbfrhDQJjjWls4xbB3B
0MYF5Cq+9nMwHquh/gQpp4pRCms+S/3TdHrjunlfnWFJMNT+XTs0Y5+QPZQ8OMAb
lqDGjjjulN3+WLCekIWXX1WeAFjqW5ICSWqt0b8/yWVnLWuYmWvHPC8LrP52+s87
XHgx+9tW/5L+ZMGxfDYKnhkXNsQaFPai1iPgztjz7/c3NON7ogdIbJd290j2GZ2S
CUoozCx2rVn9l7hFYSDP5fHt8x1itvWeH1UX6WP6Ydkf4iXe63ksMaVSFqccEb7r
HlBlx/dE1FuWD+gkOQwDPkKZR1yiMArqrHz1YwC4GZ6/A3aG9B++y1TBCetQO8xs
bFmlhX4Rvmme+NED0Hli7yN/++axkYUfAHTLwnucq1MW+eP9jecsBpFsOMKJ0ika
XrZoquwIM4zQPgY1qBz15Nxeb8lX2IcpL5PKGEeqiKX3SRPerdQKUnUBk1DtHg2h
fl+BG2AfN6uaYGJvGL9G2OX95SylOWW9uoYvfTVafwU7f9tE8RUEStnXhQD00j/r
P2OKoqPuE6SsFq6L2VwF
=Ucxd
-----END PGP SIGNATURE-----
| VAR-201410-1064 | CVE-2014-4434 | Apple OS X Service disruption in some kernels (DoS) Vulnerabilities |
CVSS V2: 4.9 CVSS V3: - Severity: MEDIUM |
The kernel in Apple OS X before 10.10 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted filename on an HFS filesystem. Apple Mac OS X is prone to a local denial of service vulnerability.
A local attacker can leverage this issue to cause the affected system to shutdown, denying service to legitimate users