VARIoT IoT vulnerabilities database

Cross-site request forgery (CSRF) vulnerability in the web framework in Cisco WebEx Meetings Server 1.5(.1.131) and earlier allows remote attackers to hijack the authentication of unspecified victims via unknown vectors, aka Bug ID CSCuj81735. Vendors have confirmed this vulnerability Bug ID CSCuj81735 It is released as.Authentication may be hijacked by a third party. Cisco WebEx Meetings is a networked online conferencing product in Cisco's WebEx conferencing solution. Other attacks are also possible. This issue is being tracked by Cisco Bug ID CSCuj81735

The Intercluster Sync Agent Service in Cisco Unified Presence Server allows remote attackers to cause a denial of service via a TCP SYN flood, aka Bug ID CSCun34125. Vendors have confirmed this vulnerability Bug ID CSCun34125 It is released as. Supplementary information : CWE Vulnerability type by CWE-400: Uncontrolled Resource Consumption ( Resource depletion ) Has been identified. http://cwe.mitre.org/data/definitions/400.htmlBy a third party TCP SYN Service disruption via flood (DoS) There is a possibility of being put into a state. This component is responsible for collecting the user's availability status and communication capability information

The WebNavigator server in Siemens SIMATIC WinCC before 7.3, as used in PCS7 and other products, allows remote attackers to obtain sensitive information via an HTTP request. Siemens SIMATIC WinCC is a multi-user system that provides complete monitoring and data acquisition (SCADA) functionality for the industrial sector, from single-user systems to redundant server and remote web client solutions. Siemens SIMATIC WinCC and PCS7 are prone to an information-disclosure vulnerability. Siemens SIMATIC WinCC is the German Siemens ( Siemens ) The company's set of automated data collection and monitoring ( SCADA )system. The system provides process monitoring, data acquisition and other functions. PCS7 used with other products Siemens SIMATIC WinCC 7.3 previous version of WebNavigator There is a security hole in the server

Multiple cross-site scripting (XSS) vulnerabilities in the login page in the administrative web interface in Cisco TelePresence Server Software 4.0(2.8) allow remote attackers to inject arbitrary web script or HTML via a crafted parameter, aka Bug ID CSCup90060. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. This issue is being tracked by Cisco Bug ID CSCup90060. Cisco TelePresence Server Software is a set of video conferencing solutions called "TelePresence" system of Cisco (Cisco). The solution provides components such as audio and video spaces, which can provide remote participants with a "face-to-face" virtual meeting room effect

SQL injection vulnerability in the web framework in Cisco Security Manager 4.5 and 4.6 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors, aka Bug ID CSCup26957. A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. This issue is being tracked by Cisco Bug ID CSCup26957

The Project administration application in Siemens SIMATIC WinCC before 7.3, as used in PCS7 and other products, has a hardcoded encryption key, which allows remote attackers to obtain sensitive information by extracting this key from another product installation and then employing this key during the sniffing of network traffic on TCP port 1030. Supplementary information : CWE Vulnerability type by CWE-798: Use of Hard-coded Credentials ( Using hard-coded credentials ) Has been identified. Siemens SIMATIC WinCC is a multi-user system that provides complete monitoring and data acquisition (SCADA) functionality for the industrial sector, from single-user systems to redundant server and remote web client solutions. A privilege elevation vulnerability exists in Siemens SIMATIC WinCC and PCS7 that allows an attacker to exploit the vulnerability to gain administrative access on the affected device. Siemens SIMATIC WinCC and PCS7 are prone to a privilege-escalation vulnerability. Siemens SIMATIC WinCC is a set of automatic data acquisition and monitoring (SCADA) system of German Siemens (Siemens). The system provides process monitoring, data acquisition and other functions

NETGEAR DGN2200 is a wireless router product from NETGEAR. An information disclosure vulnerability exists in NETGEAR DGN2200. An attacker could use this vulnerability to gain access to sensitive information. Vulnerabilities in Netgear DGN2200 1.0.0.29_1.7.29_HotS version, other versions may also be affected

The WebNavigator server in Siemens SIMATIC WinCC before 7.3, as used in PCS7 and other products, allows remote authenticated users to gain privileges via a (1) HTTP or (2) HTTPS request. Siemens SIMATIC WinCC is a multi-user system that provides complete monitoring and data acquisition (SCADA) functionality for the industrial sector, from single-user systems to redundant server and remote web client solutions. A remote privilege elevation vulnerability exists in Siemens SIMATIC WinCC And PCS7 that can be exploited by remote attackers to gain elevated privileges on affected devices. Siemens SIMATIC WinCC and PCS7 are prone to a remote privilege-escalation vulnerability. Siemens SIMATIC WinCC is a set of automatic data acquisition and monitoring (SCADA) system of German Siemens (Siemens). The system provides process monitoring, data acquisition and other functions. There is a security hole in the WebNavigator server used by Siemens SIMATIC WinCC versions prior to 7.3 for PCS7 and other products

The database server in Siemens SIMATIC WinCC before 7.3, as used in PCS7 and other products, allows remote authenticated users to gain privileges via a request to TCP port 1433. Siemens SIMATIC WinCC is a multi-user system that provides complete monitoring and data acquisition (SCADA) functionality for the industrial sector, from single-user systems to redundant server and remote web client solutions. A remote privilege elevation vulnerability exists in Siemens' product database servers, which can be exploited by remote attackers to escalate privileges and perform unauthorized actions. SIMATIC WinCC and PCS7 are prone to a remote privilege-escalation vulnerability. Siemens SIMATIC WinCC is a set of automatic data acquisition and monitoring (SCADA) system of German Siemens (Siemens). The system provides process monitoring, data acquisition and other functions. A security vulnerability exists in the database server of versions prior to Siemens SIMATIC WinCC 7.3 used by PCS7 and other products

Siemens SIMATIC WinCC before 7.3, as used in PCS7 and other products, allows local users to gain privileges by leveraging weak system-object access control. Siemens SIMATIC WinCC is a multi-user system that provides complete monitoring and data acquisition (SCADA) functionality for the industrial sector, from single-user systems to redundant server and remote web client solutions. A number of Siemens products have local privilege escalation vulnerabilities that allow an attacker to exploit vulnerabilities to escalate permissions on affected computers. Siemens SIMATIC WinCC and PCS 7 are prone to a local privilege-escalation vulnerability. Attackers can exploit this issue to gain elevated privileges on affected computers. Siemens SIMATIC WinCC is a set of automatic data acquisition and monitoring (SCADA) system of German Siemens (Siemens). The system provides process monitoring, data acquisition and other functions. A security vulnerability exists in versions prior to Siemens SIMATIC WinCC 7.3 used by PCS7 and other products

Multiple cross-site request forgery (CSRF) vulnerabilities in Ubiquiti Networks UniFi Controller before 3.2.1 allow remote attackers to hijack the authentication of administrators for requests that (1) create a new admin user via a request to api/add/admin; (2) have unspecified impact via a request to api/add/wlanconf; change the guest (3) password, (4) authentication method, or (5) restricted subnets via a request to api/set/setting/guest_access; (6) block, (7) unblock, or (8) reconnect users by MAC address via a request to api/cmd/stamgr; change the syslog (9) server or (10) port via a request to api/set/setting/rsyslogd; (11) have unspecified impact via a request to api/set/setting/smtp; change the syslog (12) server, (13) port, or (14) authentication settings via a request to api/cmd/cfgmgr; or (15) change the Unifi Controller name via a request to api/set/setting/identity. Ubiquiti Networks UniFi Controller Exists in a cross-site request forgery vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be put into a state. Multiple Ubiquiti Networks products including UniFi Video, UniFi and mFi are prone to a cross-site request-forgery vulnerability. Exploiting this issue may allow a remote attacker to perform certain unauthorized actions. This may lead to further attacks. The following products are affected: UniFi 2.4.6 UniFi Video 2.1.3 mFi 2.0.15

Ubiquiti UniFi Controller before 3.2.1 logs the administrative password hash in syslog messages, which allows man-in-the-middle attackers to obtain sensitive information via unspecified vectors. UniFi is prone to an information-disclosure vulnerability. An attacker can exploit this issue to perform man-in-the-middle attacks and disclose sensitive information. Successful exploits may lead to other attacks. UniFi 2.4.6 is vulnerable; other versions may also be affected. Ubiquiti Networks UniFi is a set of WiFi wireless network system of Ubiquiti Networks in the United States. UniFi Controller is one of those wireless controllers

The default Flash cross-domain policy (crossdomain.xml) in Ubiquiti Networks UniFi Video (formerly AirVision aka AirVision Controller) before 3.0.1 does not restrict access to the application, which allows remote attackers to bypass the Same Origin Policy via a crafted SWF file. UniFi Video is prone to a security-bypass vulnerability. An authenticated attacker can exploit this issue to bypass certain security restrictions and perform unauthorized actions. This may lead to further attacks. UniFi Video 2.1.3 is vulnerable; other versions may also be affected. Ubiquiti Networks UniFi Video (also known as AirVision or AirVision Controller) is a set of video surveillance system of Ubiquiti Networks in the United States. The vulnerability is caused by the program not restricting access to the application

The D-Link DIR series is a router device developed by D-LINK. Multiple D-Link DIR series products soap.cgi failed to properly filter the \"NewInternalClient\", \"NewExternalPort\" and \"NewInternalPort\" XML parameter data, allowing remote attackers to exploit the vulnerability to inject and execute arbitrary shell commands.

Apple QuickTime allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a malformed version number and flags in an mvhd atom. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within the 'mvhd' atom. By exploiting this, an attacker could execute code in the context of the current user. Apple QuickTime is prone to a heap-memory-corruption vulnerability. The software is capable of handling multiple sources such as digital video, media segments, and more. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 APPLE-SA-2014-10-22-1 QuickTime 7.7.6 QuickTime 7.7.6 is now available and addresses the following: QuickTime Available for: Windows 7, Vista, XP SP2 or later Impact: Playing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution Description: A memory corruption issue existed in the handling of RLE encoded movie files. This issue was addressed through improved bounds checking. CVE-ID CVE-2014-1391 : Fernando Munoz working with iDefense VCP, Tom Gallagher & Paul Bates working with HP's Zero Day Initiative QuickTime Available for: Windows 7, Vista, XP SP2 or later Impact: Playing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution Description: A memory corruption issue existed in the handling of the 'mvhd' atoms. This issue was addressed through improved bounds checking. CVE-ID CVE-2014-4979 : Andrea Micalizzi aka rgod working with HP's Zero Day Initiative QuickTime Available for: Windows 7, Vista, XP SP2 or later Impact: Playing a maliciously crafted MIDI file may lead to an unexpected application termination or arbitrary code execution Description: A buffer overflow existed in the handling of MIDI files. This issue was addressed through improved bounds checking. CVE-ID CVE-2014-4350 : s3tm3m working with HP's Zero Day Initiative QuickTime Available for: Windows 7, Vista, XP SP2 or later Impact: Playing a maliciously crafted m4a file may lead to an unexpected application termination or arbitrary code execution Description: A buffer overflow existed in the handling of audio samples. This issue was addressed through improved bounds checking. CVE-ID CVE-2014-4351 : Karl Smith of NCC Group QuickTime 7.7.6 may be obtained from the QuickTime Downloads site: http://www.apple.com/quicktime/download/ Information will also be posted to the Apple Security Updates web site: http://support.apple.com/kb/HT1222 This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.22 (Darwin) Comment: GPGTools - http://gpgtools.org iQIcBAEBAgAGBQJUSBRSAAoJEBcWfLTuOo7tgDoQAIBUrnAQpbBQoanvqNDw5R2j Ntl+aKzuZaVloKn78HN0T5ihcx3K0FxtjCN//KGwJpKBCG8MGnF/CisEnstkLM3t jn6oZ0kmowAOt0CEM6s391uWTNnV+Na3dN7WBNu7943+qkTbUiSeojTEE9DHpxCN tE/hmyBR3dEpAKza8rQzGYYZTBJ9wFhcL91M9hmo0ZXrfgdRE8xFQBnEHtUPqv1N QBgVm6GVKxFhgNcUZnk/+JNWpPxlWGDyb+N7mB7H8FIPUJRbxMsJaAro9JjyjM2h Za5gNgVTdNNeM0iVItbt8a6JLo+F1CFD6dJJvFZUSoGYhCevfIrRHNmZBKynLFNw lciM0iUXgoEwTsgfwOQf9gr8QSzMdTrODXgX6PQptKL2xSxHQ15Vumz9Z+LdZb2B osh/+iGndw+xQCojR3+IomTZlxlHEaGxm45PkRtYwrAsmXXNnsOIC5Eqrk5sFpPH gDioMLytASE2Y+ASBTHT0kNOVs2BY/2uLlToE+/tf908oLOjDpmHmbzk9PZHrJsX hGaqFdrpGmZsm1QcO05/ykoPiqka1C9cgJHYKdXddeTCZEss4oFB0ER/fQ7cz6Bc iOV80BMWMFArsZMPmiwltCYfiw82HxeTgc7UvRHGFlXmpE4q1lHrU1dt+NkOnmv9 t/srMKTMnrGAAGLz0jqq =PiXJ -----END PGP SIGNATURE-----

The web interface in CUPS before 2.0 does not check that files have world-readable permissions, which allows remote attackers to obtains sensitive information via unspecified vectors. The Common Unix Printing System (CUPS) is a universal Unix printing system that is a cross-platform printing solution for Unix environments. It is based on the Internet printing protocol and provides most PostScript and raster printing. The CUPS Web Interface has a local privilege escalation vulnerability that allows attacks. Use vulnerabilities for symbolic link attacks to overwrite any file in the context of the affected application. Other attacks may also be possible. An attacker with local access could potentially exploit this issue to gain elevated privileges. CUPS 1.7.4 and earlier versions are vulnerable. A remote attacker could exploit this vulnerability to obtain sensitive information. ============================================================================ Ubuntu Security Notice USN-2341-1 September 08, 2014 cups vulnerabilities ============================================================================ A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 14.04 LTS - Ubuntu 12.04 LTS - Ubuntu 10.04 LTS Summary: CUPS could be made to expose sensitive information, leading to privilege escalation. Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 14.04 LTS: cups 1.7.2-0ubuntu1.2 Ubuntu 12.04 LTS: cups 1.5.3-0ubuntu8.5 Ubuntu 10.04 LTS: cups 1.4.3-1ubuntu1.13 In general, a standard system update will make all the necessary changes. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: cups security and bug fix update Advisory ID: RHSA-2014:1388-02 Product: Red Hat Enterprise Linux Advisory URL: https://rhn.redhat.com/errata/RHSA-2014-1388.html Issue date: 2014-10-14 CVE Names: CVE-2014-2856 CVE-2014-3537 CVE-2014-5029 CVE-2014-5030 CVE-2014-5031 ===================================================================== 1. Summary: Updated cups packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64 Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, x86_64 Red Hat Enterprise Linux HPC Node (v. 6) - x86_64 Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64 Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64 Red Hat Enterprise Linux Server Optional (v. 6) - i386, ppc64, s390x, x86_64 Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64 Red Hat Enterprise Linux Workstation Optional (v. 6) - i386, x86_64 3. (CVE-2014-2856) It was discovered that CUPS allowed certain users to create symbolic links in certain directories under /var/cache/cups/. A local user with the 'lp' group privileges could use this flaw to read the contents of arbitrary files on the system or, potentially, escalate their privileges on the system. (CVE-2014-3537, CVE-2014-5029, CVE-2014-5030, CVE-2014-5031) The CVE-2014-3537 issue was discovered by Francisco Alonso of Red Hat Product Security. These updated cups packages also include several bug fixes. Space precludes documenting all of these changes in this advisory. Users are directed to the Red Hat Enterprise Linux 6.6 Technical Notes, linked to in the References section, for information on the most significant of these changes. All cups users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing this update, the cupsd daemon will be restarted automatically. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 978387 - Bad IPP responses with version 2.0 (collection handling bug) 1012482 - /etc/cron.daily/cups breaks rule GEN003080 in Red Hat security guide 1087122 - CVE-2014-2856 cups: cross-site scripting flaw fixed in the 1.7.2 release 1115576 - CVE-2014-3537 cups: insufficient checking leads to privilege escalation 1122600 - CVE-2014-5029 cups: Incomplete fix for CVE-2014-3537 1128764 - CVE-2014-5030 cups: allows local users to read arbitrary files via a symlink attack 1128767 - CVE-2014-5031 cups: world-readable permissions 6. Package List: Red Hat Enterprise Linux Desktop (v. 6): Source: cups-1.4.2-67.el6.src.rpm i386: cups-1.4.2-67.el6.i686.rpm cups-debuginfo-1.4.2-67.el6.i686.rpm cups-libs-1.4.2-67.el6.i686.rpm cups-lpd-1.4.2-67.el6.i686.rpm x86_64: cups-1.4.2-67.el6.x86_64.rpm cups-debuginfo-1.4.2-67.el6.i686.rpm cups-debuginfo-1.4.2-67.el6.x86_64.rpm cups-libs-1.4.2-67.el6.i686.rpm cups-libs-1.4.2-67.el6.x86_64.rpm cups-lpd-1.4.2-67.el6.x86_64.rpm Red Hat Enterprise Linux Desktop Optional (v. 6): i386: cups-debuginfo-1.4.2-67.el6.i686.rpm cups-devel-1.4.2-67.el6.i686.rpm cups-php-1.4.2-67.el6.i686.rpm x86_64: cups-debuginfo-1.4.2-67.el6.i686.rpm cups-debuginfo-1.4.2-67.el6.x86_64.rpm cups-devel-1.4.2-67.el6.i686.rpm cups-devel-1.4.2-67.el6.x86_64.rpm cups-php-1.4.2-67.el6.x86_64.rpm Red Hat Enterprise Linux HPC Node (v. 6): Source: cups-1.4.2-67.el6.src.rpm x86_64: cups-1.4.2-67.el6.x86_64.rpm cups-debuginfo-1.4.2-67.el6.i686.rpm cups-debuginfo-1.4.2-67.el6.x86_64.rpm cups-libs-1.4.2-67.el6.i686.rpm cups-libs-1.4.2-67.el6.x86_64.rpm cups-lpd-1.4.2-67.el6.x86_64.rpm Red Hat Enterprise Linux HPC Node Optional (v. 6): x86_64: cups-debuginfo-1.4.2-67.el6.i686.rpm cups-debuginfo-1.4.2-67.el6.x86_64.rpm cups-devel-1.4.2-67.el6.i686.rpm cups-devel-1.4.2-67.el6.x86_64.rpm cups-php-1.4.2-67.el6.x86_64.rpm Red Hat Enterprise Linux Server (v. 6): Source: cups-1.4.2-67.el6.src.rpm i386: cups-1.4.2-67.el6.i686.rpm cups-debuginfo-1.4.2-67.el6.i686.rpm cups-devel-1.4.2-67.el6.i686.rpm cups-libs-1.4.2-67.el6.i686.rpm cups-lpd-1.4.2-67.el6.i686.rpm ppc64: cups-1.4.2-67.el6.ppc64.rpm cups-debuginfo-1.4.2-67.el6.ppc.rpm cups-debuginfo-1.4.2-67.el6.ppc64.rpm cups-devel-1.4.2-67.el6.ppc.rpm cups-devel-1.4.2-67.el6.ppc64.rpm cups-libs-1.4.2-67.el6.ppc.rpm cups-libs-1.4.2-67.el6.ppc64.rpm cups-lpd-1.4.2-67.el6.ppc64.rpm s390x: cups-1.4.2-67.el6.s390x.rpm cups-debuginfo-1.4.2-67.el6.s390.rpm cups-debuginfo-1.4.2-67.el6.s390x.rpm cups-devel-1.4.2-67.el6.s390.rpm cups-devel-1.4.2-67.el6.s390x.rpm cups-libs-1.4.2-67.el6.s390.rpm cups-libs-1.4.2-67.el6.s390x.rpm cups-lpd-1.4.2-67.el6.s390x.rpm x86_64: cups-1.4.2-67.el6.x86_64.rpm cups-debuginfo-1.4.2-67.el6.i686.rpm cups-debuginfo-1.4.2-67.el6.x86_64.rpm cups-devel-1.4.2-67.el6.i686.rpm cups-devel-1.4.2-67.el6.x86_64.rpm cups-libs-1.4.2-67.el6.i686.rpm cups-libs-1.4.2-67.el6.x86_64.rpm cups-lpd-1.4.2-67.el6.x86_64.rpm Red Hat Enterprise Linux Server Optional (v. 6): i386: cups-debuginfo-1.4.2-67.el6.i686.rpm cups-php-1.4.2-67.el6.i686.rpm ppc64: cups-debuginfo-1.4.2-67.el6.ppc64.rpm cups-php-1.4.2-67.el6.ppc64.rpm s390x: cups-debuginfo-1.4.2-67.el6.s390x.rpm cups-php-1.4.2-67.el6.s390x.rpm x86_64: cups-debuginfo-1.4.2-67.el6.x86_64.rpm cups-php-1.4.2-67.el6.x86_64.rpm Red Hat Enterprise Linux Workstation (v. 6): Source: cups-1.4.2-67.el6.src.rpm i386: cups-1.4.2-67.el6.i686.rpm cups-debuginfo-1.4.2-67.el6.i686.rpm cups-devel-1.4.2-67.el6.i686.rpm cups-libs-1.4.2-67.el6.i686.rpm cups-lpd-1.4.2-67.el6.i686.rpm x86_64: cups-1.4.2-67.el6.x86_64.rpm cups-debuginfo-1.4.2-67.el6.i686.rpm cups-debuginfo-1.4.2-67.el6.x86_64.rpm cups-devel-1.4.2-67.el6.i686.rpm cups-devel-1.4.2-67.el6.x86_64.rpm cups-libs-1.4.2-67.el6.i686.rpm cups-libs-1.4.2-67.el6.x86_64.rpm cups-lpd-1.4.2-67.el6.x86_64.rpm Red Hat Enterprise Linux Workstation Optional (v. 6): i386: cups-debuginfo-1.4.2-67.el6.i686.rpm cups-php-1.4.2-67.el6.i686.rpm x86_64: cups-debuginfo-1.4.2-67.el6.x86_64.rpm cups-php-1.4.2-67.el6.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package 7. References: https://www.redhat.com/security/data/cve/CVE-2014-2856.html https://www.redhat.com/security/data/cve/CVE-2014-3537.html https://www.redhat.com/security/data/cve/CVE-2014-5029.html https://www.redhat.com/security/data/cve/CVE-2014-5030.html https://www.redhat.com/security/data/cve/CVE-2014-5031.html https://access.redhat.com/security/updates/classification/#moderate https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/6.6_Technical_Notes/cups.html#RHSA-2014-1388 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2014 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iD8DBQFUPKsIXlSAg2UNWIIRApSvAJ9WxP5yQ+v5GDRGnSINYq0Pro0AoQCfXZqW WjIIQcBG+Sou8Is2vIFlLok= =5S/K -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce . A malformed file with an invalid page header and compressed raster data can trigger a buffer overflow in cupsRasterReadPixels (CVE-2014-9679). _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2856 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3537 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5029 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5030 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5031 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9679 http://advisories.mageia.org/MGASA-2014-0193.html http://advisories.mageia.org/MGASA-2014-0313.html http://advisories.mageia.org/MGASA-2015-0067.html _______________________________________________________________________ Updated Packages: Mandriva Business Server 2/X86_64: 0d1f31885b6c118b63449f2fdd821666 mbs2/x86_64/cups-1.7.0-8.1.mbs2.x86_64.rpm b5337600a386f902763653796a2cefdf mbs2/x86_64/cups-common-1.7.0-8.1.mbs2.x86_64.rpm 7b1513d85b5f22cd90bed23a35e44f51 mbs2/x86_64/cups-filesystem-1.7.0-8.1.mbs2.noarch.rpm c25fa9b9bba101274984fa2b7a62f7a3 mbs2/x86_64/lib64cups2-1.7.0-8.1.mbs2.x86_64.rpm df24a6b84fdafffaadf961ab4aa3640b mbs2/x86_64/lib64cups2-devel-1.7.0-8.1.mbs2.x86_64.rpm 5c172624c992de8ebb2bf8a2b232ee3a mbs2/SRPMS/cups-1.7.0-8.1.mbs2.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/en/support/security/advisories/ If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team <security*mandriva.com> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iD8DBQFVF6q1mqjQ0CJFipgRAuxXAKDq8A/WlNzp54yRN7xnKy8ZBaRZQwCfSAh0 n7hHPzmYVzh2wFP6PffIl0E= =ykhv -----END PGP SIGNATURE----- . For the stable distribution (wheezy), these problems have been fixed in version 1.5.3-5+deb7u4. For the unstable distribution (sid), these problems have been fixed in version 1.7.4-2

CUPS before 2.0 allows local users to read arbitrary files via a symlink attack on (1) index.html, (2) index.class, (3) index.pl, (4) index.php, (5) index.pyc, or (6) index.py. The Common Unix Printing System (CUPS) is a universal Unix printing system that is a cross-platform printing solution for Unix environments. It is based on the Internet printing protocol and provides most PostScript and raster printing. The CUPS Web Interface has a local privilege escalation vulnerability that allows attacks. Use vulnerabilities for symbolic link attacks to overwrite any file in the context of the affected application. Other attacks may also be possible. An attacker with local access could potentially exploit this issue to gain elevated privileges. CUPS 1.7.4 and earlier versions are vulnerable. ============================================================================ Ubuntu Security Notice USN-2341-1 September 08, 2014 cups vulnerabilities ============================================================================ A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 14.04 LTS - Ubuntu 12.04 LTS - Ubuntu 10.04 LTS Summary: CUPS could be made to expose sensitive information, leading to privilege escalation. Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 14.04 LTS: cups 1.7.2-0ubuntu1.2 Ubuntu 12.04 LTS: cups 1.5.3-0ubuntu8.5 Ubuntu 10.04 LTS: cups 1.4.3-1ubuntu1.13 In general, a standard system update will make all the necessary changes. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: cups security and bug fix update Advisory ID: RHSA-2014:1388-02 Product: Red Hat Enterprise Linux Advisory URL: https://rhn.redhat.com/errata/RHSA-2014-1388.html Issue date: 2014-10-14 CVE Names: CVE-2014-2856 CVE-2014-3537 CVE-2014-5029 CVE-2014-5030 CVE-2014-5031 ===================================================================== 1. Summary: Updated cups packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64 Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, x86_64 Red Hat Enterprise Linux HPC Node (v. 6) - x86_64 Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64 Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64 Red Hat Enterprise Linux Server Optional (v. 6) - i386, ppc64, s390x, x86_64 Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64 Red Hat Enterprise Linux Workstation Optional (v. 6) - i386, x86_64 3. (CVE-2014-2856) It was discovered that CUPS allowed certain users to create symbolic links in certain directories under /var/cache/cups/. A local user with the 'lp' group privileges could use this flaw to read the contents of arbitrary files on the system or, potentially, escalate their privileges on the system. (CVE-2014-3537, CVE-2014-5029, CVE-2014-5030, CVE-2014-5031) The CVE-2014-3537 issue was discovered by Francisco Alonso of Red Hat Product Security. These updated cups packages also include several bug fixes. Space precludes documenting all of these changes in this advisory. Users are directed to the Red Hat Enterprise Linux 6.6 Technical Notes, linked to in the References section, for information on the most significant of these changes. All cups users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing this update, the cupsd daemon will be restarted automatically. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 978387 - Bad IPP responses with version 2.0 (collection handling bug) 1012482 - /etc/cron.daily/cups breaks rule GEN003080 in Red Hat security guide 1087122 - CVE-2014-2856 cups: cross-site scripting flaw fixed in the 1.7.2 release 1115576 - CVE-2014-3537 cups: insufficient checking leads to privilege escalation 1122600 - CVE-2014-5029 cups: Incomplete fix for CVE-2014-3537 1128764 - CVE-2014-5030 cups: allows local users to read arbitrary files via a symlink attack 1128767 - CVE-2014-5031 cups: world-readable permissions 6. Package List: Red Hat Enterprise Linux Desktop (v. 6): Source: cups-1.4.2-67.el6.src.rpm i386: cups-1.4.2-67.el6.i686.rpm cups-debuginfo-1.4.2-67.el6.i686.rpm cups-libs-1.4.2-67.el6.i686.rpm cups-lpd-1.4.2-67.el6.i686.rpm x86_64: cups-1.4.2-67.el6.x86_64.rpm cups-debuginfo-1.4.2-67.el6.i686.rpm cups-debuginfo-1.4.2-67.el6.x86_64.rpm cups-libs-1.4.2-67.el6.i686.rpm cups-libs-1.4.2-67.el6.x86_64.rpm cups-lpd-1.4.2-67.el6.x86_64.rpm Red Hat Enterprise Linux Desktop Optional (v. 6): i386: cups-debuginfo-1.4.2-67.el6.i686.rpm cups-devel-1.4.2-67.el6.i686.rpm cups-php-1.4.2-67.el6.i686.rpm x86_64: cups-debuginfo-1.4.2-67.el6.i686.rpm cups-debuginfo-1.4.2-67.el6.x86_64.rpm cups-devel-1.4.2-67.el6.i686.rpm cups-devel-1.4.2-67.el6.x86_64.rpm cups-php-1.4.2-67.el6.x86_64.rpm Red Hat Enterprise Linux HPC Node (v. 6): Source: cups-1.4.2-67.el6.src.rpm x86_64: cups-1.4.2-67.el6.x86_64.rpm cups-debuginfo-1.4.2-67.el6.i686.rpm cups-debuginfo-1.4.2-67.el6.x86_64.rpm cups-libs-1.4.2-67.el6.i686.rpm cups-libs-1.4.2-67.el6.x86_64.rpm cups-lpd-1.4.2-67.el6.x86_64.rpm Red Hat Enterprise Linux HPC Node Optional (v. 6): x86_64: cups-debuginfo-1.4.2-67.el6.i686.rpm cups-debuginfo-1.4.2-67.el6.x86_64.rpm cups-devel-1.4.2-67.el6.i686.rpm cups-devel-1.4.2-67.el6.x86_64.rpm cups-php-1.4.2-67.el6.x86_64.rpm Red Hat Enterprise Linux Server (v. 6): Source: cups-1.4.2-67.el6.src.rpm i386: cups-1.4.2-67.el6.i686.rpm cups-debuginfo-1.4.2-67.el6.i686.rpm cups-devel-1.4.2-67.el6.i686.rpm cups-libs-1.4.2-67.el6.i686.rpm cups-lpd-1.4.2-67.el6.i686.rpm ppc64: cups-1.4.2-67.el6.ppc64.rpm cups-debuginfo-1.4.2-67.el6.ppc.rpm cups-debuginfo-1.4.2-67.el6.ppc64.rpm cups-devel-1.4.2-67.el6.ppc.rpm cups-devel-1.4.2-67.el6.ppc64.rpm cups-libs-1.4.2-67.el6.ppc.rpm cups-libs-1.4.2-67.el6.ppc64.rpm cups-lpd-1.4.2-67.el6.ppc64.rpm s390x: cups-1.4.2-67.el6.s390x.rpm cups-debuginfo-1.4.2-67.el6.s390.rpm cups-debuginfo-1.4.2-67.el6.s390x.rpm cups-devel-1.4.2-67.el6.s390.rpm cups-devel-1.4.2-67.el6.s390x.rpm cups-libs-1.4.2-67.el6.s390.rpm cups-libs-1.4.2-67.el6.s390x.rpm cups-lpd-1.4.2-67.el6.s390x.rpm x86_64: cups-1.4.2-67.el6.x86_64.rpm cups-debuginfo-1.4.2-67.el6.i686.rpm cups-debuginfo-1.4.2-67.el6.x86_64.rpm cups-devel-1.4.2-67.el6.i686.rpm cups-devel-1.4.2-67.el6.x86_64.rpm cups-libs-1.4.2-67.el6.i686.rpm cups-libs-1.4.2-67.el6.x86_64.rpm cups-lpd-1.4.2-67.el6.x86_64.rpm Red Hat Enterprise Linux Server Optional (v. 6): i386: cups-debuginfo-1.4.2-67.el6.i686.rpm cups-php-1.4.2-67.el6.i686.rpm ppc64: cups-debuginfo-1.4.2-67.el6.ppc64.rpm cups-php-1.4.2-67.el6.ppc64.rpm s390x: cups-debuginfo-1.4.2-67.el6.s390x.rpm cups-php-1.4.2-67.el6.s390x.rpm x86_64: cups-debuginfo-1.4.2-67.el6.x86_64.rpm cups-php-1.4.2-67.el6.x86_64.rpm Red Hat Enterprise Linux Workstation (v. 6): Source: cups-1.4.2-67.el6.src.rpm i386: cups-1.4.2-67.el6.i686.rpm cups-debuginfo-1.4.2-67.el6.i686.rpm cups-devel-1.4.2-67.el6.i686.rpm cups-libs-1.4.2-67.el6.i686.rpm cups-lpd-1.4.2-67.el6.i686.rpm x86_64: cups-1.4.2-67.el6.x86_64.rpm cups-debuginfo-1.4.2-67.el6.i686.rpm cups-debuginfo-1.4.2-67.el6.x86_64.rpm cups-devel-1.4.2-67.el6.i686.rpm cups-devel-1.4.2-67.el6.x86_64.rpm cups-libs-1.4.2-67.el6.i686.rpm cups-libs-1.4.2-67.el6.x86_64.rpm cups-lpd-1.4.2-67.el6.x86_64.rpm Red Hat Enterprise Linux Workstation Optional (v. 6): i386: cups-debuginfo-1.4.2-67.el6.i686.rpm cups-php-1.4.2-67.el6.i686.rpm x86_64: cups-debuginfo-1.4.2-67.el6.x86_64.rpm cups-php-1.4.2-67.el6.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package 7. References: https://www.redhat.com/security/data/cve/CVE-2014-2856.html https://www.redhat.com/security/data/cve/CVE-2014-3537.html https://www.redhat.com/security/data/cve/CVE-2014-5029.html https://www.redhat.com/security/data/cve/CVE-2014-5030.html https://www.redhat.com/security/data/cve/CVE-2014-5031.html https://access.redhat.com/security/updates/classification/#moderate https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/6.6_Technical_Notes/cups.html#RHSA-2014-1388 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2014 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iD8DBQFUPKsIXlSAg2UNWIIRApSvAJ9WxP5yQ+v5GDRGnSINYq0Pro0AoQCfXZqW WjIIQcBG+Sou8Is2vIFlLok= =5S/K -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce . It was discovered that the web interface in CUPS incorrectly validated permissions on rss files and directory index files. A malformed file with an invalid page header and compressed raster data can trigger a buffer overflow in cupsRasterReadPixels (CVE-2014-9679). _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2856 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3537 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5029 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5030 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5031 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9679 http://advisories.mageia.org/MGASA-2014-0193.html http://advisories.mageia.org/MGASA-2014-0313.html http://advisories.mageia.org/MGASA-2015-0067.html _______________________________________________________________________ Updated Packages: Mandriva Business Server 2/X86_64: 0d1f31885b6c118b63449f2fdd821666 mbs2/x86_64/cups-1.7.0-8.1.mbs2.x86_64.rpm b5337600a386f902763653796a2cefdf mbs2/x86_64/cups-common-1.7.0-8.1.mbs2.x86_64.rpm 7b1513d85b5f22cd90bed23a35e44f51 mbs2/x86_64/cups-filesystem-1.7.0-8.1.mbs2.noarch.rpm c25fa9b9bba101274984fa2b7a62f7a3 mbs2/x86_64/lib64cups2-1.7.0-8.1.mbs2.x86_64.rpm df24a6b84fdafffaadf961ab4aa3640b mbs2/x86_64/lib64cups2-devel-1.7.0-8.1.mbs2.x86_64.rpm 5c172624c992de8ebb2bf8a2b232ee3a mbs2/SRPMS/cups-1.7.0-8.1.mbs2.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/en/support/security/advisories/ If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team <security*mandriva.com> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iD8DBQFVF6q1mqjQ0CJFipgRAuxXAKDq8A/WlNzp54yRN7xnKy8ZBaRZQwCfSAh0 n7hHPzmYVzh2wFP6PffIl0E= =ykhv -----END PGP SIGNATURE----- . For the stable distribution (wheezy), these problems have been fixed in version 1.5.3-5+deb7u4. For the unstable distribution (sid), these problems have been fixed in version 1.7.4-2

systest.php on IBM GCM16 and GCM32 Global Console Manager switches with firmware before 1.20.20.23447 allows remote authenticated users to execute arbitrary commands via shell metacharacters in the lpres parameter. IBM 1754 GCM16 and GCM32 Global Console Managers are prone to an unspecified remote code-execution vulnerability. Attackers can exploit this issue to execute arbitrary code in the context of the affected application. Failed exploit attempts will likely cause denial-of-service conditions. The following versions are vulnerable: IBM 1754 GCM16 Global Console Manager running firmware 1.20.0.22575 and prior IBM 1754 GCM32 Global Console Manager running firmware 1.20.0.22575 and prior. The product supports AES encryption, LDAP and smart card/common access card (CAC) readers and more, enabling centralized authentication and local or remote system access

Cross-site request forgery (CSRF) vulnerability in the web application on Omron NS5, NS8, NS10, NS12, and NS15 HMI terminals 8.1xx through 8.68x allows remote authenticated users to hijack the authentication of unspecified victims via unknown vectors. Omron NS5, NS8, NS10, NS12 and NS15 HMI Terminals are Omron's touch screen HMI programming software. Allows remote attackers to perform unauthorized operations with specially crafted data. This may lead to further attacks. The following products are affected: Omron NS5, NS8, NS10, NS12, NS15 HMI Terminals versions 8.1xx to 8.68x

Cross-site scripting (XSS) vulnerability in the web application on Omron NS5, NS8, NS10, NS12, and NS15 HMI terminals 8.1xx through 8.68x allows remote authenticated users to inject arbitrary web script or HTML via crafted data. Omron NS5, NS8, NS10, NS12 and NS15 HMI Terminals are Omron's touch screen HMI programming software. There is an HTML injection vulnerability in Omron NS series HMI Terminals. Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible. The following products and versions are affected: Omron NS5, NS8, NS10, NS12, NS15 HMI Terminals 8.1xx to 8.68x versions