VARIoT IoT vulnerabilities database
| VAR-201404-0716 | No CVE | Halon Security Router Multiple Security Vulnerabilities |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Halon Security Router is a router product from Halon Security, USA.
There are multiple security vulnerabilities in Halon Security Router 3.2-winter-r1 and earlier versions: 1. a cross-site scripting vulnerability; 2. a cross-site request forgery vulnerability; 3. an open redirection vulnerability. When a user browses an affected website, their browser executes arbitrary script code provided by the attacker. This could lead to attackers stealing cookie-based authentication credentials, performing unauthorized operations, or redirecting users to malicious websites. Other attacks are also possible.
| VAR-201404-0334 | CVE-2014-2384 | Denial of service (DoS) vulnerability in vmx86.sys in VMware Workstation and VMware Player on Windows |
CVSS V2: 4.9 CVSS V3: - Severity: MEDIUM |
vmx86.sys in VMware Workstation 10.0.1 build 1379776 and VMware Player 6.0.1 build 1379776 on Windows might allow local users to cause a denial of service (read access violation and system crash) via a crafted buffer in an IOCTL call. NOTE: the researcher reports "Vendor rated issue as non-exploitable." VMware Player is free software that allows PC users to easily run virtual machines on Windows or Linux PCs. VMware Workstation is a popular virtual machine application. The vulnerability allows a local attacker to trigger a blue screen, crashing the system.
Local attackers with access to a guest operating system can exploit this issue to crash the host operating system, effectively denying service to legitimate users.
The Blue Screen is triggered because the vulnerable function doesn't check whether a pointer to a memory page is valid, thus causing a memory access violation by trying to read from an unallocated memory page.
Further details at:
https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-2384/
Copyright:
Copyright (c) Portcullis Computer Security Limited 2014, All rights
reserved worldwide. Permission is hereby granted for the electronic
redistribution of this information. It is not to be edited or altered in
any way without the express written consent of Portcullis Computer
Security Limited.
Disclaimer:
The information herein contained may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are NO warranties, implied or otherwise, with regard to this information
or its use. Any use of this information is at the user's risk. In no
event shall the author/distributor (Portcullis Computer Security
Limited) be held liable for any damages whatsoever arising out of or in
connection with the use or spread of this information
| VAR-201404-0447 | CVE-2014-2925 | Cross-site scripting vulnerability in Advanced_Wireless_Content.asp in ASUS RT-AC68U and other RT series router firmware |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Cross-site scripting (XSS) vulnerability in Advanced_Wireless_Content.asp in ASUS RT-AC68U and other RT series routers with firmware before 3.0.0.4.374.5047 allows remote attackers to inject arbitrary web script or HTML via the current_page parameter to apply.cgi. ASUS RT-AC68U is a router device. A remote attacker can exploit this vulnerability by constructing a malicious URI and enticing a user to open it, in order to obtain sensitive cookies, hijack a session, or perform malicious operations in the client.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. The vulnerability stems from the fact that the apply.cgi script does not filter the 'current_page' parameter correctly.
| VAR-201404-0581 | CVE-2014-2144 | Cisco IOS XR Software ICMPv6 Processing Denial of Service Vulnerability |
CVSS V2: 6.1 CVSS V3: - Severity: MEDIUM |
Cisco IOS XR does not properly throttle ICMPv6 redirect packets, which allows remote attackers to cause a denial of service (IPv4 and IPv6 transit outage) via crafted redirect messages, aka Bug ID CSCum14266. Cisco IOS is the internetwork operating system used on most Cisco routers and network switches. A denial of service vulnerability exists in Cisco IOS XR.
Attackers can exploit this issue to cause all or most of the IPv4 and IPv6 traffic to fail while being processed on an affected device, denying service to legitimate users.
This issue is being tracked by Cisco Bug ID CSCum14266. The vulnerability is caused by the program not properly throttling ICMPv6 redirect packets.
| VAR-201404-0582 | CVE-2014-2145 | Cisco Unity Connection Messaging API Vulnerable to directory traversal |
CVSS V2: 4.0 CVSS V3: - Severity: MEDIUM |
Directory traversal vulnerability in the messaging API in Cisco Unity Connection allows remote authenticated users to read arbitrary files via vectors related to unenforced access constraints for .wav files and the audio/x-wav MIME type, aka Bug ID CSCun91071. Cisco Unity Connection is prone to a directory-traversal vulnerability.
Exploiting this issue can allow an attacker to gain access to arbitrary files. Information harvested may aid in launching further attacks.
This issue is being tracked by Cisco Bug ID CSCun91071. The platform can use voice commands to make calls or listen to messages "hands-free".
| VAR-201404-0476 | CVE-2014-0331 | Fortinet FortiADC D-series contains a cross-site scripting vulnerability |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Cross-site scripting (XSS) vulnerability in the web administration interface in FortiADC with firmware before 3.2.1 allows remote attackers to inject arbitrary web script or HTML via the locale parameter to gui_partA/. (CWE-79). FortiADC, provided by Fortinet, contains a cross-site scripting vulnerability (CWE-79) caused by improper handling of the locale parameter at /FortiADC/gui_partA/?locale=en.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
FortiADC versions 3.2.0 and prior are vulnerable. FortiADC is an application delivery controller from Fortinet, which optimizes network availability, user experience, mobile performance and cloud-based enterprise application control, enhances server efficiency, and reduces data center network complexity and cost. The vulnerability is due to the fact that the gui_partA/ URI does not adequately filter the 'locale' parameter.
| VAR-201404-0565 | CVE-2014-2114 | Cisco Emergency Responder Cross-Site Scripting Vulnerability |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Cross-site scripting (XSS) vulnerability in UserServlet in Cisco Emergency Responder (ER) 8.6 and earlier allows remote attackers to inject arbitrary web script or HTML via an unspecified parameter, aka Bug ID CSCun24384. Cisco Emergency Responder ensures that Cisco CallManager can transfer emergency calls directly to the appropriate Public Safety Answering Point (PSAP).
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
This issue is being tracked by Cisco Bug ID CSCun24384. The software provides features such as a real-time location tracking database and caller location.
| VAR-201404-0566 | CVE-2014-2115 | Cisco Emergency Responder Cross-Site Request Forgery Vulnerability |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Multiple cross-site request forgery (CSRF) vulnerabilities in CERUserServlet pages in Cisco Emergency Responder (ER) 8.6 and earlier allow remote attackers to hijack the authentication of arbitrary users, aka Bug ID CSCun24250. This vulnerability is published as Bug ID CSCun24250. A third party may be able to hijack the authentication of any user. Cisco Emergency Responder ensures that Cisco CallManager can transfer emergency calls directly to the appropriate Public Safety Answering Point (PSAP).
Exploiting the issue may allow a remote attacker to perform certain unauthorized actions. This may lead to further attacks.
This issue is being tracked by Cisco Bug ID CSCun24250. The software provides features such as a real-time location tracking database and caller location.
| VAR-201404-0567 | CVE-2014-2116 | Cisco Emergency Responder web page injection vulnerability |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Cisco Emergency Responder (ER) 8.6 and earlier allows remote attackers to inject web pages and modify dynamic content via unspecified parameters, aka Bug ID CSCun37882. The Cisco Emergency Responder (ER) enhances the emergency call capabilities of Cisco CallManager. It ensures that Cisco Callmanager can transfer emergency calls directly to the appropriate Public Safety Answering Point (PSAP).
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
These issues are being tracked by Cisco Bug ID CSCun37882. The software provides features such as a real-time location tracking database and caller location.
| VAR-201404-0568 | CVE-2014-2117 | Cisco Emergency Responder Open redirect vulnerability |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Multiple open redirect vulnerabilities in Cisco Emergency Responder (ER) 8.6 and earlier allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified parameters, aka Bug ID CSCun37909. Cisco Emergency Responder (ER) contains an open redirect vulnerability. Cisco Emergency Responder ensures that Cisco CallManager can transfer emergency calls directly to the appropriate Public Safety Answering Point (PSAP).
An attacker can leverage this issue by constructing a crafted URI and enticing a user to follow it. When an unsuspecting victim follows the link, they may be redirected to an attacker-controlled site; this may aid in phishing attacks. Other attacks are possible.
This issue is being tracked by Cisco Bug ID CSCun37909. The software provides features such as a real-time location tracking database and caller location.
| VAR-201404-0580 | CVE-2014-2143 | Denial of service (DoS) vulnerability in the IKE implementation of Cisco IOS and IOS XE |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The IKE implementation in Cisco IOS 15.4(1)T and earlier and IOS XE allows remote attackers to cause a denial of service (security-association drop) via crafted Main Mode packets, aka Bug ID CSCun31021. Cisco IOS is the internetwork operating system used on most Cisco routers and network switches. The program does not correctly process crafted IKE Main Mode packets. This allows unauthenticated remote attackers to remove security associations that have already been established on the affected device.
This issue is being tracked by Cisco Bug ID CSCun31021.
| VAR-202003-1222 | CVE-2014-2722 | Improper default permissions vulnerability in multiple FortiBalancer products |
CVSS V2: 9.0 CVSS V3: 8.8 Severity: HIGH |
In FortiBalancer 400, 1000, 2000 and 3000, a platform-specific remote access vulnerability has been discovered that may allow a remote user to gain privileged access to affected systems using SSH. The vulnerability is caused by a configuration error, and is not the result of an underlying SSH defect. Multiple FortiBalancer products contain a vulnerability related to improper default permissions. Information may be obtained or tampered with, and the device may be put into a denial of service (DoS) state. The FortiBalancer Series is an application delivery controller device. FortiBalancer is prone to a security-bypass vulnerability. This may lead to further attacks.
FortiBalancer 400, 1000, 2000, and 3000 are vulnerable.
| VAR-202003-1223 | CVE-2014-2723 | Improper default permissions vulnerability in multiple FortiBalancer products |
CVSS V2: 9.0 CVSS V3: 8.8 Severity: HIGH |
In FortiBalancer 400, 1000, 2000 and 3000, a platform-specific remote access vulnerability has been discovered that may allow a remote user to gain privileged access to affected systems using SSH. The vulnerability is caused by a configuration error, and is not the result of an underlying SSH defect. Multiple FortiBalancer products contain a vulnerability related to improper default permissions. Information may be obtained or tampered with, and the device may be put into a denial of service (DoS) state. The FortiBalancer Series is an application delivery controller device. FortiBalancer is prone to a security-bypass vulnerability.
An attacker can exploit this issue to bypass certain security restrictions and gain unauthorized access. This may lead to further attacks.
FortiBalancer 400, 1000, 2000, and 3000 are vulnerable.
| VAR-201404-0461 | CVE-2014-0337 | Huawei Echo Life HG8247 optical router XSS vulnerability |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Cross-site scripting (XSS) vulnerability in the web interface on Huawei Echo Life HG8247 routers with software before V100R006C00SPC127 allows remote attackers to inject arbitrary web script or HTML via an invalid TELNET connection attempt with a crafted username that is not properly handled during construction of the "failed log-in attempts over telnet" log view. CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') http://cwe.mitre.org/data/definitions/79.html . An arbitrary script may be executed in the user's web browser, or a user session may be hijacked.
Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.
Echo Life HG8247 running firmware versions V1R006C00S120 and prior are vulnerable.
| VAR-201404-0694 | No CVE | ICOMM 610 Wireless Modem Cross-Site Request Forgery Vulnerability |
CVSS V2: 3.5 CVSS V3: - Severity: LOW |
The ICOMM 610 Wireless Modem has a cross-site request forgery vulnerability that allows remote attackers to construct malicious URIs, entice users to open them, and perform malicious operations in the context of the target user. ICOMM Tele ICOMM 610 is a wireless broadband modem product from India's ICOMM Tele.
A cross-site request forgery vulnerability exists in ICOMM Tele ICOMM 610 01.01.08.991 and earlier versions. A remote attacker could use this vulnerability to perform unauthorized operations. ICOMM 610 is prone to a cross-site request-forgery vulnerability. This may lead to further attacks.
ICOMM 610 01.01.08.991 and prior are vulnerable.
| VAR-202001-1337 | CVE-2014-1409 | MobileIron VSP and Sentry insufficiently protected credentials vulnerability |
CVSS V2: 6.4 CVSS V3: 9.1 Severity: CRITICAL |
MobileIron VSP versions prior to 5.9.1 and Sentry versions prior to 5.0 have an authentication bypass vulnerability due to an XML file with obfuscated passwords. MobileIron VSP and Sentry contain an inadequate protection of credentials vulnerability, through which information may be obtained. MobileIron VSP and Sentry also contain an inadequate encryption strength vulnerability; information may be obtained or tampered with, and the device may be put into a denial of service (DoS) state. MobileIron VSP and Sentry are prone to an XPath-injection weakness.
An attacker can exploit this issue by manipulating the XPath query logic to gain access to sensitive information that may aid in launching further attacks.
MobileIron VSP prior to 5.9.1 and Sentry 5.0 are vulnerable.
Matta Consulting - Matta Advisory
https://www.trustmatta.com
MobileIron Multiple Products
Authentication Bypass Vulnerability
Advisory ID: MATTA-2013-004
CVE reference: CVE-2014-1409, CVE-2013-7286
Affected platforms: VSP and Sentry
Version: VSP < 5.9.1 and Sentry < 5.0
Date: 2013-December-19
Security risk: Critical
Researcher: Nico Leidecker
Vendor Status: Patch released
Vulnerability Disclosure Policy:
https://www.trustmatta.com/advisories/matta-disclosure-policy-01.txt
Permanent URL:
https://www.trustmatta.com/advisories/MATTA-2013-004.txt
=====================================================================
Description:
During an external penetration test exercise for one of our clients,
an authentication bypass vulnerability was found in the
administrative interface of a MobileIron deployment. This ultimately
allowed us to gain access to our client's internal network.
The 'j_username' parameter of the script at
https://<target>/mics/j_spring_security_check is vulnerable to blind
XPath Injection, allowing an unauthenticated attacker to retrieve the
underlying XML document.
This XML document is an excerpt of the configuration file of the
device. It contains obfuscated passwords and, depending on
configuration, might contain domain credentials and allow the
attacker to reposition both internally and on any of the attached
devices.
This vulnerability has been assigned CVE-2014-1409.
The password obfuscation algorithm is known and has already been
documented [1]... AES-ECB-PKCS1.5 with a known, shared key. While we
won't release a full-featured exploit for the vulnerability, we will
release a PoC to confirm whether the hashes are indeed vulnerable.
The vendor has confirmed that a stronger encryption method is used
since release 5.7.
This vulnerability has been assigned CVE-2013-7286.
[1]
https://www.hackinparis.com/sites/hackinparis.com/files/MDM-HIP_2013.pdf
NB: A second insecure encryption scheme is described in [1], MITRE has
assigned CVE-2013-7287 to that separate vulnerability.
=====================================================================
Base64 encoded script to confirm whether the hash provided is
vulnerable to CVE-2013-7286:
=====================================================================
Impact
Successful exploitation allows an unauthenticated attacker to take
over the device and potentially any device attached to it as well
as the Active Directory Domain it might be linked to.
=====================================================================
Versions affected:
- Sentry Standalone < 5
- VSP < 5.9.1
=====================================================================
Workaround:
Restrict access to the MICS service (administrative interface) to
specific hosts:
MICS Portal -> Security -> Portal ACLs -> System Manager Portal ACL
=====================================================================
Credits
This vulnerability was discovered by Nico Leidecker from Matta
Consulting.
=====================================================================
History
19-12-13 initial discovery
30-12-13 client has mitigated the vulnerability
30-12-13 initial attempt to contact the vendor
30-12-13 reply from the vendor
31-12-13 a draft of this advisory is sent to the vendor
03-01-14 vendor can't reproduce / asks for more details
03-01-14 more details are sent
07-01-14 vendor recognizes that there is a bug but dismisses it as a
security vulnerability
07-01-14 more details are sent
14-01-14 a week lapsed, no reply... we chase it up
14-01-14 vendor replies: they're working on a response
15-01-14 vendor responds: reclassifies the bug as a security issue,
indicates that they intend on fixing the bug in the Q1 release,
provide a workaround and ask for us to hold on releasing the
advisory until the release is published
15-01-14 we agree to a deadline extension, send the CVEs MITRE has
assigned
...
19-02-14 vendor releases 5.9.1 (but doesn't let us know)
...
31-03-14 vendor indicates that the release of VSP 6 is delayed but
the bugs have been fixed in 5.9.1
02-04-14 release of this advisory
=====================================================================
About Matta
Matta is a privately held company with Headquarters in London, and a
European office in Amsterdam. Established in 2001, Matta operates
in Europe, Asia, the Middle East and North America using a respected
team of senior consultants. Matta is an accredited provider of
Tiger Scheme training and conducts regular research.
https://www.trustmatta.com
https://www.trustmatta.com/training.html
https://www.trustmatta.com/network-penetration-testing.html
https://www.trustmatta.com/vulnerability-assessment.html
=====================================================================
Disclaimer and Copyright
Copyright (c) 2014 Matta Consulting Limited. All rights reserved.
This advisory may be distributed as long as its distribution is
free-of-charge and proper credit is given.
The information provided in this advisory is provided "as is" without
warranty of any kind. Matta Consulting disclaims all warranties,
either express or implied, including the warranties of
merchantability and fitness for a particular purpose. In no event
shall Matta Consulting or its suppliers be liable for any damages
whatsoever including direct, indirect, incidental, consequential,
loss of business profits or special damages, even if Matta
Consulting or its suppliers have been advised of the possibility
of such damages.
| VAR-202002-0803 | CVE-2013-7286 | MobileIron VSP and Sentry insufficiently protected credentials vulnerability |
CVSS V2: 5.0 CVSS V3: 7.5 Severity: HIGH |
MobileIron VSP < 5.9.1 and Sentry < 5.0 have a weak password obfuscation algorithm. MobileIron VSP and Sentry contain an inadequate protection of credentials vulnerability, through which information may be obtained. The MobileIron Virtual Smartphone Platform (VSP) and Sentry are products of MobileIron. VSP is a virtual smartphone platform. Sentry is a smart gateway product. An attacker could exploit the vulnerability to view encrypted data and obtain sensitive information. MobileIron VSP and Sentry are prone to a security weakness that may allow attackers to obtain sensitive information. This may lead to other attacks.
MobileIron VSP prior to 5.9.1 and Sentry 5.0 are vulnerable.
| VAR-202003-1221 | CVE-2014-2721 | Improper default permissions vulnerability in multiple FortiBalancer products |
CVSS V2: 9.0 CVSS V3: 8.8 Severity: HIGH |
In FortiBalancer 400, 1000, 2000 and 3000, a platform-specific remote access vulnerability has been discovered that may allow a remote user to gain privileged access to affected systems using SSH. The vulnerability is caused by a configuration error, and is not the result of an underlying SSH defect. Multiple FortiBalancer products contain a vulnerability related to improper default permissions. Information may be obtained or tampered with, and the device may be put into a denial of service (DoS) state. The FortiBalancer Series is an application delivery controller device. FortiBalancer is prone to a security-bypass vulnerability. This may lead to further attacks.
FortiBalancer 400, 1000, 2000, and 3000 are vulnerable.
| VAR-201404-0221 | CVE-2014-1302 | WebKit, as used in Apple Safari and other products, arbitrary code execution vulnerability |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
WebKit, as used in Apple Safari before 6.1.3 and 7.x before 7.0.3, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-04-01-1. WebKit, as used in Apple Safari and other products, is prone to an unspecified memory-corruption vulnerability.
An attacker can exploit this issue to execute arbitrary code in the context of the affected application. Failed exploit attempts will likely result in denial-of-service conditions. WebKit is an open source web browser engine developed jointly by companies such as KDE, Apple, and Google, and is currently used by browsers such as Apple Safari and Google Chrome. A security vulnerability exists in WebKit as used in Apple Safari versions 6.1.2 and prior and 7.x prior to 7.0.3 because the program does not properly validate WebProcess IPC messages. A remote attacker with WebProcess access can exploit this vulnerability to bypass the sandbox protection mechanism and read arbitrary files.
CVE-ID
CVE-2014-1297 : Ian Beer of Google Project Zero
For OS X Mavericks and OS X Mountain Lion systems, Safari 7.0.3
and Safari 6.1.3 may be obtained from Mac App Store.
For OS X Lion systems Safari 6.1.3 is available via the Apple
Software Update application.
APPLE-SA-2014-04-22-2 iOS 7.1.1
iOS 7.1.1 is now available and addresses the following:
CFNetwork HTTPProtocol
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: An attacker in a privileged network position can obtain web
site credentials
Description: Set-Cookie HTTP headers would be processed even if the
connection closed before the header line was complete. An attacker
could strip security settings from the cookie by forcing the
connection to close before the security settings were sent, and then
obtain the value of the unprotected cookie. This issue was addressed
by ignoring incomplete HTTP header lines.
CVE-ID
CVE-2014-1296 : Antoine Delignat-Lavaud of Prosecco at Inria Paris
IOKit Kernel
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A local user can read kernel pointers, which can be used to
bypass kernel address space layout randomization
Description: A set of kernel pointers stored in an IOKit object
could be retrieved from userland. This issue was addressed through
removing the pointers from the object.
CVE-ID
CVE-2014-1320 : Ian Beer of Google Project Zero working with HP's
Zero Day Initiative
Security - Secure Transport
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: An attacker with a privileged network position may capture
data or change the operations performed in sessions protected by SSL
Description: In a 'triple handshake' attack, it was possible for an
attacker to establish two connections which had the same encryption
keys and handshake, insert the attacker's data in one connection, and
renegotiate so that the connections may be forwarded to each other.
To prevent attacks based on this scenario, Secure Transport was
changed so that, by default, a renegotiation must present the same
server certificate as was presented in the original connection.
CVE-ID
CVE-2014-1295 : Antoine Delignat-Lavaud, Karthikeyan Bhargavan and
Alfredo Pironti of Prosecco at Inria Paris
WebKit
Available for: iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in WebKit.
These issues were addressed through improved memory handling.
CVE-ID
CVE-2013-2871 : miaubiz
CVE-2014-1298 : Google Chrome Security Team
CVE-2014-1299 : Google Chrome Security Team, Apple, Renata Hodovan of
University of Szeged / Samsung Electronics
CVE-2014-1300 : Ian Beer of Google Project Zero working with HP's
Zero Day Initiative
CVE-2014-1302 : Google Chrome Security Team, Apple
CVE-2014-1303 : KeenTeam working with HP's Zero Day Initiative
CVE-2014-1304 : Apple
CVE-2014-1305 : Apple
CVE-2014-1307 : Google Chrome Security Team
CVE-2014-1308 : Google Chrome Security Team
CVE-2014-1309 : cloudfuzzer
CVE-2014-1310 : Google Chrome Security Team
CVE-2014-1311 : Google Chrome Security Team
CVE-2014-1312 : Google Chrome Security Team
CVE-2014-1313 : Google Chrome Security Team
CVE-2014-1713 : VUPEN working with HP's Zero Day Initiative
Installation note:
This update is available through iTunes and Software Update on your
iOS device, and will not appear in your computer's Software Update
application, or in the Apple Downloads site. Make sure you have an
Internet connection and have installed the latest version of iTunes
from www.apple.com/itunes/
iTunes and Software Update on the device will automatically check
Apple's update server on its weekly schedule. When an update is
detected, it is downloaded and the option to be installed is
presented to the user when the iOS device is docked. We recommend
applying the update immediately if possible. Selecting Don't Install
will present the option the next time you connect your iOS device.
The automatic update process may take up to a week depending on the
day that iTunes or the device checks for updates. You may manually
obtain the update via the Check for Updates button within iTunes, or
the Software Update on your device.
To check that the iPhone, iPod touch, or iPad has been updated:
* Navigate to Settings
* Select General
* Select About. The version after applying this update
will be "7.1.1".
Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
| VAR-201404-0220 | CVE-2014-1301 | WebKit, as used in Apple Safari and other products, vulnerable to arbitrary code execution |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
WebKit, as used in Apple Safari before 6.1.3 and 7.x before 7.0.3, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-04-01-1. WebKit, as used in Apple Safari and other products, is prone to an unspecified memory-corruption vulnerability.
An attacker can exploit this issue to execute arbitrary code in the context of the affected application. Failed exploit attempts will likely result in denial-of-service conditions. WebKit is an open source web browser engine jointly developed by companies such as KDE, Apple, and Google, and is currently used by browsers such as Apple Safari and Google Chrome.
APPLE-SA-2014-04-01-1 Safari 6.1.3 and Safari 7.0.3
Safari 6.1.3 and Safari 7.0.3 are now available and address the
following:
WebKit
Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5,
OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.2
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in WebKit.
These issues were addressed through improved memory handling.
CVE-ID
CVE-2013-2871 : miaubiz
CVE-2013-2926 : cloudfuzzer
CVE-2013-2928 : Google Chrome Security Team
CVE-2013-6625 : cloudfuzzer
CVE-2014-1289 : Apple
CVE-2014-1290 : ant4g0nist (SegFault) working with HP's Zero Day
Initiative, Google Chrome Security Team
CVE-2014-1291 : Google Chrome Security Team
CVE-2014-1292 : Google Chrome Security Team
CVE-2014-1293 : Google Chrome Security Team
CVE-2014-1294 : Google Chrome Security Team
CVE-2014-1298 : Google Chrome Security Team
CVE-2014-1299 : Google Chrome Security Team, Apple, Renata Hodovan of
University of Szeged / Samsung Electronics
CVE-2014-1300 : Ian Beer of Google Project Zero working with HP's
Zero Day Initiative
CVE-2014-1301 : Google Chrome Security Team
CVE-2014-1302 : Google Chrome Security Team, Apple
CVE-2014-1303 : KeenTeam working with HP's Zero Day Initiative
CVE-2014-1304 : Apple
CVE-2014-1305 : Apple
CVE-2014-1307 : Google Chrome Security Team
CVE-2014-1308 : Google Chrome Security Team
CVE-2014-1309 : cloudfuzzer
CVE-2014-1310 : Google Chrome Security Team
CVE-2014-1311 : Google Chrome Security Team
CVE-2014-1312 : Google Chrome Security Team
CVE-2014-1313 : Google Chrome Security Team
CVE-2014-1713 : VUPEN working with HP's Zero Day Initiative
WebKit
Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5,
OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.2
Impact: An attacker running arbitrary code in the WebProcess may be
able to read arbitrary files despite sandbox restrictions
Description: A logic issue existed in the handling of IPC messages
from the WebProcess. This issue was addressed through additional
validation of IPC messages.
CVE-ID
CVE-2014-1297 : Ian Beer of Google Project Zero
For OS X Mavericks and OS X Mountain Lion systems, Safari 7.0.3
and Safari 6.1.3 may be obtained from Mac App Store.
For OS X Lion systems Safari 6.1.3 is available via the Apple
Software Update application.
Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/