VARIoT IoT vulnerabilities database


VAR-201311-0197 CVE-2013-5997 D-Link DES-3800 Series vulnerable to denial-of-service (DoS)
CVSS V2: 6.8
CVSS V3: -
Severity: MEDIUM
Unspecified vulnerability in the SSH implementation on D-Link Japan DES-3800 devices with firmware before R4.50B58 allows remote authenticated users to cause a denial of service (device hang) via unknown vectors, a different vulnerability than CVE-2013-5998. DES-3800 Series provided by D-Link Japan contains a denial-of-service (DoS) vulnerability due to an issue in the implementation of SSH. Note that this vulnerability is different from JVN#28812735. Hisashi Kojima, Masahiro Nakada of Fujitsu Laboratories Ltd. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. A user who can log in using SSH may cause the product to stop responding. The D-Link DES-3800 is a Layer 3 100M managed network switch. D-Link DES-3800 Series are prone to a denial-of-service vulnerability. An attacker can exploit this issue to cause the device to stop responding, denying service to legitimate users
VAR-201311-0198 CVE-2013-5998 D-Link DES-3800 Series vulnerable to denial-of-service (DoS)
CVSS V2: 7.8
CVSS V3: -
Severity: HIGH
Unspecified vulnerability in the Web manager implementation on D-Link Japan DES-3800 devices with firmware before R4.50B58 allows remote attackers to cause a denial of service (device hang) via unknown vectors, a different vulnerability than CVE-2013-5997. DES-3800 Series provided by D-Link Japan contains a denial-of-service (DoS) vulnerability due to an issue in the Web manager function. Note that this vulnerability is different from JVN#65312543. Hisashi Kojima, Masahiro Nakada of Fujitsu Laboratories Ltd. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. A remote attacker may cause the product to stop responding. The D-Link DES-3800 is a Layer 3 100M managed network switch. D-Link DES-3800 Series are prone to a denial-of-service vulnerability
VAR-201311-0232 CVE-2013-6694 Cisco IOS IPSec MTU Remote Denial of Service Vulnerability
CVSS V2: 4.3
CVSS V3: -
Severity: MEDIUM
The IPSec implementation in Cisco IOS allows remote attackers to cause a denial of service (MTU change and tunnel-session drop) via crafted ICMP packets, aka Bug ID CSCul29918. Cisco IOS is the interconnected network operating system used on most Cisco system routers and network switches. The vulnerability is caused by the failure to correctly process some ICMP packets. Cisco IOS is prone to a remote denial-of-service vulnerability. This issue is being tracked by Cisco Bug ID CSCul29918
VAR-201311-0106 CVE-2013-4164 Ruby Heap-based buffer overflow vulnerability
CVSS V2: 6.8
CVSS V3: -
Severity: MEDIUM
Heap-based buffer overflow in Ruby 1.8, 1.9 before 1.9.3-p484, 2.0 before 2.0.0-p353, 2.1 before 2.1.0 preview2, and trunk before revision 43780 allows context-dependent attackers to cause a denial of service (segmentation fault) and possibly execute arbitrary code via a string that is converted to a floating point value, as demonstrated using (1) the to_f method or (2) JSON.parse. Ruby is prone to a heap-based buffer overflow vulnerability because it fails to perform adequate boundary checks on user-supplied input. An attacker can exploit this issue to execute arbitrary code in the context of the application using the affected function. Failed exploit attempts will likely crash the application. The following versions are vulnerable:
- Ruby 1.8
- Ruby 1.9 prior to 1.9.3-p484
- Ruby 2.0 prior to 2.0.0-p353
- Ruby 2.1 prior to 2.1.0 preview2

The Common Vulnerabilities and Exposures project identifies the following problems:
CVE-2013-1821: Ben Murphy discovered that unrestricted entity expansion in REXML can lead to a Denial of Service by consuming all host memory.
CVE-2013-4073: William (B.J.) Snow Orvis discovered a vulnerability in the hostname checking in Ruby's SSL client that could allow man-in-the-middle attackers to spoof SSL servers via a crafted certificate issued by a trusted certification authority.
For the oldstable distribution (squeeze), these problems have been fixed in version 1.8.7.302-2squeeze2. For the stable distribution (wheezy), these problems have been fixed in version 1.8.7.358-7.1+deb7u1. For the unstable distribution (sid), these problems have been fixed in version 1.8.7.358-9. We recommend that you upgrade your ruby1.8 packages.

Relevant releases/architectures: OpenStack 3 - noarch, x86_64 3.
=====================================================================
Red Hat Security Advisory

Synopsis: Critical: ruby security update
Advisory ID: RHSA-2013:1767-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2013-1767.html
Issue date: 2013-11-26
CVE Names: CVE-2013-4164
=====================================================================

1. Summary:

Updated ruby packages that fix one security issue are now available for Red Hat Enterprise Linux 6.2, 6.3, and 6.4 Extended Update Support.

The Red Hat Security Response Team has rated this update as having critical security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Compute Node EUS (v. 6.2) - x86_64
Red Hat Enterprise Linux Compute Node EUS (v. 6.3) - x86_64
Red Hat Enterprise Linux Compute Node Optional EUS (v. 6.2) - x86_64
Red Hat Enterprise Linux Compute Node Optional EUS (v. 6.3) - x86_64
Red Hat Enterprise Linux Compute Node Optional EUS (v. 6.4) - x86_64
Red Hat Enterprise Linux HPC Node EUS (v. 6.4) - x86_64
Red Hat Enterprise Linux Server EUS (v. 6.2) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Server EUS (v. 6.3) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Server EUS (v. 6.4) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Server Optional EUS (v. 6.2) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Server Optional EUS (v. 6.3) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Server Optional EUS (v. 6.4) - i386, ppc64, s390x, x86_64

3. Description:

Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to perform system management tasks.

A buffer overflow flaw was found in the way Ruby parsed floating point numbers from their text representation.
(CVE-2013-4164)

All ruby users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1033460 - CVE-2013-4164 ruby: heap overflow in floating point parsing

6. Package List:

Red Hat Enterprise Linux Compute Node EUS (v. 6.2):
Source: ruby-1.8.7.352-13.el6_2.src.rpm
x86_64: ruby-1.8.7.352-13.el6_2.x86_64.rpm ruby-debuginfo-1.8.7.352-13.el6_2.i686.rpm ruby-debuginfo-1.8.7.352-13.el6_2.x86_64.rpm ruby-irb-1.8.7.352-13.el6_2.x86_64.rpm ruby-libs-1.8.7.352-13.el6_2.i686.rpm ruby-libs-1.8.7.352-13.el6_2.x86_64.rpm

Red Hat Enterprise Linux Compute Node EUS (v. 6.3):
Source: ruby-1.8.7.352-13.el6_3.src.rpm
x86_64: ruby-1.8.7.352-13.el6_3.x86_64.rpm ruby-debuginfo-1.8.7.352-13.el6_3.i686.rpm ruby-debuginfo-1.8.7.352-13.el6_3.x86_64.rpm ruby-devel-1.8.7.352-13.el6_3.i686.rpm ruby-devel-1.8.7.352-13.el6_3.x86_64.rpm ruby-irb-1.8.7.352-13.el6_3.x86_64.rpm ruby-libs-1.8.7.352-13.el6_3.i686.rpm ruby-libs-1.8.7.352-13.el6_3.x86_64.rpm ruby-rdoc-1.8.7.352-13.el6_3.x86_64.rpm

Red Hat Enterprise Linux HPC Node EUS (v. 6.4):
Source: ruby-1.8.7.352-13.el6_4.src.rpm
x86_64: ruby-1.8.7.352-13.el6_4.x86_64.rpm ruby-debuginfo-1.8.7.352-13.el6_4.i686.rpm ruby-debuginfo-1.8.7.352-13.el6_4.x86_64.rpm ruby-devel-1.8.7.352-13.el6_4.i686.rpm ruby-devel-1.8.7.352-13.el6_4.x86_64.rpm ruby-irb-1.8.7.352-13.el6_4.x86_64.rpm ruby-libs-1.8.7.352-13.el6_4.i686.rpm ruby-libs-1.8.7.352-13.el6_4.x86_64.rpm ruby-rdoc-1.8.7.352-13.el6_4.x86_64.rpm

Red Hat Enterprise Linux Compute Node Optional EUS (v. 6.2):
Source: ruby-1.8.7.352-13.el6_2.src.rpm
x86_64: ruby-debuginfo-1.8.7.352-13.el6_2.i686.rpm ruby-debuginfo-1.8.7.352-13.el6_2.x86_64.rpm ruby-devel-1.8.7.352-13.el6_2.i686.rpm ruby-devel-1.8.7.352-13.el6_2.x86_64.rpm ruby-docs-1.8.7.352-13.el6_2.x86_64.rpm ruby-rdoc-1.8.7.352-13.el6_2.x86_64.rpm ruby-ri-1.8.7.352-13.el6_2.x86_64.rpm ruby-static-1.8.7.352-13.el6_2.x86_64.rpm ruby-tcltk-1.8.7.352-13.el6_2.x86_64.rpm

Red Hat Enterprise Linux Compute Node Optional EUS (v. 6.3):
Source: ruby-1.8.7.352-13.el6_3.src.rpm
x86_64: ruby-debuginfo-1.8.7.352-13.el6_3.x86_64.rpm ruby-docs-1.8.7.352-13.el6_3.x86_64.rpm ruby-ri-1.8.7.352-13.el6_3.x86_64.rpm ruby-static-1.8.7.352-13.el6_3.x86_64.rpm ruby-tcltk-1.8.7.352-13.el6_3.x86_64.rpm

Red Hat Enterprise Linux Compute Node Optional EUS (v. 6.4):
Source: ruby-1.8.7.352-13.el6_4.src.rpm
x86_64: ruby-debuginfo-1.8.7.352-13.el6_4.x86_64.rpm ruby-docs-1.8.7.352-13.el6_4.x86_64.rpm ruby-ri-1.8.7.352-13.el6_4.x86_64.rpm ruby-static-1.8.7.352-13.el6_4.x86_64.rpm ruby-tcltk-1.8.7.352-13.el6_4.x86_64.rpm

Red Hat Enterprise Linux Server EUS (v. 6.2):
Source: ruby-1.8.7.352-13.el6_2.src.rpm
i386: ruby-1.8.7.352-13.el6_2.i686.rpm ruby-debuginfo-1.8.7.352-13.el6_2.i686.rpm ruby-devel-1.8.7.352-13.el6_2.i686.rpm ruby-irb-1.8.7.352-13.el6_2.i686.rpm ruby-libs-1.8.7.352-13.el6_2.i686.rpm ruby-rdoc-1.8.7.352-13.el6_2.i686.rpm
ppc64: ruby-1.8.7.352-13.el6_2.ppc64.rpm ruby-debuginfo-1.8.7.352-13.el6_2.ppc.rpm ruby-debuginfo-1.8.7.352-13.el6_2.ppc64.rpm ruby-devel-1.8.7.352-13.el6_2.ppc.rpm ruby-devel-1.8.7.352-13.el6_2.ppc64.rpm ruby-irb-1.8.7.352-13.el6_2.ppc64.rpm ruby-libs-1.8.7.352-13.el6_2.ppc.rpm ruby-libs-1.8.7.352-13.el6_2.ppc64.rpm ruby-rdoc-1.8.7.352-13.el6_2.ppc64.rpm
s390x: ruby-1.8.7.352-13.el6_2.s390x.rpm ruby-debuginfo-1.8.7.352-13.el6_2.s390.rpm ruby-debuginfo-1.8.7.352-13.el6_2.s390x.rpm ruby-devel-1.8.7.352-13.el6_2.s390.rpm ruby-devel-1.8.7.352-13.el6_2.s390x.rpm ruby-irb-1.8.7.352-13.el6_2.s390x.rpm ruby-libs-1.8.7.352-13.el6_2.s390.rpm ruby-libs-1.8.7.352-13.el6_2.s390x.rpm ruby-rdoc-1.8.7.352-13.el6_2.s390x.rpm
x86_64: ruby-1.8.7.352-13.el6_2.x86_64.rpm ruby-debuginfo-1.8.7.352-13.el6_2.i686.rpm ruby-debuginfo-1.8.7.352-13.el6_2.x86_64.rpm ruby-devel-1.8.7.352-13.el6_2.i686.rpm ruby-devel-1.8.7.352-13.el6_2.x86_64.rpm ruby-irb-1.8.7.352-13.el6_2.x86_64.rpm ruby-libs-1.8.7.352-13.el6_2.i686.rpm ruby-libs-1.8.7.352-13.el6_2.x86_64.rpm ruby-rdoc-1.8.7.352-13.el6_2.x86_64.rpm

Red Hat Enterprise Linux Server EUS (v. 6.3):
Source: ruby-1.8.7.352-13.el6_3.src.rpm
i386: ruby-1.8.7.352-13.el6_3.i686.rpm ruby-debuginfo-1.8.7.352-13.el6_3.i686.rpm ruby-devel-1.8.7.352-13.el6_3.i686.rpm ruby-irb-1.8.7.352-13.el6_3.i686.rpm ruby-libs-1.8.7.352-13.el6_3.i686.rpm ruby-rdoc-1.8.7.352-13.el6_3.i686.rpm
ppc64: ruby-1.8.7.352-13.el6_3.ppc64.rpm ruby-debuginfo-1.8.7.352-13.el6_3.ppc.rpm ruby-debuginfo-1.8.7.352-13.el6_3.ppc64.rpm ruby-devel-1.8.7.352-13.el6_3.ppc.rpm ruby-devel-1.8.7.352-13.el6_3.ppc64.rpm ruby-irb-1.8.7.352-13.el6_3.ppc64.rpm ruby-libs-1.8.7.352-13.el6_3.ppc.rpm ruby-libs-1.8.7.352-13.el6_3.ppc64.rpm ruby-rdoc-1.8.7.352-13.el6_3.ppc64.rpm
s390x: ruby-1.8.7.352-13.el6_3.s390x.rpm ruby-debuginfo-1.8.7.352-13.el6_3.s390.rpm ruby-debuginfo-1.8.7.352-13.el6_3.s390x.rpm ruby-devel-1.8.7.352-13.el6_3.s390.rpm ruby-devel-1.8.7.352-13.el6_3.s390x.rpm ruby-irb-1.8.7.352-13.el6_3.s390x.rpm ruby-libs-1.8.7.352-13.el6_3.s390.rpm ruby-libs-1.8.7.352-13.el6_3.s390x.rpm ruby-rdoc-1.8.7.352-13.el6_3.s390x.rpm
x86_64: ruby-1.8.7.352-13.el6_3.x86_64.rpm ruby-debuginfo-1.8.7.352-13.el6_3.i686.rpm ruby-debuginfo-1.8.7.352-13.el6_3.x86_64.rpm ruby-devel-1.8.7.352-13.el6_3.i686.rpm ruby-devel-1.8.7.352-13.el6_3.x86_64.rpm ruby-irb-1.8.7.352-13.el6_3.x86_64.rpm ruby-libs-1.8.7.352-13.el6_3.i686.rpm ruby-libs-1.8.7.352-13.el6_3.x86_64.rpm ruby-rdoc-1.8.7.352-13.el6_3.x86_64.rpm

Red Hat Enterprise Linux Server EUS (v. 6.4):
Source: ruby-1.8.7.352-13.el6_4.src.rpm
i386: ruby-1.8.7.352-13.el6_4.i686.rpm ruby-debuginfo-1.8.7.352-13.el6_4.i686.rpm ruby-devel-1.8.7.352-13.el6_4.i686.rpm ruby-irb-1.8.7.352-13.el6_4.i686.rpm ruby-libs-1.8.7.352-13.el6_4.i686.rpm ruby-rdoc-1.8.7.352-13.el6_4.i686.rpm
ppc64: ruby-1.8.7.352-13.el6_4.ppc64.rpm ruby-debuginfo-1.8.7.352-13.el6_4.ppc.rpm ruby-debuginfo-1.8.7.352-13.el6_4.ppc64.rpm ruby-devel-1.8.7.352-13.el6_4.ppc.rpm ruby-devel-1.8.7.352-13.el6_4.ppc64.rpm ruby-irb-1.8.7.352-13.el6_4.ppc64.rpm ruby-libs-1.8.7.352-13.el6_4.ppc.rpm ruby-libs-1.8.7.352-13.el6_4.ppc64.rpm ruby-rdoc-1.8.7.352-13.el6_4.ppc64.rpm
s390x: ruby-1.8.7.352-13.el6_4.s390x.rpm ruby-debuginfo-1.8.7.352-13.el6_4.s390.rpm ruby-debuginfo-1.8.7.352-13.el6_4.s390x.rpm ruby-devel-1.8.7.352-13.el6_4.s390.rpm ruby-devel-1.8.7.352-13.el6_4.s390x.rpm ruby-irb-1.8.7.352-13.el6_4.s390x.rpm ruby-libs-1.8.7.352-13.el6_4.s390.rpm ruby-libs-1.8.7.352-13.el6_4.s390x.rpm ruby-rdoc-1.8.7.352-13.el6_4.s390x.rpm
x86_64: ruby-1.8.7.352-13.el6_4.x86_64.rpm ruby-debuginfo-1.8.7.352-13.el6_4.i686.rpm ruby-debuginfo-1.8.7.352-13.el6_4.x86_64.rpm ruby-devel-1.8.7.352-13.el6_4.i686.rpm ruby-devel-1.8.7.352-13.el6_4.x86_64.rpm ruby-irb-1.8.7.352-13.el6_4.x86_64.rpm ruby-libs-1.8.7.352-13.el6_4.i686.rpm ruby-libs-1.8.7.352-13.el6_4.x86_64.rpm ruby-rdoc-1.8.7.352-13.el6_4.x86_64.rpm

Red Hat Enterprise Linux Server Optional EUS (v. 6.2):
Source: ruby-1.8.7.352-13.el6_2.src.rpm
i386: ruby-debuginfo-1.8.7.352-13.el6_2.i686.rpm ruby-devel-1.8.7.352-13.el6_2.i686.rpm ruby-docs-1.8.7.352-13.el6_2.i686.rpm ruby-rdoc-1.8.7.352-13.el6_2.i686.rpm ruby-ri-1.8.7.352-13.el6_2.i686.rpm ruby-static-1.8.7.352-13.el6_2.i686.rpm ruby-tcltk-1.8.7.352-13.el6_2.i686.rpm
ppc64: ruby-debuginfo-1.8.7.352-13.el6_2.ppc.rpm ruby-debuginfo-1.8.7.352-13.el6_2.ppc64.rpm ruby-devel-1.8.7.352-13.el6_2.ppc.rpm ruby-devel-1.8.7.352-13.el6_2.ppc64.rpm ruby-docs-1.8.7.352-13.el6_2.ppc64.rpm ruby-rdoc-1.8.7.352-13.el6_2.ppc64.rpm ruby-ri-1.8.7.352-13.el6_2.ppc64.rpm ruby-static-1.8.7.352-13.el6_2.ppc64.rpm ruby-tcltk-1.8.7.352-13.el6_2.ppc64.rpm
s390x: ruby-debuginfo-1.8.7.352-13.el6_2.s390.rpm ruby-debuginfo-1.8.7.352-13.el6_2.s390x.rpm ruby-devel-1.8.7.352-13.el6_2.s390.rpm ruby-devel-1.8.7.352-13.el6_2.s390x.rpm ruby-docs-1.8.7.352-13.el6_2.s390x.rpm ruby-rdoc-1.8.7.352-13.el6_2.s390x.rpm ruby-ri-1.8.7.352-13.el6_2.s390x.rpm ruby-static-1.8.7.352-13.el6_2.s390x.rpm ruby-tcltk-1.8.7.352-13.el6_2.s390x.rpm
x86_64: ruby-debuginfo-1.8.7.352-13.el6_2.i686.rpm ruby-debuginfo-1.8.7.352-13.el6_2.x86_64.rpm ruby-devel-1.8.7.352-13.el6_2.i686.rpm ruby-devel-1.8.7.352-13.el6_2.x86_64.rpm ruby-docs-1.8.7.352-13.el6_2.x86_64.rpm ruby-rdoc-1.8.7.352-13.el6_2.x86_64.rpm ruby-ri-1.8.7.352-13.el6_2.x86_64.rpm ruby-static-1.8.7.352-13.el6_2.x86_64.rpm ruby-tcltk-1.8.7.352-13.el6_2.x86_64.rpm

Red Hat Enterprise Linux Server Optional EUS (v. 6.3):
Source: ruby-1.8.7.352-13.el6_3.src.rpm
i386: ruby-debuginfo-1.8.7.352-13.el6_3.i686.rpm ruby-docs-1.8.7.352-13.el6_3.i686.rpm ruby-ri-1.8.7.352-13.el6_3.i686.rpm ruby-static-1.8.7.352-13.el6_3.i686.rpm ruby-tcltk-1.8.7.352-13.el6_3.i686.rpm
ppc64: ruby-debuginfo-1.8.7.352-13.el6_3.ppc64.rpm ruby-docs-1.8.7.352-13.el6_3.ppc64.rpm ruby-ri-1.8.7.352-13.el6_3.ppc64.rpm ruby-static-1.8.7.352-13.el6_3.ppc64.rpm ruby-tcltk-1.8.7.352-13.el6_3.ppc64.rpm
s390x: ruby-debuginfo-1.8.7.352-13.el6_3.s390x.rpm ruby-docs-1.8.7.352-13.el6_3.s390x.rpm ruby-ri-1.8.7.352-13.el6_3.s390x.rpm ruby-static-1.8.7.352-13.el6_3.s390x.rpm ruby-tcltk-1.8.7.352-13.el6_3.s390x.rpm
x86_64: ruby-debuginfo-1.8.7.352-13.el6_3.x86_64.rpm ruby-docs-1.8.7.352-13.el6_3.x86_64.rpm ruby-ri-1.8.7.352-13.el6_3.x86_64.rpm ruby-static-1.8.7.352-13.el6_3.x86_64.rpm ruby-tcltk-1.8.7.352-13.el6_3.x86_64.rpm

Red Hat Enterprise Linux Server Optional EUS (v. 6.4):
Source: ruby-1.8.7.352-13.el6_4.src.rpm
i386: ruby-debuginfo-1.8.7.352-13.el6_4.i686.rpm ruby-docs-1.8.7.352-13.el6_4.i686.rpm ruby-ri-1.8.7.352-13.el6_4.i686.rpm ruby-static-1.8.7.352-13.el6_4.i686.rpm ruby-tcltk-1.8.7.352-13.el6_4.i686.rpm
ppc64: ruby-debuginfo-1.8.7.352-13.el6_4.ppc64.rpm ruby-docs-1.8.7.352-13.el6_4.ppc64.rpm ruby-ri-1.8.7.352-13.el6_4.ppc64.rpm ruby-static-1.8.7.352-13.el6_4.ppc64.rpm ruby-tcltk-1.8.7.352-13.el6_4.ppc64.rpm
s390x: ruby-debuginfo-1.8.7.352-13.el6_4.s390x.rpm ruby-docs-1.8.7.352-13.el6_4.s390x.rpm ruby-ri-1.8.7.352-13.el6_4.s390x.rpm ruby-static-1.8.7.352-13.el6_4.s390x.rpm ruby-tcltk-1.8.7.352-13.el6_4.s390x.rpm
x86_64: ruby-debuginfo-1.8.7.352-13.el6_4.x86_64.rpm ruby-docs-1.8.7.352-13.el6_4.x86_64.rpm ruby-ri-1.8.7.352-13.el6_4.x86_64.rpm ruby-static-1.8.7.352-13.el6_4.x86_64.rpm ruby-tcltk-1.8.7.352-13.el6_4.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2013-4164.html
https://access.redhat.com/security/updates/classification/#critical

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/

Copyright 2013 Red Hat, Inc.

APPLE-SA-2014-04-22-1 Security Update 2014-002

Security Update 2014-002 is now available and addresses the following:

CFNetwork HTTPProtocol
Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.2
Impact: An attacker in a privileged network position can obtain web site credentials
Description: Set-Cookie HTTP headers would be processed even if the connection closed before the header line was complete. An attacker could strip security settings from the cookie by forcing the connection to close before the security settings were sent, and then obtain the value of the unprotected cookie. This issue was addressed by ignoring incomplete HTTP header lines.
CVE-ID CVE-2014-1296 : Antoine Delignat-Lavaud of Prosecco at Inria Paris

CoreServicesUIAgent
Available for: OS X Mavericks v10.9.2
Impact: Visiting a maliciously crafted website or URL may result in an unexpected application termination or arbitrary code execution
Description: A format string issue existed in the handling of URLs. This issue was addressed through additional validation of URLs. This issue does not affect systems prior to OS X Mavericks.
CVE-ID CVE-2014-1315 : Lukasz Pilorz of runic.pl, Erik Kooistra

FontParser
Available for: OS X Mountain Lion v10.8.5
Impact: Opening a maliciously crafted PDF file may result in an unexpected application termination or arbitrary code execution
Description: A buffer underflow existed in the handling of fonts in PDF files. This issue was addressed through additional bounds checking. This issue does not affect OS X Mavericks systems.
CVE-ID CVE-2013-5170 : Will Dormann of CERT/CC

Heimdal Kerberos
Available for: OS X Mavericks v10.9.2
Impact: A remote attacker may be able to cause a denial of service
Description: A reachable abort existed in the handling of ASN.1 data. This issue was addressed through additional validation of ASN.1 data.
CVE-ID CVE-2014-1316 : Joonas Kuorilehto of Codenomicon

ImageIO
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.2
Impact: Viewing a maliciously crafted JPEG image may lead to an unexpected application termination or arbitrary code execution
Description: A buffer overflow issue existed in ImageIO's handling of JPEG images. This issue was addressed through improved bounds checking. This issue does not affect systems prior to OS X Mavericks.
CVE-ID CVE-2014-1319 : Cristian Draghici of Modulo Consulting, Karl Smith of NCC Group

Intel Graphics Driver
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.2
Impact: A malicious application can take control of the system
Description: A validation issue existed in the handling of a pointer from userspace. This issue was addressed through additional validation of pointers.
CVE-ID CVE-2014-1318 : Ian Beer of Google Project Zero working with HP's Zero Day Initiative

IOKit Kernel
Available for: OS X Mavericks v10.9.2
Impact: A local user can read kernel pointers, which can be used to bypass kernel address space layout randomization
Description: A set of kernel pointers stored in an IOKit object could be retrieved from userland. This issue was addressed through removing the pointers from the object.
CVE-ID CVE-2014-1320 : Ian Beer of Google Project Zero working with HP's Zero Day Initiative

Kernel
Available for: OS X Mavericks v10.9.2
Impact: A local user can read a kernel pointer, which can be used to bypass kernel address space layout randomization
Description: A kernel pointer stored in a XNU object could be retrieved from userland. This issue was addressed through removing the pointer from the object.
CVE-ID CVE-2014-1322 : Ian Beer of Google Project Zero

Power Management
Available for: OS X Mavericks v10.9.2
Impact: The screen might not lock
Description: If a key was pressed or the trackpad touched just after the lid was closed, the system might have tried to wake up while going to sleep, which would have caused the screen to be unlocked. This issue was addressed by ignoring keypresses while going to sleep. This issue does not affect systems prior to OS X Mavericks.
CVE-ID CVE-2014-1321 : Paul Kleeberg of Stratis Health Bloomington MN, Julian Sincu at the Baden-Wuerttemberg Cooperative State University (DHBW Stuttgart), Gerben Wierda of R&A, Daniel Luz

Ruby
Available for: OS X Mavericks v10.9.2
Impact: Running a Ruby script that handles untrusted YAML tags may lead to an unexpected application termination or arbitrary code execution
Description: An integer overflow issue existed in LibYAML's handling of YAML tags. This issue was addressed through additional validation of YAML tags. This issue does not affect systems prior to OS X Mavericks.
CVE-ID CVE-2013-6393

Ruby
Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.2
Impact: Running a Ruby script that uses untrusted input to create a Float object may lead to an unexpected application termination or arbitrary code execution
Description: A heap-based buffer overflow issue existed in Ruby when converting a string to a floating point value. This issue was addressed through additional validation of floating point values.
CVE-ID CVE-2013-4164

Security - Secure Transport
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.2
Impact: An attacker with a privileged network position may capture data or change the operations performed in sessions protected by SSL
Description: In a 'triple handshake' attack, it was possible for an attacker to establish two connections which had the same encryption keys and handshake, insert the attacker's data in one connection, and renegotiate so that the connections may be forwarded to each other. To prevent attacks based on this scenario, Secure Transport was changed so that, by default, a renegotiation must present the same server certificate as was presented in the original connection. This issue does not affect Mac OS X 10.7 systems and earlier.
CVE-ID CVE-2014-1295 : Antoine Delignat-Lavaud, Karthikeyan Bhargavan and Alfredo Pironti of Prosecco at Inria Paris

WindowServer
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.2
Impact: Maliciously crafted applications can execute arbitrary code outside the sandbox
Description: WindowServer sessions could be created by sandboxed applications. This issue was addressed by disallowing sandboxed applications from creating WindowServer sessions.
CVE-ID CVE-2014-1314 : KeenTeam working with HP's Zero Day Initiative

Note: Security Update 2014-002 for OS X Mavericks systems includes the security content of Safari 7.0.3: http://support.apple.com/kb/HT6181

Security Update 2014-002 may be obtained via the Apple Software Update application, and from the Apple's Software Downloads web site: http://www.apple.com/support/downloads/

Information will also be posted to the Apple Security Updates web site: http://support.apple.com/kb/HT1222

This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/

==========================================================================
Ubuntu Security Notice USN-2035-1
November 27, 2013

ruby1.8, ruby1.9.1 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 13.10
- Ubuntu 13.04
- Ubuntu 12.10
- Ubuntu 12.04 LTS

Summary:

Several security issues were fixed in Ruby.
(CVE-2013-4164)

Vit Ondruch discovered that Ruby did not perform taint checking for certain functions. An attacker could possibly use this issue to bypass certain intended restrictions. (CVE-2013-2065)

Update instructions:

The problem can be corrected by updating your system to the following package versions:

Ubuntu 13.10:
libruby1.8 1.8.7.358-7ubuntu2.1
libruby1.9.1 1.9.3.194-8.1ubuntu2.1
ruby1.8 1.8.7.358-7ubuntu2.1
ruby1.9.1 1.9.3.194-8.1ubuntu2.1

Ubuntu 13.04:
libruby1.8 1.8.7.358-7ubuntu1.2
libruby1.9.1 1.9.3.194-8.1ubuntu1.2
ruby1.8 1.8.7.358-7ubuntu1.2
ruby1.9.1 1.9.3.194-8.1ubuntu1.2

Ubuntu 12.10:
libruby1.8 1.8.7.358-4ubuntu0.4
libruby1.9.1 1.9.3.194-1ubuntu1.6
ruby1.8 1.8.7.358-4ubuntu0.4
ruby1.9.1 1.9.3.194-1ubuntu1.6

Ubuntu 12.04 LTS:
libruby1.8 1.8.7.352-2ubuntu1.4
libruby1.9.1 1.9.3.0-1ubuntu2.8
ruby1.8 1.8.7.352-2ubuntu1.4
ruby1.9.1 1.9.3.0-1ubuntu2.8

In general, a standard system update will make all the necessary changes.

These issues were addressed by updating PostgreSQL to version 9.2.7.
CVE-ID CVE-2014-0060 CVE-2014-0061 CVE-2014-0062 CVE-2014-0063 CVE-2014-0064 CVE-2014-0065 CVE-2014-0066

Mail Service
Available for: OS X Yosemite v10.10 or later
Impact: Group SACL changes for Mail may not be respected until after a restart of the Mail service
Description: SACL settings for Mail were cached and changes to the SACLs were not respected until after a restart of the Mail service.

These issues were addressed by switching from YAML to JSON as Profile Manager's internal serialization format.
CVE-ID CVE-2013-4164 CVE-2013-6393

Profile Manager
Available for: OS X Yosemite v10.10 or later
Impact: A local user may obtain passwords after setting up or editing profiles in Profile Manager
Description: In certain circumstances, setting up or editing profiles in Profile Manager may have logged passwords to a file.

An attacker could force the use of SSL 3.0, even when the server would support a better TLS version, by blocking TLS 1.0 and higher connection attempts. This issue was addressed by disabling SSL 3.0 support in Web Server, Calendar & Contacts Server, and Remote Administration
VAR-201311-0407 No CVE SAP Netweaver Web Application Server J2EE SAP Portal Redirect Vulnerability
CVSS V2: 2.6
CVSS V3: -
Severity: LOW
SAP NetWeaver is the technical foundation for SAP Business Suite solutions, SAP xApps composite applications, partner solutions, and custom applications. SAP Web Application Server is a web application service program. Input passed to SAP Portal is not properly validated before being used to redirect users. An attacker can build malicious URIs, entice users to follow them, redirect user traffic to an arbitrary web site, and carry out phishing attacks
VAR-201311-0408 No CVE SAP NetWeaver Web Application Server SHSTI_UPLOAD_XML XML External entity vulnerability
CVSS V2: 4.0
CVSS V3: -
Severity: MEDIUM
SAP NetWeaver is the technical foundation for SAP Business Suite solutions, SAP xApps composite applications, partner solutions, and custom applications. The SAP NetWeaver Web Application Server has an error in the HSTI_UPLOAD_XML function when parsing XML entities, allowing restricted management commands to be sent to the gateway or message server via a specially crafted XML document containing external entity references
VAR-201311-0233 CVE-2013-6698 Cisco Wireless LAN Controller device web interface clickjacking vulnerability
CVSS V2: 4.3
CVSS V3: -
Severity: MEDIUM
The web interface on Cisco Wireless LAN Controller (WLC) devices does not properly restrict use of IFRAME elements, which makes it easier for remote attackers to conduct clickjacking attacks and unspecified other attacks via a crafted web site, related to a "cross-frame scripting (XFS)" issue, aka Bug ID CSCuf77821. This vulnerability is related to a "cross-frame scripting (XFS)" issue. The Cisco Wireless LAN Controller is responsible for system-wide wireless LAN functions such as security policy, intrusion protection, RF management, quality of service, and mobility. The vulnerability is due to insufficient protection of HTML sub-frames: an attacker can build a malicious HTML sub-frame, entice a user to render it, and perform clickjacking or other client-side browser attacks. Successful exploits will allow attackers to bypass the same-origin policy and perform unauthorized actions; other attacks are possible. This issue is being tracked by Cisco Bug ID CSCuf77821
VAR-201311-0234 CVE-2013-6699 Cisco Wireless LAN Controller CAPWAP protocol implementation denial of service (DoS) vulnerability
CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
The Control and Provisioning of Wireless Access Points (CAPWAP) protocol implementation on Cisco Wireless LAN Controller (WLC) devices allows remote attackers to cause a denial of service via a crafted CAPWAP packet that triggers a buffer over-read, aka Bug ID CSCuh81880. The vendor has confirmed this vulnerability and tracks it as Bug ID CSCuh81880. A crafted CAPWAP packet from a third party can trigger a buffer over-read and put the device into a denial-of-service (DoS) state. The vulnerability is caused by insufficient packet validation, which allows a remote attacker to send a specially crafted CAPWAP message to the Cisco WLC. Successfully exploiting this issue allows remote attackers to cause denial-of-service conditions. This issue is being tracked by Cisco Bug ID CSCuh81880
VAR-201311-0230 CVE-2013-6692 Cisco IOS XE denial of service (DoS) vulnerability
CVSS V2: 6.3
CVSS V3: -
Severity: MEDIUM
Cisco IOS XE 3.8S(.2) and earlier does not properly use a DHCP pool during assignment of an IP address, which allows remote authenticated users to cause a denial of service (device reload) via an AAA packet that triggers an address requirement, aka Bug ID CSCuh04949. Cisco IOS is the internetworking operating system used on most Cisco routers and network switches. Cisco IOS XE is prone to a remote denial-of-service vulnerability. Successful exploits may allow an attacker to cause the affected device to reload, denying service to legitimate users. This issue is being tracked by Cisco Bug ID CSCuh04949
VAR-201311-0231 CVE-2013-6693 Cisco IOS MLDP Implementation on Cisco 7600 Series Routers Denial-of-Service (DoS) Vulnerability CVSS V2: 5.4
CVSS V3: -
Severity: MEDIUM
The MLDP implementation in Cisco IOS 15.3(3)S and earlier on 7600 routers, when many VRFs are configured, allows remote attackers to cause a denial of service (chunk corruption and device reload) by establishing many multicast flows, aka Bug ID CSCue22345. Cisco IOS is the internetworking operating system used on most Cisco routers and network switches. An attacker can exploit the vulnerability to reload the affected device. This issue is being tracked by Cisco Bug ID CSCue22345
VAR-201311-0065 CVE-2013-2823 Catapult Software DNP3 Driver Local Denial of Service Vulnerability CVSS V2: 4.7
CVSS V3: -
Severity: MEDIUM
The (1) Catapult DNP3 I/O driver before 7.2.0.60 and the (2) GE Intelligent Platforms Proficy DNP3 I/O driver before 7.20k, as used in DNPDrv.exe (aka the DNP master station server) in GE Intelligent Platforms Proficy HMI/SCADA - CIMPLICITY and iFIX, allow physically proximate attackers to cause a denial of service (infinite loop) via crafted input over a serial line. Catapult Software DNP3 Driver is industrial control software used in the power sector. The Catapult Software DNP3 drivers used by GE iFIX and CIMPLICITY products fail to properly validate input, allowing local attackers to drive the software into an infinite loop; the process crashes and a restart is required to restore normal functionality. Local attackers can exploit this issue to force the application to enter an infinite loop, causing denial-of-service conditions
VAR-201311-0064 CVE-2013-2811 Catapult and GE Intelligent Platforms Proficy DNP3 I/O Drivers Used in GE Intelligent Platforms Products Denial-of-Service (DoS) Vulnerability CVSS V2: 7.1
CVSS V3: -
Severity: HIGH
The (1) Catapult DNP3 I/O driver before 7.2.0.60 and the (2) GE Intelligent Platforms Proficy DNP3 I/O driver before 7.20k, as used in DNPDrv.exe (aka the DNP master station server) in GE Intelligent Platforms Proficy HMI/SCADA - CIMPLICITY and iFIX, allow remote attackers to cause a denial of service (infinite loop) via a crafted DNP3 TCP packet. Catapult Software DNP3 Driver is industrial control software used in the power sector. Attackers can exploit this issue to force the application to enter an infinite loop, causing denial-of-service conditions
VAR-201311-0399 CVE-2013-4547 nginx Restriction Bypass Vulnerability CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
nginx 0.8.41 through 1.4.3 and 1.5.x before 1.5.7 allows remote attackers to bypass intended restrictions via an unescaped space character in a URI. nginx is prone to a remote security-bypass vulnerability. An attacker can exploit this issue to bypass certain security restrictions and perform unauthorized actions. nginx 0.8.41 through 1.5.6 are vulnerable. nginx is a lightweight web server/reverse proxy server and email (IMAP/POP3) proxy server developed by Russian programmer Igor Sysoev. A security vulnerability exists in nginx versions 0.8.41 through 1.4.3 and 1.5.x prior to 1.5.7. The vulnerability stems from the program not properly validating request URIs containing unescaped space characters.
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4547
http://advisories.mageia.org/MGASA-2013-0349.html
Updated Packages:
Mandriva Business Server 1/X86_64:
ee03201627b548e26667eec1e5ac7dae mbs1/x86_64/nginx-1.0.15-3.1.mbs1.x86_64.rpm
6404dde21b871054a663171b5460fac8 mbs1/SRPMS/nginx-1.0.15-3.1.mbs1.src.rpm
To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security.
Debian Security Advisory DSA-2802-1 security@debian.org http://www.debian.org/security/ Thijs Kinkhorst November 21, 2013 http://www.debian.org/security/faq
Package : nginx
Vulnerability : restriction bypass
Problem type : remote
Debian-specific: no
CVE ID : CVE-2013-4547
Debian Bug : 730012
Ivan Fratric of the Google Security Team discovered a bug in nginx, a web server, which might allow an attacker to bypass security restrictions by using a specially crafted request. The oldstable distribution (squeeze) is not affected by this problem. For the stable distribution (wheezy), this problem has been fixed in version 1.2.1-2.2+wheezy2. For the unstable distribution (sid), this problem has been fixed in version 1.4.4-1. We recommend that you upgrade your nginx packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org
VAR-201312-0281 CVE-2013-7000 NowSMS Now SMS & MMS Gateway MMSC Denial-of-Service (DoS) Vulnerability CVSS V2: 4.3
CVSS V3: -
Severity: MEDIUM
The Multimedia Messaging Centre (MMSC) in NowSMS Now SMS & MMS Gateway 2013.09.26 allows remote attackers to cause a denial of service via a malformed message to a MM4 connection. An attacker could use this vulnerability to cause a denial of service. Attackers can exploit these issues to cause denial-of-service conditions
VAR-201312-0282 CVE-2013-7001 NowSMS Now SMS & MMS Gateway MMSC Denial-of-Service (DoS) Vulnerability CVSS V2: 4.3
CVSS V3: -
Severity: MEDIUM
The Multimedia Messaging Centre (MMSC) in NowSMS Now SMS & MMS Gateway before 2013.11.15 allows remote attackers to cause a denial of service via a malformed MM1 message that is routed to a (1) MM4 or (2) MM7 connection. An attacker could use this vulnerability to cause a denial of service. Attackers can exploit these issues to cause denial-of-service conditions
VAR-201311-0074 CVE-2013-3406 Cisco Intelligent Automation for Cloud Component in Cisco Services Portal Arbitrary File Read Vulnerability CVSS V2: 6.8
CVSS V3: -
Severity: MEDIUM
The "Files Available for Download" implementation in the Cisco Intelligent Automation for Cloud component in Cisco Services Portal 9.4(1) allows remote authenticated users to read arbitrary files via a crafted request, aka Bug ID CSCug65687. An attacker can exploit this issue to download arbitrary files. Information obtained may aid in further attacks. This issue is being tracked by Cisco Bug ID CSCug65687. The solution provides effective IT management in cloud environments and supports all cloud models as well as virtual and physical infrastructures
VAR-201311-0075 CVE-2013-3407 Cisco Server Provisioner Web Interface Information Disclosure Vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
The web interface in Cisco Server Provisioner 6.4.0 Patch 5-1301292331 and earlier does not require authentication for unspecified pages, which allows remote attackers to obtain sensitive information via a direct request, aka Bug ID CSCug65664. The vendor has confirmed this vulnerability and released it as Bug ID CSCug65664. A third party may obtain sensitive information through a direct request. Cisco Server Provisioner Software is prone to an access-bypass vulnerability. Successfully exploiting this issue may allow an attacker to gain access to certain arbitrary files. Information obtained may aid in further attacks. This issue is being tracked by Cisco Bug ID CSCug65664. The software supports systems that automate provisioning, recovery, and cloning of servers, reducing deployment time and operating costs
VAR-201311-0297 CVE-2013-5556 Cisco Nexus 1000V Switch and Cisco Virtual Security Gateway for Nexus 1000V Switches Privilege Escalation Vulnerability CVSS V2: 6.8
CVSS V3: -
Severity: MEDIUM
The license-installation module on the Cisco Nexus 1000V switch 4.2(1)SV1(5.2b) and earlier for VMware vSphere, Cisco Nexus 1000V switch 5.2(1)SM1(5.1) for Microsoft Hyper-V, and Cisco Virtual Security Gateway 4.2(1)VSG1(1) for Nexus 1000V switches allows local users to gain privileges and execute arbitrary commands via crafted "install all iso" arguments, aka Bug ID CSCui21340. Because the install all iso command fails to properly filter user input, a local attacker can submit specially crafted arguments to the install all iso command to execute shell commands. Local authenticated attackers can exploit this issue to execute arbitrary commands on the underlying operating system. This issue is being tracked by Cisco bug ID CSCui21340. The software is used to replace the built-in distributed virtual switch of VMware, and includes two components: the virtual Ethernet module (VEM) running inside the hypervisor and the external virtual supervisor module (VSM) that manages the VEM
VAR-201311-0308 CVE-2013-5636 Check Point Endpoint Security Media Encryption EPM Explorer Unlock.exe Device-Locking Protection Mechanism Bypass Vulnerability CVSS V2: 3.3
CVSS V3: -
Severity: LOW
Unlock.exe in Media Encryption EPM Explorer in Check Point Endpoint Security through E80.50 does not associate password failures with a device ID, which makes it easier for physically proximate attackers to bypass the device-locking protection mechanism by overwriting DVREM.EPM with a copy of itself after each few password guesses. Check Point Media Encryption EPM Explorer is prone to a security-bypass vulnerability. An attacker with physical access may be able to exploit this issue to bypass device locking protection and aid in brute-force attacks; other attacks may also be possible. Check Point Endpoint Security Media Encryption E80.41 and E80.50 are vulnerable. This solution combines firewall, network access control, anti-virus, anti-spyware, data security and other functions to ensure that terminal PCs are free from Web-based threats. Failed password limit bypass. Risk: Low to Medium Date: 13.Nov.2013 Author: Pedro Andujar
.: [ INTRO ] :.
.: [ TECHNICAL DESCRIPTION ] :.
When accessing an encrypted removable device from a computer without Endpoint Security installed on it, it should contain the files described below:
DVREM.EPM - Encrypted Portable Media (aka the encrypted volume which contains data)
Unlock.exe - EPM Explorer (software which allows you to decrypt and access the content)
Although other scenarios offer better performance (like attacking the EPM directly), less skilled attackers can take advantage of Unlock.exe to attempt to brute-force the password.
.: [ ISSUE #1 ] :.
Name: Multiple Unlock.exe instances
Severity: Low
CVE: CVE-2013-5635
CWE-372: Incomplete Internal State Distinction
If the password policy sets a limit of 5 failed password attempts before the device is locked, executing n instances of Unlock.exe at the same time will allow you to get n x 5 password attempts (5 for each instance).
Some controls should be applied to prevent multiple EPM explorers being concurrently executed, or at least synchronization regarding the state of failed password attempts.
.: [ ISSUE #2 ] :.
Name: Device link not enforced
Severity: Low
CVE: CVE-2013-5636
CWE-285: Improper Authorization
Unlock.exe contains some restrictions that force you to store the EPM file at the top of the directory tree, just after a drive letter and colon (Ex: X:\DVREM.EPM), so it cannot be inside a folder. But this is not enough, and it still can be extracted from the removable media and stored on a different drive. Allowing Unlock.exe to be executed and access an EPM stored on a different device/drive increases the window of time for attackers, who can try to access the information without having the originally encrypted device in their hands. Additionally, every time the EPM is overwritten by a fresh copy of itself, the failed password attempts are reset, allowing you to try another 5 times, so you can perform infinite attempts. This characteristic opens some social engineering attack scenarios, like copying the EPM and Unlock.exe before returning a lent device to its original owner or just taking it for a few seconds when the owner is not paying attention. Ideally the EPM file should be associated with the device ID at its creation time, and EPM Explorer should check the device ID (or other unique device identifier) to prevent it opening the EPM in a different location.
.: [ CHANGELOG ] :.
* 16/Dec/2012: - Issue found
* 25/Aug/2013: - Vendor contacted
* 26/Aug/2013: - Vendor Ack
* 11/Nov/2013: - Vendor finished the Fix for Issue #1 - Issue #2 considered not fixable
* 14/Nov/2013: - Public Disclosure
.: [ SOLUTIONS ] :.
Check Point offers an improved client for this issue. Solution ID: sk96589 https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk96589
.: [ REFERENCES ] :
VAR-201311-0307 CVE-2013-5635 Check Point Endpoint Security Media Encryption EPM Explorer Device-Locking Protection Mechanism Bypass Vulnerability CVSS V2: 3.3
CVSS V3: -
Severity: LOW
Media Encryption EPM Explorer in Check Point Endpoint Security through E80.50 does not properly maintain the state of password failures, which makes it easier for physically proximate attackers to bypass the device-locking protection mechanism by entering password guesses within multiple Unlock.exe processes that are running simultaneously. Check Point Media Encryption EPM Explorer is prone to a security-bypass vulnerability. An attacker with physical access may be able to exploit this issue to bypass device locking protection and aid in brute-force attacks; other attacks may also be possible. Check Point Endpoint Security Media Encryption E80.41 and E80.50 are vulnerable. This solution combines firewall, network access control, anti-virus, anti-spyware, data security and other functions to ensure that terminal PCs are free from Web-based threats. The vulnerability is caused by the application not properly saving the expiration state of the password.