VARIoT IoT vulnerabilities database

Affected products: vendor, model and version
CWE format is 'CWE-number'. Threat type can be: remote or local
Look up free text in title and description

VAR-201311-0354 CVE-2013-6798 Windows Or Mac OS X Run on BlackBerry Link Vulnerabilities that allow remote file access folder restrictions to be bypassed CVSS V2: 5.8
CVSS V3: -
Severity: MEDIUM
BlackBerry Link before 1.2.1.31 on Windows and before 1.1.1 build 39 on Mac OS X does not properly determine the user account for execution of Peer Manager in certain situations involving successive logins with different accounts, which allows context-dependent attackers to bypass intended restrictions on remote file-access folders via IPv6 WebDAV requests, a different vulnerability than CVE-2013-3694. This vulnerability CVE-2013-3694 Is a different vulnerability.By the attacker, IPv6 WebDAV A remote file access folder restriction may be circumvented via a request. BlackBerry Link is prone to a remote security-bypass vulnerability. Successfully exploiting this issue may allow an attacker to bypass certain security restrictions and gain unauthorized access. BlackBerry Link is a mobile phone synchronization software developed by BlackBerry Canada. This software can synchronize music, pictures, videos and other data between BlackBerry mobile phone and computer via USB or Wi-Fi. The vulnerability stems from the program not properly identifying the user account that executes the Peer Manager component
VAR-201311-0167 CVE-2013-5329 Adobe Flash Player and Adobe AIR Vulnerable to arbitrary code execution CVSS V2: 10.0
CVSS V3: -
Severity: HIGH
Adobe Flash Player before 11.7.700.252 and 11.8.x and 11.9.x before 11.9.900.152 on Windows and Mac OS X and before 11.2.202.327 on Linux, Adobe AIR before 3.9.0.1210, Adobe AIR SDK before 3.9.0.1210, and Adobe AIR SDK & Compiler before 3.9.0.1210 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2013-5330. This vulnerability CVE-2013-5330 Is a different vulnerability.An attacker could execute arbitrary code or cause a denial of service ( Memory corruption ) There is a possibility of being put into a state. Failed exploit attempts will result in a denial-of-service condition. Adobe AIR is a cross-operating system runtime environment that can be used to build and configure cross-platform desktop RIA (Rich Internet Applications) applications. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Critical: flash-plugin security update Advisory ID: RHSA-2013:1518-01 Product: Red Hat Enterprise Linux Supplementary Advisory URL: https://rhn.redhat.com/errata/RHSA-2013-1518.html Issue date: 2013-11-13 CVE Names: CVE-2013-5329 CVE-2013-5330 ===================================================================== 1. Summary: An updated Adobe Flash Player package that fixes two security issues is now available for Red Hat Enterprise Linux 5 and 6 Supplementary. The Red Hat Security Response Team has rated this update as having critical security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64 Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64 Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, x86_64 Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, x86_64 Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64 3. Description: The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash Player web browser plug-in. These vulnerabilities are detailed in the Adobe Security bulletin APSB13-26, listed in the References section. Specially-crafted SWF content could cause flash-plugin to crash or, potentially, execute arbitrary code when a victim loads a page containing the malicious SWF content. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258 5. Bugs fixed (http://bugzilla.redhat.com/): 1029692 - CVE-2013-5329 CVE-2013-5330 flash-plugin: multiple code execution flaws (APSB13-26) 6. Package List: Red Hat Enterprise Linux Desktop Supplementary (v. 5): i386: flash-plugin-11.2.202.327-1.el5.i386.rpm x86_64: flash-plugin-11.2.202.327-1.el5.i386.rpm Red Hat Enterprise Linux Server Supplementary (v. 5): i386: flash-plugin-11.2.202.327-1.el5.i386.rpm x86_64: flash-plugin-11.2.202.327-1.el5.i386.rpm Red Hat Enterprise Linux Desktop Supplementary (v. 6): i386: flash-plugin-11.2.202.327-1.el6.i686.rpm x86_64: flash-plugin-11.2.202.327-1.el6.i686.rpm Red Hat Enterprise Linux Server Supplementary (v. 6): i386: flash-plugin-11.2.202.327-1.el6.i686.rpm x86_64: flash-plugin-11.2.202.327-1.el6.i686.rpm Red Hat Enterprise Linux Workstation Supplementary (v. 6): i386: flash-plugin-11.2.202.327-1.el6.i686.rpm x86_64: flash-plugin-11.2.202.327-1.el6.i686.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package 7. References: https://www.redhat.com/security/data/cve/CVE-2013-5329.html https://www.redhat.com/security/data/cve/CVE-2013-5330.html https://access.redhat.com/security/updates/classification/#critical https://www.adobe.com/support/security/bulletins/apsb13-26.html 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2013 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFSg8uMXlSAg2UNWIIRAtEAAKDDrKBaGnCcC0EQOr4jUcOA4YBJpwCgngTF kVbR6FWNRaPAjtWuYd/Rhp4= =iBmt -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce . Background ========== The Adobe Flash Player is a renderer for the SWF file format, which is commonly used to provide interactive websites. Please review the CVE identifiers referenced below for details. Impact ====== A remote attacker could entice a user to open a specially crafted SWF file using Adobe Flash Player, possibly resulting in execution of arbitrary code with the privileges of the process or a Denial of Service condition. Workaround ========== There is no known workaround at this time. Resolution ========== All Adobe Flash Player users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=www-plugins/adobe-flash-11.2.202.336" References ========== [ 1 ] CVE-2013-5329 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5329 [ 2 ] CVE-2013-5330 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5330 [ 3 ] CVE-2013-5331 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5331 [ 4 ] CVE-2013-5332 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5332 [ 5 ] CVE-2014-0491 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0491 [ 6 ] CVE-2014-0492 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0492 [ 7 ] CVE-2014-0497 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0497 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-201402-06.xml Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License ======= Copyright 2014 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5
VAR-201311-0168 CVE-2013-5330 Adobe Flash Player and Adobe AIR Vulnerable to arbitrary code execution CVSS V2: 10.0
CVSS V3: -
Severity: HIGH
Adobe Flash Player before 11.7.700.252 and 11.8.x and 11.9.x before 11.9.900.152 on Windows and Mac OS X and before 11.2.202.327 on Linux, Adobe AIR before 3.9.0.1210, Adobe AIR SDK before 3.9.0.1210, and Adobe AIR SDK & Compiler before 3.9.0.1210 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2013-5329. This vulnerability CVE-2013-5329 Is a different vulnerability.An attacker could execute arbitrary code or cause a denial of service ( Memory corruption ) There is a possibility of being put into a state. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within processing of certain AVM2 instructions, allowing direct memory access outside of the domain memory. Failed exploit attempts will result in a denial-of-service condition. Adobe AIR is a cross-operating system runtime environment that can be used to build and configure cross-platform desktop RIA (Rich Internet Applications) applications. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Critical: flash-plugin security update Advisory ID: RHSA-2013:1518-01 Product: Red Hat Enterprise Linux Supplementary Advisory URL: https://rhn.redhat.com/errata/RHSA-2013-1518.html Issue date: 2013-11-13 CVE Names: CVE-2013-5329 CVE-2013-5330 ===================================================================== 1. Summary: An updated Adobe Flash Player package that fixes two security issues is now available for Red Hat Enterprise Linux 5 and 6 Supplementary. The Red Hat Security Response Team has rated this update as having critical security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64 Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64 Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, x86_64 Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, x86_64 Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64 3. Description: The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash Player web browser plug-in. These vulnerabilities are detailed in the Adobe Security bulletin APSB13-26, listed in the References section. Specially-crafted SWF content could cause flash-plugin to crash or, potentially, execute arbitrary code when a victim loads a page containing the malicious SWF content. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258 5. Bugs fixed (http://bugzilla.redhat.com/): 1029692 - CVE-2013-5329 CVE-2013-5330 flash-plugin: multiple code execution flaws (APSB13-26) 6. Package List: Red Hat Enterprise Linux Desktop Supplementary (v. 5): i386: flash-plugin-11.2.202.327-1.el5.i386.rpm x86_64: flash-plugin-11.2.202.327-1.el5.i386.rpm Red Hat Enterprise Linux Server Supplementary (v. 5): i386: flash-plugin-11.2.202.327-1.el5.i386.rpm x86_64: flash-plugin-11.2.202.327-1.el5.i386.rpm Red Hat Enterprise Linux Desktop Supplementary (v. 6): i386: flash-plugin-11.2.202.327-1.el6.i686.rpm x86_64: flash-plugin-11.2.202.327-1.el6.i686.rpm Red Hat Enterprise Linux Server Supplementary (v. 6): i386: flash-plugin-11.2.202.327-1.el6.i686.rpm x86_64: flash-plugin-11.2.202.327-1.el6.i686.rpm Red Hat Enterprise Linux Workstation Supplementary (v. 6): i386: flash-plugin-11.2.202.327-1.el6.i686.rpm x86_64: flash-plugin-11.2.202.327-1.el6.i686.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package 7. References: https://www.redhat.com/security/data/cve/CVE-2013-5329.html https://www.redhat.com/security/data/cve/CVE-2013-5330.html https://access.redhat.com/security/updates/classification/#critical https://www.adobe.com/support/security/bulletins/apsb13-26.html 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2013 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFSg8uMXlSAg2UNWIIRAtEAAKDDrKBaGnCcC0EQOr4jUcOA4YBJpwCgngTF kVbR6FWNRaPAjtWuYd/Rhp4= =iBmt -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce . Background ========== The Adobe Flash Player is a renderer for the SWF file format, which is commonly used to provide interactive websites. Please review the CVE identifiers referenced below for details. Impact ====== A remote attacker could entice a user to open a specially crafted SWF file using Adobe Flash Player, possibly resulting in execution of arbitrary code with the privileges of the process or a Denial of Service condition. Workaround ========== There is no known workaround at this time. Resolution ========== All Adobe Flash Player users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=www-plugins/adobe-flash-11.2.202.336" References ========== [ 1 ] CVE-2013-5329 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5329 [ 2 ] CVE-2013-5330 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5330 [ 3 ] CVE-2013-5331 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5331 [ 4 ] CVE-2013-5332 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5332 [ 5 ] CVE-2014-0491 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0491 [ 6 ] CVE-2014-0492 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0492 [ 7 ] CVE-2014-0497 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0497 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-201402-06.xml Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License ======= Copyright 2014 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5
VAR-201311-0076 CVE-2013-3694 Windows Or Mac OS X Run on BlackBerry Link Vulnerable to reading arbitrary files CVSS V2: 6.8
CVSS V3: -
Severity: MEDIUM
BlackBerry Link before 1.2.1.31 on Windows and before 1.1.1 build 39 on Mac OS X does not require authentication for remote file-access folders, which allows remote attackers to read or create arbitrary files via IPv6 WebDAV requests, as demonstrated by a CSRF attack involving DNS rebinding. BlackBerry Link is prone to a remote privilege-escalation vulnerability. An attacker can exploit this issue to execute arbitrary code with elevated privileges within the context of user running the affected application. BlackBerry Link is a mobile phone synchronization software developed by BlackBerry Canada. This software can synchronize music, pictures, videos and other data between BlackBerry mobile phone and computer via USB or Wi-Fi. The vulnerability stems from the fact that the program does not require authentication for remote file access
VAR-201311-0293 CVE-2013-5552 Cisco IOS Content Services Gateway Security Bypass Vulnerability CVSS V2: 6.4
CVSS V3: -
Severity: MEDIUM
Cisco IOS 12.4(24)MDB9 and earlier on Content Services Gateway (CSG) devices does not properly implement the "parse error drop" feature, which allows remote attackers to bypass intended access restrictions via a crafted series of packets, aka Bug ID CSCug90143. Cisco IOS is the interconnected network operating system used on most Cisco system routers and network switches. The vulnerability is caused by the failure of the function to properly handle illegal messages. Successfully exploiting this issue may allow an attacker to bypass certain security restrictions and gain access to the sensitive information. This issue is being tracked by Cisco Bug ID CSCug90143. This solution provides functions such as statistical billing, billing records, and content filtering for data traffic
VAR-201311-0300 CVE-2013-5560 Cisco Adaptive Security Appliance Software IPv6 Service disruption in implementations (DoS) Vulnerabilities CVSS V2: 5.4
CVSS V3: -
Severity: MEDIUM
The IPv6 implementation in Cisco Adaptive Security Appliance (ASA) Software 9.1.3 and earlier, when NAT64 or NAT66 is enabled, does not properly process NAT rules, which allows remote attackers to cause a denial of service (device reload) via crafted packets, aka Bug ID CSCue34342. Vendors have confirmed this vulnerability Bug ID CSCue34342 It is released as.Denial of service operation via a packet crafted by a third party ( Device reload ) There is a possibility of being put into a state. Cisco Adaptive Security Appliance is prone to a remote denial-of-service vulnerability. An attacker can exploit this issue to cause an affected device to reload, denying service to legitimate users. This issue is being tracked by Cisco Bug ID CSCue34342
VAR-201311-0288 CVE-2013-5223 D-Link DSL-2760U Gateway cross-site scripting vulnerability

Related entries in the VARIoT exploits database: VAR-E-201311-0046, VAR-E-201311-0047
CVSS V2: 3.5
CVSS V3: 5.4
Severity: MEDIUM
D-Link DSL-2760U The gateway contains a cross-site scripting vulnerability.By the remotely authenticated user via the following parameters Web Script or HTML May be inserted. (1) sntpcfg.cgi of ntpServer1 Parameters (2) ddnsmngr.cmd of username Parameters (3) todmngr.tod of username Parameters (4) urlfilter.cmd of TodUrlAdd Parameters (5) scprttrg.cmd of appName Parameters (6) scoutflt.cmd of add In action fltName Parameters (7) scoutflt.cmd of remove In action rmLst Parameters (8) portmapcfg.cmd of groupName Parameters (9) snmpconfig.cgi of snmpRoCommunity Parameters (10) scinflt.cmd of fltName Parameters (11) prmngr.cmd of add In action PolicyName Parameters (12) prmngr.cmd of remove In action rmLst Parameters (13) ippcfg.cmd of ippName Parameters (14) samba.cgi of smbNetBiosName Parameters (15) samba.cgi of smbDirName Parameters (16) wlcfg.wl of wlSsid Parameters. The D-Link Router 2760N is a router device. There are multiple cross-site scripting and HTML injection vulnerabilities in the D-Link DSL-2760U-BN. Since the D-Link Router 2760N is handling NTS settings, dynamic DNS settings, URL filtering. NAT port processing, IP filtering, interface group, import IP filter, policy routing add, print server, SAMBA configuration, WIFI SSID incorrectly filter input, allowing remote attackers to exploit vulnerabilities for cross-site scripting attacks when malicious data is viewed When it can lead to sensitive information leakage or session hijacking. Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or control how the site is rendered to the user. Other attacks are also possible. E1). The vulnerability is caused by (1) the sntpcfg.cgi script does not filter the 'ntpServer1' parameter correctly (2) the ddnsmngr.cmd or todmngr.tod script does not correctly Filter the 'username' parameter (3) The urlfilter.cmd script does not correctly filter the 'TodUrlAdd' parameter (4) The scprttrg.cmd script does not correctly filter the 'appName' parameter (5) The scoutflt.cmd script does not correctly filter the 'fltName' in the add operation 'rmLst' parameter in parameters and delete operations (6) portmapcfg.cmd script does not filter 'groupName' parameter correctly (7) snmpconfig.cgi script does not filter 'snmpRoCommunity' parameter correctly (8) scinflt.cmd script does not filter 'fltName' correctly 'Parameter (9) The prmngr.cmd script does not correctly filter the 'PolicyName' parameter in the add operation and the 'rmLst' parameter in the delete operation (10) The ippcfg.cmd script does not correctly filter the 'ippName' parameter (11) The samba.cgi script The 'smbNetBiosName' and 'smbDirName' parameters are not filtered correctly (12) The wlcfg.wl script does not filter the 'wlSsid' parameter correctly. A remote attacker could exploit this vulnerability to inject arbitrary web script or HTML by using a specially crafted URL. Advisory: D-Link Router 2760N (DSL-2760U-BN) Multiple XSS Author: Liad Mizrachi Vendor URL: http://www.dlink.com Status: Fixed CVE-ID: CVE-2013-5223 ========================== Vulnerability Description ========================== Multiple Cross-Site Scripting (XSS) vulnerabilities present in D-Link Router 2760N, both stored and reflected in various sections of the router Web-UI. 23-Aug-2013 - Vendor Re-Informed - No response. 01-Sep-2013 - Vendor Re-Informed - No response. 10-Sep-2013 - Vendor Re-Informed - No response. 10-Oct-2013 - Vendor Re-Informed - No response. ========================== References ========================== http://www.dlink.com http://www.dlink.com.tr/en/arts/117.html http://www.netcheif.com/downloads/DSL-2760U_user_manual.pdf
VAR-201311-0457 No CVE Belkin NetCam Wi-Fi Camera with Night Vision Video Stream Backdoor Security Bypass Vulnerability CVSS V2: 6.8
CVSS V3: -
Severity: MEDIUM
The Belkin NetCam Wi-Fi Camera online video stream is accessible to the admin/admin account via a username and password, allowing an attacker to exploit the vulnerability to gain unauthorized access to sensitive information. This account information cannot be changed by the user. Belkin NetCam Wi-Fi Camera with Night Vision is a wireless network camera product with night vision function from Belkin. A security bypass vulnerability exists in Belkin NetCam Wi-Fi Camera with Night Vision, which originates from the use of hard-coded certificates for programs. A remote attacker could use this vulnerability to bypass security restrictions and gain access
VAR-201311-0513 No CVE MikroTik RouterOS Default Management Account Vulnerability CVSS V2: 6.8
CVSS V3: -
Severity: MEDIUM
The MikroTik RouterOS software turns a standard PC into a network router. MikroTik RouterOS has a default administrative account 'admin' with a blank password that allows remote attackers to use this account to gain unauthorized access to this setting.
VAR-201311-0514 No CVE NEC VOIP Phones default management account vulnerability CVSS V2: 6.8
CVSS V3: -
Severity: MEDIUM
NEC VOIP Phones is a VoIP phone device. NEC VOIP Phones has a default management account 'ADMIN' and a password of '632379', which allows remote attackers to use this account to gain unauthorized access to this setting.
VAR-201311-0157 CVE-2013-5442 XGS 5100 Run on IBM Security Network Protection Firmware cross-site scripting vulnerability CVSS V2: 4.3
CVSS V3: -
Severity: MEDIUM
Cross-site scripting (XSS) vulnerability in the Local Management Interface (LMI) in IBM Security Network Protection on XGS 5100 devices with firmware 5.1 before 5.1.0.6 and 5.1.1 before 5.1.1.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. IBM Security Network Protection is a device of the IBM Security Intrusion Prevention product portfolio. An attacker may leverage this issue to execute arbitrary HTML and script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. The system can monitor application usage, website access and operation execution within the network to avoid threats such as malware and botnets
VAR-201311-0290 CVE-2013-5568 Cisco Adaptive Security Appliance Auto-Update Remote Denial of Service Vulnerability CVSS V2: 7.1
CVSS V3: -
Severity: HIGH
The auto-update implementation in Cisco Adaptive Security Appliance (ASA) Software 9.0.3.6 and earlier allows remote attackers to cause a denial of service (device reload) via crafted update data, aka Bug ID CSCui33308. Attackers can exploit this issue to cause an affected device to reload, resulting in a denial-of-service condition. This issue is being tracked by Cisco Bug ID CSCui33308
VAR-201311-0236 CVE-2013-6682 Cisco Adaptive Security Appliance Phone Proxy Database Security Bypass Vulnerability CVSS V2: 6.4
CVSS V3: -
Severity: MEDIUM
The phone-proxy implementation in Cisco Adaptive Security Appliance (ASA) Software 9.0.3.6 and earlier does not properly validate X.509 certificates, which allows remote attackers to cause a denial of service (connection-database corruption) via an invalid entry, aka Bug ID CSCui33299. Vendors have confirmed this vulnerability Bug ID CSCui33299 It is released as.Denial of service operation by a third party via invalid entry ( Connection database corruption ) There is a possibility of being put into a state. Cisco Adaptive Security Appliance (ASA) is prone to a security-bypass vulnerability. Successfully exploiting this issue will allow attackers to bypass security restrictions like insert an invalid entry into the phone proxy connection database. This issue is tracked by Cisco Bug ID's CSCui33299. The vulnerability stems from the fact that the phone proxy connection database does not properly handle untrusted certificates
VAR-201311-0355 CVE-2013-6799 Apple Mac OS X Service disruption in (DoS) Vulnerabilities CVSS V2: 4.7
CVSS V3: -
Severity: MEDIUM
Apple Mac OS X 10.9 allows local users to cause a denial of service (memory corruption or panic) by creating a hard link to a directory. NOTE: this vulnerability exists because of an incomplete fix for CVE-2010-0105. Exploiting this issue allows local, unprivileged users to crash the affected system, denying further service to legitimate users. MacOSX/XNU HFS Multiple Vulnerabilities Maksymilian Arciemowicz http://cxsecurity.com/ http://cifrex.org/ =================== On November 8th, I've reported vulnerability in hard links for HFS+ (CVE-2013-6799) http://cxsecurity.com/issue/WLB-2013110059 The HFS+ file system does not apply strict privilege rules during the creating of hard links. The ability to create hard links to directories is wrong implemented and such an issue is affecting os versions greater or equal to 10.5. Officially Apple allows you to create hard links only for your time machine. To create N hard links, you must use a special algorithm which creates links from the top of the file system tree. This means that first we create the directory structure and once created we need to go from up to down by creating hard links. The last time I've mentioned of the possibility of a kernel crash by performing the 'ls' command. This situation occurs in conjunction with the 'find' application. Commands such as 'ls' behave in unexpected ways. Apple are going find this crash point in code. To create huge hard links structure, use this code http://cert.cx/stuff/l2.c ----------------------------------- h1XSS:tysiak cx$ uname -a Darwin 000000000000000.home 13.1.0 Darwin Kernel Version 13.1.0: Thu Jan 16 19:40:37 PST 2014; root:xnu-2422.90.20~2/RELEASE_X86_64 x86_64 h1xss:tysiak cx$ gcc -o l2 l2.c h1xss:tysiak cx$ ./l2 1000 ... h1xss:tysiak cx$ cat loop.sh #!/bin/bash while [ 1 ] ; do ls -laR B > /dev/null done h1xss:tysiak cx$ sh ./loop.sh ls: B: No such file or directory ls: X1: No such file or directory ... ls: X8: Bad address ls: X1: Bad address ls: X2: Bad address ... ls: X8: No such file or directory ./loop.sh: line 4: 8816 Segmentation fault: 11 ls -laR B > /dev/null ./loop.sh: line 4: 8818 Segmentation fault: 11 ls -laR B > /dev/null ls: B: No such file or directory ls: X1: No such file or directory ls: X2: No such file or directory ... ls: X1: No such file or directory ls: X2: No such file or directory ----------- ... ----------- Feb 9 21:16:38 h1xss.home ReportCrash[9419]: Saved crash report for ls[9418] version 230 to /Users/freak/Library/Logs/DiagnosticReports/ls_2014-02-09-211638_h1XSS.crash ----------- That what we can see here is unexpected behavior of LS command. LS process is also affected for infinite loop (recursion?). ----------- h1xss:tysiak cx$ ps -fp 8822 UID PID PPID C STIME TTY TIME CMD 501 8822 8810 0 7:36 ttys002 62:19.65 ls -laR B ----------- or used parallely with (find . > /dev/null) command cause a kernel crash ----------- Mon Mar 31 20:30:41 2014 panic(cpu 0 caller 0xffffff80044dbe2e): Kernel trap at 0xffffff8004768838, type 13=general protection, registers: CR0: 0x0000000080010033, CR2: 0xffffff8122877004, CR3: 0x0000000001a5408c, CR4: 0x00000000001606e0 RAX: 0xffffff802bc148a0, RBX: 0xdeadbeefdeadbeef, RCX: 0x0000000000008000, RDX: 0x0000000000000000 RSP: 0xffffff8140d9b990, RBP: 0xffffff8140d9b9a0, RSI: 0x0000000000000018, RDI: 0xffffff802f23bcd0 R8: 0xffffff8140d9bc1c, R9: 0xffffff802f26e960, R10: 0xffffff8140d9ba2c, R11: 0x0000000000000f92 R12: 0xffffff801ba1a008, R13: 0xffffff8140d9bb20, R14: 0xffffff802f23bcd0, R15: 0xffffff802f26e960 RFL: 0x0000000000010282, RIP: 0xffffff8004768838, CS: 0x0000000000000008, SS: 0x0000000000000010 Fault CR2: 0xffffff8122877004, Error code: 0x0000000000000000, Fault CPU: 0x0 Backtrace (CPU 0), Frame : Return Address 0xffffff811eee8c50 : 0xffffff8004422fa9 BSD process name corresponding to current thread: ls ----------- XNU is the computer operating system kernel that Apple Inc. acquired and developed for use in the Mac OS X operating system and released as free and open source software as part of the Darwin operating system. We can try to see HFS implementation code. Let's start static code analysys using cifrex.org tool! -1.--------------------------------------------------------- Unchecked Return Value to NULL Pointer Dereference in hfs_vfsops.c Code: http://opensource.apple.com/source/xnu/xnu-2422.1.72/bsd/hfs/hfs_vfsops.c --- hfs_vfsops.c ---------------------------- /* * HFS filesystem related variables. */ int hfs_sysctl(int *name, __unused u_int namelen, user_addr_t oldp, size_t *oldlenp, user_addr_t newp, size_t newlen, vfs_context_t context) { ... if ((newlen <= 0) || (newlen > MAXPATHLEN)) return (EINVAL); bufsize = MAX(newlen * 3, MAXPATHLEN); MALLOC(filename, char *, newlen, M_TEMP, M_WAITOK); if (filename == NULL) { <===================================== filename CHECK error = ENOMEM; goto encodinghint_exit; } MALLOC(unicode_name, u_int16_t *, bufsize, M_TEMP, M_WAITOK); if (filename == NULL) { <====================================== double CHECK? error = ENOMEM; goto encodinghint_exit; } error = copyin(newp, (caddr_t)filename, newlen); if (error == 0) { error = utf8_decodestr((u_int8_t *)filename, newlen - 1, unicode_name, &bytes, bufsize, 0, UTF_DECOMPOSED); if (error == 0) { hint = hfs_pickencoding(unicode_name, bytes / 2); error = sysctl_int(oldp, oldlenp, USER_ADDR_NULL, 0, (int32_t *)&hint); } } --- hfs_vfsops.c---------------------------- Twice checking of 'filename' has no sense. Probably 'unicode_name' should be checked in second condition. -2.--------------------------------------------------------- Possible Buffer Overflow in resource fork (hfs_vnops.c) Unverified value returned by snprintf() may be bigger as a declared buffer (MAXPATHLEN). https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man3/snprintf.3.html --- The snprintf() and vsnprintf() functions will write at most n-1 of the characters printed into the out-put output put string (the n'th character then gets the terminating `\0'); if the return value is greater than or equal to the n argument, the string was too short and some of the printed characters were discarded. The output is always null-terminated. --- Code: http://opensource.apple.com/source/xnu/xnu-2422.1.72/bsd/hfs/hfs_vnops.c --- hfs_vnops.c ---------------------------- ... /* * hfs_vgetrsrc acquires a resource fork vnode corresponding to the cnode that is * found in 'vp'. The rsrc fork vnode is returned with the cnode locked and iocount * on the rsrc vnode. * ... */ int hfs_vgetrsrc(struct hfsmount *hfsmp, struct vnode *vp, struct vnode **rvpp, int can_drop_lock, int error_on_unlinked) { ... /* * Supply hfs_getnewvnode with a component name. */ cn.cn_pnbuf = NULL; if (descptr->cd_nameptr) { MALLOC_ZONE(cn.cn_pnbuf, caddr_t, MAXPATHLEN, M_NAMEI, M_WAITOK); cn.cn_nameiop = LOOKUP; cn.cn_flags = ISLASTCN | HASBUF; cn.cn_context = NULL; cn.cn_pnlen = MAXPATHLEN; cn.cn_nameptr = cn.cn_pnbuf; cn.cn_hash = 0; cn.cn_consume = 0; cn.cn_namelen = snprintf(cn.cn_nameptr, MAXPATHLEN, <================ "%s%s", descptr->cd_nameptr, _PATH_RSRCFORKSPEC); } dvp = vnode_getparent(vp); error = hfs_getnewvnode(hfsmp, dvp, cn.cn_pnbuf ? &cn : NULL, <================ descptr, GNV_WANTRSRC | GNV_SKIPLOCK, &cp->c_attr, &rsrcfork, &rvp, &newvnode_flags); --- hfs_vnops.c ---------------------------- Pattern is '%s%s' where sum of length descptr->cd_nameptr and _PATH_RSRCFORKSPEC may be bigger as a declared buffer size (MAXPATHLEN). Size of descptr->cd_nameptr is MAXPATHLEN and value _PATH_RSRCFORKSPEC is #define _PATH_RSRCFORKSPEC "/..namedfork/rsrc" where length is 17 chars. Possible up to 17 chars overflow here?. Now let's see hfs_getnewvnode function http://opensource.apple.com/source/xnu/xnu-2422.1.72/bsd/hfs/hfs_cnode.c --- hfs_cnode.c ---------------------------- hfs_getnewvnode( struct hfsmount *hfsmp, struct vnode *dvp, struct componentname *cnp, <======== WATCH THIS struct cat_desc *descp, int flags, struct cat_attr *attrp, struct cat_fork *forkp, struct vnode **vpp, int *out_flags) { ... if ((*vpp != NULL) && (cnp)) { /* we could be requesting the rsrc of a hardlink file... */ vnode_update_identity (*vpp, dvp, cnp->cn_nameptr, cnp->cn_namelen, cnp->cn_hash, <== NAMELEN HERE (VNODE_UPDATE_PARENT | VNODE_UPDATE_NAME)); ... --- hfs_cnode.c ---------------------------- and call to vnode_update_indentity() http://opensource.apple.com/source/xnu/xnu-2422.1.72/bsd/vfs/vfs_cache.c --- vfs_cache.c ---------------------------- void vnode_update_identity(vnode_t vp, vnode_t dvp, const char *name, int name_len, uint32_t name_hashval, int flags) { ... if ( (flags & VNODE_UPDATE_NAME) ) { if (name != vp->v_name) { if (name && *name) { if (name_len == 0) name_len = strlen(name); tname = vfs_addname(name, name_len, name_hashval, 0); <== NAMELEN HERE } } else flags &= ~VNODE_UPDATE_NAME; } ... const char * vfs_addname(const char *name, uint32_t len, u_int hashval, u_int flags) { return (add_name_internal(name, len, hashval, FALSE, flags)); <== CALL } --- vfs_cache.c ---------------------------- And invalid memory reference in add_name_internal() --- vfs_cache.c ---------------------------- static const char * add_name_internal(const char *name, uint32_t len, u_int hashval, boolean_t need_extra_ref, __unused u_int flags) { struct stringhead *head; string_t *entry; uint32_t chain_len = 0; uint32_t hash_index; uint32_t lock_index; char *ptr; /* * if the length already accounts for the null-byte, then * subtract one so later on we don't index past the end * of the string. */ if (len > 0 && name[len-1] == '\0') { <===== INVALID MEMORY REFERENCE len--; } if (hashval == 0) { hashval = hash_string(name, len); } --- vfs_cache.c ---------------------------- -3.--------------------------------------------------------- Unchecked Return Value to NULL Pointer Dereference hfs_catalog.c and not only Please pay attention that a buffer length check (stored in some variable) should be performed; also return from *alloc() function family should be verified for possible NULL pointers. Here are a few FALSE / POSITIVE examples. http://opensource.apple.com/source/xnu/xnu-2422.1.72/bsd/hfs/hfs_catalog.c --- hfs_catalog.c ---------------------------- /* * builddesc - build a cnode descriptor from an HFS+ key */ static int builddesc(const HFSPlusCatalogKey *key, cnid_t cnid, u_int32_t hint, u_int32_t encoding, int isdir, struct cat_desc *descp) { int result = 0; unsigned char * nameptr; size_t bufsize; size_t utf8len; unsigned char tmpbuff[128]; /* guess a size... */ bufsize = (3 * key->nodeName.length) + 1; if (bufsize >= sizeof(tmpbuff) - 1) { <============================ MALLOC(nameptr, unsigned char *, bufsize, M_TEMP, M_WAITOK); <= MALLOC FAIL } else { nameptr = &tmpbuff[0]; } result = utf8_encodestr(key->nodeName.unicode, key->nodeName.length * sizeof(UniChar), nameptr, (size_t *)&utf8len, <============================ ... maxlinks = MIN(entrycnt, (u_int32_t)(uio_resid(uio) / SMALL_DIRENTRY_SIZE)); bufsize = MAXPATHLEN + (maxlinks * sizeof(linkinfo_t)) + sizeof(*iterator); if (extended) { bufsize += 2*sizeof(struct direntry); } MALLOC(buffer, void *, bufsize, M_TEMP, M_WAITOK); <============================ bzero(buffer, bufsize); ... FREE(nameptr, M_TEMP); MALLOC(nameptr, unsigned char *, bufsize, M_TEMP, M_WAITOK); <============== result = utf8_encodestr(key->nodeName.unicode, key->nodeName.length * sizeof(UniChar), nameptr, (size_t *)&utf8len, bufsize, ':', 0); } ... cnp = (const CatalogName *)&ckp->hfsPlus.nodeName; bufsize = 1 + utf8_encodelen(cnp->ustr.unicode, cnp->ustr.length * sizeof(UniChar), ':', 0); MALLOC(new_nameptr, u_int8_t *, bufsize, M_TEMP, M_WAITOK); <======== result = utf8_encodestr(cnp->ustr.unicode, cnp->ustr.length * sizeof(UniChar), new_nameptr, &tmp_namelen, bufsize, ':', 0); --- hfs_catalog.c ---------------------------- The above examples does not look nice, too. Are you among them is the crux of the problem applications and kernel crash? I informed Apple of those possible errors, it has passed more than a month and I still have not received any comment nor solution. --- 1. References --- http://cxsecurity.com/issue/WLB-2014040027 http://cxsecurity.com/cveshow/CVE-2013-6799/ http://cxsecurity.com/cveshow/CVE-2010-0105/ --- 2. Greetz --- Kacper George and Michal --- 3. Credit --- Maksymilian Arciemowicz http://cxsecurity.com/ http://cifrex.org/ http://cert.cx/ Best regards, CXSEC TEAM http://cxsec.org/
VAR-201311-0405 No CVE SAP Product CRM Internet Sales / CRM Internet Service Web Application There is an Unknown SQL Injection Vulnerability CVSS V2: 9.0
CVSS V3: -
Severity: HIGH
SAP is a world-renowned provider of enterprise management and collaborative business solutions. SQL injection attacks exist for multiple SAP products. The vulnerability is due to the incorrect filtering of user-submitted input by CRM Internet Sales and CRM Internet Service web applications, allowing remote attackers to exploit or exploit SQL queries to the back-end database to manipulate or retrieve database information
VAR-201312-0070 CVE-2013-3707 Novell Open Enterprise Server of novell-nrm Service operation disruption in packages (DoS) Vulnerabilities CVSS V2: 4.3
CVSS V3: -
Severity: Medium
The HTTPSTK service in the novell-nrm package before 2.0.2-297.305.302.3 in Novell Open Enterprise Server 2 (OES 2) Linux, and OES 11 Linux Gold and SP1, does not make the intended SSL_free and SSL_shutdown calls for the close of a TCP connection, which allows remote attackers to cause a denial of service (service crash) by establishing many TCP connections to port 8009. Novell Remote Manager is prone to a vulnerability that may allow attackers to cause a denial-of-service condition. Successful exploits may allow the attacker to crash the affected application causing denial-of-service conditions. Versions prior to Novell Remote Manager 2.0.2-297.305.302.3 are vulnerable
VAR-201311-0287 CVE-2013-5215 FOSCAM Wireless IP Camera Cross-Site Scripting Vulnerability CVSS V2: 4.3
CVSS V3: -
Severity: MEDIUM
Cross-site scripting (XSS) vulnerability in the web interface "WiFi scan" option in FOSCAM Wireless IP Cameras allows remote attackers to inject arbitrary web script or HTML via the SSID. The FOSCAM Wireless IP Camera is a wireless IP camera. FOSCAM Wireless IP Camera is prone to a cross-site scripting vulnerability because it fails to sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks
VAR-201311-0282 CVE-2013-4740 MSM For devices Qualcomm Innovation Center Android Used for contributions etc. Linux Kernel for Goodix gt915 Vulnerability of obtaining privilege in touch screen driver CVSS V2: 6.9
CVSS V3: -
Severity: MEDIUM
goodix_tool.c in the Goodix gt915 touchscreen driver for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, relies on user-space length values for kernel-memory copies of procfs file content, which allows attackers to gain privileges or cause a denial of service (memory corruption) via an application that provides crafted values. Android For MSM is prone to multiple local memory-corruption vulnerabilities that occur in the Goodix GT915 touchscreen driver because it fails to properly bounds-check user-supplied data. Local attackers can exploit these issues to execute arbitrary code. Failed exploit attempts may cause a denial-of-service condition. The Linux kernel is the kernel used by the open source operating system Linux released by the American Linux Foundation. The NFSv4 implementation is one of the distributed file system protocols. There is a security vulnerability in the goodix_tool.c file in the goodix gt915 touch screen driver of the Linux kernel 3.x version using the Android system. The issues were found in the write handler of the procfs entry created by the driver, which by default is readable and writeable to users without any specific privileges. CVE-2013-4740 ------------- When processing data written to the procfs file, the Goodix gt915 touchscreen driver is using user space supplied content as length values in subsequent memory manipulation operations without bounds checking. This can lead to multiple memory corruption issues. An application with access to the respective file can use this flaw to, e.g., elevate privileges. Access Vector: local Security Risk: high Vulnerability: CWE-20 (Improper Input Validation) CVE-2013-6122 ------------- When processing arguments passed to the procfs write handler of the Goodix gt915 touchscreen driver, user space data is copied to a global variable and used without a mutual-exclusion mechanism. The global structure used by the procfs write handler can be accessed concurrently by more than one process. This would allow local attackers to bypass the input validation checks (such as introduced by the fix for CVE-2013-4740). An application with access to the respective file can use this flaw to, e.g., alter the internal state of the handler, bypass security checks, or create a denial-of-service condition. Access Vector: local Security Risk: medium Vulnerability: CWE-362 (Concurrent Execution using Shared Resource with Improper Synchronization) Affected versions ----------------- All Android releases from CAF using a Linux kernel from the following heads: - jb_3* - msm-3.10 Patch ----- We advise customers to apply the following patches: https://www.codeaurora.org/cgit/quic/la/kernel/msm-3.10/commit/?id=f53bcf29a6e7a66b3d935b8d562fa00829261f05 Acknowledgement =============== Qualcomm Innovation Center, Inc. (QuIC) thanks Jonathan Salwan of the Sysdream Security Lab for reporting the related issues and working with QuIC to help improve Android device security. https://www.codeaurora.org/projects/security-advisories/multiple-memory-corruption-issues-and-race-condition-goodix-gt915-touchscreen-driver-procfs-handler
VAR-201311-0208 CVE-2013-6122 MSM For devices Qualcomm Innovation Center Android Used for contributions etc. Linux Kernel for Goodix gt915 Vulnerability that can prevent access restriction in touch screen driver CVSS V2: 6.9
CVSS V3: -
Severity: MEDIUM
goodix_tool.c in the Goodix gt915 touchscreen driver for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, does not properly synchronize updates to a global variable, which allows local users to bypass intended access restrictions or cause a denial of service (memory corruption) via crafted arguments to the procfs write handler. Android For MSM project is prone to a local security-bypass vulnerability because it fails to sufficiently validate user-supplied input. An attacker with physical access to the computer can exploit this issue to bypass security restrictions that may aid in further attacks. The Linux kernel is the kernel used by the open source operating system Linux released by the American Linux Foundation. The NFSv4 implementation is one of the distributed file system protocols. There is a buffer overflow vulnerability in the goodix_tool.c file in the goodix gt915 touch screen driver of the Linux kernel 3.x version using the Android system. The vulnerability comes from the fact that the program does not correctly synchronize the updated global variables. Description =========== Multiple issues have been identified in the Goodix gt915 touchscreen driver for Android. The issues were found in the write handler of the procfs entry created by the driver, which by default is readable and writeable to users without any specific privileges. CVE-2013-4740 ------------- When processing data written to the procfs file, the Goodix gt915 touchscreen driver is using user space supplied content as length values in subsequent memory manipulation operations without bounds checking. This can lead to multiple memory corruption issues. An application with access to the respective file can use this flaw to, e.g., elevate privileges. The global structure used by the procfs write handler can be accessed concurrently by more than one process. This would allow local attackers to bypass the input validation checks (such as introduced by the fix for CVE-2013-4740). An application with access to the respective file can use this flaw to, e.g., alter the internal state of the handler, bypass security checks, or create a denial-of-service condition. Access Vector: local Security Risk: medium Vulnerability: CWE-362 (Concurrent Execution using Shared Resource with Improper Synchronization) Affected versions ----------------- All Android releases from CAF using a Linux kernel from the following heads: - jb_3* - msm-3.10 Patch ----- We advise customers to apply the following patches: https://www.codeaurora.org/cgit/quic/la/kernel/msm-3.10/commit/?id=f53bcf29a6e7a66b3d935b8d562fa00829261f05 Acknowledgement =============== Qualcomm Innovation Center, Inc. (QuIC) thanks Jonathan Salwan of the Sysdream Security Lab for reporting the related issues and working with QuIC to help improve Android device security. https://www.codeaurora.org/projects/security-advisories/multiple-memory-corruption-issues-and-race-condition-goodix-gt915-touchscreen-driver-procfs-handler
VAR-201311-0295 CVE-2013-5554 Cisco Wide Area Application Services Mobile Server Web Management interface directory traversal vulnerability CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Directory traversal vulnerability in the web-management interface in the server in Cisco Wide Area Application Services (WAAS) Mobile before 3.5.5 allows remote attackers to upload and execute arbitrary files via a crafted POST request, aka Bug ID CSCuh69773. Vendors have confirmed this vulnerability Bug ID CSCuh69773 It is released as.Skillfully crafted by a third party POST Any file may be uploaded and executed via a request. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of CAB files uploaded through ReportReceiver. By uploading a crafted CAB file, an attacker is able to add a hostile web page to the web server. Using this, an attacker is able to run arbitrary code as either DefaultAppPool or NetworkService, depending on the operating system version. Failed exploit attempts may result in a denial-of-service condition. This issue is being tracked by Cisco bug ID CSCuh69773. The vulnerability stems from the fact that the program does not correctly handle HTTP POST requests