VARIoT IoT vulnerabilities database
| VAR-201311-0354 | CVE-2013-6798 | Windows Or Mac OS X Run on BlackBerry Link Vulnerabilities that allow remote file access folder restrictions to be bypassed |
CVSS V2: 5.8 CVSS V3: - Severity: MEDIUM |
BlackBerry Link before 1.2.1.31 on Windows and before 1.1.1 build 39 on Mac OS X does not properly determine the user account for execution of Peer Manager in certain situations involving successive logins with different accounts, which allows context-dependent attackers to bypass intended restrictions on remote file-access folders via IPv6 WebDAV requests, a different vulnerability than CVE-2013-3694. This is a different vulnerability from CVE-2013-3694. An attacker may bypass the remote file-access folder restriction via IPv6 WebDAV requests. BlackBerry Link is prone to a remote security-bypass vulnerability.
Successfully exploiting this issue may allow an attacker to bypass certain security restrictions and gain unauthorized access. BlackBerry Link is mobile phone synchronization software developed by BlackBerry Canada. This software can synchronize music, pictures, videos and other data between a BlackBerry mobile phone and a computer via USB or Wi-Fi. The vulnerability stems from the program not properly identifying the user account that executes the Peer Manager component.
| VAR-201311-0167 | CVE-2013-5329 | Adobe Flash Player and Adobe AIR Vulnerable to arbitrary code execution |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Adobe Flash Player before 11.7.700.252 and 11.8.x and 11.9.x before 11.9.900.152 on Windows and Mac OS X and before 11.2.202.327 on Linux, Adobe AIR before 3.9.0.1210, Adobe AIR SDK before 3.9.0.1210, and Adobe AIR SDK & Compiler before 3.9.0.1210 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2013-5330. This is a different vulnerability from CVE-2013-5330. An attacker could execute arbitrary code or cause a denial of service (memory corruption). Failed exploit attempts will result in a denial-of-service condition. Adobe AIR is a cross-operating system runtime environment that can be used to build and configure cross-platform desktop RIA (Rich Internet Applications) applications.
=====================================================================
Red Hat Security Advisory
Synopsis: Critical: flash-plugin security update
Advisory ID: RHSA-2013:1518-01
Product: Red Hat Enterprise Linux Supplementary
Advisory URL: https://rhn.redhat.com/errata/RHSA-2013-1518.html
Issue date: 2013-11-13
CVE Names: CVE-2013-5329 CVE-2013-5330
=====================================================================
1. Summary:
An updated Adobe Flash Player package that fixes two security issues is now
available for Red Hat Enterprise Linux 5 and 6 Supplementary.
The Red Hat Security Response Team has rated this update as having critical
security impact. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available from the CVE link in
the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64
3. Description:
The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash
Player web browser plug-in. This update fixes two vulnerabilities in Adobe
Flash Player. These vulnerabilities are detailed in the Adobe Security
bulletin APSB13-26, listed in the References section. Specially-crafted SWF
content could cause flash-plugin to crash or, potentially, execute arbitrary
code when a victim loads a page containing the malicious SWF content.
4. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/site/articles/11258
5. Bugs fixed (http://bugzilla.redhat.com/):
1029692 - CVE-2013-5329 CVE-2013-5330 flash-plugin: multiple code execution flaws (APSB13-26)
6. Package List:
Red Hat Enterprise Linux Desktop Supplementary (v. 5):
i386:
flash-plugin-11.2.202.327-1.el5.i386.rpm
x86_64:
flash-plugin-11.2.202.327-1.el5.i386.rpm
Red Hat Enterprise Linux Server Supplementary (v. 5):
i386:
flash-plugin-11.2.202.327-1.el5.i386.rpm
x86_64:
flash-plugin-11.2.202.327-1.el5.i386.rpm
Red Hat Enterprise Linux Desktop Supplementary (v. 6):
i386:
flash-plugin-11.2.202.327-1.el6.i686.rpm
x86_64:
flash-plugin-11.2.202.327-1.el6.i686.rpm
Red Hat Enterprise Linux Server Supplementary (v. 6):
i386:
flash-plugin-11.2.202.327-1.el6.i686.rpm
x86_64:
flash-plugin-11.2.202.327-1.el6.i686.rpm
Red Hat Enterprise Linux Workstation Supplementary (v. 6):
i386:
flash-plugin-11.2.202.327-1.el6.i686.rpm
x86_64:
flash-plugin-11.2.202.327-1.el6.i686.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package
7. References:
https://www.redhat.com/security/data/cve/CVE-2013-5329.html
https://www.redhat.com/security/data/cve/CVE-2013-5330.html
https://access.redhat.com/security/updates/classification/#critical
https://www.adobe.com/support/security/bulletins/apsb13-26.html
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2013 Red Hat, Inc.
Background
==========
The Adobe Flash Player is a renderer for the SWF file format, which is
commonly used to provide interactive websites. Please review the CVE identifiers referenced below for
details.
Impact
======
A remote attacker could entice a user to open a specially crafted SWF
file using Adobe Flash Player, possibly resulting in execution of
arbitrary code with the privileges of the process or a Denial of
Service condition.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Adobe Flash Player users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=www-plugins/adobe-flash-11.2.202.336"
References
==========
[ 1 ] CVE-2013-5329
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5329
[ 2 ] CVE-2013-5330
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5330
[ 3 ] CVE-2013-5331
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5331
[ 4 ] CVE-2013-5332
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5332
[ 5 ] CVE-2014-0491
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0491
[ 6 ] CVE-2014-0492
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0492
[ 7 ] CVE-2014-0497
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0497
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201402-06.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2014 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
| VAR-201311-0168 | CVE-2013-5330 | Adobe Flash Player and Adobe AIR Vulnerable to arbitrary code execution |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Adobe Flash Player before 11.7.700.252 and 11.8.x and 11.9.x before 11.9.900.152 on Windows and Mac OS X and before 11.2.202.327 on Linux, Adobe AIR before 3.9.0.1210, Adobe AIR SDK before 3.9.0.1210, and Adobe AIR SDK & Compiler before 3.9.0.1210 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2013-5329. This is a different vulnerability from CVE-2013-5329. An attacker could execute arbitrary code or cause a denial of service (memory corruption). User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the processing of certain AVM2 instructions, allowing direct memory access outside of the domain memory. Failed exploit attempts will result in a denial-of-service condition. Adobe AIR is a cross-operating system runtime environment that can be used to build and configure cross-platform desktop RIA (Rich Internet Applications) applications. The Red Hat advisory RHSA-2013:1518-01 and Gentoo GLSA 201402-06 reproduced under CVE-2013-5329 above cover this vulnerability as well.
| VAR-201311-0076 | CVE-2013-3694 | Windows Or Mac OS X Run on BlackBerry Link Vulnerable to reading arbitrary files |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
BlackBerry Link before 1.2.1.31 on Windows and before 1.1.1 build 39 on Mac OS X does not require authentication for remote file-access folders, which allows remote attackers to read or create arbitrary files via IPv6 WebDAV requests, as demonstrated by a CSRF attack involving DNS rebinding. BlackBerry Link is prone to a remote privilege-escalation vulnerability.
An attacker can exploit this issue to execute arbitrary code with elevated privileges within the context of the user running the affected application. BlackBerry Link is mobile phone synchronization software developed by BlackBerry Canada. This software can synchronize music, pictures, videos and other data between a BlackBerry mobile phone and a computer via USB or Wi-Fi. The vulnerability stems from the fact that the program does not require authentication for remote file access.
| VAR-201311-0293 | CVE-2013-5552 | Cisco IOS Content Services Gateway Security Bypass Vulnerability |
CVSS V2: 6.4 CVSS V3: - Severity: MEDIUM |
Cisco IOS 12.4(24)MDB9 and earlier on Content Services Gateway (CSG) devices does not properly implement the "parse error drop" feature, which allows remote attackers to bypass intended access restrictions via a crafted series of packets, aka Bug ID CSCug90143. Cisco IOS is the internetwork operating system used on most Cisco Systems routers and network switches. The vulnerability is caused by the "parse error drop" feature failing to properly handle malformed packets.
Successfully exploiting this issue may allow an attacker to bypass certain security restrictions and gain access to sensitive information.
This issue is being tracked by Cisco Bug ID CSCug90143. The Content Services Gateway solution provides functions such as statistical billing, billing records, and content filtering for data traffic.
| VAR-201311-0300 | CVE-2013-5560 | Cisco Adaptive Security Appliance Software IPv6 Service disruption in implementations (DoS) Vulnerabilities |
CVSS V2: 5.4 CVSS V3: - Severity: MEDIUM |
The IPv6 implementation in Cisco Adaptive Security Appliance (ASA) Software 9.1.3 and earlier, when NAT64 or NAT66 is enabled, does not properly process NAT rules, which allows remote attackers to cause a denial of service (device reload) via crafted packets, aka Bug ID CSCue34342. The vendor has confirmed this vulnerability and published it as Bug ID CSCue34342. A third party could cause a denial of service (device reload) via crafted packets. Cisco Adaptive Security Appliance is prone to a remote denial-of-service vulnerability.
An attacker can exploit this issue to cause an affected device to reload, denying service to legitimate users.
This issue is being tracked by Cisco Bug ID CSCue34342.
| VAR-201311-0288 | CVE-2013-5223 |
D-Link DSL-2760U Gateway cross-site scripting vulnerability
Related entries in the VARIoT exploits database: VAR-E-201311-0046, VAR-E-201311-0047 |
CVSS V2: 3.5 CVSS V3: 5.4 Severity: MEDIUM |
The D-Link DSL-2760U gateway contains a cross-site scripting vulnerability. A remote authenticated user may inject web script or HTML via the following parameters: (1) the ntpServer1 parameter to sntpcfg.cgi; (2) the username parameter to ddnsmngr.cmd; (3) the username parameter to todmngr.tod; (4) the TodUrlAdd parameter to urlfilter.cmd; (5) the appName parameter to scprttrg.cmd; (6) the fltName parameter in an add action to scoutflt.cmd; (7) the rmLst parameter in a remove action to scoutflt.cmd; (8) the groupName parameter to portmapcfg.cmd; (9) the snmpRoCommunity parameter to snmpconfig.cgi; (10) the fltName parameter to scinflt.cmd; (11) the PolicyName parameter in an add action to prmngr.cmd; (12) the rmLst parameter in a remove action to prmngr.cmd; (13) the ippName parameter to ippcfg.cmd; (14) the smbNetBiosName parameter to samba.cgi; (15) the smbDirName parameter to samba.cgi; or (16) the wlSsid parameter to wlcfg.wl. The D-Link Router 2760N is a router device. There are multiple cross-site scripting and HTML injection vulnerabilities in the D-Link DSL-2760U-BN. Because the D-Link Router 2760N does not correctly filter input when handling NTP settings, dynamic DNS settings, URL filtering, NAT port processing, IP filtering, interface groups, incoming IP filters, policy routing, the print server, Samba configuration and the Wi-Fi SSID, a remote attacker can exploit these flaws for cross-site scripting attacks; when the malicious data is viewed, this can lead to sensitive information leakage or session hijacking.
Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or control how the site is rendered to the user. Other attacks are also possible. The vulnerability is caused by (1) the sntpcfg.cgi script not correctly filtering the 'ntpServer1' parameter; (2) the ddnsmngr.cmd and todmngr.tod scripts not correctly filtering the 'username' parameter; (3) the urlfilter.cmd script not correctly filtering the 'TodUrlAdd' parameter; (4) the scprttrg.cmd script not correctly filtering the 'appName' parameter; (5) the scoutflt.cmd script not correctly filtering the 'fltName' parameter in the add operation and the 'rmLst' parameter in the delete operation; (6) the portmapcfg.cmd script not correctly filtering the 'groupName' parameter; (7) the snmpconfig.cgi script not correctly filtering the 'snmpRoCommunity' parameter; (8) the scinflt.cmd script not correctly filtering the 'fltName' parameter; (9) the prmngr.cmd script not correctly filtering the 'PolicyName' parameter in the add operation and the 'rmLst' parameter in the delete operation; (10) the ippcfg.cmd script not correctly filtering the 'ippName' parameter; (11) the samba.cgi script not correctly filtering the 'smbNetBiosName' and 'smbDirName' parameters; and (12) the wlcfg.wl script not correctly filtering the 'wlSsid' parameter. A remote attacker could exploit this vulnerability to inject arbitrary web script or HTML by using a specially crafted URL.
Advisory: D-Link Router 2760N (DSL-2760U-BN) Multiple XSS
Author: Liad Mizrachi
Vendor URL: http://www.dlink.com
Status: Fixed
CVE-ID: CVE-2013-5223
==========================
Vulnerability Description
==========================
Multiple Cross-Site Scripting (XSS) vulnerabilities present in D-Link Router 2760N, both stored and reflected in various sections of the router Web-UI.
23-Aug-2013 - Vendor Re-Informed - No response.
01-Sep-2013 - Vendor Re-Informed - No response.
10-Sep-2013 - Vendor Re-Informed - No response.
10-Oct-2013 - Vendor Re-Informed - No response.
==========================
References
==========================
http://www.dlink.com
http://www.dlink.com.tr/en/arts/117.html
http://www.netcheif.com/downloads/DSL-2760U_user_manual.pdf
| VAR-201311-0457 | No CVE | Belkin NetCam Wi-Fi Camera with Night Vision Video Stream Backdoor Security Bypass Vulnerability |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
The Belkin NetCam Wi-Fi Camera's online video stream is accessible with the username and password admin/admin, allowing an attacker to gain unauthorized access to sensitive information. This account information cannot be changed by the user. Belkin NetCam Wi-Fi Camera with Night Vision is a wireless network camera product with a night vision function from Belkin.
A security bypass vulnerability exists in Belkin NetCam Wi-Fi Camera with Night Vision, which originates from the program's use of hard-coded credentials. A remote attacker could use this vulnerability to bypass security restrictions and gain access.
| VAR-201311-0513 | No CVE | MikroTik RouterOS Default Management Account Vulnerability |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
The MikroTik RouterOS software turns a standard PC into a network router. MikroTik RouterOS has a default administrative account 'admin' with a blank password, which allows remote attackers to use this account to gain unauthorized access.
| VAR-201311-0514 | No CVE | NEC VOIP Phones default management account vulnerability |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
NEC VOIP Phones are VoIP phone devices. NEC VOIP Phones have a default management account 'ADMIN' with the password '632379', which allows remote attackers to use this account to gain unauthorized access.
| VAR-201311-0157 | CVE-2013-5442 | XGS 5100 Run on IBM Security Network Protection Firmware cross-site scripting vulnerability |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Cross-site scripting (XSS) vulnerability in the Local Management Interface (LMI) in IBM Security Network Protection on XGS 5100 devices with firmware 5.1 before 5.1.0.6 and 5.1.1 before 5.1.1.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. IBM Security Network Protection is a device of the IBM Security Intrusion Prevention product portfolio.
An attacker may leverage this issue to execute arbitrary HTML and script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. The system can monitor application usage, website access and operation execution within the network to avoid threats such as malware and botnets.
| VAR-201311-0290 | CVE-2013-5568 | Cisco Adaptive Security Appliance Auto-Update Remote Denial of Service Vulnerability |
CVSS V2: 7.1 CVSS V3: - Severity: HIGH |
The auto-update implementation in Cisco Adaptive Security Appliance (ASA) Software 9.0.3.6 and earlier allows remote attackers to cause a denial of service (device reload) via crafted update data, aka Bug ID CSCui33308.
Attackers can exploit this issue to cause an affected device to reload, resulting in a denial-of-service condition.
This issue is being tracked by Cisco Bug ID CSCui33308.
| VAR-201311-0236 | CVE-2013-6682 | Cisco Adaptive Security Appliance Phone Proxy Database Security Bypass Vulnerability |
CVSS V2: 6.4 CVSS V3: - Severity: MEDIUM |
The phone-proxy implementation in Cisco Adaptive Security Appliance (ASA) Software 9.0.3.6 and earlier does not properly validate X.509 certificates, which allows remote attackers to cause a denial of service (connection-database corruption) via an invalid entry, aka Bug ID CSCui33299. The vendor has confirmed this vulnerability and published it as Bug ID CSCui33299. A third party could cause a denial of service (connection-database corruption) via an invalid entry. Cisco Adaptive Security Appliance (ASA) is prone to a security-bypass vulnerability.
Successfully exploiting this issue will allow attackers to bypass security restrictions, such as inserting an invalid entry into the phone proxy connection database.
This issue is tracked by Cisco Bug ID CSCui33299. The vulnerability stems from the fact that the phone proxy connection database does not properly handle untrusted certificates.
| VAR-201311-0355 | CVE-2013-6799 | Apple Mac OS X Service disruption in (DoS) Vulnerabilities |
CVSS V2: 4.7 CVSS V3: - Severity: MEDIUM |
Apple Mac OS X 10.9 allows local users to cause a denial of service (memory corruption or panic) by creating a hard link to a directory. NOTE: this vulnerability exists because of an incomplete fix for CVE-2010-0105.
Exploiting this issue allows local, unprivileged users to crash the affected system, denying further service to legitimate users.
MacOSX/XNU HFS Multiple Vulnerabilities
Maksymilian Arciemowicz
http://cxsecurity.com/
http://cifrex.org/
===================
On November 8th, I reported a vulnerability in hard links for HFS+
(CVE-2013-6799)
http://cxsecurity.com/issue/WLB-2013110059
The HFS+ file system does not apply strict privilege rules during the
creation of hard links. The ability to create hard links to directories is
wrongly implemented, and this issue affects OS versions greater than or
equal to 10.5. Officially, Apple allows you to create hard links only for
your Time Machine. To create N hard links, you must use a
special algorithm which creates links from the top of the file system tree.
This means that first we create the directory structure and, once created, we
need to go from top to bottom creating hard links. Last time I
mentioned the possibility of a kernel crash by performing the 'ls'
command. This situation occurs in conjunction with the 'find' application.
Commands such as 'ls' behave in unexpected ways. Apple are going to find this
crash point in the code. To create a huge hard-link structure, use this code
http://cert.cx/stuff/l2.c
-----------------------------------
h1XSS:tysiak cx$ uname -a
Darwin 000000000000000.home 13.1.0 Darwin Kernel Version 13.1.0: Thu Jan 16
19:40:37 PST 2014; root:xnu-2422.90.20~2/RELEASE_X86_64 x86_64
h1xss:tysiak cx$ gcc -o l2 l2.c
h1xss:tysiak cx$ ./l2 1000
...
h1xss:tysiak cx$ cat loop.sh
#!/bin/bash
while [ 1 ] ; do
ls -laR B > /dev/null
done
h1xss:tysiak cx$ sh ./loop.sh
ls: B: No such file or directory
ls: X1: No such file or directory
...
ls: X8: Bad address
ls: X1: Bad address
ls: X2: Bad address
...
ls: X8: No such file or directory
./loop.sh: line 4: 8816 Segmentation fault: 11 ls -laR B > /dev/null
./loop.sh: line 4: 8818 Segmentation fault: 11 ls -laR B > /dev/null
ls: B: No such file or directory
ls: X1: No such file or directory
ls: X2: No such file or directory
...
ls: X1: No such file or directory
ls: X2: No such file or directory
-----------
...
-----------
Feb 9 21:16:38 h1xss.home ReportCrash[9419]: Saved crash report for
ls[9418] version 230 to
/Users/freak/Library/Logs/DiagnosticReports/ls_2014-02-09-211638_h1XSS.crash
-----------
What we can see here is unexpected behavior of the ls command. The ls process
is also affected by an infinite loop (recursion?).
-----------
h1xss:tysiak cx$ ps -fp 8822
UID PID PPID C STIME TTY TIME CMD
501 8822 8810 0 7:36 ttys002 62:19.65 ls -laR B
-----------
or, used in parallel with the (find . > /dev/null) command, causes a kernel crash
-----------
Mon Mar 31 20:30:41 2014
panic(cpu 0 caller 0xffffff80044dbe2e): Kernel trap at 0xffffff8004768838,
type 13=general protection, registers:
CR0: 0x0000000080010033, CR2: 0xffffff8122877004, CR3: 0x0000000001a5408c,
CR4: 0x00000000001606e0
RAX: 0xffffff802bc148a0, RBX: 0xdeadbeefdeadbeef, RCX: 0x0000000000008000,
RDX: 0x0000000000000000
RSP: 0xffffff8140d9b990, RBP: 0xffffff8140d9b9a0, RSI: 0x0000000000000018,
RDI: 0xffffff802f23bcd0
R8: 0xffffff8140d9bc1c, R9: 0xffffff802f26e960, R10: 0xffffff8140d9ba2c,
R11: 0x0000000000000f92
R12: 0xffffff801ba1a008, R13: 0xffffff8140d9bb20, R14: 0xffffff802f23bcd0,
R15: 0xffffff802f26e960
RFL: 0x0000000000010282, RIP: 0xffffff8004768838, CS: 0x0000000000000008,
SS: 0x0000000000000010
Fault CR2: 0xffffff8122877004, Error code: 0x0000000000000000, Fault CPU:
0x0
Backtrace (CPU 0), Frame : Return Address
0xffffff811eee8c50 : 0xffffff8004422fa9
BSD process name corresponding to current thread: ls
-----------
XNU is the computer operating system kernel that Apple Inc. acquired and
developed for use in the Mac OS X operating system and released as free and
open source software as part of the Darwin operating system. We can try to
look at the HFS implementation code. Let's start static code analysis using
the cifrex.org tool!
-1.---------------------------------------------------------
Unchecked Return Value to NULL Pointer Dereference in hfs_vfsops.c
Code:
http://opensource.apple.com/source/xnu/xnu-2422.1.72/bsd/hfs/hfs_vfsops.c
--- hfs_vfsops.c ----------------------------
/*
 * HFS filesystem related variables.
 */
int
hfs_sysctl(int *name, __unused u_int namelen, user_addr_t oldp, size_t *oldlenp,
           user_addr_t newp, size_t newlen, vfs_context_t context)
{
...
        if ((newlen <= 0) || (newlen > MAXPATHLEN))
            return (EINVAL);
        bufsize = MAX(newlen * 3, MAXPATHLEN);
        MALLOC(filename, char *, newlen, M_TEMP, M_WAITOK);
        if (filename == NULL) {                          <===== filename CHECK
            error = ENOMEM;
            goto encodinghint_exit;
        }
        MALLOC(unicode_name, u_int16_t *, bufsize, M_TEMP, M_WAITOK);
        if (filename == NULL) {                          <===== double CHECK?
            error = ENOMEM;
            goto encodinghint_exit;
        }
        error = copyin(newp, (caddr_t)filename, newlen);
        if (error == 0) {
            error = utf8_decodestr((u_int8_t *)filename, newlen - 1, unicode_name,
                                   &bytes, bufsize, 0, UTF_DECOMPOSED);
            if (error == 0) {
                hint = hfs_pickencoding(unicode_name, bytes / 2);
                error = sysctl_int(oldp, oldlenp, USER_ADDR_NULL, 0,
                                   (int32_t *)&hint);
            }
        }
--- hfs_vfsops.c ----------------------------
Checking 'filename' twice makes no sense. Probably 'unicode_name' should
be checked in the second condition.
-2.---------------------------------------------------------
Possible Buffer Overflow in resource fork (hfs_vnops.c)
Unverified value returned by snprintf() may be bigger as a declared buffer
(MAXPATHLEN).
https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man3/snprintf.3.html
---
The snprintf() and vsnprintf() functions will write at most n-1 of the
characters printed into the output string (the n'th character then gets
the terminating `\0'); if the return value is greater than or equal to
the n argument, the string was too short and some of the printed
characters were discarded. The output is always null-terminated.
---
Code:
http://opensource.apple.com/source/xnu/xnu-2422.1.72/bsd/hfs/hfs_vnops.c
--- hfs_vnops.c ----------------------------
...
/*
 * hfs_vgetrsrc acquires a resource fork vnode corresponding to the cnode that is
 * found in 'vp'. The rsrc fork vnode is returned with the cnode locked and iocount
 * on the rsrc vnode.
 *
...
 */
int
hfs_vgetrsrc(struct hfsmount *hfsmp, struct vnode *vp, struct vnode **rvpp,
             int can_drop_lock, int error_on_unlinked)
{
    ...
    /*
     * Supply hfs_getnewvnode with a component name.
     */
    cn.cn_pnbuf = NULL;
    if (descptr->cd_nameptr) {
        MALLOC_ZONE(cn.cn_pnbuf, caddr_t, MAXPATHLEN, M_NAMEI, M_WAITOK);
        cn.cn_nameiop = LOOKUP;
        cn.cn_flags = ISLASTCN | HASBUF;
        cn.cn_context = NULL;
        cn.cn_pnlen = MAXPATHLEN;
        cn.cn_nameptr = cn.cn_pnbuf;
        cn.cn_hash = 0;
        cn.cn_consume = 0;
        cn.cn_namelen = snprintf(cn.cn_nameptr, MAXPATHLEN,          <================
                                 "%s%s", descptr->cd_nameptr, _PATH_RSRCFORKSPEC);
    }
    dvp = vnode_getparent(vp);
    error = hfs_getnewvnode(hfsmp, dvp, cn.cn_pnbuf ? &cn : NULL,   <================
                            descptr, GNV_WANTRSRC | GNV_SKIPLOCK, &cp->c_attr,
                            &rsrcfork, &rvp, &newvnode_flags);
--- hfs_vnops.c ----------------------------
The format is '%s%s', so the combined length of descptr->cd_nameptr and
_PATH_RSRCFORKSPEC may exceed the declared buffer size (MAXPATHLEN). If
descptr->cd_nameptr can be as long as MAXPATHLEN, and given that
_PATH_RSRCFORKSPEC is
#define _PATH_RSRCFORKSPEC "/..namedfork/rsrc"
which is 17 characters, the formatted name can be up to 17 characters too
long. snprintf() itself never writes past MAXPATHLEN; what goes wrong is that
its return value, the length the string would have had, is stored in
cn.cn_namelen and may exceed the bytes actually placed in the buffer by up to
17. That over-long length is then trusted by the callees below.
Now let's look at the hfs_getnewvnode() function, which receives that componentname:
http://opensource.apple.com/source/xnu/xnu-2422.1.72/bsd/hfs/hfs_cnode.c
--- hfs_cnode.c ----------------------------
hfs_getnewvnode(
    struct hfsmount *hfsmp,
    struct vnode *dvp,
    struct componentname *cnp,          <======== WATCH THIS
    struct cat_desc *descp,
    int flags,
    struct cat_attr *attrp,
    struct cat_fork *forkp,
    struct vnode **vpp,
    int *out_flags)
{
    ...
    if ((*vpp != NULL) && (cnp)) {
        /* we could be requesting the rsrc of a hardlink file... */
        vnode_update_identity (*vpp, dvp, cnp->cn_nameptr,
                               cnp->cn_namelen, cnp->cn_hash,        <== NAMELEN HERE
                               (VNODE_UPDATE_PARENT | VNODE_UPDATE_NAME));
    ...
--- hfs_cnode.c ----------------------------
and the call to vnode_update_identity():
http://opensource.apple.com/source/xnu/xnu-2422.1.72/bsd/vfs/vfs_cache.c
--- vfs_cache.c ----------------------------
void
vnode_update_identity(vnode_t vp, vnode_t dvp, const char *name, int name_len,
                      uint32_t name_hashval, int flags)
{
    ...
    if ( (flags & VNODE_UPDATE_NAME) ) {
        if (name != vp->v_name) {
            if (name && *name) {
                if (name_len == 0)
                    name_len = strlen(name);
                tname = vfs_addname(name, name_len, name_hashval, 0);   <== NAMELEN HERE
            }
        } else
            flags &= ~VNODE_UPDATE_NAME;
    }
    ...
const char *
vfs_addname(const char *name, uint32_t len, u_int hashval, u_int flags)
{
    return (add_name_internal(name, len, hashval, FALSE, flags));       <== CALL
}
--- vfs_cache.c ----------------------------
and finally the out-of-bounds read in add_name_internal(): 'len' is trusted, so
when it exceeds the bytes actually present, name[len-1] reads past the end of
the buffer.
--- vfs_cache.c ----------------------------
static const char *
add_name_internal(const char *name, uint32_t len, u_int hashval,
                  boolean_t need_extra_ref, __unused u_int flags)
{
    struct stringhead *head;
    string_t *entry;
    uint32_t chain_len = 0;
    uint32_t hash_index;
    uint32_t lock_index;
    char *ptr;
    /*
     * if the length already accounts for the null-byte, then
     * subtract one so later on we don't index past the end
     * of the string.
     */
    if (len > 0 && name[len-1] == '\0') {       <===== INVALID MEMORY REFERENCE
        len--;
    }
    if (hashval == 0) {
        hashval = hash_string(name, len);
    }
--- vfs_cache.c ----------------------------
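To make the second finding concrete, here is an added user-space model of the hfs_vgetrsrc() -> add_name_internal() chain. It is not XNU code and not from the advisory author. The buffer is shrunk from MAXPATHLEN to 32 bytes so that truncation is easy to trigger; the suffix is the real _PATH_RSRCFORKSPEC, and the sample names are constructed. It shows that snprintf() never writes past the buffer, that its return value can nevertheless exceed the buffer, and that a downstream name[len-1] peek using that value would land outside the buffer; the hardened builder refuses a name that did not fit.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not XNU code: a user-space model of the pattern in
 * hfs_vgetrsrc() -> add_name_internal(). The buffer is shrunk from
 * MAXPATHLEN to 32 bytes so that truncation is easy to trigger. */
#define NAMEBUF_LEN 32
#define PATH_RSRCFORKSPEC "/..namedfork/rsrc"   /* same 17-byte suffix as XNU */

/* Mirrors the original: returns snprintf()'s result as the name length
 * without checking whether the formatted name actually fit. */
int build_rsrc_name_unchecked(char *buf, size_t buflen, const char *name)
{
    return snprintf(buf, buflen, "%s%s", name, PATH_RSRCFORKSPEC);
}

/* Hardened form: a return value >= buflen means truncation, so report an
 * error (a kernel would return ENAMETOOLONG) instead of handing a caller a
 * length that exceeds the bytes in the buffer. */
int build_rsrc_name_checked(char *buf, size_t buflen, const char *name)
{
    int n = snprintf(buf, buflen, "%s%s", name, PATH_RSRCFORKSPEC);
    if (n < 0 || (size_t)n >= buflen)
        return -1;
    return n;
}

/* By how many bytes the unchecked length overstates the buffer contents;
 * 0 means nothing was truncated. This is exactly how far past the buffer
 * an add_name_internal()-style name[len-1] peek would read. */
int overstated_bytes(const char *name)
{
    char buf[NAMEBUF_LEN];
    int n = build_rsrc_name_unchecked(buf, sizeof buf, name);
    return n - (int)strlen(buf);
}

/* Same as build_rsrc_name_checked() but with its own buffer. */
int checked_len(const char *name)
{
    char buf[NAMEBUF_LEN];
    return build_rsrc_name_checked(buf, sizeof buf, name);
}

/* Models the 'if (len > 0 && name[len-1] == 0)' peek: 1 if index len-1 lies
 * inside a buffer of buflen bytes, 0 if it would read past it. */
int peek_in_bounds(size_t buflen, int len)
{
    return len > 0 && (size_t)len <= buflen;
}

int main(void)
{
    /* constructed sample names, not real on-disk catalog entries */
    const char *names[] = { "short", "a-name-that-is-far-too-long" };
    for (size_t i = 0; i < 2; i++) {
        char buf[NAMEBUF_LEN];
        int n = build_rsrc_name_unchecked(buf, sizeof buf, names[i]);
        printf("%-28s snprintf=%2d strlen=%2zu peek_ok=%d checked=%d\n",
               names[i], n, strlen(buf), peek_in_bounds(sizeof buf, n),
               checked_len(names[i]));
    }
    return 0;
}
```

The checked variant is the fix a reviewer would ask for: treat a return value greater than or equal to the buffer size as an error rather than storing it as a length, because every consumer of cn_namelen downstream assumes the bytes exist.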
-3.---------------------------------------------------------
Unchecked Return Value to NULL Pointer Dereference in hfs_catalog.c and elsewhere
Note that a buffer length check (against the size stored in the accompanying
variable) should be performed before each encode into the buffer, and that the
return value of every *alloc() family call should be checked for NULL.
Here are a few further examples; some of them may be false positives.
http://opensource.apple.com/source/xnu/xnu-2422.1.72/bsd/hfs/hfs_catalog.c
--- hfs_catalog.c ----------------------------
/*
* builddesc - build a cnode descriptor from an HFS+ key
*/
static int
builddesc(const HFSPlusCatalogKey *key, cnid_t cnid, u_int32_t hint, u_int32_t encoding,
          int isdir, struct cat_desc *descp)
{
    int result = 0;
    unsigned char * nameptr;
    size_t bufsize;
    size_t utf8len;
    unsigned char tmpbuff[128];
    /* guess a size... */
    bufsize = (3 * key->nodeName.length) + 1;
    if (bufsize >= sizeof(tmpbuff) - 1) {                              <============================
        MALLOC(nameptr, unsigned char *, bufsize, M_TEMP, M_WAITOK);   <===== MALLOC FAIL
    } else {
        nameptr = &tmpbuff[0];
    }
    result = utf8_encodestr(key->nodeName.unicode,
                            key->nodeName.length * sizeof(UniChar),
                            nameptr, (size_t *)&utf8len,               <============================
...
    maxlinks = MIN(entrycnt, (u_int32_t)(uio_resid(uio) / SMALL_DIRENTRY_SIZE));
    bufsize = MAXPATHLEN + (maxlinks * sizeof(linkinfo_t)) + sizeof(*iterator);
    if (extended) {
        bufsize += 2*sizeof(struct direntry);
    }
    MALLOC(buffer, void *, bufsize, M_TEMP, M_WAITOK);                 <============================
    bzero(buffer, bufsize);
...
    FREE(nameptr, M_TEMP);
    MALLOC(nameptr, unsigned char *, bufsize, M_TEMP, M_WAITOK);       <==============
    result = utf8_encodestr(key->nodeName.unicode,
                            key->nodeName.length * sizeof(UniChar),
                            nameptr, (size_t *)&utf8len,
                            bufsize, ':', 0);
}
...
    cnp = (const CatalogName *)&ckp->hfsPlus.nodeName;
    bufsize = 1 + utf8_encodelen(cnp->ustr.unicode,
                                 cnp->ustr.length * sizeof(UniChar),
                                 ':', 0);
    MALLOC(new_nameptr, u_int8_t *, bufsize, M_TEMP, M_WAITOK);        <========
    result = utf8_encodestr(cnp->ustr.unicode,
                            cnp->ustr.length * sizeof(UniChar),
                            new_nameptr, &tmp_namelen, bufsize, ':', 0);
--- hfs_catalog.c ----------------------------
The examples above do not look right either. Could one of them be the root
cause of the application and kernel crashes?
I informed Apple of these possible errors; more than a month has passed and
I still have not received any comment or solution.
--- 1. References ---
http://cxsecurity.com/issue/WLB-2014040027
http://cxsecurity.com/cveshow/CVE-2013-6799/
http://cxsecurity.com/cveshow/CVE-2010-0105/
--- 2. Greetz ---
Kacper George and Michal
--- 3. Credit ---
Maksymilian Arciemowicz
http://cxsecurity.com/
http://cifrex.org/
http://cert.cx/
Best regards,
CXSEC TEAM
http://cxsec.org/
| VAR-201311-0405 | No CVE | SAP Product CRM Internet Sales / CRM Internet Service Web Application There is an Unknown SQL Injection Vulnerability |
CVSS V2: 9.0 CVSS V3: - Severity: HIGH |
SAP is a world-renowned provider of enterprise management and collaborative business solutions. SQL injection vulnerabilities exist in multiple SAP products. The vulnerability is due to incorrect filtering of user-submitted input by the CRM Internet Sales and CRM Internet Service web applications, allowing remote attackers to inject SQL into back-end database queries and manipulate or retrieve database information
| VAR-201312-0070 | CVE-2013-3707 | Novell Open Enterprise Server of novell-nrm Service operation disruption in packages (DoS) Vulnerabilities |
CVSS V2: 4.3 CVSS V3: - Severity: Medium |
The HTTPSTK service in the novell-nrm package before 2.0.2-297.305.302.3 in Novell Open Enterprise Server 2 (OES 2) Linux, and OES 11 Linux Gold and SP1, does not make the intended SSL_free and SSL_shutdown calls for the close of a TCP connection, which allows remote attackers to cause a denial of service (service crash) by establishing many TCP connections to port 8009. Novell Remote Manager is prone to a vulnerability that may allow attackers to cause a denial-of-service condition.
Successful exploits may allow the attacker to crash the affected application causing denial-of-service conditions.
Versions prior to Novell Remote Manager 2.0.2-297.305.302.3 are vulnerable
| VAR-201311-0287 | CVE-2013-5215 | FOSCAM Wireless IP Camera Cross-Site Scripting Vulnerability |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Cross-site scripting (XSS) vulnerability in the web interface "WiFi scan" option in FOSCAM Wireless IP Cameras allows remote attackers to inject arbitrary web script or HTML via the SSID. FOSCAM Wireless IP Camera is a wireless IP camera. Its web interface is prone to a cross-site scripting vulnerability because it fails to sanitize the SSIDs returned by a Wi-Fi scan; an SSID is chosen by whoever operates the access point, so anyone within radio range can supply the malicious input without any access to the camera's network.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks
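As an added example (not FOSCAM firmware code), this is the escaping a camera's embedded web server should apply to each scanned SSID before inserting it into the "WiFi scan" page. The 32-octet SSID limit comes from 802.11; the function names and the constructed SSIDs are illustrative.

```c
#include <stddef.h>
#include <string.h>

/* Added example, not FOSCAM code. An 802.11 SSID is at most 32 octets and
 * is attacker-controlled (anyone can beacon one), so a web UI that lists
 * scan results must treat it as untrusted bytes, never as HTML. */
#define SSID_MAX 32
/* Worst case each byte expands to 6 bytes ("&quot;"), plus the NUL. */
#define ESCAPED_MAX (SSID_MAX * 6 + 1)

/* Escape the HTML-significant characters of an SSID into out
 * (NUL-terminated). Returns the escaped length, or -1 if the SSID is
 * longer than the 802.11 limit or out is too small. */
int html_escape_ssid(const unsigned char *ssid, size_t ssid_len,
                     char *out, size_t out_len)
{
    size_t o = 0;
    if (ssid_len > SSID_MAX)
        return -1;
    for (size_t i = 0; i < ssid_len; i++) {
        const char *rep;
        char one[2] = { (char)ssid[i], 0 };
        switch (ssid[i]) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:
            /* Drop control bytes; a real UI would also validate UTF-8. */
            if (ssid[i] < 0x20 || ssid[i] == 0x7f)
                continue;
            rep = one;
        }
        size_t r = strlen(rep);
        if (o + r + 1 > out_len)
            return -1;
        memcpy(out + o, rep, r);
        o += r;
    }
    out[o] = 0;
    return (int)o;
}

/* Convenience wrapper for NUL-terminated strings (test input). */
int escape_cstr(const char *ssid, char *out, size_t out_len)
{
    return html_escape_ssid((const unsigned char *)ssid, strlen(ssid),
                            out, out_len);
}

/* Escaped length of ssid, or -1 when it is rejected. */
int escaped_len(const char *ssid)
{
    char buf[ESCAPED_MAX];
    return escape_cstr(ssid, buf, sizeof buf);
}

/* 1 if ssid escapes exactly to expected, 0 otherwise. */
int escapes_to(const char *ssid, const char *expected)
{
    char buf[ESCAPED_MAX];
    if (escape_cstr(ssid, buf, sizeof buf) < 0)
        return 0;
    return strcmp(buf, expected) == 0;
}
```

The escaper is for the HTML text and attribute-value contexts; if the SSID is also written into a JavaScript string or a URL on the same page, each of those contexts needs its own encoding. Length-limiting before escaping also bounds the page size, so a flood of long SSIDs cannot blow the embedded server's output buffer.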
| VAR-201311-0282 | CVE-2013-4740 | MSM For devices Qualcomm Innovation Center Android Used for contributions etc. Linux Kernel for Goodix gt915 Vulnerability of obtaining privilege in touch screen driver |
CVSS V2: 6.9 CVSS V3: - Severity: MEDIUM |
goodix_tool.c in the Goodix gt915 touchscreen driver for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, relies on user-space length values for kernel-memory copies of procfs file content, which allows attackers to gain privileges or cause a denial of service (memory corruption) via an application that provides crafted values. Android For MSM is prone to multiple local memory-corruption vulnerabilities that occur in the Goodix GT915 touchscreen driver because it fails to properly bounds-check user-supplied data.
Local attackers can exploit these issues to execute arbitrary code. Failed exploit attempts may cause a denial-of-service condition. The Linux kernel is the kernel used by the open source operating system Linux released by the Linux Foundation. There is a security vulnerability in the goodix_tool.c file in the goodix gt915 touch screen driver of the Linux kernel 3.x version used by the Android system.
The issues were found in the write handler of the procfs entry created by
the driver, which by default is readable and writable by users without any
specific privileges.
CVE-2013-4740
-------------
When processing data written to the procfs file, the Goodix gt915
touchscreen driver is using user space supplied content as length
values in subsequent memory manipulation operations without
bounds checking. This can lead to multiple memory corruption issues.
An application with access to the respective file can use this flaw
to, e.g., elevate privileges.
Access Vector: local
Security Risk: high
Vulnerability: CWE-20 (Improper Input Validation)
CVE-2013-6122
-------------
When processing arguments passed to the procfs write handler of
the Goodix gt915 touchscreen driver, user space data is copied to
a global variable and used without a mutual-exclusion mechanism.
The global structure used by the procfs write handler can be accessed
concurrently by more than one process. This would allow local attackers
to bypass the input validation checks (such as introduced by the fix for
CVE-2013-4740). An application with access to the respective file can use
this flaw to, e.g., alter the internal state of the handler, bypass security
checks, or create a denial-of-service condition.
Access Vector: local
Security Risk: medium
Vulnerability: CWE-362 (Concurrent Execution using Shared Resource
with Improper Synchronization)
Affected versions
-----------------
All Android releases from CAF using a Linux kernel from the following heads:
- jb_3*
- msm-3.10
Patch
-----
We advise customers to apply the following patches:
https://www.codeaurora.org/cgit/quic/la/kernel/msm-3.10/commit/?id=f53bcf29a6e7a66b3d935b8d562fa00829261f05
Acknowledgement
===============
Qualcomm Innovation Center, Inc. (QuIC) thanks Jonathan Salwan of the
Sysdream Security Lab for reporting the related issues and working with
QuIC to help improve Android device security.
https://www.codeaurora.org/projects/security-advisories/multiple-memory-corruption-issues-and-race-condition-goodix-gt915-touchscreen-driver-procfs-handler
| VAR-201311-0208 | CVE-2013-6122 | MSM For devices Qualcomm Innovation Center Android Used for contributions etc. Linux Kernel for Goodix gt915 Vulnerability that can prevent access restriction in touch screen driver |
CVSS V2: 6.9 CVSS V3: - Severity: MEDIUM |
goodix_tool.c in the Goodix gt915 touchscreen driver for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, does not properly synchronize updates to a global variable, which allows local users to bypass intended access restrictions or cause a denial of service (memory corruption) via crafted arguments to the procfs write handler. Android For MSM project is prone to a local security-bypass vulnerability because it fails to sufficiently validate user-supplied input.
An attacker with physical access to the computer can exploit this issue to bypass security restrictions that may aid in further attacks. The Linux kernel is the kernel used by the open source operating system Linux released by the Linux Foundation. There is a race-condition vulnerability (CWE-362) in the goodix_tool.c file in the goodix gt915 touch screen driver of the Linux kernel 3.x version used by the Android system. The vulnerability comes from the fact that the program does not correctly synchronize updates to a global variable.
Description
===========
Multiple issues have been identified in the Goodix gt915 touchscreen
driver for Android. The issues were found in the write handler of the
procfs entry created by the driver, which by default is readable and
writeable to users without any specific privileges.
CVE-2013-4740
-------------
When processing data written to the procfs file, the Goodix gt915
touchscreen driver is using user space supplied content as length
values in subsequent memory manipulation operations without
bounds checking. This can lead to multiple memory corruption issues.
An application with access to the respective file can use this flaw
to, e.g., elevate privileges.
The global structure used by the procfs write handler can be accessed
concurrently by more than one process. This would allow local attackers
to bypass the input validation checks (such as introduced by the fix for
CVE-2013-4740). An application with access to the respective file can use
this flaw to, e.g., alter the internal state of the handler, bypass security
checks, or create a denial-of-service condition.
Access Vector: local
Security Risk: medium
Vulnerability: CWE-362 (Concurrent Execution using Shared Resource
with Improper Synchronization)
Affected versions
-----------------
All Android releases from CAF using a Linux kernel from the following heads:
- jb_3*
- msm-3.10
Patch
-----
We advise customers to apply the following patches:
https://www.codeaurora.org/cgit/quic/la/kernel/msm-3.10/commit/?id=f53bcf29a6e7a66b3d935b8d562fa00829261f05
Acknowledgement
===============
Qualcomm Innovation Center, Inc. (QuIC) thanks Jonathan Salwan of the
Sysdream Security Lab for reporting the related issues and working with
QuIC to help improve Android device security.
https://www.codeaurora.org/projects/security-advisories/multiple-memory-corruption-issues-and-race-condition-goodix-gt915-touchscreen-driver-procfs-handler
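Added example, not the Goodix/QuIC driver and not the CAF patch linked above: a user-space model of a procfs write handler with the two defects described for CVE-2013-4740 and CVE-2013-6122 (both entries above), next to a hardened handler. The command framing (command byte, length byte, payload), the 16-byte data limit, the sample writes and all names are assumptions; a C11 atomic_flag stands in for the driver mutex so the example builds without pthreads.

```c
#include <stdatomic.h>
#include <stdint.h>
#include <string.h>

/* Added example, not driver code. Framing assumed for illustration:
 * byte 0 = command, byte 1 = payload length, then the payload. */
#define DATA_MAX 16

struct tool_cmd {
    uint8_t cmd;
    uint8_t data_len;
    uint8_t data[DATA_MAX];
};

/* Shared state reached from the procfs write path: a global, as the
 * advisory describes. */
static struct tool_cmd g_cmd;
/* Stand-in for the driver mutex a kernel fix would take; a C11 spinlock
 * keeps the example dependency-free. */
static atomic_flag g_cmd_lock = ATOMIC_FLAG_INIT;

/* Constructed sample writes (not captured from a device). */
const uint8_t sample_ok[]       = { 0x02, 0x03, 'a', 'b', 'c' };
const uint8_t sample_overlong[] = { 0x01, 0xC8, 0xAA, 0xBB };   /* claims 200 bytes */
const uint8_t sample_short[]    = { 0x02, 0x05, 'a', 'b' };     /* claims 5, sends 2 */

/* Vulnerable shape (CVE-2013-4740 plus CVE-2013-6122): the length is taken
 * from user space and trusted, and every step reads and writes the global,
 * so a concurrent writer can change data_len between any check and its use.
 * The copy is deliberately not performed (it would write up to 255 bytes
 * into a 16-byte array); the function returns the byte count it would copy. */
size_t handler_vulnerable(const uint8_t *user, size_t count)
{
    if (count < 2)
        return 0;
    g_cmd.cmd = user[0];
    g_cmd.data_len = user[1];        /* attacker-chosen, never bounded */
    return g_cmd.data_len;           /* memcpy(g_cmd.data, user + 2, this) */
}

/* Hardened shape: parse into a stack-private copy, bound the length against
 * both the destination and the bytes actually supplied, then publish the
 * validated struct under the lock. No check runs on shared state, so a
 * racing writer cannot slip past it. Returns bytes accepted, or -1
 * (-EINVAL in a kernel). */
int handler_hardened(const uint8_t *user, size_t count)
{
    struct tool_cmd local;
    if (count < 2)
        return -1;
    local.cmd = user[0];
    local.data_len = user[1];
    if (local.data_len > DATA_MAX || (size_t)local.data_len + 2 > count)
        return -1;
    memset(local.data, 0, sizeof local.data);
    memcpy(local.data, user + 2, local.data_len);

    while (atomic_flag_test_and_set(&g_cmd_lock))
        ;                            /* spin; kernel code would mutex_lock() */
    g_cmd = local;                   /* commit the whole validated record */
    atomic_flag_clear(&g_cmd_lock);
    return local.data_len;
}

/* Accessors for inspecting what was published. */
int last_cmd(void)            { return g_cmd.cmd; }
int last_data_len(void)       { return g_cmd.data_len; }
int last_data_byte(size_t i)  { return i < DATA_MAX ? g_cmd.data[i] : -1; }
```

Two properties of the hardened handler matter: the user-supplied length is compared with both the destination size and the number of bytes actually written (the second check stops an over-read of the user buffer), and the global is only ever assigned a complete, already-validated record while the lock is held, so there is no window in which a second writer can alter state between validation and use.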
| VAR-201311-0295 | CVE-2013-5554 | Cisco Wide Area Application Services Mobile Server Web Management interface directory traversal vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Directory traversal vulnerability in the web-management interface in the server in Cisco Wide Area Application Services (WAAS) Mobile before 3.5.5 allows remote attackers to upload and execute arbitrary files via a crafted POST request, aka Bug ID CSCuh69773. The vendor has confirmed this vulnerability and tracks it as Bug ID CSCuh69773. A third party may upload and execute arbitrary files via a crafted POST request. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of CAB files uploaded through ReportReceiver. By uploading a crafted CAB file, an attacker is able to add a hostile web page to the web server. Using this, an attacker is able to run arbitrary code as either DefaultAppPool or NetworkService, depending on the operating system version. Failed exploit attempts may result in a denial-of-service condition.
This issue is being tracked by Cisco bug ID CSCuh69773. The vulnerability stems from the fact that the program does not correctly handle HTTP POST requests
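The ReportReceiver flaw described above is an archive-extraction traversal: member names inside the uploaded CAB decide where files land under the web root. Added example (not Cisco code): the member-name check and extension allow-list a reviewer would expect to run before any member is written. Windows path rules are applied because the server runs under IIS; the allowed extensions and the sample names are assumptions, and no CAB parsing is shown.

```c
#include <ctype.h>
#include <stdbool.h>
#include <string.h>

/* Added example, not Cisco WAAS Mobile code. Each member name of an
 * uploaded archive is rejected unless it is a plain relative path that
 * stays inside the extraction root. Windows rules: both separators,
 * drive letters, UNC prefixes, NTFS-illegal characters, ':' (alternate
 * data streams) and trailing dots/spaces (stripped by Win32) all rejected. */
bool is_safe_member_name(const char *name)
{
    size_t len = strlen(name);
    if (len == 0 || len > 260)                     /* MAX_PATH */
        return false;
    if (name[0] == '\\' || name[0] == '/')         /* rooted or UNC */
        return false;
    if (len >= 2 && isalpha((unsigned char)name[0]) && name[1] == ':')
        return false;                              /* drive-qualified */
    if (name[len - 1] == '\\' || name[len - 1] == '/')
        return false;                              /* not a file name */

    const char *p = name;
    while (*p) {
        const char *e = p;
        while (*e && *e != '\\' && *e != '/')
            e++;
        size_t clen = (size_t)(e - p);
        if (clen == 0)                             /* "a//b" */
            return false;
        if ((clen == 1 && p[0] == '.') ||
            (clen == 2 && p[0] == '.' && p[1] == '.'))
            return false;                          /* "." and ".." */
        for (const char *c = p; c < e; c++)
            if ((unsigned char)*c < 0x20 || strchr("<>:\"|?*", *c))
                return false;
        if (e[-1] == '.' || e[-1] == ' ')
            return false;                          /* "name." aliases "name" */
        p = *e ? e + 1 : e;
    }
    return true;
}

static bool eq_nocase(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return false;
    return *a == 0 && *b == 0;
}

/* Second line of defence: only extensions the receiver expects (report
 * data, assumed here) may be written, so even a traversal-free ".aspx"
 * cannot land somewhere IIS will execute it. */
bool has_allowed_extension(const char *name)
{
    static const char *allowed[] = { ".xml", ".csv", ".log" };
    const char *dot = strrchr(name, '.');
    if (!dot)
        return false;
    for (size_t i = 0; i < sizeof allowed / sizeof allowed[0]; i++)
        if (eq_nocase(dot, allowed[i]))
            return true;
    return false;
}

/* Combined decision for one archive member. */
bool may_extract(const char *name)
{
    return is_safe_member_name(name) && has_allowed_extension(name);
}
```

Both checks run on the member name as stored in the archive, before any path is joined to the extraction root; normalising after joining (or relying on the archive library to refuse "..") is what this class of bug typically gets wrong. Running the receiver's application pool as a low-privilege identity limits what a page that does slip through can do, which is why the page notes the code runs as DefaultAppPool or NetworkService.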