VARIoT IoT vulnerabilities database
| VAR-201404-0083 | CVE-2013-0740 | Dell OpenManage Server Administrator Open redirect vulnerability |
CVSS V2: 5.8 CVSS V3: - Severity: MEDIUM |
Open redirect vulnerability in Dell OpenManage Server Administrator (OMSA) before 7.3.0 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the file parameter to HelpViewer. Dell OpenManage Server Administrator is prone to an open-redirection vulnerability.
An attacker can leverage this issue by constructing a crafted URI and enticing a user to follow it. When an unsuspecting victim follows the link, they may be redirected to an attacker-controlled site; this may aid in phishing attacks. Other attacks are possible.
Dell OpenManage Server Administrator 7.2.0 is vulnerable; other versions may also be affected. The solution supports online diagnosis, system operation detection, equipment management, etc.
| VAR-201307-0175 | CVE-2013-2249 | Apache HTTP Server mod_session_dbd module: vulnerability in mod_session_dbd.c |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
mod_session_dbd.c in the mod_session_dbd module in the Apache HTTP Server before 2.4.5 proceeds with save operations for a session without considering the dirty flag and the requirement for a new session ID, which has unspecified impact and remote attack vectors. Apache HTTP Server is prone to an unspecified remote security vulnerability.
Little is known about this issue or its effects at this time. We will update this BID as more information emerges.
Apache HTTP Server versions prior to 2.4.6 are vulnerable. The server is fast, reliable and extensible through a simple API. An attacker could exploit this vulnerability for unspecified impact.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
[slackware-security] httpd (SSA:2013-218-02)
New httpd packages are available for Slackware 12.1, 12.2, 13.0, 13.1, 13.37,
14.0, and -current to fix security issues.
Here are the details from the Slackware 14.0 ChangeLog:
+--------------------------+
patches/packages/httpd-2.4.6-i486-1_slack14.0.txz: Upgraded.
This update addresses two security issues:
* SECURITY: CVE-2013-1896 (cve.mitre.org) Sending a MERGE request against
a URI handled by mod_dav_svn with the source href (sent as part of the
request body as XML) pointing to a URI that is not configured for DAV
will trigger a segfault.
* SECURITY: CVE-2013-2249 (cve.mitre.org) mod_session_dbd: Make sure that
dirty flag is respected when saving sessions, and ensure the session ID
is changed each time the session changes. This changes the format of the
updatesession SQL statement. Existing configurations must be changed.
For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1896
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2249
(* Security fix *)
+--------------------------+
Where to find the new packages:
+-----------------------------+
Thanks to the friendly folks at the OSU Open Source Lab
(http://osuosl.org) for donating FTP and rsync hosting
to the Slackware project! :-)
Also see the "Get Slack" section on http://slackware.com for
additional mirror sites near you.
Updated package for Slackware 12.1:
ftp://ftp.slackware.com/pub/slackware/slackware-12.1/patches/packages/httpd-2.2.25-i486-1_slack12.1.tgz
Updated package for Slackware 12.2:
ftp://ftp.slackware.com/pub/slackware/slackware-12.2/patches/packages/httpd-2.2.25-i486-1_slack12.2.tgz
Updated package for Slackware 13.0:
ftp://ftp.slackware.com/pub/slackware/slackware-13.0/patches/packages/httpd-2.2.25-i486-1_slack13.0.txz
Updated package for Slackware x86_64 13.0:
ftp://ftp.slackware.com/pub/slackware/slackware64-13.0/patches/packages/httpd-2.2.25-x86_64-1_slack13.0.txz
Updated package for Slackware 13.1:
ftp://ftp.slackware.com/pub/slackware/slackware-13.1/patches/packages/httpd-2.2.25-i486-1_slack13.1.txz
Updated package for Slackware x86_64 13.1:
ftp://ftp.slackware.com/pub/slackware/slackware64-13.1/patches/packages/httpd-2.2.25-x86_64-1_slack13.1.txz
Updated package for Slackware 13.37:
ftp://ftp.slackware.com/pub/slackware/slackware-13.37/patches/packages/httpd-2.2.25-i486-1_slack13.37.txz
Updated package for Slackware x86_64 13.37:
ftp://ftp.slackware.com/pub/slackware/slackware64-13.37/patches/packages/httpd-2.2.25-x86_64-1_slack13.37.txz
Updated package for Slackware 14.0:
ftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/httpd-2.4.6-i486-1_slack14.0.txz
Updated package for Slackware x86_64 14.0:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/httpd-2.4.6-x86_64-1_slack14.0.txz
Updated package for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/httpd-2.4.6-i486-1.txz
Updated package for Slackware x86_64 -current:
ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/n/httpd-2.4.6-x86_64-1.txz
MD5 signatures:
+-------------+
Slackware 12.1 package:
49e1243c36da3a80140ca7759d2f6dd8 httpd-2.2.25-i486-1_slack12.1.tgz
Slackware 12.2 package:
467c75fe864bc88014e9501329a75285 httpd-2.2.25-i486-1_slack12.2.tgz
Slackware 13.0 package:
b96877782fd2f86204fdd3950b3a77bf httpd-2.2.25-i486-1_slack13.0.txz
Slackware x86_64 13.0 package:
392410fffbb3e4e4795e61a5b7d4fc50 httpd-2.2.25-x86_64-1_slack13.0.txz
Slackware 13.1 package:
71a682673a4dcca9be050a4719accbf7 httpd-2.2.25-i486-1_slack13.1.txz
Slackware x86_64 13.1 package:
a76f23ceb9189ecb99c04b3b2d3e2e2d httpd-2.2.25-x86_64-1_slack13.1.txz
Slackware 13.37 package:
704bccc4757c957a1ed30c4ffce19394 httpd-2.2.25-i486-1_slack13.37.txz
Slackware x86_64 13.37 package:
0cdea77935eeb983e368401856ec2e3c httpd-2.2.25-x86_64-1_slack13.37.txz
Slackware 14.0 package:
37736614680f786b4cc0a8faa095d885 httpd-2.4.6-i486-1_slack14.0.txz
Slackware x86_64 14.0 package:
d8901630ba6ecfd020a53512c5f63fc8 httpd-2.4.6-x86_64-1_slack14.0.txz
Slackware -current package:
649f30c4e51e6230fbe247664e0faa9c n/httpd-2.4.6-i486-1.txz
Slackware x86_64 -current package:
b3caf5504257c1172a2768ab114a9ee5 n/httpd-2.4.6-x86_64-1.txz
Installation instructions:
+------------------------+
Upgrade the package as root:
# upgradepkg httpd-2.4.6-i486-1_slack14.0.txz
Then, restart Apache httpd:
# /etc/rc.d/rc.httpd stop
# /etc/rc.d/rc.httpd start
+-----+
Slackware Linux Security Team
http://slackware.com/gpg-key
security@slackware.com
+------------------------------------------------------------------------+
| To leave the slackware-security mailing list: |
+------------------------------------------------------------------------+
| Send an email to majordomo@slackware.com with this text in the body of |
| the email message: |
| |
| unsubscribe slackware-security |
| |
| You will get a confirmation message back containing instructions to |
| complete the process. Please do not reply to this email address. |
+------------------------------------------------------------------------+
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (GNU/Linux)
iEYEARECAAYFAlIAnpMACgkQakRjwEAQIjM10gCgkmtxZKnHyFXGi8CbGmy4LfRQ
gL8AnjhciRUOBFU8ydK8gMvbfeZuU46c
=TDGS
-----END PGP SIGNATURE-----
| VAR-201307-0393 | CVE-2013-4890 | Samsung PS50C7700 3D Plasma-TV 50" DMCRUIS/0.1 web server denial of service (DoS) vulnerability |
Related entries in the VARIoT exploits database: VAR-E-201307-0008 |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
The DMCRUIS/0.1 web server on the Samsung PS50C7700 TV allows remote attackers to cause a denial of service (daemon crash) via a long URI to TCP port 5600. Samsung Electronics is a South Korean company founded in 1969. The Samsung PS50C7700 3D Plasma-TV is prone to a denial-of-service vulnerability.
Attackers can exploit this issue to cause a crash, denying service to legitimate users.
| VAR-201307-0443 | CVE-2013-5006 | Multiple Western Digital My Net router firmware cleartext administrative password disclosure vulnerability |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
main_internet.php on the Western Digital My Net N600 and N750 with firmware 1.03.12 and 1.04.16, and the N900 and N900C with firmware 1.05.12, 1.06.18, and 1.06.28, allows remote attackers to discover the cleartext administrative password by reading the "var pass=" line within the HTML source code. Western Digital My Net is a series of router products from Western Digital, USA.
An information disclosure vulnerability exists in a number of Western Digital My Net devices that can expose administrator credentials. This vulnerability could be used by unauthorized attackers to gain sensitive information that can help launch further attacks. The security hole is in the main_internet.php file.
| VAR-201307-0222 | CVE-2013-3435 | Cisco Unified IP Conference Station 7937G denial of service (DoS) vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The Cisco Unified IP Conference Station 7937G allows remote attackers to cause a denial of service (networking outage) via a flood of TCP packets, aka Bug ID CSCuh42052.
Attackers can exploit this issue to cause denial-of-service conditions.
This issue is being tracked by Cisco Bug ID CSCuh42052. This product provides information services and custom XML-based services.
| VAR-201307-0224 | CVE-2013-3437 | Cisco Unified Operations Manager management application SQL injection vulnerability |
CVSS V2: 6.5 CVSS V3: - Severity: MEDIUM |
SQL injection vulnerability in the management application in Cisco Unified Operations Manager allows remote authenticated users to execute arbitrary SQL commands via an entry field, aka Bug ID CSCud80179.
Exploiting this issue could allow an authenticated attacker to compromise the affected application, access or modify data, or exploit latent vulnerabilities in the underlying database.
This issue is tracked by Cisco Bug ID CSCud80179. Other versions may also be affected. The product provides a real-time service status view of the entire Cisco Unified Communications system, showing the current operational status of each component.
| VAR-201307-0615 | No CVE | ASUS Multiple Routers Clear Text Authentication Credentials Vulnerability (CNVD-2013-09984) |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Multiple ASUS routers have a security vulnerability that allows remote attackers to obtain sensitive information. The problem is that the device sends authentication credentials in clear text over the network, so an attacker sniffing the network can capture them.
| VAR-201307-0610 | No CVE | Huawei E587 3G Mobile Hotspot SMS message unspecified cross-site scripting vulnerability |
CVSS V2: 6.3 CVSS V3: - Severity: MEDIUM |
The Huawei E587 3G Mobile Hotspot is a wireless router device that supports 3G. The Huawei E587 3G Mobile Hotspot incorrectly validates certain input in SMS messages, allowing remote attackers to craft special SMS requests and entice users to open them, in order to obtain the targeted user's sensitive information or hijack the user's session.
| VAR-201307-0611 | No CVE | Multiple ASUS routers index.asp direct request management console authentication bypass vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
The ASUS RT-N16 and RT-N16R are wireless router devices. ASUS RT-N16 and RT-N16R incorrectly restrict access to users, allowing remote attackers to directly request index.asp scripts, bypass administrator authentication, and gain unauthorized access to the management console.
| VAR-201307-0223 | CVE-2013-3436 | Cisco IOS GET VPN feature default configuration encryption policy bypass vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The default configuration of the Group Encrypted Transport VPN (GET VPN) feature on Cisco IOS uses an improper mechanism for enabling Group Domain of Interpretation (GDOI) traffic flow, which allows remote attackers to bypass the encryption policy via certain uses of UDP port 848, aka Bug ID CSCui07698. The vendor has confirmed this vulnerability and published it as Bug ID CSCui07698. A third party could bypass the encryption policy via UDP port 848. Cisco IOS is the internetwork operating system used on most Cisco routers and network switches. Cisco IOS is prone to a security-bypass vulnerability.
Exploiting this issue could allow an attacker to bypass certain security restrictions and perform unauthorized actions on the affected device.
This issue is being tracked by Cisco Bug ID CSCui07698. This solution is mainly used to encrypt data transmitted over a wide area network.
| VAR-201308-0059 | CVE-2013-1616 | Symantec Web Gateway appliance management console arbitrary command execution vulnerability |
CVSS V2: 8.3 CVSS V3: - Severity: HIGH |
The management console on the Symantec Web Gateway (SWG) appliance before 5.1.1 allows remote attackers to execute arbitrary commands by injecting a command into an application script. Symantec Web Gateway is prone to a remote command-injection vulnerability.
Successful exploits will result in the execution of arbitrary commands with elevated privileges in the context of the affected appliance.
Versions prior to Symantec Web Gateway 5.1.1 are vulnerable. Symantec Web Gateway (SWG) is a set of network content filtering software developed by Symantec Corporation of the United States. The software provides web content filtering, data loss prevention, and more. A security vulnerability exists in the management console of SWG Appliance 5.1 and earlier.
SEC Consult Vulnerability Lab Security Advisory < 20130726-0 >
=======================================================================
title: Multiple vulnerabilities - Surveillance via Symantec Web
Gateway
product: Symantec Web Gateway
vulnerable version: <= 5.1.0.*
fixed version: 5.1.1
CVE number: CVE-2013-1616, CVE-2013-1617, CVE-2013-4670,
CVE-2013-4671, CVE-2013-4672
impact: Critical
homepage: https://www.symantec.com/
found: 2012-12-18
by: Wolfgang Ettlinger
SEC Consult Vulnerability Lab
https://www.sec-consult.com
=======================================================================
Vendor/product description:
-----------------------------
"Symantec Web Gateway protects organizations against multiple types of Web-borne
malware and gives organizations the flexibility of deploying it as either a
virtual appliance or on physical hardware. Powered by Insight, Symantec’s
innovative reputation based malware filtering technology, Web Gateway relies on
a global network of greater than 210 million systems to identify new threats
before they cause disruption in organizations."
URL: https://www.symantec.com/web-gateway
Business recommendation:
------------------------
SEC Consult has identified several vulnerabilities within the components of
Symantec Web Gateway in the course of a short crash test. Some components have
been spot-checked, while others have not been tested at all.
An attacker can get unauthorized access to the appliance and plant backdoors or
access configuration files containing credentials for other systems (eg. Active
Directory/LDAP credentials) which can be used in further attacks.
Since all web traffic passes through the appliance, interception of HTTP as
well as the plaintext form of HTTPS traffic (if SSL Deep Inspection feature in
use), including sensitive information like passwords and session cookies is
possible.
If SSL Deep Inspection is enabled, the appliance holds a private key for a
Certificate Authority (CA) certificate that is installed/trusted on all
workstations in the company. If this private key is compromised by an attacker,
arbitrary certificates can be signed. These certificates will then pass
validation on the client machines, enabling various attacks targeting
clients (further MITM attacks, phishing, evilgrade, ...).
The recommendation of SEC Consult is to switch off the product until a
comprehensive security audit based on a security source code review has been
performed and all identified security deficiencies have been resolved by the
vendor.
Vulnerability overview/description:
-----------------------------------
1) Reflected Cross Site Scripting (XSS) (CVE-2013-4670)
A reflected cross site scripting vulnerability was found. This allows
effective session hijacking attacks of administrator session cookies.
2) Persistent Cross Site Scripting (XSS) (CVE-2013-4670)
Moreover a persistent cross site scripting vulnerability allows an
unauthenticated user to inject script code into the administration interface.
This script code will be executed once an administrator visits the
administration interface.
3) OS Command Injection (CVE-2013-1616)
Multiple OS command injection vulnerabilities were discovered. Authenticated
users can execute arbitrary commands on the underlying operating system with
the privileges of the "apache" operating system user.
This can be used to get persistent access to the affected system (eg. by
planting backdoors), accessing all kinds of locally stored information or
interception of web traffic that passes through the appliance.
4) Security Misconfiguration (CVE-2013-4672)
Unprivileged operating system users (eg. apache) can gain root privileges
due to a misconfiguration of the sudo program.
5) SQL Injection (CVE-2013-1617)
Several SQL injection vulnerabilities were identified that allow an
authenticated administrator to issue manipulated SQL commands.
6) Cross Site Request Forgery (CVE-2013-4671)
The cross site request forgery protection implemented can be bypassed easily.
Using this vulnerability, an attacker can issue requests in the context of
administrative user sessions.
Proof of concept:
-----------------
1) Reflected Cross Site Scripting (XSS) (CVE-2013-4670)
The following URL demonstrates a reflected cross site scripting vulnerability:
https://<host>/spywall/feedback_report.php?rpp=0%27%20onfocus=%22alert%28%27xss%27%29%22%20autofocus/%3E
2) Persistent Cross Site Scripting (XSS) (CVE-2013-4670)
The "blocked.php" page, which is accessible without authentication, allows injecting
script code into the "Blocking Feedback" functionality on the
administration interface. The following URL demonstrates this issue. The
payload of the parameter "u" will be stored permanently:
https://<host>/spywall/blocked.php?id=1&history=-2&u=%27/%3E%3Cscript%3Ealert%28%27xss%27%29;%3C/script%3E
3) OS Command Injection (CVE-2013-1616)
The functionality to change the hostname as well as the "Test Ping"
functionality allow injecting commands enclosed in backticks (`). These commands
are run as the system user "apache".
Affected scripts: /spywall/nameConfig.php
/spywall/networkConfig.php
Detailed proof of concept exploits have been removed for this vulnerability.
4) Security Misconfiguration (CVE-2013-4672)
The /etc/sudoers file allows the users "apache" and "admin" to run several
critical commands with root privileges. As the user "apache" is able to run
commands like "chmod", "chown" and "insmod" without the need of a password,
an attacker that is able to issue commands as this user (see 3) can effectively
gain root privileges.
5) SQL Injection (CVE-2013-1617)
The following URLs demonstrate the SQL injection flaws found by printing the
username and password hash of all users:
https://<host>/spywall/feedback_report.php?variable[]=1) UNION SELECT 1,2,3,4,username,6,7,8,9,password FROM users -- &operator[]=notequal&operand[]=x
https://<host>/spywall/edit_alert.php?alertid=11%20UNION%20SELECT%201,2,username,password,5,6,7,8,9,10,111,12,13,14,15,16,17,18%20FROM%20users%20--%20
6) Cross Site Request Forgery (CVE-2013-4671)
As an example, the following request configures an LDAP server to authenticate
administrative users:
POST /spywall/ldapConfig.php HTTP/1.1
Host: <host>
Cookie: PHPSESSID=<valid-cookie>
Content-Type: application/x-www-form-urlencoded
Content-Length: 247
posttime=9999999999&saveForm=Save&useldap=1&ldap_host=0.0.0.0&ldap_port=389&auth_method=Simple&search_base=dc%3Dtest%2Cdc%3Dlocal&ldap_user=test&ldap_password=test&dept_type=dept&user_attribute=sAMAccountName&user_attribute_other=&ldap_timeout=168
The sole CSRF protection is the "posttime" parameter that contains a unix
timestamp that has to be greater than the one in the last request. Using the value
of eg. "9999999999" would always succeed.
Attack scenario:
----------------
Using the vulnerabilities mentioned above, the following attack has been
implemented (the exploit code will not be published):
1) A user protected by Symantec Web Gateway visits a website that embeds an
image (possible in most web forums), a URL or an IFrame. The URL of the
resource points to a blocked page (eg. the EICAR test file) and also
includes script code (Persistent XSS). If the blocked URL contains the parameter "history=-2"
(which has been added by the attacker) the URL/script (Persistent XSS) is
automatically stored as a "Blocking Feedback" entry in the admin interface.
3) When the administrator visits the "Blocking Feedback" page, the injected
script is executed. Using the OS command injection flaw, the script now
automatically downloads and executes a shell script.
4) As the user "apache" has permission to execute "chmod" and "chown" as root,
the shell script can now create a SUID binary and run a reverse shell as root.
5) The attacker can now access the system with highest (root) privileges.
Note: This attack only requires a user (protected by the Symantec Web
Gateway) to visit a "malicious" page. This can be achieved by sending phishing
mails to employees, or embedding images, URLs or IFrames in websites employees
would likely visit.
If the attacker has already access to the target network, this is of course not
necessary - the persistent XSS vulnerability can be exploited directly.
Note: No prior knowledge about hostnames or internal IP addresses in the target
network is needed!
A detailed proof of concept exploit has been created but will not be
published.
Vendor contact timeline:
------------------------
2013-02-22: Sending advisory and proof of concept exploit via encrypted
channel.
2013-02-22: Vendor acknowledges receipt of advisory.
2013-03-05: Requesting status update.
2013-03-05: Vendor confirms vulnerabilities, is working on solutions.
2013-03-22: Requesting status update.
2013-03-22: Vendor is still working on solutions.
2013-04-19: Requesting status update and release schedule.
2013-04-19: Vendor is in the "final phases" of releasing an update.
2013-06-05: Sending reminder regarding deadlines defined in disclosure policy.
2013-06-05: Vendor will release an update in "Mid-July".
2013-07-16: Vendor postpones update to timeframe between July 22 and 25.
2013-07-25: Vendor releases advisory and product update (version 5.1.1).
2013-07-26: SEC Consult releases coordinated security advisory.
More information can be found at:
http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20130725_00
Workaround:
-----------
No workaround available.
Advisory URL:
--------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab
SEC Consult
Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius
Headquarter:
Mooslackengasse 17, 1190 Vienna, Austria
Phone: +43 1 8903043 0
Fax: +43 1 8903043 15
Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult
EOF Wolfgang Ettlinger / @2013
| VAR-201308-0060 | CVE-2013-1617 | Symantec Web Gateway appliance management console SQL injection vulnerability |
CVSS V2: 7.4 CVSS V3: - Severity: HIGH |
Multiple SQL injection vulnerabilities in the management console on the Symantec Web Gateway (SWG) appliance before 5.1.1 allow remote authenticated administrators to execute arbitrary SQL commands via unspecified vectors. Symantec Web Gateway is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Versions prior to Symantec Web Gateway 5.1.1 are vulnerable. Symantec Web Gateway (SWG) is a set of network content filtering software developed by Symantec Corporation of the United States. The software provides web content filtering, data loss prevention, and more.
SEC Consult Vulnerability Lab Security Advisory < 20130726-0 >
=======================================================================
title: Multiple vulnerabilities - Surveillance via Symantec Web
Gateway
product: Symantec Web Gateway
vulnerable version: <= 5.1.0.*
fixed version: 5.1.1
CVE number: CVE-2013-1616, CVE-2013-1617, CVE-2013-4670,
CVE-2013-4671, CVE-2013-4672
impact: Critical
homepage: https://www.symantec.com/
found: 2012-12-18
by: Wolfgang Ettlinger
SEC Consult Vulnerability Lab
https://www.sec-consult.com
=======================================================================
Vendor/product description:
-----------------------------
"Symantec Web Gateway protects organizations against multiple types of Web-borne
malware and gives organizations the flexibility of deploying it as either a
virtual appliance or on physical hardware. Powered by Insight, Symantec’s
innovative reputation based malware filtering technology, Web Gateway relies on
a global network of greater than 210 million systems to identify new threats
before they cause disruption in organizations."
URL: https://www.symantec.com/web-gateway
Business recommendation:
------------------------
SEC Consult has identified several vulnerabilities within the components of
Symantec Web Gateway in the course of a short crash test. Some components have
been spot-checked, while others have not been tested at all.
Several of the discovered vulnerabilities below can be chained together in
order to run arbitrary commands with the privileges of the "root" user on the
appliance.
An attacker can get unauthorized access to the appliance and plant backdoors or
access configuration files containing credentials for other systems (eg. Active
Directory/LDAP credentials) which can be used in further attacks.
Since all web traffic passes through the appliance, interception of HTTP as
well as the plaintext form of HTTPS traffic (if SSL Deep Inspection feature in
use), including sensitive information like passwords and session cookies is
possible.
If SSL Deep Inspection is enabled, the appliance holds a private key for a
Certificate Authority (CA) certificate that is installed/trusted on all
workstations in the company. If this private key is compromised by an attacker,
arbitrary certificates can be signed. These certificates will then pass
validation on the client machines, enabling various attacks targeting
clients (further MITM attacks, phishing, evilgrade, ...).
The recommendation of SEC Consult is to switch off the product until a
comprehensive security audit based on a security source code review has been
performed and all identified security deficiencies have been resolved by the
vendor.
Vulnerability overview/description:
-----------------------------------
1) Reflected Cross Site Scripting (XSS) (CVE-2013-4670)
A reflected cross site scripting vulnerability was found. This allows
effective session hijacking attacks of administrator session cookies.
2) Persistent Cross Site Scripting (XSS) (CVE-2013-4670)
Moreover a persistent cross site scripting vulnerability allows an
unauthenticated user to inject script code into the administration interface.
This script code will be executed once an administrator visits the
administration interface.
3) OS Command Injection (CVE-2013-1616)
Multiple OS command injection vulnerabilities were discovered. Authenticated
users can execute arbitrary commands on the underlying operating system with
the privileges of the "apache" operating system user.
This can be used to get persistent access to the affected system (eg. by
planting backdoors), accessing all kinds of locally stored information or
interception of web traffic that passes through the appliance.
4) Security Misconfiguration (CVE-2013-4672)
Unprivileged operating system users (eg. apache) can gain root privileges
due to a misconfiguration of the sudo program.
6) Cross Site Request Forgery (CVE-2013-4671)
The cross site request forgery protection implemented can be bypassed easily.
Using this vulnerability, an attacker can issue requests in the context of
administrative user sessions.
Several of the vulnerabilities above can be chained together by an
unauthenticated attacker in order to run arbitrary commands with the
privileges of the "root" operating system user on the appliance.
Proof of concept:
-----------------
1) Reflected Cross Site Scripting (XSS) (CVE-2013-4670)
The following URL demonstrates a reflected cross site scripting vulnerability:
https://<host>/spywall/feedback_report.php?rpp=0%27%20onfocus=%22alert%28%27xss%27%29%22%20autofocus/%3E
2) Persistent Cross Site Scripting (XSS) (CVE-2013-4670)
The "blocked.php" page, which is accessible without authentication, allows injecting
script code into the "Blocking Feedback" functionality on the
administration interface. The following URL demonstrates this issue. The
payload of the parameter "u" will be stored permanently:
https://<host>/spywall/blocked.php?id=1&history=-2&u=%27/%3E%3Cscript%3Ealert%28%27xss%27%29;%3C/script%3E
3) OS Command Injection (CVE-2013-1616)
The functionality to change the hostname as well as the "Test Ping"
functionality allow injecting commands enclosed in backticks (`). These commands
are run as the system user "apache".
Affected scripts: /spywall/nameConfig.php
/spywall/networkConfig.php
Detailed proof of concept exploits have been removed for this vulnerability.
4) Security Misconfiguration (CVE-2013-4672)
The /etc/sudoers file allows the users "apache" and "admin" to run several
critical commands with root privileges. As the user "apache" is able to run
commands like "chmod", "chown" and "insmod" without the need of a password,
an attacker that is able to issue commands as this user (see 3) can effectively
gain root privileges.
5) SQL Injection (CVE-2013-1617)
The following URLs demonstrate the SQL injection flaws found by printing the
username and password hash of all users:
https://<host>/spywall/feedback_report.php?variable[]=1) UNION SELECT 1,2,3,4,username,6,7,8,9,password FROM users -- &operator[]=notequal&operand[]=x
https://<host>/spywall/edit_alert.php?alertid=11%20UNION%20SELECT%201,2,username,password,5,6,7,8,9,10,111,12,13,14,15,16,17,18%20FROM%20users%20--%20
6) Cross Site Request Forgery (CVE-2013-4671)
As an example, the following request configures an LDAP server to authenticate
administrative users:
POST /spywall/ldapConfig.php HTTP/1.1
Host: <host>
Cookie: PHPSESSID=<valid-cookie>
Content-Type: application/x-www-form-urlencoded
Content-Length: 247
posttime=9999999999&saveForm=Save&useldap=1&ldap_host=0.0.0.0&ldap_port=389&auth_method=Simple&search_base=dc%3Dtest%2Cdc%3Dlocal&ldap_user=test&ldap_password=test&dept_type=dept&user_attribute=sAMAccountName&user_attribute_other=&ldap_timeout=168
The sole CSRF protection is the "posttime" parameter that contains a unix
timestamp that has to be greater than the one in the last request. Using the value
of eg. "9999999999" would always succeed.
Attack scenario:
----------------
Using the vulnerabilities mentioned above, the following attack has been
implemented (the exploit code will not be published):
1) A user protected by Symantec Web Gateway visits a website that embeds an
image (possible in most web forums), a URL or an IFrame. The URL of the
resource points to a blocked page (eg. the EICAR test file) and also
includes script code (Persistent XSS). If the blocked URL contains the parameter "history=-2"
(which has been added by the attacker) the URL/script (Persistent XSS) is
automatically stored as a "Blocking Feedback" entry in the admin interface.
3) When the administrator visits the "Blocking Feedback" page, the injected
script is executed. Using the OS command injection flaw, the script now
automatically downloads and executes a shell script.
4) As the user "apache" has permission to execute "chmod" and "chown" as root,
the shell script can now create a SUID binary and run a reverse shell as root.
5) The attacker can now access the system with the highest (root) privileges.
Note: This attack only requires a user (protected by the Symantec Web
Gateway) to visit a "malicious" page. This can be achieved by sending phishing
mails to employees, or embedding images, URLs or IFrames in websites employees
would likely visit.
If the attacker already has access to the target network, this is of course not
necessary; the persistent XSS vulnerability can be exploited directly.
Note: No prior knowledge about hostnames or internal IP addresses in the target
network is needed!
A detailed proof of concept exploit has been created but will not be
published.
Vendor contact timeline:
------------------------
2013-02-22: Sending advisory and proof of concept exploit via encrypted
channel.
2013-02-22: Vendor acknowledges receipt of advisory.
2013-03-05: Requesting status update.
2013-03-05: Vendor confirms vulnerabilities, is working on solutions.
2013-03-22: Requesting status update.
2013-03-22: Vendor is still working on solutions.
2013-04-19: Requesting status update and release schedule.
2013-04-19: Vendor is in the "final phases" of releasing an update.
2013-06-05: Sending reminder regarding deadlines defined in disclosure policy.
2013-06-05: Vendor will release an update in "Mid-July".
2013-07-16: Vendor postpones update to timeframe between July 22 and 25.
2013-07-25: Vendor releases advisory and product update (version 5.1.1).
2013-07-26: SEC Consult releases coordinated security advisory.
More information can be found at:
http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20130725_00
Workaround:
-----------
No workaround available.
Advisory URL:
--------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab
SEC Consult
Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius
Headquarter:
Mooslackengasse 17, 1190 Vienna, Austria
Phone: +43 1 8903043 0
Fax: +43 1 8903043 15
Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult
EOF Wolfgang Ettlinger / @2013
| VAR-201308-0343 | CVE-2013-4670 | Symantec Web Gateway Appliance management console cross-site scripting vulnerability |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Multiple cross-site scripting (XSS) vulnerabilities in the management console on the Symantec Web Gateway (SWG) appliance before 5.1.1 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.
Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or control how the site is rendered to the user. Other attacks are also possible.
Versions prior to Symantec Web Gateway 5.1.1 are vulnerable. The software provides web content filtering, data loss prevention, and more. See SEC Consult Vulnerability Lab Security Advisory < 20130726-0 > (reproduced above).
| VAR-201308-0344 | CVE-2013-4671 | Symantec Web Gateway Appliance management console cross-site request forgery vulnerability |
CVSS V2: 6.0 CVSS V3: - Severity: MEDIUM |
Cross-site request forgery (CSRF) vulnerability in the management console on the Symantec Web Gateway (SWG) appliance before 5.1.1 allows remote authenticated users to hijack the authentication of unspecified victims via unknown vectors. Other attacks are also possible.
Versions prior to Symantec Web Gateway 5.1.1 are vulnerable. Symantec Web Gateway (SWG) is a set of network content filtering software developed by Symantec Corporation of the United States. The software provides web content filtering, data loss prevention, and more. See SEC Consult Vulnerability Lab Security Advisory < 20130726-0 > (reproduced above).
| VAR-201308-0346 | CVE-2013-4673 | Symantec Web Gateway Appliance management console arbitrary code execution vulnerability |
CVSS V2: 5.8 CVSS V3: - Severity: MEDIUM |
The management console on the Symantec Web Gateway (SWG) appliance before 5.1.1 does not properly implement RADIUS authentication, which allows remote attackers to execute arbitrary code by leveraging access to the login prompt.
Successful exploits will result in the execution of arbitrary commands in the context of the affected appliance.
Versions prior to Symantec Web Gateway 5.1.1 are vulnerable. Symantec Web Gateway (SWG) is a set of network content filtering software developed by Symantec Corporation of the United States. The software provides web content filtering, data loss prevention, and more. There is a vulnerability in the management console of SWG Appliance versions earlier than 5.1. The vulnerability is caused by the program not implementing RADIUS authentication correctly
| VAR-201307-0136 | CVE-2013-1218 | Cisco Intrusion Prevention System software denial of service (DoS) vulnerability in Cisco ASA 5500-X IPS-SSP |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Cisco Intrusion Prevention System (IPS) Software in ASA 5500-X IPS-SSP software modules before 7.1(7)sp1E4 allows remote attackers to cause a denial of service (Analysis Engine process hang or device reload) via fragmented (1) IPv4 or (2) IPv6 packets, aka Bug ID CSCue51272. Cisco IPS Software is prone to a remote denial-of-service vulnerability.
An attacker can exploit this issue to cause an affected device to reload, denying service to legitimate users.
This issue is being tracked by Cisco Bug ID CSCue51272. Cisco Intrusion Prevention System (IPS) is an intrusion prevention system from Cisco. The system can immediately interrupt, adjust or isolate abnormal or harmful network traffic. A buffer overflow vulnerability exists in the IPS software in versions prior to 7.1(7)sp1E4 of the ASA 5500-X IPS-SSP software module
| VAR-201307-0135 | CVE-2013-1243 | Cisco IPS Software IP stack denial of service (DoS) vulnerability in Cisco ASA 5500-X IPS-SSP and IPS sensors |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
The IP stack in Cisco Intrusion Prevention System (IPS) Software in ASA 5500-X IPS-SSP software and hardware modules before 7.1(5)E4, IPS 4500 sensors before 7.1(6)E4, and IPS 4300 sensors before 7.1(5)E4 allows remote attackers to cause a denial of service (MainApp process hang) via malformed IPv4 packets, aka Bug ID CSCtx18596. The vendor has confirmed this vulnerability and tracks it as Bug ID CSCtx18596. A third party may cause a denial of service (MainApp process hang) via malformed IPv4 packets. Cisco IPS Software is prone to a remote denial-of-service vulnerability.
Attackers can exploit this issue to cause denial-of-service conditions.
This issue is being tracked by Cisco Bug ID CSCtx18596. Cisco Intrusion Prevention System (IPS) is an intrusion prevention system from Cisco. The system can immediately interrupt, adjust or isolate abnormal or harmful network traffic. A remote attacker can send malformed IP packets to exploit this vulnerability and cause a denial of service (MainApp process hang)
| VAR-201307-0231 | CVE-2013-3402 | Cisco Unified Communications Manager arbitrary command execution vulnerability in an unspecified function |
CVSS V2: 6.5 CVSS V3: - Severity: MEDIUM |
An unspecified function in Cisco Unified Communications Manager (CUCM) 7.1(x) through 9.1(2) allows remote authenticated users to execute arbitrary commands via unknown vectors, aka Bug ID CSCuh73440. The vendor has confirmed this vulnerability and tracks it as Bug ID CSCuh73440. Arbitrary commands may be executed by a remotely authenticated user.
Successfully exploiting this issue may allow an attacker to execute arbitrary OS commands with the privileges of the database user in context of the affected application.
This issue is being tracked by Cisco bug ID CSCuh73440.
Versions prior to Unified Communications Manager 9.1(2) are affected. This component provides a scalable, distributed and highly available enterprise IP telephony call processing solution
| VAR-201307-0232 | CVE-2013-3403 | Cisco Unified Communications Manager vulnerability allowing local users to gain privileges |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Multiple untrusted search path vulnerabilities in Cisco Unified Communications Manager (CUCM) 7.1(x) through 9.1(1a) allow local users to gain privileges by leveraging unspecified file-permission and environment-variable issues for privileged programs, aka Bug ID CSCuh73454. The vendor has confirmed this vulnerability and tracks it as Bug ID CSCuh73454. Supplementary information: the vulnerability type has been identified by CWE as CWE-426: Untrusted Search Path.
Local attackers can exploit these issues to gain elevated privileges. Successful exploits will result in the complete compromise of affected computers.
This issue is being tracked by Cisco Bug IDs CSCuh73454 and CSCuh87042. This component provides a scalable, distributed and highly available enterprise IP telephony call processing solution
| VAR-201307-0233 | CVE-2013-3404 | Cisco Unified Communications Manager SQL injection vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
SQL injection vulnerability in Cisco Unified Communications Manager (CUCM) 7.1(x) through 9.1(1a) allows remote attackers to execute arbitrary SQL commands via unspecified vectors, leading to discovery of encrypted credentials by leveraging metadata, aka Bug ID CSCuh01051. The vendor has confirmed this vulnerability and tracks it as Bug ID CSCuh01051. A third party may execute arbitrary SQL commands and, by leveraging metadata, discover encrypted credentials.
Exploiting this issue could allow an authenticated attacker to compromise the affected application, access or modify data, or exploit latent vulnerabilities in the underlying database.
This issue is tracked by Cisco Bug ID CSCuh01051. This component provides a scalable, distributed and highly available enterprise IP telephony call processing solution