VARIoT IoT vulnerabilities database
| VAR-201211-0618 | No CVE | Parallels Plesk Panel Unspecified Security Vulnerability |
CVSS V2: - CVSS V3: - Severity: - |
Parallels Plesk Panel is prone to an unspecified vulnerability.
Little is known about this issue or its effects at this time. We will update this BID as more information emerges.
| VAR-201211-0491 | No CVE | Hitachi JP1 / File Transmission Server / FTP Buffer Overflow Vulnerability |
CVSS V2: - CVSS V3: - Severity: - |
Hitachi JP1/File Transmission Server/FTP is an FTP-based file transfer server designed by Hitachi. An unknown error during file transfer allows an attacker to trigger a buffer overflow, which can lead to execution of arbitrary code in the context of the application. Hitachi JP1/File Transmission Server/FTP is prone to multiple security vulnerabilities including:
1. A security bypass vulnerability
2. ----------------------------------------------------------------------
The final version of the CSI 6.0 has been released.
Find out why this is not just another Patch Management solution: http://secunia.com/blog/325/
----------------------------------------------------------------------
TITLE:
Hitachi JP1/File Transmission Server/FTP Security Bypass and Buffer
Overflow Vulnerabilities
SECUNIA ADVISORY ID:
SA51148
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/51148/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=51148
RELEASE DATE:
2012-11-01
DISCUSS ADVISORY:
http://secunia.com/advisories/51148/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/51148/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=51148
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Two vulnerabilities have been reported in Hitachi JP1/File
Transmission Server/FTP, which can be exploited by malicious users to
bypass certain security restrictions and potentially compromise a
vulnerable system.
1) An unspecified error within the user authentication functionality
can be exploited to gain access to otherwise restricted files.
Successful exploitation of this vulnerability may allow execution of
arbitrary code.
Please see the vendor's advisory for a list of affected versions.
SOLUTION:
Apply updates (please see the vendor's advisory for details).
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
Hitachi (HS12-022):
http://www.hitachi.co.jp/Prod/comp/soft1/security/info/vuls/HS12-022/index.html
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-201211-0425 | CVE-2012-1813 | C3-ilex EOScada Resource Management Error Denial of Service Vulnerability |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
eosfailoverservice.exe in C3-ilex EOScada before 11.0.19.2 allows remote attackers to cause a denial of service by sending a large amount of data to TCP port 12000. C3-ilex EOScada is a real-time Windows-based energy management system for SCADA systems such as hydropower and oil and gas. C3-ilex EOScada is prone to multiple security vulnerabilities.
Attackers can exploit these issues to cause denial-of-service conditions and disclose sensitive information; other attacks are also possible.
C3-ilex EOScada versions prior to 11.0.19.2 are vulnerable.
TITLE:
EOScada Information Disclosure and Denial of Service Vulnerabilities
SECUNIA ADVISORY ID:
SA51171
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/51171/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=51171
RELEASE DATE:
2012-11-02
DISCUSS ADVISORY:
http://secunia.com/advisories/51171/#comments
DESCRIPTION:
Multiple vulnerabilities have been reported in EOScada, which can be
exploited by malicious people to disclose potentially sensitive
information and cause a DoS (Denial of Service).
4) An error in eosfailoverservice.exe can be exploited to cause the
service to return unspecified data in clear text.
SOLUTION:
Update to version 11.0.19.2.
PROVIDED AND/OR DISCOVERED BY:
ICS-CERT credits Dale Peterson, Digital Bond.
ORIGINAL ADVISORY:
ICS-CERT:
http://www.us-cert.gov/control_systems/pdf/ICSA-12-271-01.pdf
| VAR-201211-0424 | CVE-2012-1812 | C3-ilex EOScada of eosfailoverservice.exe Vulnerability in obtaining important plaintext information |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
eosfailoverservice.exe in C3-ilex EOScada before 11.0.19.2 allows remote attackers to obtain sensitive cleartext information via a session on TCP port 12000. C3-ilex EOScada is a real-time Windows-based energy management system for SCADA systems such as hydropower and oil and gas. C3-ilex EOScada is prone to multiple security vulnerabilities.
Attackers can exploit these issues to cause denial-of-service conditions and disclose sensitive information; other attacks are also possible.
C3-ilex EOScada versions prior to 11.0.19.2 are vulnerable.
TITLE:
EOScada Information Disclosure and Denial of Service Vulnerabilities
SECUNIA ADVISORY ID:
SA51171
RELEASE DATE:
2012-11-02
DESCRIPTION:
Multiple vulnerabilities have been reported in EOScada, which can be
exploited by malicious people to disclose potentially sensitive
information and cause a DoS (Denial of Service).
1) An error in "EOS Core Scada.exe" when processing certain data can
be exploited to cause a crash via random data sent to TCP port 5050
or 24004.
2) An error in EOSDataServer.exe when processing certain data can be
exploited to cause a resource management error via large amount of
data sent to TCP port 24006.
3) An error in eosfailoverservice.exe when processing certain data
can be exploited to cause a resource management error via large
amount of data sent to TCP port 12000.
4) An error in eosfailoverservice.exe can be exploited to cause the
service to return unspecified data in clear text.
SOLUTION:
Update to version 11.0.19.2.
PROVIDED AND/OR DISCOVERED BY:
ICS-CERT credits Dale Peterson, Digital Bond.
ORIGINAL ADVISORY:
ICS-CERT:
http://www.us-cert.gov/control_systems/pdf/ICSA-12-271-01.pdf
| VAR-201211-0423 | CVE-2012-1811 | C3-ilex EOScada Resource Management Error Vulnerability |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
EOSDataServer.exe in C3-ilex EOScada before 11.0.19.2 allows remote attackers to cause a denial of service by sending a large amount of data to TCP port 24006. C3-ilex EOScada is a real-time Windows-based energy management system for SCADA systems such as hydropower and oil and gas. C3-ilex EOScada is prone to multiple security vulnerabilities.
Attackers can exploit these issues to cause denial-of-service conditions and disclose sensitive information; other attacks are also possible.
C3-ilex EOScada versions prior to 11.0.19.2 are vulnerable.
TITLE:
EOScada Information Disclosure and Denial of Service Vulnerabilities
SECUNIA ADVISORY ID:
SA51171
RELEASE DATE:
2012-11-02
DESCRIPTION:
Multiple vulnerabilities have been reported in EOScada, which can be
exploited by malicious people to disclose potentially sensitive
information and cause a DoS (Denial of Service).
4) An error in eosfailoverservice.exe can be exploited to cause the
service to return unspecified data in clear text.
SOLUTION:
Update to version 11.0.19.2.
PROVIDED AND/OR DISCOVERED BY:
ICS-CERT credits Dale Peterson, Digital Bond.
ORIGINAL ADVISORY:
ICS-CERT:
http://www.us-cert.gov/control_systems/pdf/ICSA-12-271-01.pdf
| VAR-201211-0422 | CVE-2012-1810 | C3-ilex EOScada Access control vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
EOSCoreScada.exe in C3-ilex EOScada before 11.0.19.2 allows remote attackers to cause a denial of service (daemon restart) by sending data to TCP port (1) 5050 or (2) 24004. C3-ilex EOScada is a real-time Windows-based energy management system for SCADA systems such as hydropower and oil and gas. C3-ilex EOScada is prone to multiple security vulnerabilities.
Attackers can exploit these issues to cause denial-of-service conditions and disclose sensitive information; other attacks are also possible.
C3-ilex EOScada versions prior to 11.0.19.2 are vulnerable.
TITLE:
EOScada Information Disclosure and Denial of Service Vulnerabilities
SECUNIA ADVISORY ID:
SA51171
RELEASE DATE:
2012-11-02
DESCRIPTION:
Multiple vulnerabilities have been reported in EOScada, which can be
exploited by malicious people to disclose potentially sensitive
information and cause a DoS (Denial of Service).
4) An error in eosfailoverservice.exe can be exploited to cause the
service to return unspecified data in clear text.
SOLUTION:
Update to version 11.0.19.2.
PROVIDED AND/OR DISCOVERED BY:
ICS-CERT credits Dale Peterson, Digital Bond.
ORIGINAL ADVISORY:
ICS-CERT:
http://www.us-cert.gov/control_systems/pdf/ICSA-12-271-01.pdf
| VAR-201211-0321 | CVE-2012-3750 | Apple iOS 6.0.1 Vulnerabilities that can bypass passcode requests in less than passcode lock implementations |
CVSS V2: 3.6 CVSS V3: - Severity: LOW |
The Passcode Lock implementation in Apple iOS before 6.0.1 does not properly manage the lock state, which allows physically proximate attackers to bypass an intended passcode requirement and access Passbook passes via unspecified vectors. Apple iOS for the iPhone, the iPod touch, and the iPad is prone to a local security-bypass vulnerability.
An attacker with physical access to the affected device can exploit this issue to access user data without entering a passcode.
The issue is fixed in Apple iOS 6.0.1. Physically proximate attackers could exploit this vulnerability via an unknown vector to bypass the passcode requirement and gain access to Passbook passes.
APPLE-SA-2012-11-01-1 iOS 6.0.1
iOS 6.0.1 is now available and addresses the following:
Kernel
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Maliciously crafted or compromised iOS applications may be
able to determine addresses in the kernel
Description: An information disclosure issue existed in the handling
of APIs related to kernel extensions. Responses containing an
OSBundleMachOHeaders key may have included kernel addresses, which
may aid in bypassing address space layout randomization protection.
This issue was addressed by unsliding the addresses before returning
them.
CVE-ID
CVE-2012-3749 : Mark Dowd of Azimuth Security, Eric Monti of Square,
and additional anonymous researchers
Passcode Lock
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: A person with physical access to the device may be able to
access Passbook passes without entering a passcode
Description: A state management issue existed in the handling of
Passbook passes at the lock screen. This issue was addressed through
improved handling of Passbook passes.
CVE-ID
CVE-2012-3750 : Anton Tsviatkou
WebKit
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description: A time of check to time of use issue existed in the
handling of JavaScript arrays. This issue was addressed through
additional validation of JavaScript arrays.
CVE-ID
CVE-2012-3748 : Joost Pol and Daan Keuper of Certified Secure working
with HP TippingPoint's Zero Day Initiative
WebKit
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description: A use after free issue existed in the handling of SVG
images. This issue was addressed through improved memory handling.
CVE-ID
CVE-2012-5112 : Pinkie Pie working with Google's Pwnium 2 contest
Installation note:
This update is available through iTunes and Software Update on your
iOS device, and will not appear in your computer's Software Update
application, or in the Apple Downloads site. Make sure you have an
Internet connection and have installed the latest version of iTunes
from www.apple.com/itunes/
iTunes and Software Update on the device will automatically check
Apple's update server on its weekly schedule. When an update is
detected, it is downloaded and the option to be installed is
presented to the user when the iOS device is docked. We recommend
applying the update immediately if possible. Selecting Don't Install
will present the option the next time you connect your iOS device.
The automatic update process may take up to a week depending on the
day that iTunes or the device checks for updates. You may manually
obtain the update via the Check for Updates button within iTunes, or
the Software Update on your device. The version after applying this update
will be "6.0.1".
Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
TITLE:
Apple iOS Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA51162
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/51162/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=51162
RELEASE DATE:
2012-11-02
DISCUSS ADVISORY:
http://secunia.com/advisories/51162/#comments
DESCRIPTION:
A weakness and multiple vulnerabilities have been reported in Apple
iOS, which can be exploited by malicious people with physical access
to bypass certain security restrictions and by malicious people to
disclose certain system information and compromise a vulnerable
device.
1) The weakness is caused due to an error within the kernel when
handling certain APIs and can be exploited to disclose the
OSBundleMachOHeaders key, which includes kernel addresses.
3) Some vulnerabilities exist due to a bundled vulnerable version of
the WebKit component.
PROVIDED AND/OR DISCOVERED BY:
The vendor credits:
1) Mark Dowd of Azimuth Security, Eric Monti of Square, and anonymous
people
2) Anton Tsviatkou
ORIGINAL ADVISORY:
APPLE-SA-2012-11-01-1:
http://support.apple.com/kb/HT5567
| VAR-201211-0319 | CVE-2012-3748 | Apple iOS Used in products such as WebKit Vulnerable to arbitrary code execution |
CVSS V2: 5.1 CVSS V3: - Severity: MEDIUM |
Race condition in WebKit in Apple iOS before 6.0.1 and Safari before 6.0.2 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via vectors involving JavaScript arrays. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of Array objects. When splicing a sparse array, the size of the sparse array is not properly validated. In addition, parameters checked at the beginning of a function are never validated again despite being modified later on. By abusing this behavior an attacker can ensure this memory is under control and leverage the situation to achieve remote code execution. WebKit is prone to a remote code-execution vulnerability. Failed exploit attempts may result in a denial-of-service condition. WebKit is an open source web browser engine jointly developed by companies such as KDE, Apple, and Google, and is currently used by browsers such as Apple Safari and Google Chrome. A race condition vulnerability exists in WebKit in Apple iOS versions prior to 6.0.1 and Safari versions prior to 6.0.2.
CVE-ID
CVE-2012-3748 : Joost Pol and Daan Keuper of Certified Secure working
with HP TippingPoint's Zero Day Initiative
Installation note:
Apple TV will periodically check for software updates.
APPLE-SA-2012-11-01-1 iOS 6.0.1
iOS 6.0.1 is now available and addresses the following:
Kernel
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Maliciously crafted or compromised iOS applications may be
able to determine addresses in the kernel
Description: An information disclosure issue existed in the handling
of APIs related to kernel extensions. Responses containing an
OSBundleMachOHeaders key may have included kernel addresses, which
may aid in bypassing address space layout randomization protection.
This issue was addressed by unsliding the addresses before returning
them.
CVE-ID
CVE-2012-3749 : Mark Dowd of Azimuth Security, Eric Monti of Square,
and additional anonymous researchers
Passcode Lock
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: A person with physical access to the device may be able to
access Passbook passes without entering a passcode
Description: A state management issue existed in the handling of
Passbook passes at the lock screen. This issue was addressed through
improved handling of Passbook passes.
CVE-ID
CVE-2012-3750 : Anton Tsviatkou
WebKit
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description: A time of check to time of use issue existed in the
handling of JavaScript arrays. This issue was addressed through
additional validation of JavaScript arrays.
CVE-ID
CVE-2012-3748 : Joost Pol and Daan Keuper of Certified Secure working
with HP TippingPoint's Zero Day Initiative
WebKit
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description: A use after free issue existed in the handling of SVG
images. This issue was addressed through improved memory handling.
CVE-ID
CVE-2012-5112 : Pinkie Pie working with Google's Pwnium 2 contest
Installation note:
This update is available through iTunes and Software Update on your
iOS device, and will not appear in your computer's Software Update
application, or in the Apple Downloads site. Make sure you have an
Internet connection and have installed the latest version of iTunes
from www.apple.com/itunes/
iTunes and Software Update on the device will automatically check
Apple's update server on its weekly schedule. When an update is
detected, it is downloaded and the option to be installed is
presented to the user when the iOS device is docked. We recommend
applying the update immediately if possible. Selecting Don't Install
will present the option the next time you connect your iOS device.
The automatic update process may take up to a week depending on the
day that iTunes or the device checks for updates. You may manually
obtain the update via the Check for Updates button within iTunes, or
the Software Update on your device.
To check that the iPhone, iPod touch, or iPad has been updated:
* Navigate to Settings
* Select General
* Select About. The version after applying this update
will be "6.0.1".
Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
+------------------------------------------------------------------------------+
| Packet Storm Advisory 2013-0903-1 |
| http://packetstormsecurity.com/ |
+------------------------------------------------------------------------------+
| Title: Apple Safari Heap Buffer Overflow |
+--------------------+---------------------------------------------------------+
| Release Date | 2013/09/03 |
| Advisory Contact | Packet Storm (advisories@packetstormsecurity.com) |
| Researcher | Vitaliy Toropov |
+--------------------+---------------------------------------------------------+
| System Affected | Apple Safari |
| Versions Affected | 6.0.1 for iOS 6.0 and OS X 10.7/8, possibly earlier |
| Related Advisory | APPLE-SA-2012-11-01-2 |
| Related CVE Number | CVE-2012-3748 |
| Vendor Patched | 2012/11/01 |
| Classification | 1-day |
+--------------------+---------------------------------------------------------+
+----------+
| OVERVIEW |
+----------+
The release of this advisory provides exploitation details in relation to a
known patched vulnerability in Apple Safari. These details were obtained
through the Packet Storm Bug Bounty program and are being released to the
community.
+------------------------------------------------------------------------------+
+---------+
| DETAILS |
+---------+
The heap memory buffer overflow vulnerability exists within WebKit's
JavaScriptCore JSArray::sort(...) method. This method accepts the user-defined
JavaScript function and calls it from the native code to compare array items.
If this compare function reduces array length, then the trailing array items
will be written outside the "m_storage->m_vector[]" buffer, which leads to the
heap memory corruption.
The exploit for this vulnerability is JavaScript code which shows how to
use it for memory corruption of internal JS objects (Uint32Array, etc.)
and subsequent arbitrary code execution (custom ARM/x64 payloads can be pasted
into the JS code).
+------------------------------------------------------------------------------+
+------------------+
| PROOF OF CONCEPT |
+------------------+
The full exploit code is available here:
http://packetstormsecurity.com/files/123088/
+------------------------------------------------------------------------------+
+---------------+
| RELATED LINKS |
+---------------+
http://lists.apple.com/archives/security-announce/2012/Nov/msg00001.html
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3748
+------------------------------------------------------------------------------+
+----------------+
| SHAMELESS PLUG |
+----------------+
The Packet Storm Bug Bounty program gives researchers the ability to profit
from their discoveries. You can get paid thousands of dollars for one day
and zero day exploits. In
certain contexts, an active network attacker could present untrusted
certificates to iTunes and they would be accepted without warning.
CVE-ID
CVE-2012-2824 : miaubiz
CVE-2012-2857 : Arthur Gerkis
CVE-2012-3748 : Joost Pol and Daan Keuper of Certified Secure working
with HP TippingPoint's Zero Day Initiative
CVE-2012-5112 : Pinkie Pie working with Google's Pwnium 2 contest
CVE-2013-0879 : Atte Kettunen of OUSPG
CVE-2013-0912 : Nils and Jon from MWR Labs working with HP
TippingPoint's Zero Day Initiative
CVE-2013-0948 : Abhishek Arya (Inferno) of the Google Chrome Security
Team
CVE-2013-0949 : Abhishek Arya (Inferno) of the Google Chrome Security
Team
CVE-2013-0950 : Abhishek Arya (Inferno) of the Google Chrome Security
Team
CVE-2013-0951 : Apple
CVE-2013-0952 : Abhishek Arya (Inferno) of the Google Chrome Security
Team
CVE-2013-0953 : Abhishek Arya (Inferno) of the Google Chrome Security
Team
CVE-2013-0954 : Dominic Cooney of Google and Martin Barbella of the
Google Chrome Security Team
CVE-2013-0955 : Apple
CVE-2013-0956 : Apple Product Security
CVE-2013-0958 : Abhishek Arya (Inferno) of the Google Chrome Security
Team
CVE-2013-0959 : Abhishek Arya (Inferno) of the Google Chrome Security
Team
CVE-2013-0960 : Apple
CVE-2013-0961 : wushi of team509 working with iDefense VCP
CVE-2013-0991 : Jay Civelli of the Chromium development community
CVE-2013-0992 : Google Chrome Security Team (Martin Barbella)
CVE-2013-0993 : Google Chrome Security Team (Inferno)
CVE-2013-0994 : David German of Google
CVE-2013-0995 : Google Chrome Security Team (Inferno)
CVE-2013-0996 : Google Chrome Security Team (Inferno)
CVE-2013-0997 : Vitaliy Toropov working with HP TippingPoint's Zero
Day Initiative
CVE-2013-0998 : pa_kt working with HP TippingPoint's Zero Day
Initiative
CVE-2013-0999 : pa_kt working with HP TippingPoint's Zero Day
Initiative
CVE-2013-1000 : Fermin J.
TITLE:
Apple Safari Two Vulnerabilities
SECUNIA ADVISORY ID:
SA51157
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/51157/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=51157
RELEASE DATE:
2012-11-02
DESCRIPTION:
Two vulnerabilities have been reported in Apple Safari, which can be
exploited by malicious people to compromise a user's system.
2) A use-after-free error exists in the handling of SVG images.
For more information see vulnerability #1 in:
SA50954
The vulnerabilities are reported in versions prior to 6.0.2 running
on OS X Lion and OS X Mountain Lion.
PROVIDED AND/OR DISCOVERED BY:
1) The vendor credits Joost Pol and Daan Keuper, Certified Secure via
ZDI
ORIGINAL ADVISORY:
APPLE-SA-2012-11-01-2:
http://support.apple.com/kb/HT5568
| VAR-201211-0320 | CVE-2012-3749 | Apple iOS and Apple TV vulnerability that circumvents the ASLR protection mechanism |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The extensions APIs in the kernel in Apple iOS before 6.0.1 provide kernel addresses in responses that contain an OSBundleMachOHeaders key, which makes it easier for remote attackers to bypass the ASLR protection mechanism via a crafted app. Apple iOS for the iPhone, the iPod touch, and the iPad is prone to an information-disclosure vulnerability.
Attackers can leverage this issue to gain access to sensitive information. Information obtained may aid in further attacks.
The issue is fixed in Apple iOS 6.0.1. A vulnerability exists in the extension APIs in the kernel in Apple iOS versions prior to 6.0.1. The vulnerability stems from responses that contain an OSBundleMachOHeaders key providing kernel addresses.
CVE-ID
CVE-2012-3748 : Joost Pol and Daan Keuper of Certified Secure working
with HP TippingPoint's Zero Day Initiative
Installation note:
Apple TV will periodically check for software updates.
For more information:
SA51162
The vulnerabilities are reported in versions prior to 5.1.1. Make sure you have an
Internet connection and have installed the latest version of iTunes
from www.apple.com/itunes/
iTunes and Software Update on the device will automatically check
Apple's update server on its weekly schedule. When an update is
detected, it is downloaded and the option to be installed is
presented to the user when the iOS device is docked. We recommend
applying the update immediately if possible. Selecting Don't Install
will present the option the next time you connect your iOS device.
The automatic update process may take up to a week depending on the
day that iTunes or the device checks for updates. You may manually
obtain the update via the Check for Updates button within iTunes, or
the Software Update on your device. The version after applying this update
will be "6.0.1".
TITLE:
Apple iOS Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA51162
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/51162/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=51162
RELEASE DATE:
2012-11-02
DESCRIPTION:
A weakness and multiple vulnerabilities have been reported in Apple
iOS, which can be exploited by malicious people with physical access
to bypass certain security restrictions and by malicious people to
disclose certain system information and compromise a vulnerable
device.
1) The weakness is caused due to an error within the kernel when
handling certain APIs and can be exploited to disclose the
OSBundleMachOHeaders key, which includes kernel addresses.
2) An error within the passcode lock component can be exploited to
gain access to Passbook passes.
3) Some vulnerabilities exist due to a bundled vulnerable version of
the WebKit component.
PROVIDED AND/OR DISCOVERED BY:
The vendor credits:
1) Mark Dowd of Azimuth Security, Eric Monti of Square, and anonymous
people
2) Anton Tsviatkou
ORIGINAL ADVISORY:
APPLE-SA-2012-11-01-1:
http://support.apple.com/kb/HT5567
APPLE-SA-2013-03-14-1 OS X Mountain Lion v10.8.3 and Security Update
2013-001
OS X Mountain Lion v10.8.3 and Security Update 2013-001 is now
available and addresses the following:
Apache
Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8,
OS X Lion v10.7 to v10.7.5, OS X Lion Server v10.7 to v10.7.5,
OS X Mountain Lion v10.8 to v10.8.2
Impact: An attacker may be able to access directories that are
protected with HTTP authentication without knowing the correct
credentials
Description: A canonicalization issue existed in the handling of
URIs with ignorable Unicode character sequences. This issue was
addressed by updating mod_hfs_apple to forbid access to URIs with
ignorable Unicode character sequences.
CVE-ID
CVE-2013-0966 : Clint Ruoho of Laconic Security
CoreTypes
Available for: OS X Lion v10.7 to v10.7.5,
OS X Lion Server v10.7 to v10.7.5,
OS X Mountain Lion v10.8 to v10.8.2
Impact: Visiting a maliciously crafted website could allow a Java
Web Start application to be launched automatically even if the Java
plug-in is disabled
Description: Java Web Start applications would run even if the Java
plug-in was disabled. This issue was addressed by removing JNLP files
from the CoreTypes safe file type list, so the Web Start application
will not be run unless the user opens it in the Downloads directory.
CVE-ID
CVE-2013-0967
International Components for Unicode
Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8,
OS X Lion v10.7 to v10.7.5, OS X Lion Server v10.7 to v10.7.5,
OS X Mountain Lion v10.8 to v10.8.2
Impact: Visiting a maliciously crafted website may lead to a cross-
site scripting attack
Description: A canonicalization issue existed in the handling of the
EUC-JP encoding, which could lead to a cross-site scripting attack on
EUC-JP encoded websites. This issue was addressed by updating the
EUC-JP mapping table.
CVE-ID
CVE-2011-3058 : Masato Kinugawa
Identity Services
Available for: OS X Lion v10.7 to v10.7.5,
OS X Lion Server v10.7 to v10.7.5,
OS X Mountain Lion v10.8 to v10.8.2
Impact: Authentication relying on certificate-based Apple ID
authentication may be bypassed
Description: An error handling issue existed in Identity Services.
If the user's AppleID certificate failed to validate, the user's
AppleID was assumed to be the empty string. If multiple systems
belonging to different users enter this state, applications relying
on this identity determination may erroneously extend trust. This
issue was addressed by ensuring that NULL is returned instead of an
empty string.
CVE-ID
CVE-2013-0963
ImageIO
Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8,
OS X Lion v10.7 to v10.7.5, OS X Lion Server v10.7 to v10.7.5,
OS X Mountain Lion v10.8 to v10.8.2
Impact: Viewing a maliciously crafted TIFF file may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in libtiff's handling of TIFF
images. This issue was addressed through additional validation of
TIFF images.
CVE-ID
CVE-2012-2088
IOAcceleratorFamily
Available for: OS X Mountain Lion v10.8 to v10.8.2
Impact: Viewing a maliciously crafted image may lead to an
unexpected system termination or arbitrary code execution
Description: A memory corruption issue existed in the handling of
graphics data. This issue was addressed through improved bounds
checking.
CVE-ID
CVE-2013-0976 : an anonymous researcher
Kernel
Available for: OS X Mountain Lion v10.8 to v10.8.2
Impact: Maliciously crafted or compromised applications may be able
to determine addresses in the kernel
Description: An information disclosure issue existed in the handling
of APIs related to kernel extensions.
This issue was addressed by unsliding the addresses before returning
them.
CVE-ID
CVE-2012-3749 : Mark Dowd of Azimuth Security, Eric Monti of Square,
and additional anonymous researchers
Login Window
Available for: OS X Mountain Lion v10.8 to v10.8.2
Impact: An attacker with keyboard access may modify the system
configuration
Description: A logic error existed in VoiceOver's handling of the
Login Window, whereby an attacker with access to the keyboard could
launch System Preferences and modify the system configuration. This
issue was addressed by preventing VoiceOver from launching
applications at the Login Window.
CVE-ID
CVE-2013-0969 : Eric A. Schulman of Purpletree Labs
Messages
Available for: OS X Mountain Lion v10.8 to v10.8.2
Impact: Clicking a link from Messages may initiate a FaceTime call
without prompting
Description: Clicking on a specifically-formatted FaceTime:// URL in
Messages could bypass the standard confirmation prompt. This issue
was addressed by additional validation of FaceTime:// URLs.
CVE-ID
CVE-2013-0970 : Aaron Sigel of vtty.com
Messages Server
Available for: Mac OS X Server 10.6.8,
OS X Lion Server v10.7 to v10.7.5
Impact: A remote attacker may reroute federated Jabber messages
Description: An issue existed in the Jabber server's handling of
dialback result messages. An attacker may cause the Jabber server to
disclose information intended for users of federated servers. This
issue was addressed through improved handling of dialback result
messages.
CVE-ID
CVE-2012-3525
PDFKit
Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8,
OS X Lion v10.7 to v10.7.5, OS X Lion Server v10.7 to v10.7.5,
OS X Mountain Lion v10.8 to v10.8.2
Impact: Viewing a maliciously crafted PDF file may lead to an
unexpected application termination or arbitrary code execution
Description: A use after free issue existed in the handling of ink
annotations in PDF files. This issue was addressed through improved
memory management.
CVE-ID
CVE-2013-0971 : Tobias Klein working with HP TippingPoint's Zero Day
Initiative
Podcast Producer Server
Available for: Mac OS X Server 10.6.8,
OS X Lion Server v10.7 to v10.7.5
Impact: A remote attacker may be able to cause arbitrary code
execution
Description: A type casting issue existed in Ruby on Rails' handling
of XML parameters. This issue was addressed by disabling XML
parameters in the Rails implementation used by Podcast Producer
Server.
CVE-ID
CVE-2013-0156
Podcast Producer Server
Available for: OS X Lion Server v10.7 to v10.7.5
Impact: A remote attacker may be able to cause arbitrary code
execution
Description: A type casting issue existed in Ruby on Rails' handling
of JSON data. This issue was addressed by switching to using the
JSONGem backend for JSON parsing in the Rails implementation used by
Podcast Producer Server.
CVE-ID
CVE-2013-0333
PostgreSQL
Available for: Mac OS X Server 10.6.8,
OS X Lion Server v10.7 to v10.7.5
Impact: Multiple vulnerabilities in PostgreSQL
Description: PostgreSQL was updated to version 9.1.5 to address
multiple vulnerabilities, the most serious of which may allow
database users to read files from the file system with the privileges
of the database server role account. Further information is available
via the PostgreSQL web site at
http://www.postgresql.org/docs/9.1/static/release-9-1-5.html
CVE-ID
CVE-2012-3488
CVE-2012-3489
Profile Manager
Available for: OS X Lion Server v10.7 to v10.7.5
Impact: A remote attacker may be able to cause arbitrary code
execution
Description: A type casting issue existed in Ruby on Rails' handling
of XML parameters. This issue was addressed by disabling XML
parameters in the Rails implementation used by Profile Manager.
CVE-ID
CVE-2013-0156
QuickTime
Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8,
OS X Lion v10.7 to v10.7.5, OS X Lion Server v10.7 to v10.7.5,
OS X Mountain Lion v10.8 to v10.8.2
Impact: Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in the handling of 'rnet'
boxes in MP4 files. This issue was addressed through improved bounds
checking.
CVE-ID
CVE-2012-3756 : Kevin Szkudlapski of QuarksLab
Ruby
Available for: Mac OS X Server 10.6.8
Impact: A remote attacker may be able to cause arbitrary code
execution if a Rails application is running
Description: A type casting issue existed in Ruby on Rails' handling
of XML parameters. This issue was addressed by disabling YAML and
symbols in XML parameters in Rails.
CVE-ID
CVE-2013-0156
Security
Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8,
OS X Lion v10.7 to v10.7.5, OS X Lion Server v10.7 to v10.7.5,
OS X Mountain Lion v10.8 to v10.8.2
Impact: An attacker with a privileged network position may intercept
user credentials or other sensitive information
Description: Several intermediate CA certificates were mistakenly
issued by TURKTRUST. This may allow a man-in-the-middle attacker to
redirect connections and intercept user credentials or other
sensitive information. This issue was addressed by not allowing the
incorrect SSL certificates.
Software Update
Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8,
OS X Lion v10.7 to v10.7.5, OS X Lion Server v10.7 to v10.7.5
Impact: An attacker with a privileged network position may be able
to cause arbitrary code execution
Description: Software Update allowed a man in the middle attacker to
insert plugin content into the marketing text displayed for updates.
This may allow the exploitation of a vulnerable plugin, or facilitate
social engineering attacks involving plugins. This issue does not
affect OS X Mountain Lion systems. This issue was addressed by
preventing plugins from being loaded in Software Update's marketing
text WebView.
CVE-ID
CVE-2013-0973 : Emilio Escobar
Wiki Server
Available for: OS X Lion Server v10.7 to v10.7.5
Impact: A remote attacker may be able to cause arbitrary code
execution
Description: A type casting issue existed in Ruby on Rails' handling
of XML parameters. This issue was addressed by disabling XML
parameters in the Rails implementation used by Wiki Server.
CVE-ID
CVE-2013-0156
Wiki Server
Available for: OS X Lion Server v10.7 to v10.7.5
Impact: A remote attacker may be able to cause arbitrary code
execution
Description: A type casting issue existed in Ruby on Rails' handling
of JSON data. This issue was addressed by switching to using the
JSONGem backend for JSON parsing in the Rails implementation used by
Wiki Server.
CVE-ID
CVE-2013-0333
Malware removal
Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8,
OS X Lion v10.7 to v10.7.5, OS X Lion Server v10.7 to v10.7.5,
OS X Mountain Lion v10.8 to v10.8.2
Description: This update runs a malware removal tool that will
remove the most common variants of malware. If malware is found, it
presents a dialog notifying the user that malware was removed. There
is no indication to the user if malware is not found.
Note: OS X Mountain Lion v10.8.3 includes the content of
Safari 6.0.3. For further details see "About the security content
of Safari 6.0.3" at http://support.apple.com/kb/HT5671
OS X Mountain Lion v10.8.3 and Security Update 2013-001 may be
obtained from the Software Update pane in System Preferences,
or Apple's Software Downloads web site:
http://www.apple.com/support/downloads/
The Software Update utility will present the update that applies
to your system configuration. Only one is needed, either
OS X Mountain Lion v10.8.3, or Security Update
2013-001.
For OS X Mountain Lion v10.8.2
The download file is named: OSXUpd10.8.3.dmg
Its SHA-1 digest is: e6165572e9145ea05aac23fa30372a9b0a0bbf3c
For OS X Mountain Lion v10.8 and v10.8.1
The download file is named: OSXUpdCombo10.8.3.dmg
Its SHA-1 digest is: 1bc49fde5ff6e252aa7908b4cb1f9cb9c8a5fa29
For OS X Lion v10.7.5
The download file is named: SecUpd2013-001.dmg
Its SHA-1 digest is: 5bc540a208c720fce3448f853d852336781e1a17
For OS X Lion Server v10.7.5
The download file is named: SecUpdSrvr2013-001.dmg
Its SHA-1 digest is: e88ff36fc8e88c4c995422d3f2364c56ebe51b07
For Mac OS X v10.6.8
The download file is named: SecUpd2013-001.dmg
Its SHA-1 digest is: dc52d0f7d2db6080c57c7b9252a4d85c5e178450
For Mac OS X Server v10.6.8
The download file is named: SecUpdSrvr2013-001.dmg
Its SHA-1 digest is: fd7946f8d1f1bce0394b6e56c8d7387812e14694
Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
| VAR-201211-0362 | CVE-2012-5416 | Cisco Unified MeetingPlace Web Conferencing Buffer Overflow Vulnerability |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Buffer overflow in Cisco Unified MeetingPlace Web Conferencing before 7.1MR1 Patch 1, 8.0 before 8.0MR1 Patch 1, and 8.5 before 8.5MR3 allows remote attackers to cause a denial of service (daemon hang) via unspecified parameters in a POST request, aka Bug ID CSCua66341. Cisco Unified MeetingPlace Web Conferencing contains a buffer overflow vulnerability. This issue is tracked as Bug ID CSCua66341. A third party may be able to cause a service disruption (daemon hang).
Attackers can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in denial-of-service conditions.
Note: This BID initially referenced CVE-2012-0337. This issue was already described in BID 53431. This solution provides a user environment that integrates voice, video and Web conferencing.
TITLE:
Cisco Unified MeetingPlace Web Conferencing SQL Injection and Denial
of Service Vulnerabilities
SECUNIA ADVISORY ID:
SA51103
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/51103/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=51103
RELEASE DATE:
2012-11-01
DESCRIPTION:
Two vulnerabilities have been reported in Cisco Unified MeetingPlace,
which can be exploited by malicious people to conduct SQL injection
attacks and cause a DoS (Denial of Service).
1) Certain input is not properly sanitised before being used in SQL
queries.
The vulnerabilities are reported in versions prior to 7.0, 7.0, 7.1,
8.0, and 8.5.
SOLUTION:
Update to version 7.1MR1 Patch 1, 8.0MR1 Patch 1, or 8.5MR3.
PROVIDED AND/OR DISCOVERED BY:
1) The vendor credits Daniel Mende, ERNW GmbH.
2) Reported by the vendor.
ORIGINAL ADVISORY:
Cisco:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20121031-mp
| VAR-201211-0363 | CVE-2012-5417 | Cisco Prime Data Center Network Manager Remote Command Execution Vulnerability |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Cisco Prime Data Center Network Manager (DCNM) before 6.1(1) does not properly restrict access to certain JBoss MainDeployer functionality, which allows remote attackers to execute arbitrary commands via JBoss Application Server Remote Method Invocation (RMI) services, aka Bug ID CSCtz44924.
An attacker can exploit this issue to execute arbitrary commands within the context of the vulnerable application.
This issue is tracked by Cisco Bug IDs CSCtz44924 and CSCua31204. The manager provides multi-protocol management of the network and provides troubleshooting capabilities for switch health and performance.
TITLE:
Cisco Prime Data Center Network Manager JBoss Application Server
Security Issue
SECUNIA ADVISORY ID:
SA51129
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/51129/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=51129
RELEASE DATE:
2012-11-01
DISCUSS ADVISORY:
http://secunia.com/advisories/51129/#comments
DESCRIPTION:
A security issue has been reported in Cisco Prime Data Center Network
Manager (DCNM), which can be exploited by malicious people to
compromise a vulnerable system.
Successful exploitation may allow execution of arbitrary code with
privileges of SYSTEM or root user.
The security issue is reported in versions prior to 6.1(1).
SOLUTION:
Update to version 6.1(1).
PROVIDED AND/OR DISCOVERED BY:
The vendor credits Paul O'Grady, Security Compass.
ORIGINAL ADVISORY:
Cisco:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20121031-dcnm
| VAR-201211-0602 | No CVE | D-Link Wireless N300 Cloud Router CAPTCHA Handling Buffer Overflow Vulnerability |
CVSS V2: - CVSS V3: - Severity: - |
The D-Link Wireless N300 Cloud Router is a cloud router product. An error in the web server's processing of CAPTCHA data allows an attacker to submit a specially crafted HTTP POST request that triggers a stack-based buffer overflow, which can cause the service to crash or execute arbitrary code.
TITLE:
D-Link Wireless N300 Cloud Router CAPTCHA Processing Buffer Overflow
Vulnerability
SECUNIA ADVISORY ID:
SA51075
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/51075/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=51075
RELEASE DATE:
2012-10-30
DISCUSS ADVISORY:
http://secunia.com/advisories/51075/#comments
DESCRIPTION:
Craig has reported a vulnerability in D-Link Wireless N300 Cloud
Router, which can be exploited by malicious people to compromise a
vulnerable device.
Successful exploitation allows execution of arbitrary code.
The vulnerability is reported in firmware version 1.10 and 1.12.
Other versions may also be affected.
SOLUTION:
No official solution is currently available.
PROVIDED AND/OR DISCOVERED BY:
Craig, /dev/ttyS0
ORIGINAL ADVISORY:
http://www.devttys0.com/2012/10/exploiting-a-mips-stack-overflow/
| VAR-201211-0400 | CVE-2012-5687 | TP-LINK TL-WR841N Router Local File Inclusion Vulnerability |
Related entries in the VARIoT exploits database: VAR-E-201210-0020, VAR-E-201207-0024
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Directory traversal vulnerability in the web-based management feature on the TP-LINK TL-WR841N router with firmware 3.13.9 build 120201 Rel.54965n and earlier allows remote attackers to read arbitrary files via a .. (dot dot) in the PATH_INFO to the help/ URI. The TP-LINK TL-WR841N is a wireless router product from TP-LINK (China Pulian). Its web management interface does not correctly filter URL parameters, which allows an attacker to view the contents of system files with the web server's permissions. The router is prone to a local file-include vulnerability because it fails to sufficiently sanitize user-supplied input.
An attacker can exploit this vulnerability to view files and execute local scripts in the context of the affected device. This may aid in further attacks.
TP-LINK TL-WR841N 3.13.9 Build 120201 Rel.54965n is vulnerable; other versions may also be affected.
| VAR-201301-0111 | CVE-2012-6069 | CoDeSys Directory Traversal Vulnerability |
CVSS V2: 10.0 CVSS V3: 10.0 Severity: HIGH |
The CoDeSys Runtime Toolkit’s file transfer functionality does not perform input validation, which allows an attacker to access files and directories outside the intended scope. This may allow an attacker to upload and download any file on the device, and so to affect the availability, integrity, and confidentiality of the device. Directory traversal vulnerability in the Runtime Toolkit in CODESYS Runtime System 2.3.x and 2.4.x allows remote attackers to read, overwrite, or create arbitrary files via a request to the TCP listener service that contains .. (dot dot). CoDeSys is a set of PLC (Programmable Logic Controller) software programming tools from 3S-Smart Software Solutions in Germany. It supports the IEC 61131-3 standard and six PLC programming languages: IL, ST, FBD, LD, CFC, and SFC. Runtime Toolkit is the runtime toolkit of CoDeSys. An unknown access control vulnerability also exists in CoDeSys, which allows an attacker to obtain a PLC shell and control the device. CoDeSys is prone to a directory-traversal vulnerability because it fails to properly sanitize user-supplied input.
Exploiting this issue may allow an attacker to obtain sensitive information that could aid in further attacks.
TITLE:
CoDeSys Authentication Bypass and Directory Traversal Vulnerabilities
SECUNIA ADVISORY ID:
SA51847
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/51847/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=51847
RELEASE DATE:
2013-01-14
DISCUSS ADVISORY:
http://secunia.com/advisories/51847/#comments
DESCRIPTION:
Digital Bond has reported two vulnerabilities in CoDeSys, which can
be exploited by malicious people to bypass certain security
restrictions and compromise a vulnerable system.
1) An error within the authentication mechanism does not properly
restrict access to the device and can be exploited to perform certain
administrative tasks.
The vulnerabilities are reported in versions 2.3.x and 2.4.x.
SOLUTION:
Apply patches (please contact the vendor for more information).
PROVIDED AND/OR DISCOVERED BY:
Reid Wightman, Digital Bond.
ORIGINAL ADVISORY:
ICS-CERT (ICSA-13-011-01):
http://www.us-cert.gov/control_systems/pdf/ICSA-13-011-01.pdf
CoDeSys:
http://www.codesys.com/news-events/press-releases/detail/article/sicherheitsluecke-in-codesys-v23-laufzeitsystem.html
SEC Consult Vulnerability Lab Security Advisory < 20171130-0 >
=======================================================================
title: Critical CODESYS vulnerabilities
product: WAGO PFC 200 Series, see "Vulnerable / tested versions"
vulnerable version: plclinux_rt 2.4.7.0, see "Vulnerable / tested versions"
fixed version: PFC200 FW11
CVE number: -
impact: critical
homepage: https://www.codesys.com
found: 2017-07-28
by: T. Weber (Office Vienna)
SEC Consult Vulnerability Lab
An integrated part of SEC Consult
Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich
https://www.sec-consult.com
=======================================================================
Vendor description:
-------------------
"The WAGO-I/O-SYSTEM is a flexible fieldbus-independent solution for
decentralized automation tasks. With the relay, function and interface
modules, as well as overvoltage protection, WAGO provides a suitable interface
for any application."
Source: http://global.wago.com/en/products/product-catalog/components-automation/overview/index.jsp
"The PFC family of controllers offers advanced compact, computing power for PLC
programming and process visualization. Programmable in accordance with IEC 61131-3
600, PFC controllers feature a 600 MHz ARM Cortex A8 processor that offers high
speed processing and support of 64 bit variables."
Source:
http://www.wago.us/products/components-for-automation/modular-io-system-series-750-753/programmable-fieldbus-controller/pfc200/index.jsp
Business recommendation:
------------------------
Because of the use in industrial and safety-critical environments the patch has
to be applied as soon as it is available. We explicitly point out to all users
in this sector that this device series in the mentioned device series with
firmware 02.07.07(10) should not be connected directly to the internet (or even
act as gateway) since it is very likely that an attacker can compromise the
whole network via such a device.
SEC Consult recommends not to use this product in a production environment
until a thorough security review has been performed by security professionals.
Vulnerability overview/description:
-----------------------------------
The "plclinux_rt" service accepts different unauthenticated actions.
This vulnerability contains the architectural security problems described by
Reid Wightman. The SDK of "plclinux_rt" is written by the same vendor (3S).
Therefore, the file commands of "Digital Bond's 3S CODESYS Tools", created
around 2012 are applicable.
(See https://ics-cert.us-cert.gov/advisories/ICSA-13-011-01)
The CODESYS command-line is protected with login credentials, that's why the
shell of the mentioned tools does not provide root access out of the box. But
after some investigation it was clear that there are further functions which
are reachable without using the command-line and without any authentication.
These functions in "plclinux_rt" can be triggered by sending the correct
TCP payload on the bound port (by default 2455).
Some of the triggerable functions are:
* Arbitrary file read/write/delete (also covered by "Digital Bond's Tools")
* Step over a function in the currently executed PLC program
* Cycle step any function in the currently executed PLC program
* Delete the current variable list of the currently executed PLC program
* And more functions...
Since SSH is activated by default, an unauthenticated attacker can rewrite
"/etc/shadow" and gain root privileges easily via these attack vectors!
1) Critical Improper Authentication / Design Issue
Files can be fetched, written and deleted. Running tasks on the PLC can be
restarted, stepped and crashed. A
memory corruption (and potential reverse-shell) is also possible via arbitrary
TCP packets.
There are potentially more commands which can be triggered, but this was not
covered by the short security crash test.
Proof of concept:
-----------------
As there is no patch available yet, the detailed proof of concept information has
been removed from this advisory.
1) Critical Improper Authentication / Design Issue
Two payloads are specified here as proof of concept for file manipulation.
Four payloads for live program manipulation are also listed.
File read and delete without any authentication.
Read "/etc/shadow":
echo '[PoC removed]' | xxd -r -p | nc <PLC-IP> <Port>
Delete "/etc/test":
echo '[PoC removed]' | xxd -r -p | nc <PLC-IP> <Port>
Running PLC tasks could be modified with the following payloads:
Step over function:
echo '[PoC removed]' | xxd -r -p | nc <PLC-IP> <Port>
Cycle step function:
echo '[PoC removed]' | xxd -r -p | nc <PLC-IP> <Port>
Delete variable list (produces stack-trace / denial of service):
echo '[PoC removed]' | xxd -r -p | nc <PLC-IP> <Port>
The actual function is chosen by the 7th byte in the latter payloads. E.g.:
0x31 -> read file
0x36 -> delete file
0x0a -> step over
0x24 -> cycle step
0x15 -> delete variable list
There are many more functions hidden in the "plclinux_rt" binary. This
is just an excerpt of a few available functions.
These functions can be examined from "SrvComputeService". Two pseudo code
snippets generated by IDA Pro show some examples (the functionality can be
quickly determined from the corresponding debug message):
[PoC removed from this advisory]
Vulnerable / tested versions:
-----------------------------
WAGO PFC200 Series / Firmware 02.07.07(10)
(17 affected devices)
750-8202
750-8202/025-000
750-8202/025-001
750-8202/025-002
750-8202/040-001
750-8203
750-8203/025-000
750-8204
750-8204/025-000
750-8206
750-8206/025-000
750-8206/025-001
750-8207
750-8207/025-000
750-8207/025-001
750-8208
750-8208/025-000
The WAGO contact stated during a call that all PLCs of the 750-88X Series are not
vulnerable due to a custom fix from WAGO. The contact also stated that the PLCs
of the 750-810X (PFC100) series are also not vulnerable because they have
CODESYS 3.5 deployed.
Devices of any other vendor which use the CODESYS 2.3.X/2.4.X runtime are
potentially prone to the same vulnerability.
Vendor contact timeline:
------------------------
2017-08-02: Contacting vendor through info@wago.com and set the
publication date to 2017-09-21.
2017-08-09: Sending a reminder to info@wago.com
2017-08-16: Found a dedicated security contact of WAGO. Contacting
this employee via e-mail.
2017-08-17: Contact responds that he will read the redirected e-mail
from info@wago.com. Sending e-mail to contact that the
message sent to info@wago.com does not contain the actual
advisory and that an encrypted channel should be used for
transmission.
2017-08-22: Sending reminder to contact and re-transmitting the
responsible disclosure policy and all possible ways
to transmit the advisory.
2017-08-29: Uploading advisory to WAGO ShareFile.
2017-09-15: Telephone call with WAGO contact. Discussion about the
vulnerability. Fix will be available in the next firmware
version. Vendor clarified that series 750-88X is not prone
to the reported vulnerability. Set the publication date to
2017-09-28.
2017-09-26: Telephone call with vendor. Vendor is working on a fix of
the vulnerabilities. Set the publication date to 2017-10-12.
2017-10-06: Sending a reminder to the vendor; No answer.
2017-10-11: Sending a reminder to the vendor. Vendor states that they
are working on an update and a timeline for the fix will
be provided on 2017-10-13.
2017-10-13: Asked for an update; No answer.
2017-10-17: Informing the vendor that the publication date was set to
2017-10-23.
2017-10-19: Vendor responds that vulnerability in PFC200 series will be
patched in firmware version FW12. Set publication date to
2017-10-27 and asked the vendor for a time-line regarding
the PFC100 series.
2017-10-20: Vendor responds that PFC100 series is not vulnerable since
it does not contain CODESYS 2.4 run-time. Vendor corrected
the firmware to version FW11. The patch will be available
in January 2018.
2017-10-30: Informed vendor that the advisory will be published on
2017-11-30.
2017-11-30: Advisory release
Solution:
---------
Update your WAGO PFC200 Series to firmware version FW11 as soon as it is
available. In the meantime, see the workaround section.
Workaround:
-----------
Delete "plclinux_rt" or close the programming port (2455).
Network access to the device should be restricted.
Advisory URL:
-------------
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html
| VAR-201210-0703 | No CVE | SAP NetWeaver PMI Agent XML External Entity Information Disclosure Vulnerability |
CVSS V2: - CVSS V3: - Severity: MEDIUM |
SAP NetWeaver is the technical foundation for SAP Business Suite solutions, SAP xApps composite applications, partner solutions, and custom applications. When SAP NetWeaver validates an XML request, the PMI XML parser handles it incorrectly. An attacker can exploit the vulnerability by constructing a malicious XML document and inducing a user to parse it, which discloses sensitive information from local files. SAP NetWeaver is prone to an information-disclosure vulnerability.
An attacker can exploit this issue to gain access to sensitive information; this may lead to further attacks.
TITLE:
SAP NetWeaver XML External Entity Vulnerability
SECUNIA ADVISORY ID:
SA51063
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/51063/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=51063
RELEASE DATE:
2012-10-26
DISCUSS ADVISORY:
http://secunia.com/advisories/51063/#comments
DESCRIPTION:
ERPScan has reported a vulnerability in SAP NetWeaver, which can be
exploited by malicious people to disclose potentially sensitive
information. disclose
local files.
SOLUTION:
Reportedly a fix has been released. Contact the vendor for further
information.
PROVIDED AND/OR DISCOVERED BY:
Dmitry Chastukhin, ERPScan.
ORIGINAL ADVISORY:
SAP:
https://service.sap.com/sap/support/notes/1721309
ERPScan (DSECRG-12-037):
http://erpscan.com/advisories/dsecrg-12-037-sap-netweaver-pmi-agent-configuration-xml-external-entity/
| VAR-201402-0034 | CVE-2012-2250 | Tor Denial-of-Service (DoS) Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Tor before 0.2.3.24-rc allows remote attackers to cause a denial of service (assertion failure and daemon exit) by performing link protocol negotiation incorrectly. Tor (The Onion Router) is an implementation of the second generation of onion routing, mainly used for anonymous access to the Internet. The application is prone to a remote denial-of-service vulnerability.
Attackers may exploit this issue to cause an affected application to crash, resulting in a denial-of-service condition.
Versions prior to Tor 0.2.4.4-alpha are vulnerable.
| VAR-201211-0020 | CVE-2012-2619 | Broadcom BCM4325 and BCM4329 wireless chipset denial-of-service vulnerability |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
The Broadcom BCM4325 and BCM4329 Wi-Fi chips, as used in certain Acer, Apple, Asus, Ford, HTC, Kyocera, LG, Malata, Motorola, Nokia, Pantech, Samsung, and Sony products, allow remote attackers to cause a denial of service (out-of-bounds read and Wi-Fi outage) via an RSN 802.11i information element. The Broadcom BCM4325 and BCM4329 wireless chipsets have been reported to contain an out-of-bounds read error condition that may be exploited to produce a denial-of-service condition. Multiple products that use these chipsets, and the chipset firmware provided by Broadcom, are affected; a third party may cause a service disruption (DoS). The BCM4325 and BCM4329 chips are used in a variety of mobile devices. An attacker can send an RSN (802.11i) information element that causes the Wi-Fi NIC to stop responding. The following products use the BCM4325 and BCM4329 chips:
BCM4325: Apple iPhone 3GS, Apple iPod 2G, HTC Touch Pro 2, HTC Droid Incredible, Samsung Spica, Acer Liquid, Motorola Devour, Ford Edge
BCM4329: Apple iPhone 4, Apple iPhone 4 Verizon, Apple iPod 3G, Apple iPad Wi-Fi, Apple iPad 3G, Apple iPad 2, Apple Tv 2G, Motorola Xoom, Motorola Droid X2, Motorola Atrix, Samsung Galaxy Tab, Samsung Galaxy S 4G, Samsung Nexus S, Samsung Stratosphere, Samsung Fascinate, HTC Nexus One, HTC Evo 4G, HTC ThunderBolt, HTC Droid Incredible 2, LG Revolution, Sony Ericsson Xperia Play, Pantech Breakout, Nokia Lumina 800, Kyocera Echo, Asus Transformer Prime, Malata ZPad
Broadcom BCM4325 and BCM4329 wireless chipsets are prone to a denial-of-service vulnerability.
An attacker can exploit this issue to cause an affected device to crash, denying service to legitimate users. Due to the nature of this issue, sensitive information may be obtained.
The following chipsets are vulnerable:
BCM4325
BCM4329
Broadcom is the world's leading semiconductor company for wired and wireless communications. Vulnerabilities exist in the BCM4325 and BCM4329 chipsets.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
APPLE-SA-2013-01-28-1 iOS 6.1 Software Update
iOS 6.1 Software Update is now available and addresses the following:
Identity Services
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Authentication relying on certificate-based Apple ID
authentication may be bypassed
Description: An error handling issue existed in Identity Services.
If the user's AppleID certificate failed to validate, the user's
AppleID was assumed to be the empty string. If multiple systems
belonging to different users enter this state, applications relying
on this identity determination may erroneously extend trust. This
issue was addressed by ensuring that NULL is returned instead of an
empty string.
CVE-ID
CVE-2013-0963
International Components for Unicode
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted website may lead to a cross-
site scripting attack
Description: A canonicalization issue existed in the handling of the
EUC-JP encoding, which could lead to a cross-site scripting attack on
EUC-JP encoded websites. This issue was addressed by updating the
EUC-JP mapping table.
CVE-ID
CVE-2011-3058 : Masato Kinugawa
Kernel
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: A user-mode process may be able to access the first page of
kernel memory
Description: The iOS kernel has checks to validate that the user-
mode pointer and length passed to the copyin and copyout functions
would not result in a user-mode process being able to directly access
kernel memory. The checks were not being used if the length was
smaller than one page. This issue was addressed through additional
validation of the arguments to copyin and copyout.
CVE-ID
CVE-2013-0964 : Mark Dowd of Azimuth Security
Security
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: An attacker with a privileged network position may intercept
user credentials or other sensitive information
Description: Several intermediate CA certificates were mistakenly
issued by TURKTRUST. This may allow a man-in-the-middle attacker to
redirect connections and intercept user credentials or other
sensitive information. This issue was addressed by not allowing the
incorrect SSL certificates.
StoreKit
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: JavaScript may be enabled in Mobile Safari without user
interaction
Description: If a user disabled JavaScript in Safari Preferences,
visiting a site which displayed a Smart App Banner would re-enable
JavaScript without warning the user. This issue was addressed by not
enabling JavaScript when visiting a site with a Smart App Banner.
CVE-ID
CVE-2013-0974 : Andrew Plotkin of Zarfhome Software Consulting, Ben
Madison of BitCloud, Marek Durcek
WebKit
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in WebKit.
These issues were addressed through improved memory handling.
CVE-ID
CVE-2012-2824 : miaubiz
CVE-2012-2857 : Arthur Gerkis
CVE-2012-3606 : Abhishek Arya (Inferno) of the Google Chrome Security
Team
CVE-2012-3607 : Abhishek Arya (Inferno) of the Google Chrome Security
Team
CVE-2012-3621 : Skylined of the Google Chrome Security Team
CVE-2012-3632 : Abhishek Arya (Inferno) of the Google Chrome Security
Team
CVE-2012-3687 : kuzzcc
CVE-2012-3701 : Abhishek Arya (Inferno) of the Google Chrome Security
Team
CVE-2013-0948 : Abhishek Arya (Inferno) of the Google Chrome Security
Team
CVE-2013-0949 : Abhishek Arya (Inferno) of the Google Chrome Security
Team
CVE-2013-0950 : Abhishek Arya (Inferno) of the Google Chrome Security
Team
CVE-2013-0951 : Apple
CVE-2013-0952 : Abhishek Arya (Inferno) of the Google Chrome Security
Team
CVE-2013-0953 : Abhishek Arya (Inferno) of the Google Chrome Security
Team
CVE-2013-0954 : Dominic Cooney of Google and Martin Barbella of the
Google Chrome Security Team
CVE-2013-0955 : Apple
CVE-2013-0956 : Apple Product Security
CVE-2013-0958 : Abhishek Arya (Inferno) of the Google Chrome Security
Team
CVE-2013-0959 : Abhishek Arya (Inferno) of the Google Chrome Security
Team
CVE-2013-0968 : Aaron Nelson
WebKit
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Copying and pasting content on a malicious website may lead
to a cross-site scripting attack
Description: A cross-site scripting issue existed in the handling of
content pasted from a different origin. This issue was addressed
through additional validation of pasted content.
CVE-ID
CVE-2013-0962 : Mario Heiderich of Cure53
WebKit
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted website may lead to a cross-
site scripting attack
Description: A cross-site scripting issue existed in the handling of
frame elements. This issue was addressed through improved origin
tracking.
CVE-ID
CVE-2012-2889 : Sergey Glazunov
WiFi
Available for: iPhone 3GS, iPhone 4, iPod touch (4th generation),
iPad 2
Impact: A remote attacker on the same WiFi network may be able to
temporarily disable WiFi
Description: An out of bounds read issue exists in Broadcom's
BCM4325 and BCM4329 firmware's handling of 802.11i information
elements. This issue was addressed through additional validation of
802.11i information elements.
CVE-ID
CVE-2012-2619 : Andres Blanco and Matias Eissler of Core Security
Installation note:
This update is available through iTunes and Software Update on your
iOS device, and will not appear in your computer's Software Update
application, or in the Apple Downloads site. Make sure you have an
Internet connection and have installed the latest version of iTunes
from www.apple.com/itunes/
iTunes and Software Update on the device will automatically check
Apple's update server on its weekly schedule. When an update is
detected, it is downloaded and the option to be installed is
presented to the user when the iOS device is docked. We recommend
applying the update immediately if possible. Selecting Don't Install
will present the option the next time you connect your iOS device.
The automatic update process may take up to a week depending on the
day that iTunes or the device checks for updates. You may manually
obtain the update via the Check for Updates button within iTunes, or
the Software Update on your device.
To check that the iPhone, iPod touch, or iPad has been updated:
* Navigate to Settings
* Select General
* Select About. The version after applying this update
will be "6.1".
Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
| VAR-201210-0700 | No CVE | F5 FirePass Remote SQL Injection Vulnerability |
CVSS V2: - CVSS V3: - Severity: - |
F5's FirePass server is a powerful network device that provides users with secure access to corporate networks through any standard web browser. Some input passed to the FirePass controller is not properly filtered before being used in SQL queries. A remote attacker can exploit the vulnerability to obtain sensitive database information or control the application system. FirePass is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Versions prior to FirePass 7.0.0 HF-70-7 and 6.1.0 HF-610-9 are vulnerable.
TITLE:
F5 FirePass SQL Injection and Redirection Vulnerabilities
SECUNIA ADVISORY ID:
SA51045
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/51045/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=51045
RELEASE DATE:
2012-10-23
DESCRIPTION:
A weakness and a vulnerability have been reported in F5 FirePass,
which can be exploited by malicious people to conduct spoofing and
SQL injection attacks.
1) Input passed via the "refreshURL" parameter to
my.activation.cns.php3 is not properly verified before being used to
redirect users. This can be exploited to redirect a user to an
arbitrary website e.g. when a user clicks a specially crafted link. This can be
exploited to manipulate SQL queries by injecting arbitrary SQL code.
SOLUTION:
Update to version 7.0.0 HF-70-7 or 6.1.0 HF-610-9.
PROVIDED AND/OR DISCOVERED BY:
1) Aung Khant, YGN Ethical Hacker Group
2) The vendor credits Tal Zeltzer
ORIGINAL ADVISORY:
http://support.f5.com/kb/en-us/solutions/public/13000/800/sol13826.html
http://support.f5.com/kb/en-us/solutions/public/13000/800/sol13818.html
http://support.f5.com/kb/en-us/solutions/public/13000/600/sol13656.html
| VAR-201302-0018 | CVE-2012-3268 | HP/H3C and Huawei networking equipment h3c-user snmp vulnerability |
CVSS V2: 3.5 CVSS V3: - Severity: HIGH |
Certain HP Access Controller, Fabric Module, Firewall, Router, Switch, and UTM Appliance products; certain HP 3Com Access Controller, Router, and Switch products; certain HP H3C Access Controller, Firewall, Router, Switch, and Switch and Route Processing Unit products; and certain Huawei Firewall/Gateway, Router, Switch, and Wireless products do not properly implement access control as defined in h3c-user.mib 2.0 and hh3c-user.mib 2.0, which allows remote authenticated users to discover credentials in UserInfoEntry values via an SNMP request with the read-only community. Network devices made by HP/H3C and Huawei contain a vulnerability caused by missing access restrictions: SNMP request processing in these devices does not sufficiently restrict access. A remote attacker may gain access to the management functions of the product. Multiple HP products have security vulnerabilities that allow attackers to obtain sensitive information. No detailed vulnerability details are currently available. Hewlett-Packard (HP) is the world's leading high-tech provider, providing a full range of products such as notebooks, desktop computers, and workstations. The vulnerability is caused by the program not implementing access control correctly as defined in h3c-user.mib 2.0 and hh3c-user.mib 2.0. Through SNMP requests with the read-only community, remote authenticated attackers can exploit this vulnerability to discover credentials in UserInfoEntry values.
Identifiers
-----------
US-CERT VU#225404
CVE-2012-3268
Vendor release
--------------
HP/H3C:
https://h20565.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03515685&ac.admitted=1350939600802.876444892.492883150
Huawei: In the works
Researcher
----------
Kurt Grutzmacher
grutz <at> jingojango dot net
http://grutztopia.jingojango.net/
twitter: @grutz
Details
-------
Huawei/H3C have two OIDs, 'old' and 'new':
old: 1.3.6.1.4.1.2011.10
new: 1.3.6.1.4.1.25506
Most devices support both formats.
The MIBs h3c-user.mib and hh3c-user.mib, for the purpose of this
document, will be referred to as (h)h3c-user.mib. This MIB defines the
internal table and objects to "Manage configuration and Monitor running
state for userlog feature."
This means there are some cool objects with data in this MIB penetration
testers or malicious actors would want to get their dirty little hands
on. Most objects are only accessible with the read/write community string.
In the revision history of (h)h3c-user.mib, version 2.0 modified the
MAX-ACCESS from read-only to read-create the following objects within
the (h)h3cUserInfoEntry sequence:
(h)h3cUserName
(h)h3cUserPassword
(h)h3cAuthMode
(h)h3cUserLevel
The purpose of these objects is to provide the locally configured users
to those with a valid SNMP community. After the change only those with
the read-write community string should have access, however this was not
the case and the code still retained the earlier access of read-only.
So if you have the SNMP public community string then you have the
ability to view these entries.
Why this is impactful
---------------------
The (h)h3cUserPassword is presented in one of three formats as defined
in the (h)h3cAuthMode object and mirrors how passwords are stored in the
device configuration:
0 -- password simple, meaning cleartext
7 -- password cipher, meaning ciphertext
9 -- password sha-256, meaning one-way sha-256 hash
SHA-256 is a recent addition and is not supported on all devices yet.
Globbing some users
-------------------
You must have an SNMP read-only or read-write string and access to the
SNMP port (udp/161) for this to work:
$ snmpwalk -c public -v 1 $IP 1.3.6.1.4.1.2011.10.2.12.1.1.1
or
$ snmpwalk -c public -v 1 $IP 1.3.6.1.4.1.25506.2.12.1.1.1
Weaponizing
-----------
Files relevant to this disclosure:
hh3c-localuser-enum.rb - Metasploit auxiliary scanner module
snmp-h3c-login.nse - Nmap Scripting Engine module
These will soon be posted to https://github.com/grutz/h3c-pt-tools and
requested to be added to each tool.
Mitigation
----------
By itself this is already bad but most users who do any of the following
may already be protected:
1. Use complex SNMP community strings or disable SNMPv1
2. Have disabled the mib entries for (h)h3c-user
3. Do not define local users, use RADIUS or TACACS+
More specific routines can be found in the vendor's release.
Why this is a bigger problem
----------------------------
People make poor choices. They like to think their equipment won't rat
them out so they use cleartext passwords on networking equipment.
The cipher is an interesting one because it's basically an unknown...
What, you think the only thing I had to share at Toorcon was SNMP and
some cleartext credentials?
Timeline
--------
June-ish 2012: Research begins after seeing something cool on a
penetration test
August 6, 2012: Contacted US-CERT to coordinate vendor disclosure, VU#225404
September 5, 2012: No response from H3C, contacted US-CERT again
September 6, 2012: H3C (through US-CERT) requests more time, I state
intention to present findings at Toorcon (Oct 19/20, 2012) or disclose
if talk not accepted.
September 18, 2012: Approved for Toorcon! Information goes up not long
after on Toorcon website.
September 18-October 16, 2012: Build slides, work on tools, no contact
with US-CERT or vendors.
October 16, 2012: HP contacts me directly asking that I not present this
information at Toorcon
October 18, 2012: Publicly state agreement to cancel the Toorcon talk
October 22, 2012: HP discloses! What what? Why bother putting any
pressure not to give the talk if you're gonna give everything out 2 days
later?
October 23, 2012: So I publish.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Note: the current version of the following document is available here:
https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c03515685
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c03515685
Version: 2
HPSBHF02819 SSRT100920 rev.2 - HP, 3COM, and H3C Routers & Switches, Remote
Disclosure of Information
NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.
Release Date: 2012-10-25
Last Updated: 2012-10-25
Potential Security Impact: Remote disclosure of information
Source: Hewlett-Packard Company, HP Software Security Response Team
VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified with HP, 3COM, and
H3C routers and switches. The vulnerabilities could be remotely exploited
resulting in disclosure of information.
For more information, refer to CERT VU#225404 on the CERT website.
References: SSRT100962, CVE-2012-3268, CERT VU#225404
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
Vendor
Product Name
Product Number
HP
10500/7500 Advanced VPN Firewall Module
JD249A
H3C
S7500E SecBlade VPN Firewall Module
0231A832, LSQ1FWBSC0
HP
10504 Switch Chassis
JC613A
HP
10508 Switch Chassis
JC612A
HP
10508-V Switch Chassis
JC611A
HP
10512 Switch Chassis
JC748A
HP
12500 VPN Firewall Module
JC635A
HP
12508 DC Switch Chassis
JC652A
HP
12508 Switch Chassis
JC086A
H3C
S12508 Chassis
0235A38N
HP
12508 Switch Chassis
JF431A
HP
A12508 Switch Chassis
H3C
S12508 Chassis
0235A0E6
HP
12508 Switch Chassis
JF431B
HP
A12508 Switch Chassis
H3C
S12508 (AC-1) Routing Switch
0235A0GE
HP
12508 Switch Chassis
JF431C
HP
12518 DC Switch Chassis
JC653A
HP
12518 DC Switch Chassis
JC653A
HP
12518 Switch Chassis
JC085A
HP
A12518 Switch Chassis
H3C
S12518 Chassis
0235A38M
HP
12518 Switch Chassis
JF430A
HP
A12518 Switch Chassis
H3C
S12518 Chassis
0235A0E7
HP
12518 Switch Chassis
JF430B
HP
A12518 Switch Chassis
H3C
S12518 (AC-1) Routing Switch
0235A0GF
HP
12518 Switch Chassis
JF430C
HP
1910-16G Switch
JE005A
3Com
Baseline Plus 2900G Switch - 20 port
3CRBSG2093
HP
1910-24G Switch
JE006A
3Com
Baseline Plus 2900G Switch - 28 port
3CRBSG2893
HP
1910-24G-PoE (365W) Switch
JE007A
3Com
Baseline Plus 2900G Switch - 28HPWR
3CRBSG28HPWR93
HP
1910-24G-PoE (170W) Switch
JE008A
HP
V1910-24G-PoE (170W) Switch
3Com
Baseline Plus 2900G Switch - 28PWR
3CRBSG28PWR93
HP
1910-48G Switch
JE009A
3Com
Baseline Plus 2900 Switch Gigabit Family - 52 port
3CRBSG5293
HP
1910-8G Switch
JG348A
HP
1910-8G-PoE+ (180W) Switch
JG350A
HP
1910-8G-PoE+ (65W) Switch
JG349A
HP
200-CS UTM Appliance
JD268A
H3C
SecPath U200-CS
0235A0CT
HP
200-M UTM Appliance
JD274A
HP
3000-10G-PoE+ Wireless Switch
JD450A
HP
A3000-10G-PoE+ Wireless Switch
H3C
WX3010,8 PoEPlus
0235A37U
HP
3000-24G-PoE+ Wireless Switch
JD449A
HP
A3000-24G-PoE+ Wireless Switch
H3C
WX3024,4SFPCombo Plus Slot Plus PoEPlus
0235A37T
HP
3000-8G-PoE+ Wireless Switch
JD444A
H3C
WX3008, 4 POE Plus
0235A0AS
HP
3012 Router
JD916A
3Com
3012 Router
3C13612
HP
3013 Router
JD917A
3Com
3013 Router
3C13613
HP
3016 Router
JD918A
3Com
3016 Router
3C13616
HP
3036 Router
JD921A
3Com
3036 Router
3C13636
HP
3040 Router
JD922A
3Com
3040 Router
3C13640
HP
3041 Router
JD923A
3Com
3041 Router
3C13641
HP
3100-16 DC EI Switch
JD314A
HP
A3100-16 DC EI Switch
H3C
S3100-16TP-EI - model LS-3100-16TP-EI-H3-D-O
0235A23H
HP
3100-16 EI Switch
JD319A
H3C
S3100-16TP-EI - model LS-3100-16TP-EI-H3-A-O
0235A300
HP
3100-16 SI Switch
JD305A
H3C
S3100-16T-SI - model LS-S3100-16T-SI-AC-OVS
0235A15C
HP
3100-16 v2 EI Switch
JD319B
HP
3100-16 v2 SI Switch
JG222A
HP
3100-16-PoE EI Switch
JD312A
H3C
S3100-16TP-PWR-EI - model LS-3100-16TP-PWR-EI-H3
0235A19C
HP
3100-24 DC EI Switch
JD315A
HP
A3100-24 DC EI Switch
H3C
S3100-26TP-EI - model LS-3100-26TP-EI-H3-D-O
0235A23P
HP
3100-24 EI Switch
JD320A
HP
A3100-24 EI Switch
H3C
S3100-26TP-EI - model LS-3100-26TP-EI-H3-A-O
0235A301
HP
3100-24 SI Switch
JD306A
HP
A3100-24 SI Switch
H3C
S3100-26T-SI - model LS-S3100-26T-SI-AC-OVS
0235A15D
HP
3100-24 v2 EI Switch
JD320B
HP
3100-24 v2 SI Switch
JG223A
HP
3100-24-PoE EI Switch
JD313A
HP
A3100-24-PoE EI Switch
H3C
S3100-26TP-PWR-EI - model LS-3100-26TP-PWR-EI-H3
0235A19D
HP
3100-24-PoE v2 EI Switch
JD313B
HP
3100-48 Switch
JD317A
H3C
S3100-52P - model LS-3100-52P-OVS-H3
0235A248
HP
3100-48 v2 Switch
JG315A
HP
3100-8 DC EI Switch
JD316A
H3C
S3100-8TP-EI - model LS-3100-8TP-EI-H3-D-O
0235A23T
HP
3100-8 EI Switch
JD318A
H3C
S3100-8TP-EI - model LS-3100-8TP-EI-H3-A-O
0235A29Y
HP
3100-8 SI Switch
JD304A
HP
A3100-8 SI Switch
H3C
S3100-8T-SI - model LS-S3100-8T-SI-AC-OVS
0235A15B
HP
3100-8 SI Switch
JD307A
H3C
S3100-8C-SI - model LS-S3100-8C-SI-AC-OVS
0235A15F
HP
3100-8 v2 EI Switch
JD318B
HP
3100-8 v2 SI Switch
JG221A
HP
3100-8-PoE EI Switch
JD311A
H3C
S3100-8TP-PWR-EI - model LS-3100-8TP-PWR-EI-H3
0235A19B
HP
3600-24 EI Switch
JD331A
HP
A3600-24 EI Switch
H3C
S3600-28P-EI - model LS-3600-28P-EI-OVS
0235A10H
HP
3600-24 SI Switch
JD330A
HP
A3600-24 SI Switch
H3C
S3600-28P-SI - model LS-3600-28P-SI-OVS
0235A10G
HP
3600-24 v2 EI Switch
JG299A
HP
3600-24 v2 SI Switch
JG304A
HP
3600-24-PoE EI Switch
JD326A
HP
A3600-24-PoE EI Switch
H3C
S3600-28P-PWR-EI - model LS-3600-28P-PWR-EI-OVS
0235A10C
HP
3600-24-PoE SI Switch
JD325A
HP
A3600-24-PoE SI Switch
H3C
S3600-28P-PWR-SI - model LS-3600-28P-PWR-SI-OVS
0235A10B
HP
3600-24-PoE+ v2 EI Switch
JG301A
HP
3600-24-SFP EI Switch
JD334A
HP
A3600-24-SFP EI Switch
H3C
S3600-28F-EI - model LS-3600-28F-EI-OVS
0235A10L
HP
3600-24-SFP v2 EI Switch
JG303A
HP
3600-24TP SI Switch
JD329A
HP
A3600-24TP SI Switch
H3C
S3600-28TP-SI - model LS-3600-28TP-SI-OVS
0235A10F
HP
3600-48 EI Switch
JD333A
HP
A3600-48 EI Switch
H3C
S3600-52P-EI - model LS-3600-52P-EI-OVS
0235A10K
HP
3600-48 SI Switch
JD332A
H3C
S3600-52P-SI - model LS-3600-52P-SI-OVS
0235A10J
HP
3600-48 v2 EI Switch
JG300A
HP
3600-48 v2 SI Switch
JG305A
HP
3600-48-PoE EI Switch
JD328A
HP
A3600-48-PoE EI Switch
H3C
S3600-52P-PWR-EI - model LS-3600-52P-PWR-EI-OVS
0235A10E
HP
3600-48-PoE SI Switch
JD327A
HP
A3600-48-PoE SI Switch
H3C
S3600-52P-PWR-SI - model LS-3600-52P-PWR-SI-OVS
0235A10D
HP
3600-48-PoE+ v2 EI Switch
JG302A
HP
3600-48-PoE+ v2 SI Switch
JG307A
HP
3610-24-2G-2G-SFP Switch
JD337A
HP
A3610-24-2G-SFP Switch
H3C
S3610-28TP - model LS-3610-28TP-OVS
0235A22E
HP
3610-24-4G-SFP Switch
JD336A
HP
A3610-24-4G Switch
H3C
S3610-28P - model LS-3610-28P-OVS
0235A22D
HP
3610-24-SFP Switch
JD338A
HP
A3610-24-SFP Switch
H3C
S3610-28F - model LS-3610-28F-OVS
0235A22F
HP
3610-48 Switch
JD335A
HP
A3610-48 Switch
H3C
S3610-52P - model LS-3610-52P-OVS
0235A22C
HP
4200-12G Switch
JE015A
HP
E4200-12G Switch
3Com
4200G Switch 12-Port
3CR17660-91
HP
4210-16 Switch
JE024A
HP
E4210-16 Switch
3Com
4210 Switch 18-Port
3CR17332-91
HP
4210-16 Switch
JE025A
3Com
SWITCH 4210 18-Port
3CR17332A-91
HP
4210-24 Switch
JE026A
3Com
4210 Switch 26-Port
3CR17333-91
HP
4210-24 Switch
JF427A
HP
E4210-24 Switch
3Com
4210 Switch 26-Port
3CR17333A-91
HP
4210-24G Switch
JF844A
HP
E4210-24G Switch
3Com
4210-24G Switch
3CRS42G-24-91
HP
4210-24G-PoE Switch
JF846A
HP
E4210-24G-PoE Switch
3Com
Switch E4210-24G-PoE
3CRS42G-24P-91
HP
4210-24-PoE Switch
JE032A
3Com
4210 Switch PWR 26-Port
3CR17343-91
HP
4210-24-PoE Switch
JE033A
3Com
4210 PWR Switch 26-Port
3CR17343A-91
HP
4210-48 Switch
JE027A
3Com
4210 Switch 52-Port
3CR17334-91
HP
4210-48G Switch
JF845A
HP
E4210-48G Switch
3Com
4210-48G Switch
3CRS42G-48-91
HP
4210-8 Switch
JE021A
3Com
4210 Switch 9-Port
3CR17331-91
HP
4210-8 Switch
JE022A
3Com
4210 Switch 9-Port
3CR17331A-91
HP
4210-8-PoE Switch
JE028A
3Com
4210 PWR Switch 9-Port
3CR17341-91
HP
4210-8-PoE Switch
JE029A
3Com
4210 PWR Switch 9-Port
3CR17341A-91
HP
4500-24 Switch
JE045A
3Com
4500 Switch 26-Port
3CR17561-91
HP
4500-24G-PoE Switch
JE061A
3Com
4500G PWR Switch 24-Port
3CR17771-91
HP
4500-24-PoE Switch
JE047A
3Com
4500 PWR Switch 26-Port
3CR17571-91
HP
4500-48 Switch
JE046A
3Com
4500 Switch 50-Port
3CR17562-91
HP
4500-48G-PoE Switch
JE063A
HP
E4500-48G-PoE Switch
3Com
4500G PWR Switch 48-Port
3CR17772-91
HP
4500-48-PoE Switch
JE048A
3Com
4500 PWR Switch 50-Port
3CR17572-91
HP
4510-24G Switch
JF847A
HP
E4510-24G Switch
3Com
Switch E4510-24G
3CRS45G-24-91
HP
4510-48G Switch
JF428A
HP
E4510-48G Switch
3Com
4510G Switch 48 Port
3CRS45G-48-91
HP
4800-24G Switch
JD007A
3Com
4800G Switch 24-Port
3CRS48G-24-91
HP
4800-24G-PoE Switch
JD008A
3Com
4800G PWR Switch 24-Port
3CRS48G-24P-91
HP
4800-24G-SFP Switch
JD009A
HP
E4800-24G-SFP Switch
3Com
4800G Switch 24-Port SFP
3CRS48G-24S-91
HP
4800-48G Switch
JD010A
3Com
4800G Switch 48-Port
3CRS48G-48-91
HP
4800-48G-PoE Switch
JD011A
3Com
4800G PWR Switch 48-Port
3CRS48G-48P-91
HP
5012 Router
JD935A
3Com
5012 Router
3C13701
HP
5120-16G SI Switch
JE073A
H3C
S5120-20P-SI L2, 16GE Plus 4SFP
0235A42B
HP
5120-24G EI TAA-compliant Switch with 2 Interface Slots
JG245A
HP
5120-24G SI Switch
JE074A
H3C
S5120-28P-SI 24GE Plus 4 SFP
0235A42D
HP
5120-24G-PoE+ (170W) SI Switch
JG092A
H3C
S5120-28P-PWR-SI
0235A0E3
HP
5120-24G-PoE+ (370W) SI Switch
JG091A
H3C
S5120-28P-HPWR-SI
0235A0E5
HP
5120-24G-PoE+ EI Switch with 2 Interface Slots
JG236A
HP
5120-24G-PoE+ EI TAA-compliant Switch with 2 Slots
JG247A
HP
5120-48G EI TAA-compliant Switch with 2 Interface Slots
JG246A
HP
5120-48G SI Switch
JE072A
HP
A5120-48G SI Switch
H3C
S5120-52P-SI 48GE Plus 4 SFP
0235A41W
HP
5120-48G-PoE+ EI Switch with 2 Interface Slots
JG237A
HP
5120-48G-PoE+ EI TAA-compliant Switch with 2 Slots
JG248A
HP
5232 Router
JD943A
3Com
5232 Router
3C13751
HP
5500-24G DC EI Switch
JD373A
H3C
S5500-28C-EI-DC,Ethernet Switch
0235A24S
HP
5500-24G EI Switch
JD377A
H3C
S5500-28C-EI,Ethernet Switch
0235A253
HP
5500-24G EI TAA-compliant Switch with 2 Interface Slots
JG250A
HP
5500-24G SI Switch
JD369A
H3C
S5500-28C-SI,Ethernet Switch
0235A04U
HP
5500-24G-4SFP HI Switch with 2 Interface Slots
JG311A
HP
5500-24G-PoE EI Switch
JD378A
H3C
S5500-28C-PWR-EI,Ethernet Switch
0235A255
HP
5500-24G-PoE SI Switch
JD371A
H3C
S5500-28C-PWR-SI,Ethernet Switch
0235A05H
HP
5500-24G-PoE+ EI Switch with 2 Interface Slots
JG241A
HP
5500-24G-PoE+ EI TAA-compliant Switch with 2 Interface Slots
JG252A
HP
5500-24G-PoE+ SI Switch with 2 Interface Slots
JG238A
HP
5500-24G-SFP DC EI Switch
JD379A
H3C
S5500-28F-EI,Eth Swtch,DC Single Pwr
0235A259
HP
5500-24G-SFP EI Switch
JD374A
H3C
S5500-28F-EI,Eth Switch,AC Single
0235A24U
HP
5500-24G-SFP EI TAA-compliant Switch with 2 Interface Slots
JG249A
HP
5500-48G EI Switch
JD375A
H3C
S5500-52C-EI,Ethernet Switch
0235A24X
HP
5500-48G EI TAA-compliant Switch with 2 Interface Slots
JG251A
HP
5500-48G SI Switch
JD370A
H3C
S5500-52C-SI,Ethernet Switch
0235A04V
HP
5500-48G-4SFP HI Switch with 2 Interface Slots
JG312A
HP
5500-48G-PoE EI Switch
JD376A
H3C
S5500-52C-PWR-EI,Ethernet Switch
0235A251
HP
5500-48G-PoE SI Switch
JD372A
H3C
S5500-52C-PWR-SI,Ethernet Switch
0235A05J
HP
5500-48G-PoE+ EI Switch with 2 Interface Slots
JG240A
HP
5500-48G-PoE+ EI TAA-compliant Switch with 2 Interface Slots
JG253A
HP
5500-48G-PoE+ SI Switch with 2 Interface Slots
JG239A
HP
5500G-24 EI 10/100/1000 No Power Supply Unit Switch
JF551A
3Com
SS4 5500G-EI Switch 24PT (NO PSU)
3CR17254-91
HP
5500G-24 EI SFP No Power Supply Unit Switch
JF553A
3Com
SS4 5500G-EI 24 Port,SFP (NO PSU)
3CR17259-91
HP
5500G-48 EI 10/100/1000 No Power Supply Unit Switch
JF552A
3Com
SS4 5500G-EI Switch 48PT (NO PSU)
3CR17255-91
HP
5682 Router
JD946A
3Com
5682 Router
3C13759
HP
5800-24G Switch
JC100A
H3C
S5800-32C - 24-port 1BT Plus 4-port (SFP Plus ) Plus 1 media slot
0235A36U
HP
5800-24G TAA-compliant Switch
JG255A
HP
5800-24G-PoE Switch
JC099A
H3C
S5800-32C-PWR - 24-port 10/100/1000BASE-T (RJ45) Plus 4-port 10GBASE-X (SFP
Plus ) Plus 1 media module, PoE
0235A36S
HP
5800-24G-PoE+ TAA-compliant Switch
JG254A
HP
5800-24G-SFP Switch
JC103A
H3C
S5800-32F 24-port 1000BASE-X (SFP) Plus 4-port 10GBASE-X (SFP Plus ) Plus
media module (no power)
0235A374
HP
5800-24G-SFP TAA-compliant Switch with 1 Interface Slot
JG256A
HP
5800-48G Switch
JC105A
H3C
S5800-56C 48-port 10/100/1000BASE-T (RJ45) Plus 4port 10GBASE-X (SFP Plus )
Plus media module
0235A379
HP
5800-48G Switch with 2 Slots
JC101A
H3C
S5800-60C-PWR 48-port BT Plus 4-port SFP Plus 2 media modules Plus OSM
0235A36W
HP
5800-48G TAA-compliant Switch with 1 Interface Slot
JG258A
HP
5800-48G-PoE Switch
JC104A
H3C
S5800-56C-PWR 48-port BT Plus 4 port (SFP Plus ) Plus media module
0235A378
HP
5800-48G-PoE+ TAA-compliant Switch with 1 Interface Slot
JG257A
HP
5800-48G-PoE+ TAA-compliant Switch with 2 Interface Slots
JG242A
HP
5800AF-48G Switch
JG225A
HP
5810-48G Switch
JF242A
HP
A5810-48G with 2 SFP+ slots AC Switch
H3C
S5810 48-BT, 2 SFP Plus , AC
0235A42H
HP
5820 VPN Firewall Module
JD255A
HP
A5820 VPN Firewall Module
H3C
S5820 SecBlade VPN Firewall Module
LSWM1FW10, 0231A94J
HP
5830 CTO Built Switch
JG478A
HP
5830AF-48G Switch with 1 Interface Slot
JC691A
HP
5830AF-96G Switch
JC694A
HP
6600 Firewall Processing Router Module
JD250A
HP
A6600 Firewall Processing Module
H3C
SR66 Gigabit Firewall Module
0231A88A
HP
6600 RPE-X1 Router Module
JC165A
HP
A6600 RPE-X1 Main Processing Unit
H3C
RT-SR66-RPE-X1-H3
RPE-X1, 0231A761
HP
6600 RSE-X1 Router Main Processing Unit
JC566A
HP
6602 Router Chassis
JC176A
HP
A6602 Router
H3C
SR6602 1U Router Host
0235A27D
HP
6604 Router Chassis
JC178A
HP
A6604 Router Chassis
H3C
RT-SR6604-OVS-H3
0235A37X
HP
6604 Router Chassis
JC178B
HP
6608 Router
JC177A
HP
A6608 Router
H3C
RT-SR6608-OVS-H3
0235A32X
HP
6608 Router Chassis
JC177B
HP
6616 Router Chassis
JC496A
HP
A6616 Router Chassis
H3C
SR6616 Router Chassis
0235A41D
HP
7500 384Gbps Fabric Module
JD194A
HP
A7500 384Gbps Fabric/Main Processing Unit
H3C
S7500E 384 Gbps Fabric
0231A73K
HP
7500 384Gbps Fabric Module with 2 XFP Ports
JD193A
HP
A7500 384Gbps Fabric/Main Processing Unit with 2 10GbE XFP Ports
H3C
S7500E 384 Gbps Fabric w/ 2-port 10GBASE-X (XFP)
0231A73J
HP
7500 384Gbps Fabric Module with 2 XFP Ports
JD193B
HP
A7500 384Gbps Fabric/Main Processing Unit with 2 10GbE XFP Ports
H3C
S7500E Salience VI-10G Switch and Route Processing Unit, with 2 XFP Interfaces
LSQ1SRP2XB0, 0231A0KW
HP
7500 384Gbps TAA-compliant Fabric / Main Processing Unit
JC700A
HP
7500 384Gbps TAA-compliant Fabric / MPU with 2 10GbE XFP Ports
JC699A
HP
7500 768Gbps Fabric Module
JD220A
HP
A7510 768Gbps Fabric/Main Processing Unit
H3C
S7510E 768 Gbps Fabric
LSQ1SRPD0, 0231A86P
HP
7500 768Gbps TAA-compliant Fabric / Main Processing Unit
JC701A
HP
A7510 768Gbps TAA-compliant Fabric/Main Processing Unit
HP
7502 Switch Chassis
JD242A
HP
A7502 Switch Chassis
H3C
S7502E Chassis w/ fans
0235A29A
HP
7502 Switch Chassis
JD242B
H3C
S7502E Ethernet Switch Chassis with Fan
0235A0G4
HP
7502 TAA-compliant Main Processing Unit
JC697A
HP
A7502 TAA-compliant Main Processing Unit
HP
7503 Switch Chassis
JD240A
HP
A7503 Switch Chassis
H3C
S7503E Chassis w/ fans
0235A27R
HP
7503 Switch Chassis
JD240B
HP
A7503 Switch Chassis
H3C
S7503E Ethernet Switch Chassis with Fan
0235A0G2
HP
7503 Switch Chassis with 1 Fabric Slot
JD243A
HP
A7503-S Switch Chassis
H3C
S7503E-S Chassis w/ fans
0235A33R
HP
7503 Switch Chassis with 1 Fabric Slot
JD243B
H3C
S7503E-S Ethernet Switch Chassis with Fan
0235A0G5
HP
7503-S 144Gbps Fabric/MPU with PoE Upgradable 20-port Gig-T/4-port GbE Combo
JC666A
HP
7503-S 144Gbps TAA Fabric / MPU with 16 GbE SFP Ports and 8 GbE Combo Ports
JC698A
HP
7506 Switch Chassis
JD239A
HP
A7506 Switch Chassis
H3C
S7506E Chassis w/ fans
0235A27Q
HP
7506 Switch Chassis
JD239B
HP
A7506 Switch Chassis
H3C
S7506E Ethernet Switch Chassis with Fan
0235A0G1
HP
7506 Vertical Switch Chassis
JD241A
HP
A7506-V Switch Chassis
H3C
S7506E-V Chassis w/ fans
0235A27S
HP
7506 Vertical Switch Chassis
JD241B
HP
A7506-V Switch Chassis
H3C
S7506E-V Ethernet Switch Chassis with Fan
0235A0G3
HP
7510 Switch Chassis
JD238A
HP
A7510 Switch Chassis
H3C
S7510E Chassis w/ fans
0235A25N
HP
7510 Switch Chassis
JD238B
HP
A7510 Switch Chassis
H3C
S7510E Ethernet Switch Chassis with Fan
0235A0G0
HP
8800 Firewall Processing Module
JD251A
H3C
SR88 Firewall Processing Module
0231A88L
HP
8802 Router Chassis
JC147A
HP
A8802 Router Chassis
H3C
SR8802 10G Core Router Chassis
0235A31B
HP
8802 Router Chassis
JC147B
HP
A8802 Router Chassis
H3C
SR8802 10G Core Router Chassis
0235A0GC
HP
8805 Router Chassis
JC148A
HP
A8805 Router Chassis
H3C
SR8805 10G Core Router Chassis
0235A31C
HP
8805 Router Chassis
JC148B
HP
A8805 Router Chassis
H3C
SR8805 10G Core Router Chassis
0235A0G8
HP
8807 7-slot Chassis Kit
JE203A
3Com
8807 Switch 7-slot Chassis Kit
3C17543
HP
8807 Kit (TAA) Switch
JE204A
3Com
SW8807 Kit TAA
3C17543TAA
HP
8808 Router Chassis
JC149A
HP
A8808 Router Chassis
H3C
SR8808 10G Core Router Chassis
0235A31D
HP
8808 Router Chassis
JC149B
HP
A8808 Router Chassis
H3C
SR8808 10G Core Router Chassis
0235A0G9
HP
8810 10-slot AC (TAA) Chassis Kit
JE201A
3Com
SW8810 AC Chassis Kit TAA
3C17541TAA
HP
8810 10-slot Chassis Kit
JE200A
3Com
8810 Switch 10-slot Chassis Kit
3C17541
HP
8812 Router Chassis
JC150A
HP
A8812 Router Chassis
H3C
SR8812 10G Core Router Chassis
0235A31E
HP
8812 Router Chassis
JC150B
HP
A8812 Router Chassis
H3C
SR8812 10G Core Router Chassis
0235A0GA
HP
8814 14-slot AC (TAA) Chassis Kit
JE199A
3Com
SW8814 AC Chassis Kit TAA
3C17540TAA
HP
8814 14-slot Chassis Kit
JE198A
3Com
8814 Switch 14-slot Chassis Kit
3C17540
HP
9500 VPN Firewall Module
JD245A
H3C
S9500E SecBlade VPN Firewall Module
LSR1FW2A1, 0231A0AV
HP
9505 Switch Chassis
JC124B
HP
A9505 Switch Chassis
H3C
S9505E Routing-Switch Chassis
0235A0G6
HP
9508-V Switch Chassis
JC474A
H3C
S9508E-V Routing-Switch Chassis
0235A38Q
HP
9508-V Switch Chassis
JC474B
H3C
S9508E-V Routing-Switch Chassis
0235A38Q
HP
9512 Switch Chassis
JC125A
HP
A9512 Switch Chassis
H3C
S9512E Chassis w/ Fans
0235A38R
HP
9512 Switch Chassis
JC125B
HP
A9512 Switch Chassis
H3C
S9512E Routing-Switch Chassis
0235A0G7
HP
A3100 (LS6MCFL1UB) Ethernet Switch
JE545A
H3C
S3100 Ethernet Switch,LS6MCFL1UB,Sin
0231A65T
HP
A3100-16 DC SI 2-slot Switch
JD302A
H3C
S3100-16C-SI - model LS-S3100-16C-SI-DC-OVS
0235A14V
HP
A3100-16 SI with 2 External Slots Switch
JD308A
H3C
S3100-16C-SI - model LS-S3100-16C-SI-AC-OVS
0235A15G
HP
A3100-24 DC SI 2-slot Switch
JD303A
H3C
S3100-26C-SI - model LS-S3100-26C-SI-DC-OVS
0235A14W
HP
A3100-24 SI 2-slot Switch
JD309A
H3C
S3100-26C-SI - model LS-S3100-26C-SI-AC-OVS
0235A15H
HP
A3100-26C-EPON-EI Switch
JG059A
HP
A3100-8 SI 1-slot Switch
JD310A
H3C
S3100-8C-SI - model LS-S3100-8C-SI-DC-OVS
0235A15J
HP
A5100-16G EI Switch
JD351A
H3C
S5100-16P-EI - model LS-5100-16P-EI-OVS-H3
0235A21Q
HP
A5100-16G SI Switch
JD356A
H3C
S5100-16P-SI - model LS-5100-16P-SI-OVS-H3
0235A22R
HP
A5100-16G-PoE EI Switch
JD353A
H3C
S5100-16P-PWR-EI - model LS-5100-16P-PWR-EI-OVS
0235A22K
HP
A5100-24G EI Switch
JD346A
H3C
S5100-24P-EI - model LS-5100-24P-EI-OVS
0235A08K
HP
A5100-24G EI Switch with SFP Uplink
JD344A
H3C
S5100-26C-EI - model LS-5100-26C-EI-OVS
0235A08F
HP
A5100-24G SI Switch
JD348A
H3C
S5100-24P-SI - model LS-5100-24P-SI-OVS-H3
0235A20Q
HP
A5100-24G-PoE EI Switch
JD354A
H3C
S5100-26C-PWR-EI - model LS-5100-26C-PWR-EI-OVS
0235A22M
HP
A5100-48G EI Switch
JD347A
H3C
S5100-48P-EI - model LS-5100-48P-EI-OVS
0235A08M
HP
A5100-48G EI Switch with SFP Uplink
JD345A
H3C
S5100-50C-EI - model LS-5100-50C-EI-OVS
0235A08H
HP
A5100-48G SI Switch
JD349A
H3C
S5100-48P-SI - model LS-5100-48P-SI-OVS-H3
0235A20R
HP
A5100-48G-PoE EI Switch
JD355A
H3C
S5100-50C-PWR-EI - model LS-5100-50C-PWR-EI-OVS
0235A22P
HP
A5100-8G EI Switch
JD350A
H3C
S5100-8P-EI - model LS-5100-8P-EI-OVS-H3
0235A21P
HP
A5100-8G SI Switch
JD357A
H3C
S5100-8P-SI - model LS-5100-8P-SI-OVS-H3
0235A22T
HP
A5100-8G-PoE EI Switch
JD352A
H3C
S5100-8P-PWR-EI - model LS-5100-8P-PWR-EI-OVS
0235A22H
HP
A5120-24G EI Switch
JE066A
H3C
S5120-24P-EI 24GE Plus 4ComboSFP
0235A0BQ
HP
A5120-24G EI Switch with 2 Interface Slots
JE068A
H3C
S5120-28C-EI 24GE Plus 4Combo Plus 2Slt
0235A0BS
HP
A5120-24G-PoE EI 2-slot Switch
JE070A
H3C
S5120-28C-PWR-EI 24G Plus 4C Plus 2S Plus POE
0235A0BU
HP
A5120-48G EI Switch
JE067A
H3C
S5120-48P-EI 48GE Plus 4ComboSFP
0235A0BR
HP
A5120-48G EI Switch with 2 Interface Slots
JE069A
H3C
S5120-52C-EI 48GE Plus 4Combo Plus 2Slt
0235A0BT
HP
A5120-48G-PoE EI 2-slot Switch
JE071A
H3C
S5120-52C-PWR-EI 48G Plus 4C Plus 2S Plus POE
0235A0BV
HP
A6604 Router Bundle with RPE-X1 Modules and Power Supply
JE528A
H3C
SR6604 Router Bundle with RPE-X1 and Pow
0150A12B
HP
A6604 Router with 2 RPE-X1 Modules
JC158A
H3C
RT-SR6604-OVS Plus 2 RPE-X1 Plus 2 AC-H3
0150A12C
HP
A6608 Router (RT-SR6608-OVS+2 RPE-X1+2 AC-H3) Bundle
JE527A
H3C
RT-SR6608-OVS Plus 2 RPE-X1 Plus 2 AC-H3
0150A12A
HP
A6608 Router Bundle with RPE-X1 Modules and Power Supply
JE526A
H3C
SR6608 Router Bundle with RPE-X1 and Pow
0150A129
HP
A9508 Switch Chassis
JC124A
H3C
S9505E Chassis w/ Fans
0235A38P
HP
A-MSR20-15 A Multi-service Router
JD670A
H3C
MSR 20-15 A
0235A31Q
HP
A-MSR20-15 AW Multi-service Router
JD671A
H3C
MSR 20-15 A W
0235A31R
HP
A-MSR20-15 I Multi-service Router
JD672A
H3C
MSR 20-15 I
0235A31N
HP
A-MSR20-15 IW Multi-service Router
JD667A
H3C
MSR 20-15 IW
0235A31P
HP
A-MSR20-21 Router
JD432A
H3C
MSR-20-21 Router
0235A19J
HP
A-MSR20-21 Router
JD663A
H3C
MSR 20-21
0235A325
HP
A-MSR30-20 Multi-service Router Security Bundle
JF286A
H3C
MSR 30-20 Router Host
RTVZ33020AS, 0235A20S
HP
A-MSR30-40, RT-MSR3040-AC-OVS-AS-H3 Multi-service Router
JF232A
H3C
RT-MSR3040-AC-OVS-AS-H3
0235A20V
HP
AR 18-31E Router
JD172A
H3C
AR18-31E Router
0235A09T
HP
E4200-24 SI Switch
JE013A
3Com
4200-SI Switch 28 Port
3C17304A
HP
E4200-24G Switch
JE016A
3Com
4200G Switch 24-Port
3CR17661-91
HP
E4200-24G-PoE Switch
JE020A
3Com
4200G Switch PWR 24-Port
3CR17671-91
HP
E4200-48 SI Switch
JE012A
3Com
4200-SI Switch 50 Port
3C17302A
HP
E4200-48G Switch
JE018A
3Com
4200G Switch 48-Port
3CR17662-91
HP
E4210 8-port (TAA) Switch
JE023A
3Com
4210 Switch 9-Port TAA
3CR17331TAA-91
HP
E4210-16-PoE Switch
JE031A
3Com
4210 Switch PWR 18-Port
3CR17342-91
HP
E4210-8-PoE (TAA) Switch
JE030A
3Com
4210 Switch PWR 9P TAA
3CR17341TAA-91
HP
E4500-24G (TAA) Switch
JE058A
3Com
4500G Switch 24-Port TAA
3CR17761TAA-91
HP
E4500-24G Switch
JE057A
3Com
4500G Switch 24-Port
3CR17761-91
HP
E4500-24G-PoE (TAA) Switch
JE062A
3Com
4500G PWR Switch 24-Port TAA
3CR17771TAA-91
HP
E4500-48G (TAA) Switch
JE060A
3Com
4500G Switch 48-Port TAA
3CR17762TAA-91
HP
E4500-48G Switch
JE059A
3Com
4500G Switch 48-Port
3CR17762-91
HP
E4500-48G-PoE (TAA) Switch
JE064A
3Com
4500G PWR Switch 48-Port TAA
3CR17772TAA-91
HP
E5500-24 EI (TAA) Switch
JE102A
3Com
TAA 5500-EI Switch 28-Port
3CR17161TAA-91
HP
E5500-24 SI Switch
JE099A
3Com
SS4 5500-SI Switch 28 Port
3CR17151-91
HP
E5500-24 Switch
JE101A
3Com
5500-EI Switch 28-Port
3CR17161-91
HP
E5500-24G (TAA) Switch
JE089A
3Com
TAA COMPLIANT 5500G-EI 24-Port
3CR17250TAA-91
HP
E5500-24G Switch
JE088A
3Com
5500G-EI Switch 24 Port
3CR17250-91
HP
E5500-24G-PoE (TAA) Switch
JE093A
3Com
TAA COMPLIANT 5500G-EI PWR 24P
3CR17252TAA-91
HP
E5500-24G-PoE Switch
JE092A
3Com
5500G-EI Switch PWR 24-Port
3CR17252-91
HP
E5500-24G-SFP (TAA) Switch
JE097A
3Com
TAA COMPLIANT 5500G-EI SFP 24P
3CR17258TAA-91
HP
E5500-24G-SFP Switch
JE096A
3Com
5500G-EI Switch SFP 24-Port
3CR17258-91
HP
E5500-24-PoE EI (TAA) Switch
JE106A
3Com
TAA 5500-EI PWR Switch 28-Port
3CR17171TAA-91
HP
E5500-24-PoE Switch
JE105A
3Com
5500-EI PWR Switch 28-Port
3CR17171-91
HP
E5500-24-SFP Switch
JE109A
3Com
5500-EI Switch 28-Port FX
3CR17181-91
HP
E5500-24-SPF EI (TAA) Switch
JE110A
3Com
TAA SWITCH 5500-EI 28-Port FX
3CR17181TAA-91
HP
E5500-48 EI (TAA) Switch
JE104A
3Com
TAA SWITCH 5500-EI 52-Port
3CR17162TAA-91
HP
E5500-48 SI Switch
JE100A
3Com
SS4 SWITCH 5500-SI 52 Port
3CR17152-91
HP
E5500-48 Switch
JE103A
3Com
5500-EI Switch 52-Port
3CR17162-91
HP
E5500-48G (TAA) Switch
JE091A
3Com
TAA COMPLIANT 5500G-EI 48-Port
3CR17251TAA-91
HP
E5500-48G Switch
JE090A
3Com
5500G-EI Switch 48-Port
3CR17251-91
HP
E5500-48G-PoE (TAA) Switch
JE095A
3Com
TAA COMPLIANT 5500G-EI PWR 48P
3CR17253TAA-91
HP
E5500-48G-PoE Switch
JE094A
3Com
5500G-EI PWR Switch 48-Port
3CR17253-91
HP
E5500-48-PoE EI (TAA) Switch
JE108A
3Com
TAA 5500-EI PWR Switch 52-Port
3CR17172TAA-91
HP
E5500-48-PoE Switch
JE107A
3Com
5500-EI PWR Switch 52-Port
3CR17172-91
HP
E7902 Switch Chassis
JE164A
3Com
S7902E Chassis Kit w/ fans
3CS7902E
HP
E7903 1 Fabric Slot Switch Chassis
JE166A
3Com
S7903E-S Chassis Kit w/ fans
3CS7903ES
HP
E7903 Switch Chassis
JE165A
3Com
S7903E Chassis Kit w/ fans
3CS7903E
HP
E7906 Switch Chassis
JE167A
3Com
S7906E Chassis Kit w/ fans
3CS7906E
HP
E7906 Vertical Switch Chassis
JE168A
3Com
S7906E-V Chassis Kit w/ fans
3CS7906EV
HP
F1000-E VPN Firewall Appliance
JD272A
H3C
F1000-E VPN Firewall
0235A26G
HP
F1000-EI VPN Firewall Appliance
JG214A
HP
F1000-S-EI VPN Firewall Appliance
JG213A
HP
F5000 Firewall Main Processing Unit
JG215A
HP
MSR 50-40 Router
JD655A
H3C
MSR 50-40 Chassis
0235A20N
HP
MSR20-10 Router
JD431A
H3C
MSR 20-10
0235A0A7
HP
MSR20-11 Router
JD673A
H3C
MSR 20-11
0235A31V
HP
MSR20-11 Router
JF239A
H3C
RT-MSR2011-AC-OVS-H3
0235A395
HP
MSR20-12 Router
JD674A
H3C
MSR 20-12
0235A32E
HP
MSR20-12 Router
JF241A
H3C
RT-MSR2012-AC-OVS-H3
0235A396
HP
MSR20-12-T Router
JD676A
H3C
MSR 20-12 T1
0235A32B
HP
MSR20-12-T Router
JF806A
H3C
RT-MSR2012-T-AC-OVS-H3
0235A398
HP
MSR20-12-T-W Router (NA)
JG209A
HP
MSR20-12-W Router
JD675A
H3C
MSR20-12 W
0235A32G
HP
MSR20-12-W Router
JF807A
H3C
RT-MSR2012-AC-OVS-W-H3
0235A397
HP
MSR20-13 Router
JD668A
H3C
MSR 20-13
0235A31W
HP
MSR20-13 Router
JF240A
H3C
RT-MSR2013-AC-OVS-H3
0235A390
HP
MSR20-13-W Router
JD669A
H3C
MSR 20-13 W
0235A31X
HP
MSR20-13-W Router
JF808A
H3C
RT-MSR2013-AC-OVS-W-H3
0235A391
HP
MSR20-13-W Router (NA)
JG210A
HP
MSR20-15 Router
JF817A
H3C
MSR 20-15 Router Host (AC), 1 FE, 4 LSW, 1 ADSLoPOTS, 1 DSIC
0235A0A8
HP
MSR20-15-A Router
JF237A
H3C
RT-MSR2015-AC-OVS-A-H3
0235A392
HP
MSR20-15-A-W Router
JF809A
H3C
RT-MSR2015-AC-OVS-IW-H3
0235A38V
HP
MSR20-15-I Router
JF236A
H3C
RT-MSR2015-AC-OVS-I-H3
0235A394
HP
MSR20-15-I-W Router
JF238A
H3C
RT-MSR2015-AC-OVS-AW-H3
0235A393
HP
MSR20-20 Router
JD662A
HP
A-MSR20-20 Router
H3C
MSR 20-20
0235A19H
HP
MSR20-20 Router
JF283A
H3C
RT-MSR2020-AC-OVS-H3C
0235A324
HP
MSR20-21 Router
JD663B
HP
MSR20-40 Router
JD664A
H3C
MSR 20-40
0235A19K
HP
MSR20-40 Router
JF228A
H3C
RT-MSR2040-AC-OVS-H3
0235A326
HP
MSR30-10 DC Router
JG184A
HP
MSR30-10 Router
JF816A
H3C
MSR 30-10 Router Host (AC), 2FE, 2SIC, 1XMIM, 256DDR
0235A39H
HP
MSR30-11 Router
JF800A
H3C
RT-MSR3011-AC-OVS-H3
0235A29L
HP
MSR30-11E Router
JG182A
HP
MSR30-11F Router
JG183A
HP
MSR30-16 PoE Router
JD659A
H3C
MSR 30-16 POE
0235A238
HP
MSR30-16 PoE Router
JF234A
H3C
RT-MSR3016-AC-POE-OVS-H3
0235A321
HP
MSR30-16 Router
JD665A
H3C
MSR 30-16
0235A237
HP
MSR30-16 Router
JF233A
H3C
RT-MSR3016-AC-OVS-H3
0235A327
HP
MSR30-16 Router with VCX and 4-port FXO and 2-port FXS Modules
JD025A
HP
A-MSR30-16 Router with VCX and 4-port FXO and 2-port FXS Modules
3Com
MSR 3016 VCX CPM 4FXO/2FXS Bundle
3CRBVCXMSR03A
HP
MSR30-16 Router with VCX Enterprise Branch Communications MIM Module
JD024A
HP
A-MSR30-16 Router with VCX Ent MIM Module
3Com
MSR 3016 VCX Ent MIM Bundle
3CRBVCXMSR02A
HP
MSR30-20 DC Router
JF235A
H3C
RT-MSR3020-DC-OVS-H3
0235A267
HP
MSR30-20 PoE Router
JD660A
H3C
MSR 30-20 POE
0235A239
HP
MSR30-20 PoE Router
JF802A
H3C
RT-MSR3020-AC-POE-OVS-H3
0235A322
HP
MSR30-20 Router
JD666A
H3C
MSR 30-20
0235A19L
HP
MSR30-20 Router
JF284A
H3C
MSR 30-20 Router
0235A328
HP
MSR30-40 DC Router
JF287A
H3C
MSR 30-40 Router Host (DC)
0235A268
HP
MSR30-40 PoE Router
JD661A
H3C
MSR 30-40 POE
0235A25R
HP
MSR30-40 PoE Router
JF803A
H3C
RT-MSR3040-AC-POE-OVS-H3
0235A323
HP
MSR30-40 Router
JD657A
H3C
MSR 30-40
0235A20J
HP
MSR30-40 Router
JF229A
H3C
RT-MSR3040-AC-OVS-H
0235A299
HP
MSR30-40 Router with VCX and 8-port BRI and 4-port FXS Modules
JD027A
3Com
MSR 3040 VCX CPM 8BRI/4FXS Bundle
3CRBVCXMSR06A
HP
MSR30-40 Router with VCX and 8-port FXO and 4-port FXS Modules
JD026A
3Com
MSR 3040 VCX CPM 8FXO/4FXS Bundle
3CRBVCXMSR05A
HP
MSR30-40 Router with VCX and E1 and 4-port BRI and 4-port FXS Modules
JD029A
HP
A-MSR30-40 Router with VCX and E1 and 4-port BRI and 4-port FXS Modules
3Com
MSR 3040 VCX CPM E1/4BRI/4FXS Bundle
3CRBVCXMSR08A
HP
MSR30-40 Router with VCX and T1 and 4-port FX0 and 4-port FXS Modules
JD028A
HP
A-MSR30-40 Router with VCX and T1 and 4-port FX0 and 4-port FXS Modules
3Com
MSR 3040 VCX CPM T1/4FXO/4FXS Bundle
3CRBVCXMSR07A
HP
MSR30-40 Router with VCX MIM Module
JD023A
3Com
MSR 3040 VCX Ent MIM Bundle
3CRBVCXMSR01A
HP
MSR30-60 DC Router
JF801A
H3C
RT-MSR3060-DC-OVS-H3
0235A269
HP
MSR30-60 PoE Router
JD654A
H3C
MSR 30-60 POE
0235A25S
HP
MSR30-60 PoE Router
JF804A
H3C
RT-MSR3060-AC-POE-OVS-H3
0235A296
HP
MSR30-60 Router
JD658A
H3C
MSR 30-60
0235A20K
HP
MSR30-60 Router
JF230A
H3C
RT-MSR3060-AC-OVS-H3
0235A320
HP
MSR50-40 DC Router
JF285A
HP
A-MSR50-40 DC Router Chassis
H3C
MSR5040-DC-OVS-H3C
0235A20P
HP
MSR50-40 Router
JD433A
H3C
MSR 50-40 Router
0235A297
HP
MSR50-60 Router
JD656A
H3C
MSR 50-60 Chassis
0235A20L
HP
MSR50-60 Router
JF231A
H3C
RT-MSR5060-AC-OVS-H3
0235A298
HP
MSR50-60 Router Chassis with DC Power Supply
JF640A
HP
MSR900 2-port FE WAN / 4 -port FE LAN Router
JF812A
H3C
MSR 900 Router, 2 FE WAN, 4 FE LAN, 256DDR
0235A0BX
HP
MSR900-W Router
JF814A
H3C
MSR 900 Router with 802.11b/g, 2 FE WAN, 4 FE LAN, 256DDR, 802.11b
0235A0C2
HP
MSR900-W Router (NA)
JG207A
HP
MSR920 2-port FE WAN / 8-port FE LAN / 802.11b/g Router
JF815A
H3C
MSR 920 Router with 802.11b/g, 2 FE WAN, 8 FE LAN, 256DDR
0235A0C4
HP
MSR920 Router
JF813A
H3C
MSR 920 Router, 2 FE WAN, 8 FE LAN, 256DDR
0235A0C0
HP
MSR920-W Router (NA)
JG208A
HP
6040 Router Chassis
JD967A
3Com
6040 Router Chassis
3C13840
HP
6080 Router Chassis
JD972A
3Com
6080 Router Chassis
3C13880
HP
S5600-26C Ethernet Switch
JD393A
H3C
S5600-26C Ethernet Switch
0235A11F
HP
S5600-26C-PoE Ethernet Switch
JD394A
H3C
S5600-26C-PWR Ethernet Switch
0235A11G
HP
S5600-26F Ethernet Switch
JD395A
H3C
S5600-26F Ethernet Switch
0235A11H
HP
S5600-50C Ethernet Switch
JD391A
H3C
S5600-50C Ethernet Switch
0235A11D
HP
S5600-50C PoE Ethernet Switch
JD392A
H3C
S5600-50C-PWR Ethernet Switch
0235A11E
HP
S9502 (LS-9502-OVS-H3) Routing Switch Chassis
JE551A
H3C
LS-9502-OVS-H3
0235A21X
HP
S9505 Routing Switch Chassis
JC055A
H3C
S9505 Routing Switch Chassis
0235A17A
HP
S9508 Routing Switch Chassis
JC054A
H3C
S9508 Routing Switch Chassis
0235A16T
HP
S9512 Routing Switch Chassis
JC056A
H3C
S9512 Routing Switch Chassis
0235A17B
HP
U200-A UTM Appliance
JD275A
HP
A-U200-A Unified Threat Management Appliance
H3C
SecPath U200-A
0235A36Q
HP
U200-S UTM Appliance
JD273A
HP
A-U200-S Unified Threat Management Appliance
H3C
SecPath U200-S
0235A36N
HP
WX5002 Access Controller
JD447A
H3C
WX5002 Access Controller
0235A34B
HP
WX5002 Access Controller
JD447B
HP
A-WX5002 Access Controller
H3C
WX5002 Access Controller
0235A34B
HP
WX5002 Access Controller
JD468A
3Com
WX 5002 Access Controller
3CRUWX500275
HP
WX5004 Access Controller
JD448A
HP
A-WX5004 Access Controller
H3C
WX5004 Access Controller
0235A35J
HP
WX5004 Access Controller
JD448B
HP
A-WX5004 Access Controller
H3C
WX5004 4-Port 1000BASE-X/1000BASE-T (Combo) Access Controller
0235A0GD
HP
WX5004 Access Controller
JD469A
3Com
WX 5004 Access Controller
3CRUWX500475
HP
WX6103 Access Controller Support up to 128 Access Points
JF247A
BACKGROUND
CVSS 2.0 Base Metrics
===========================================================
  Reference              Base Vector             Base Score
CVE-2012-3268    (AV:N/AC:M/Au:N/C:C/I:C/A:C)       9.3
===========================================================
Information on CVSS is documented in HP Customer Notice: HPSN-2008-002
The Hewlett-Packard Company thanks Kurt Grutzmacher (grutz@jingojango.net)
and CERT/CC for reporting these vulnerabilities to security-alert@hp.com
RESOLUTION
If your product is listed as vulnerable, a software update to address this
issue may be available for download.
Using a web browser, go to http://www.hp.com/networking/support .
Enter the product number or product description into Auto Search.
Select the displayed result and click 'Display selected'.
Click Software Downloads from the list of choices provided below.
There is a section called 'Early Availability' which will contain software
that addresses this issue. The descriptive text of the software should
indicate SSRT100920 as a further indication that the software addresses this
issue. There are important considerations about using Early Availability
software:
Early Availability software is recommended for use in:
Lab testing prior to upgrading a production network
Evaluation of new features prior to general deployment
Evaluation with specific applications prior to wider deployment
Please evaluate this software thoroughly prior to deployment in a production
environment.
If your product is listed as vulnerable and software is not available via the
process outlined previously, you may contact HP Networking support directly
by going to this URL:
https://h10145.www1.hp.com/help/Help_ContactInfo.aspx?cwp=2&SelectedTab=2 and
clicking on your location to get the technical support telephone number.
There are other support options such as Electronic Case submission available.
If your product is listed as vulnerable and a software update is not yet
available, HP is currently working to address these vulnerabilities with a
new software update. This Security Bulletin will be revised when the software
update is available. Until the update is available, if you have an
impacted product, the following mitigations are recommended:
Moving to SNMPv3 with authentication and privacy for all network management
applications.
Using SNMPv3's VACM to block access to the H3C-USER-MIB for SNMPv1/v2c users.
Here is an example configuration using the snmp-agent command:
snmp-agent mib-view include readView iso
snmp-agent mib-view exclude readView hh3cUserPassword
snmp-agent mib-view include writeView iso
snmp-agent mib-view exclude writeView hh3cUserPassword
snmp-agent mib-view include notifyView iso
snmp-agent group v1 testV1ReadGroup read-view readView
snmp-agent usm-user v1 testV1ReadUser testV1ReadGroup
snmp-agent group v1 testV1WriteGroup read-view readView write-view writeView notify-view notifyView
snmp-agent usm-user v1 testV1WriteUser testV1WriteGroup
snmp-agent community read testV1ReadUser mib-view readView
snmp-agent community write testV1WriteUser mib-view writeView
You may also further control SNMP MIB access using an ACL.
For v1/2:
snmp-agent community write testV1WriteUser mib-view writeView acl <acl-number>
snmp-agent community read testV1ReadUser mib-view readView acl <acl-number>
For v3:
snmp-agent group v3 testV3Group privacy read-view readView write-view writeView acl <acl-number>
snmp-agent usm-user v3 testV3User testV3Group authentication-mode sha <auth-passwd> privacy-mode aes128 <priv-password>
Configure SNMP community strings with ACLs to limit access to SNMP to just
network management workstation(s).
Here is an example configuration:
#
acl number 2001
rule 1 permit source 192.168.100.0 0.0.0.255
rule 2 permit source 192.168.100.1 0
acl number 2002
rule 1 permit source 192.168.100.1 0
#
snmp-agent community read READONLY acl 2001
snmp-agent community write READONLY acl 2002
#
Disable all local user administrative accounts and use RADIUS or TACACS+
authentication instead.
Disable SNMP.
Regarding secure use of switch or router configuration information:
Avoid using plaintext protocols such as TFTP or FTP to transfer configuration
files that contain local user accounts.
Control user privileges on displaying any configuration information or
displaying the content of a configuration file, for example with
'display current-configuration' or 'more <configuration file>'.
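An added example, not part of HP's bulletin: a small Python audit that reads a saved configuration and reports SNMP communities that still lack the hh3cUserPassword mib-view exclusion or a source ACL, using the command forms shown in the mitigations above. The sample configuration, the community names and the audit function are constructed for illustration.

```python
import re

SENSITIVE_NODE = "hh3cUserPassword"  # node the bulletin excludes from every view

# Constructed sample configuration (not taken from a real device).
SAMPLE_CONFIG = """\
#
acl number 2001
 rule 1 permit source 192.168.100.1 0
#
snmp-agent mib-view include readView iso
snmp-agent mib-view exclude readView hh3cUserPassword
snmp-agent mib-view include writeView iso
snmp-agent community read public
snmp-agent community read monitor mib-view readView
snmp-agent community write ops mib-view writeView acl 2001
snmp-agent community read nms mib-view readView acl 2001
snmp-agent community read lab mib-view readView acl 2999
#
"""

# Accepts both the "include/exclude" form shown above and "included/excluded".
VIEW_RE = re.compile(r"^snmp-agent mib-view (include|exclude)d? (\S+) (\S+)")
COMMUNITY_RE = re.compile(r"^snmp-agent community (read|write) (\S+)(.*)$")
ACL_RE = re.compile(r"^acl number (\d+)")


def parse_options(rest):
    """Return (view, acl) from the keyword/value tail of a community line."""
    tokens = rest.split()
    opts = dict(zip(tokens[::2], tokens[1::2]))
    return opts.get("mib-view"), opts.get("acl")


def audit(config):
    """Map each SNMP community name to a list of issues (empty list = clean)."""
    excluded = {}     # view name -> set of nodes excluded from that view
    acls = set()      # ACL numbers defined in this configuration
    communities = []  # (name, access, view, acl), evaluated after parsing

    for raw in config.splitlines():
        line = raw.strip()
        if m := VIEW_RE.match(line):
            mode, view, node = m.groups()
            excluded.setdefault(view, set())
            if mode == "exclude":
                excluded[view].add(node)
        elif m := COMMUNITY_RE.match(line):
            access, name, rest = m.groups()
            communities.append((name, access, *parse_options(rest)))
        elif m := ACL_RE.match(line):
            acls.add(m.group(1))

    report = {}
    for name, access, view, acl in communities:
        issues = []
        if view is None:
            issues.append(f"no mib-view, so {SENSITIVE_NODE} is not excluded")
        elif SENSITIVE_NODE not in excluded.get(view, set()):
            issues.append(f"mib-view {view} does not exclude {SENSITIVE_NODE}")
        if acl is None:
            issues.append("no acl restricting source addresses")
        elif acl not in acls:
            issues.append(f"acl {acl} is not defined in this configuration")
        report[name] = issues
    return report


if __name__ == "__main__":
    for community, issues in audit(SAMPLE_CONFIG).items():
        print(f"{community}: {'; '.join(issues) if issues else 'OK'}")
```

Views and ACLs are collected before communities are evaluated, so the order of statements in the saved configuration does not affect the result.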
HISTORY
Version:1 (rev.1) - 22 October 2012 Initial release
Version:2 (rev.2) - 25 October 2012 Updated product list and the summary
section.
Third Party Security Patches: Third party security patches that are to be
installed on systems running HP software products should be applied in
accordance with the customer's patch management policy.
Support: For issues about implementing the recommendations of this Security
Bulletin, contact normal HP Services support channel. For other issues about
the content of this Security Bulletin, send e-mail to security-alert@hp.com.
Report: To report a potential security vulnerability with any HP supported
product, send Email to: security-alert@hp.com
Subscribe: To initiate a subscription to receive future HP Security Bulletin
alerts via Email:
http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins
Security Bulletin List: A list of HP Security Bulletins, updated
periodically, is contained in HP Security Notice HPSN-2011-001:
https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c02964430
Security Bulletin Archive: A list of recently released Security Bulletins is
available here:
http://h20566.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/
Software Product Category: The Software Product Category is represented in
the title by the two characters following HPSB.
3C = 3COM
3P = 3rd Party Software
GN = HP General Software
HF = HP Hardware and Firmware
MP = MPE/iX
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PI = Printing and Imaging
PV = ProCurve
ST = Storage Software
TU = Tru64 UNIX
UX = HP-UX
Copyright 2012 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or editorial errors
or omissions contained herein. The information provided is provided "as is"
without warranty of any kind. To the extent permitted by law, neither HP nor
its affiliates, subcontractors or suppliers will be liable for
incidental, special or consequential damages including downtime cost; lost
profits; damages relating to the procurement of substitute products or
services; or damages for loss of data, or software restoration. The
information in this document is subject to change without notice.
Hewlett-Packard Company and the names of Hewlett-Packard products referenced
herein are trademarks of Hewlett-Packard Company in the United States and
other countries. Other product and company names mentioned herein may be
trademarks of their respective owners.
| VAR-201210-0726 | No CVE | SAP NetWeaver Process Integration XML External Entity Information Disclosure Vulnerability |
CVSS V2: - CVSS V3: - Severity: - |
SAP NetWeaver Process Integration is prone to an information-disclosure vulnerability.
An attacker can exploit this issue to gain access to sensitive information; this may lead to further attacks.