VARIoT IoT vulnerabilities database
| VAR-201307-0482 | CVE-2013-2070 | Denial-of-service (DoS) vulnerability in http/modules/ngx_http_proxy_module.c in nginx |
CVSS V2: 5.8 CVSS V3: - Severity: MEDIUM |
http/modules/ngx_http_proxy_module.c in nginx 1.1.4 through 1.2.8 and 1.3.0 through 1.4.0, when proxy_pass is used with untrusted HTTP servers, allows remote attackers to cause a denial of service (crash) and obtain sensitive information from worker process memory via a crafted proxy response, a similar vulnerability to CVE-2013-2028. Nginx is prone to a remote security vulnerability.
Attackers can exploit this issue to cause a denial-of-service condition or obtain sensitive information. nginx is a lightweight web server/reverse proxy server and email (IMAP/POP3) proxy server developed by Russian programmer Igor Sysoev.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201310-04
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: nginx: Multiple vulnerabilities
Date: October 06, 2013
Bugs: #458726, #468870
ID: 201310-04
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities have been found in nginx, the worst of which
may allow execution of arbitrary code.
Background
==========
nginx is a robust, small, and high performance HTTP and reverse proxy
server.
Affected packages
=================
-------------------------------------------------------------------
 Package              /     Vulnerable     /            Unaffected
-------------------------------------------------------------------
 1  www-servers/nginx          < 1.4.1-r2                 >= 1.4.1-r2
Description
===========
Multiple vulnerabilities have been discovered in nginx. Please review
the CVE identifiers referenced below for details.
Impact
======
A remote attacker could send a specially crafted request, possibly
resulting in execution of arbitrary code with the privileges of the
process, or a Denial of Service condition.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All nginx users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=www-servers/nginx-1.4.1-r2"
References
==========
[ 1 ] CVE-2013-0337
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0337
[ 2 ] CVE-2013-2028
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2028
[ 3 ] CVE-2013-2070
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2070
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201310-04.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2013 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
- -------------------------------------------------------------------------
Debian Security Advisory DSA-2721-1 security@debian.org
http://www.debian.org/security/ Nico Golde
July 07, 2013 http://www.debian.org/security/faq
- -------------------------------------------------------------------------
Package : nginx
Vulnerability : buffer overflow
Problem type : remote
Debian-specific: no
CVE ID : CVE-2013-2070
Debian Bug : 708164
A buffer overflow has been identified in nginx, a small, powerful,
scalable web/proxy server, when processing certain chunked transfer
encoding requests if proxy_pass to untrusted upstream HTTP servers is
used.
The oldstable distribution (squeeze), is not affected by this problem.
For the stable distribution (wheezy), this problem has been fixed in
version 1.2.1-2.2+wheezy1.
For the unstable distribution (sid), this problem has been fixed in
version 1.4.1-1.
We recommend that you upgrade your nginx packages.
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/
Mailing list: debian-security-announce@lists.debian.org
| VAR-201306-0348 | CVE-2013-4629 | Session hijacking vulnerability in Huawei viewpoint VP9610 and VP9620 units for the Huawei Video Conference system |
CVSS V2: 8.5 CVSS V3: - Severity: HIGH |
The Huawei viewpoint VP9610 and VP9620 units for the Huawei Video Conference system do not update the Session ID upon successful establishment of a login session, which allows remote authenticated users to hijack sessions via an unspecified interception method. Huawei VP9610 and VP9620 are prone to a session-hijacking vulnerability.
An attacker can exploit this issue to hijack user sessions and gain unauthorized access to the affected applications
| VAR-201305-0268 | CVE-2013-1136 | Denial-of-service (DoS) vulnerability in Cisco IOS running on Cisco Aggregation Services Router Route Processor |
CVSS V2: 4.6 CVSS V3: - Severity: MEDIUM |
The crypto engine process in Cisco IOS on Aggregation Services Router (ASR) Route Processor 2 does not properly manage memory, which allows local users to cause a denial of service (route processor crash) by creating multiple tunnels and then examining encryption statistics, aka Bug ID CSCuc52193. Cisco IOS is the interconnected network operating system used on most Cisco system routers and network switches. Cisco IOS is prone to a local denial-of-service vulnerability.
A local attacker can exploit this issue to crash the system, resulting in denial-of-service conditions.
This issue is being tracked by Cisco bug ID CSCuc52193
| VAR-201305-0366 | No CVE | Fujitsu Desktop Update Permission Elevation Vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Fujitsu is an ICT integrated service provider that provides industry solutions for the global market. There is a privilege elevation vulnerability in Fujitsu Desktop Update that allows malicious programs to execute in the context of the current user.
The application is registered as control panel item via
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace\{070B64FF-795D-4DAA-88AD-6D3277C7E445}]
@="Fujitsu DeskUpdate"
The "shell object" with GUID {070B64FF-795D-4DAA-88AD-6D3277C7E445} is
registered with
[HKLM\SOFTWARE\Classes\CLSID\{070B64FF-795D-4DAA-88AD-6D3277C7E445}]
@="Fujitsu DeskUpdate"
"InfoTip"=expand:"@C:\\Program Files (x86)\\Fujitsu\\DeskUpdate\\DeskUpdate.exe,-132"
"System.ControlPanel.Category"=dword:00000005
"System.Software.TasksFileUrl"="C:\\Program Files (x86)\\Fujitsu\DeskUpdate\\duconfig.xml"
[HKLM\SOFTWARE\Classes\CLSID\{070B64FF-795D-4DAA-88AD-6D3277C7E445}\DefaultIcon]
@=expand:"C:\\Program Files (x86)\\Fujitsu\\DeskUpdate\\DeskUpdate.exe,-0"
[HKLM\SOFTWARE\Classes\CLSID\{070B64FF-795D-4DAA-88AD-6D3277C7E445}\Shell\Open\Command]
@="C:\\Program Files (x86)\\Fujitsu\\DeskUpdate\\DeskUpdate.exe"
The last entry is a pathname with unquoted spaces and allows the
execution of the rogue programs "C:\Program.exe" and/or
"C:\Program Files.exe", as documented in
<http://msdn.microsoft.com/library/ms682425.aspx>
Stefan Kanthak
PS: long pathnames containing spaces exist for about 20 years
now in Windows, EVERY developer should know how to use them
properly, and EVERY QA should check their proper use!
| VAR-201305-0154 | CVE-2013-1220 | Denial-of-service (DoS) vulnerability in the CallServer component of Cisco Unified Customer Voice Portal |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
The CallServer component in Cisco Unified Customer Voice Portal (CVP) Software before 9.0.1 ES 11 allows remote attackers to cause a denial of service (call-acceptance outage) via malformed SIP INVITE messages, aka Bug ID CSCua65148. The vendor has confirmed this vulnerability and released it as Bug ID CSCua65148. A third party may cause a denial of service (call-acceptance outage) via malformed SIP INVITE messages.
Successfully exploiting this issue allows remote attackers to cause denial-of-service conditions.
This issue is being tracked by Cisco Bug ID CSCua65148. A remote attacker can exploit this vulnerability through malformed SIP INVITE packets to cause denial of service (interruption of call reception)
| VAR-201305-0155 | CVE-2013-1221 | Arbitrary code execution vulnerability in the Tomcat Web Management feature of Cisco Unified Customer Voice Portal |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
The Tomcat Web Management feature in Cisco Unified Customer Voice Portal (CVP) Software before 9.0.1 ES 11 does not properly configure Tomcat components, which allows remote attackers to execute arbitrary code via a crafted (1) HTTP or (2) HTTPS request, aka Bug ID CSCub38384. The vendor has confirmed this vulnerability and released it as Bug ID CSCub38384. A third party may execute arbitrary code via a crafted (1) HTTP or (2) HTTPS request. Cisco Unified Customer Voice Portal is prone to a remote privilege-escalation vulnerability.
Attackers can exploit this issue to gain elevated privileges in the context of the affected application. Successful exploits may aid in further attacks.
This issue is being tracked by Cisco Bug ID CSCub38384.
Versions prior to Unified Customer Voice Portal (CVP) 9.0.1 ES 11 are vulnerable. The vulnerability stems from the fact that the program does not properly configure the Tomcat component
| VAR-201305-0156 | CVE-2013-1222 | Vulnerability in the Tomcat Web Management feature of Cisco Unified Customer Voice Portal allowing launch of arbitrary custom web applications |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
The Tomcat Web Management feature in Cisco Unified Customer Voice Portal (CVP) Software before 9.0.1 ES 11 does not properly configure Tomcat components, which allows remote attackers to launch arbitrary custom web applications via a crafted (1) HTTP or (2) HTTPS request, aka Bug ID CSCub38379. Cisco Unified Customer Voice Portal is prone to a security-bypass vulnerability.
Exploiting this issue could allow an attacker to bypass certain security restrictions and gain unauthorized access to the affected device.
This issue is being tracked by Cisco Bug ID CSCub38379.
Versions prior to Unified Customer Voice Portal (CVP) 9.0.1 ES 11 are vulnerable. The vulnerability is caused by the program not configuring the Tomcat component correctly
| VAR-201305-0157 | CVE-2013-1223 | Cisco Unified Customer Voice Portal Log Viewer Arbitrary File Access Vulnerability |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
The log viewer in Cisco Unified Customer Voice Portal (CVP) Software before 9.0.1 ES 11 does not properly validate an unspecified parameter, which allows remote attackers to read arbitrary files via a crafted (1) HTTP or (2) HTTPS request, aka Bug ID CSCub38372.
Successfully exploiting this issue may allow attackers to read arbitrary files. This may lead to further attacks.
This issue is being tracked by Cisco Bug ID CSCub38372.
Versions prior to Unified Customer Voice Portal (CVP) 9.0.1 ES 11 are vulnerable
| VAR-201305-0158 | CVE-2013-1224 | Directory traversal vulnerability in the Resource Manager of Cisco Unified Customer Voice Portal |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Directory traversal vulnerability in the Resource Manager in Cisco Unified Customer Voice Portal (CVP) Software before 9.0.1 ES 11 allows remote attackers to overwrite arbitrary files via a crafted (1) HTTP or (2) HTTPS request that triggers incorrect parameter validation, aka Bug ID CSCub38369.
A remote attacker can use directory-traversal strings to modify arbitrary system files in the context of the affected application. This may aid in further attacks.
This issue is being tracked by Cisco Bug ID CSCub38369
| VAR-201305-0159 | CVE-2013-1225 | Cisco Unified Customer Voice Portal XML Entity Expansion Remote Arbitrary File Access Vulnerability |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Cisco Unified Customer Voice Portal (CVP) Software before 9.0.1 ES 11 allows remote attackers to read arbitrary files via a Resource Manager (1) HTTP or (2) HTTPS request containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue, aka Bug ID CSCub38366. Cisco Unified Customer Voice Portal (CVP) contains a vulnerability that allows arbitrary files to be read. This vulnerability is related to an XML External Entity (XXE) issue.
Remote attackers can exploit this issue to read arbitrary files. This may lead to further attacks.
This issue is being tracked by Cisco Bug ID CSCub38366
| VAR-201305-0165 | CVE-2013-1611 | Symantec Brightmail Gateway Vulnerable to cross-site scripting |
CVSS V2: 3.5 CVSS V3: - Severity: LOW |
Multiple cross-site scripting (XSS) vulnerabilities in administrative-interface pages in the management console in Symantec Brightmail Gateway 9.5.x allow remote authenticated users to inject arbitrary web script or HTML via unspecified vectors. Symantec Brightmail Gateway is prone to multiple HTML-injection vulnerabilities because it fails to properly sanitize user-supplied input.
Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or control how the site is rendered to the user. Other attacks are also possible.
Symantec Brightmail Gateway 9.5.x is vulnerable.
| VAR-201305-0317 | CVE-2013-3498 | Juniper SmartPass WLAN Security Management Vulnerable to cross-site scripting |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Cross-site scripting (XSS) vulnerability in Juniper SmartPass WLAN Security Management before 7.7 MR3 and 8.0 before MR2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Juniper Networks SmartPass is prone to an unspecified cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
SmartPass 8.0 MR1 and 7.7 MR2 are vulnerable. Juniper Networks SmartPass is a security management application from Juniper Networks that can implement dynamic access control for all users and devices on the wireless LAN.
| VAR-201305-0316 | CVE-2013-3497 | Password disclosure vulnerability in Juniper Junos Space as used on the Junos Space JA1500 appliance |
CVSS V2: 4.7 CVSS V3: - Severity: MEDIUM |
Juniper Junos Space before 12.3P2.8, as used on the JA1500 appliance and in other contexts, includes a cleartext password in a configuration tab, which makes it easier for physically proximate attackers to obtain the password by reading the workstation screen. Multiple Juniper Networks Products are prone to a password-disclosure vulnerability.
Local attackers can exploit this issue to obtain sensitive information that may lead to further attacks. The solution supports automated configuration, monitoring, and troubleshooting of devices and services throughout their lifecycle
| VAR-201305-0209 | CVE-2013-3336 | Adobe ColdFusion Vulnerable to reading arbitrary files |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Unspecified vulnerability in Adobe ColdFusion 9.0, 9.0.1, 9.0.2, and 10 allows remote attackers to read arbitrary files via unknown vectors. Adobe ColdFusion is prone to an information-disclosure vulnerability.
Attackers can exploit this issue to retrieve files stored on the server and obtain sensitive information. This may aid in launching further attacks. Adobe ColdFusion is a dynamic web server product from Adobe in the United States; the CFML (ColdFusion Markup Language) it runs is a programming language for web applications.
| VAR-201305-0089 | CVE-2013-0685 | Invensys Wonderware Information Server Denial of service vulnerability |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Invensys Wonderware Information Server (WIS) 4.0 SP1SP1, 4.5- Portal, and 5.0- Portal does not restrict unspecified size and amount values, which allows remote attackers to execute arbitrary code or cause a denial of service (resource consumption) via unknown vectors. Invensys Wonderware Information Server is a graphical visualization, reporting and analysis of real-time network-based plant operations data that helps drive productivity across the enterprise. Invensys Wonderware Information Server is prone to a denial-of-service vulnerability.
Successful exploits may allow an attacker to trigger high CPU consumption and make the application unresponsive. Note that this issue could be exploited to execute arbitrary code; however, Symantec has not confirmed this.
The following versions are vulnerable:
Wonderware Information Server 4.0 SP1
Wonderware Information Server 4.5 Portal
Wonderware Information Server 5.0 Portal
Through the network solution, this product can conveniently display factory performance indicators and production data to operations, operations-and-maintenance, and engineering personnel, and is widely used in the petroleum, natural gas, chemical and other industries.
| VAR-201305-0091 | CVE-2013-0688 | Invensys Wonderware Information Server Vulnerable to cross-site scripting |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Cross-site scripting (XSS) vulnerability in Invensys Wonderware Information Server (WIS) 4.0 SP1SP1, 4.5- Portal, and 5.0- Portal allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Invensys Wonderware Information Server can centrally reflect web management solutions for production management. There are security vulnerabilities in the implementation of Wonderware Information Server 4.0 SP1, Wonderware Information Server 4.5 Portal, and Wonderware Information Server 5.0 Portal. An attacker could exploit this vulnerability to execute arbitrary script code in the user's browser in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. Through the network solution, this product can conveniently display factory performance indicators and production data to operations, operations-and-maintenance, and engineering personnel, and is widely used in the petroleum, natural gas, chemical and other industries.
| VAR-201305-0088 | CVE-2013-0684 | SQL injection vulnerability in Invensys Wonderware Information Server |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
SQL injection vulnerability in Invensys Wonderware Information Server (WIS) 4.0 SP1SP1, 4.5- Portal, and 5.0- Portal allows remote attackers to execute arbitrary SQL commands via unspecified vectors. Invensys Wonderware Information Server can centrally reflect web management solutions for production management. There are security vulnerabilities in the implementation of Wonderware Information Server 4.0 SP1, Wonderware Information Server 4.5 Portal, and Wonderware Information Server 5.0 Portal. An attacker can exploit a vulnerability to compromise an application and perform unauthorized operations. Through the network solution, this product can conveniently display the factory performance indicators and production data to the operation, operation and maintenance and engineering personnel, and is widely used in petroleum, natural gas, chemical and other industries
| VAR-201305-0090 | CVE-2013-0686 | Invensys Wonderware Information Server Information Disclosure Vulnerability |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Invensys Wonderware Information Server (WIS) 4.0 SP1SP1, 4.5- Portal, and 5.0- Portal allows remote attackers to read arbitrary files, send HTTP requests to intranet servers, or cause a denial of service (CPU and memory consumption) via an XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue. Invensys Wonderware Information Server can centrally reflect web management solutions for production management. There are security vulnerabilities in the implementation of Wonderware Information Server 4.0 SP1, Wonderware Information Server 4.5 Portal, and Wonderware Information Server 5.0 Portal. A local attacker can exploit this vulnerability to obtain sensitive information. Through the network solution, this product can conveniently display factory performance indicators and production data to operations, operations-and-maintenance, and engineering personnel, and is widely used in the petroleum, natural gas, chemical and other industries.
| VAR-201305-0116 | CVE-2013-1242 | Denial-of-service (DoS) vulnerability in the server in Cisco Unified Presence |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Memory leak in the web framework in the server in Cisco Unified Presence (CUP) allows remote attackers to cause a denial of service (memory consumption) via malformed TCP packets, aka Bug ID CSCug38080.
Successfully exploiting this issue allows remote attackers to exhaust memory resources resulting in denial-of-service conditions.
This issue is being tracked by Cisco Bug ID CSCug38080. A remote attacker can exploit this vulnerability to cause denial of service through malicious TCP packets
| VAR-201307-0483 | CVE-2013-2028 | Denial-of-service (DoS) vulnerability in http/ngx_http_parse.c in nginx |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
The ngx_http_parse_chunked function in http/ngx_http_parse.c in nginx 1.3.9 through 1.4.0 allows remote attackers to cause a denial of service (crash) and execute arbitrary code via a chunked Transfer-Encoding request with a large chunk size, which triggers an integer signedness error and a stack-based buffer overflow. nginx is prone to a stack-based buffer-overflow vulnerability.
Successfully exploiting this issue allows attackers to execute arbitrary code in the context of the vulnerable application. Failed exploit attempts will result in a denial-of-service condition.
The issue is fixed in nginx 1.4.1 and 1.5.0. nginx is a lightweight web server/reverse proxy server and email (IMAP/POP3) proxy server developed by Russian programmer Igor Sysoev. A denial of service vulnerability exists in the 'ngx_http_parse_chunked' function in http/ngx_http_parse.c in nginx versions 1.3.9 to 1.4.0.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201310-04
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: nginx: Multiple vulnerabilities
Date: October 06, 2013
Bugs: #458726, #468870
ID: 201310-04
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities have been found in nginx, the worst of which
may allow execution of arbitrary code.
Background
==========
nginx is a robust, small, and high performance HTTP and reverse proxy
server.
Affected packages
=================
-------------------------------------------------------------------
 Package              /     Vulnerable     /            Unaffected
-------------------------------------------------------------------
 1  www-servers/nginx          < 1.4.1-r2                 >= 1.4.1-r2
Description
===========
Multiple vulnerabilities have been discovered in nginx. Please review
the CVE identifiers referenced below for details.
Impact
======
A remote attacker could send a specially crafted request, possibly
resulting in execution of arbitrary code with the privileges of the
process, or a Denial of Service condition. Furthermore, a
context-dependent attacker may be able to obtain sensitive information.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All nginx users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=www-servers/nginx-1.4.1-r2"
References
==========
[ 1 ] CVE-2013-0337
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0337
[ 2 ] CVE-2013-2028
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2028
[ 3 ] CVE-2013-2070
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2070
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201310-04.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2013 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
From: Maxim Dounin mdounin at mdounin.ru
Tue May 7 11:30:26 UTC 2013
Hello!
Greg MacManus, of iSIGHT Partners Labs, found a security problem
in several recent versions of nginx.
Patch for the problem can be found here:
http://nginx.org/download/patch.2013.chunked.txt
As a temporary workaround the following configuration
can be used in each server{} block:
    if ($http_transfer_encoding ~* chunked) {
        return 444;
    }
--
Maxim Dounin
http://nginx.org/en/donation.html