VARIoT IoT vulnerabilities database
| VAR-201207-0336 | CVE-2012-2282 | EMC Celerra Network Server, EMC VNX, and EMC VNXe Vulnerable to reading files |
CVSS V2: 6.5 CVSS V3: - Severity: MEDIUM |
EMC Celerra Network Server 6.x before 6.0.61.0, VNX 7.x before 7.0.53.2, and VNXe 2.0 and 2.1 before 2.1.3.19077 (aka MR1 SP3.2) and 2.2 before 2.2.0.19078 (aka MR2 SP0.2) do not properly implement NFS access control, which allows remote authenticated users to read or modify files via a (1) NFSv2, (2) NFSv3, or (3) NFSv4 request. There are security vulnerabilities in multiple EMC products. Failure to properly enforce access control settings allows an attacker to bypass security restrictions and gain unauthorized access to the output file system.
ESA-2012-027: EMC Celerra/VNX/VNXe Improper Access Control Vulnerability
EMC Identifier: ESA-2012-027
CVE Identifier: CVE-2012-2282
Severity Rating: CVSS v2 Base Score: 9.0 (AV:N/AC:L/Au:S/C:C/I:C/A:C)
Affected products:
EMC Celerra Network Server versions 6.0.36.4 through 6.0.60.2
EMC VNX versions 7.0.12.0 through 7.0.53.1
EMC VNXe 2.0 (including SP1, SP2, and SP3)
EMC VNXe MR1 (including SP1, SP2, SP3, and SP3.1)
EMC VNXe MR2 (including SP0.1)
Vulnerability Summary:
A vulnerability exists in EMC Celerra/VNX/VNXe systems that can be potentially exploited to gain unauthorized access to distributed files and directories.
For EMC Celerra, navigate in Powerlink to Home > Support > Software Downloads and Licensing > Downloads C > Celerra Software
For EMC VNX, navigate in Powerlink to Home > Support > Support by Product and search for VNX
For EMC VNXe, log onto the affected VNXe, navigate in Support Zone as follows: Settings > More Configuration > Update Software > Obtain Candidate Version Online
Because the view is restricted based on customer agreements, you may not have permission to view certain downloads. Should you not see a software download you believe you should have access to, follow the instructions in EMC Knowledgebase solution emc116045.
For an explanation of Severity Ratings, refer to EMC Knowledgebase solution emc218831. EMC recommends all customers take into account both the base score and any relevant temporal and environmental scores which may impact the potential severity associated with particular security vulnerability. EMC recommends that all users determine the applicability of this information to their individual situations and take appropriate action. The information set forth herein is provided "as is" without warranty of any kind. EMC disclaims all warranties, either express or implied, including the warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event, shall EMC or its suppliers, be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if EMC or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply.
EMC Product Security Response Center
Security_Alert@emc.com
http://www.emc.com/contact-us/contact/product-security-response-center.htm
. ----------------------------------------------------------------------
We are millions! Join us to protect all Pc's Worldwide.
Download the new Secunia PSI 3.0 available in 5 languages and share it with your friends:
http://secunia.com/psi
----------------------------------------------------------------------
TITLE:
EMC Products Security Bypass Security Issue
SECUNIA ADVISORY ID:
SA49911
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/49911/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=49911
RELEASE DATE:
2012-07-12
DISCUSS ADVISORY:
http://secunia.com/advisories/49911/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/49911/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=49911
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
A security issue has been reported in multiple EMC products, which
can be exploited by malicious users to potentially bypass certain
security restrictions.
SOLUTION:
Update to a fixed version. Updated software can be downloaded from
Powerlink.
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
EMC (ESA-2012-027):
http://archives.neohapsis.com/archives/bugtraq/2012-07/att-0063/ESA-2012-027.txt
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-201207-0591 | No CVE | TP Link Gateway Multiple HTML Code Injection Vulnerabilities |
CVSS V2: - CVSS V3: - Severity: - |
TP Link is a provider specializing in the development, manufacture and sale of network and communication equipment. There are multiple HTML code injection vulnerabilities in the implementation of the TP Link Gateway. Exploiting these vulnerabilities allows execution of HTML and script code on the device in order to steal authentication credentials or control the look of the site.
| VAR-201207-0064 | CVE-2012-2486 | Cisco TelePresence Vulnerabilities in products that allow arbitrary code execution |
CVSS V2: 8.3 CVSS V3: - Severity: HIGH |
The Cisco Discovery Protocol (CDP) implementation on Cisco TelePresence Multipoint Switch before 1.9.0, Cisco TelePresence Immersive Endpoint Devices before 1.9.1, Cisco TelePresence Manager before 1.9.0, and Cisco TelePresence Recording Server before 1.8.1 allows remote attackers to execute arbitrary code by leveraging certain adjacency and sending a malformed CDP packet, aka Bug IDs CSCtz40953, CSCtz40947, CSCtz40965, and CSCtz40953. A third party on an adjacent network may execute arbitrary code by sending a CDP packet. Cisco TelePresence is a telepresence conferencing solution developed by Cisco. Because malformed Cisco Discovery Protocol messages are processed incorrectly, an attacker can submit a malformed message to the affected device and execute arbitrary system commands.
----------------------------------------------------------------------
TITLE:
Cisco TelePresence Immersive Endpoint Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA49879
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/49879/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=49879
RELEASE DATE:
2012-07-12
DISCUSS ADVISORY:
http://secunia.com/advisories/49879/#comments
DESCRIPTION:
Some vulnerabilities have been reported in Cisco TelePresence
Immersive Endpoint devices, which can be exploited by malicious users
and malicious people to compromise a vulnerable system.
1) An error within a Cisco TelePresence API can be exploited to
inject and execute arbitrary commands via a specially crafted request
to TCP port 61480.
For more information see vulnerability#2 in:
SA49864
The vulnerabilities #1 and #2 are reported in Cisco TelePresence
Immersive Endpoint devices versions 1.6 and prior, 1.7, and 1.8.
3) An error within the administrative web interface can be exploited
to inject and execute arbitrary commands by sending a specially
crafted request to TCP port 443.
This vulnerability is reported in Cisco TelePresence Immersive
Endpoint devices versions 1.6 and prior and 1.7.
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120711-cts
Successful exploitation requires the ability to send an Ethernet
frame directly to the device
| VAR-201207-0177 | CVE-2012-3076 |
Cisco TelePresence Recording Server WEB Interface Remote Command Injection Vulnerability
Related entries in the VARIoT exploits database: VAR-E-201207-0299 |
CVSS V2: 9.0 CVSS V3: - Severity: HIGH |
The administrative web interface on Cisco TelePresence Recording Server before 1.8.0 allows remote authenticated users to execute arbitrary commands via unspecified vectors, aka Bug ID CSCth85804. Cisco TelePresence is a telepresence conferencing solution developed by Cisco. The solution provides components such as audio and video spaces, which can provide remote participants with a "face-to-face" virtual meeting room effect.
Successful exploits will result in the execution of arbitrary attacker-supplied commands in the context of the root user. This may facilitate a complete compromise.
This issue is being tracked by Cisco bug ID CSCti21830. A remote attacker could exploit this vulnerability to execute arbitrary commands through an unknown vector.
----------------------------------------------------------------------
TITLE:
Cisco TelePresence Recording Server Two Vulnerabilities
SECUNIA ADVISORY ID:
SA49864
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/49864/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=49864
RELEASE DATE:
2012-07-12
DISCUSS ADVISORY:
http://secunia.com/advisories/49864/#comments
DESCRIPTION:
Two vulnerabilities have been reported in Cisco TelePresence
Recording Server, which can be exploited by malicious users and
malicious people to compromise a vulnerable system.
2) An error within the handling of Cisco Discovery Protocol (CDP)
packets in the CDP component can be exploited to execute arbitrary
code by sending a specially crafted CDP packet.
Successful exploitation requires the ability to send an Ethernet
frame directly to the device.
The vulnerability is reported in versions 1.6 and prior, 1.7, and
1.8.
SOLUTION:
Update to version 1.8.1.
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120711-ctrs
| VAR-201207-0614 | No CVE | Cisco Multiple product remote code execution vulnerabilities |
CVSS V2: - CVSS V3: - Severity: - |
Multiple Cisco Products are prone to a remote code-execution vulnerability.
Successfully exploiting this issue allows remote attackers to execute arbitrary code with elevated privileges; other attacks are also possible.
The following products are vulnerable:
Cisco TelePresence Manager
Cisco TelePresence Recording Server
Cisco TelePresence Multipoint Switch
Cisco TelePresence Immersive Endpoint System
| VAR-201207-0169 | CVE-2012-2974 | SMC Networks SMC8024L2 Switch Web Interface Authentication Bypass Vulnerability |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
The web interface on the SMC SMC8024L2 switch allows remote attackers to bypass authentication and obtain administrative access via a direct request to a .html file under (1) status/, (2) system/, (3) ports/, (4) trunks/, (5) vlans/, (6) qos/, (7) rstp/, (8) dot1x/, (9) security/, (10) igmps/, or (11) snmp/. The SMC8024L2, a network switch provided by SMC Networks Inc., has an authentication bypass vulnerability in its web management screen. By entering a web interface URL directly, the interface can be accessed without authentication. A remote attacker may change the settings of the product. The SMC Networks SMC8024L2 Switch is a powerful switch. The web interface of the SMC Networks SMC8024L2 switch incorrectly restricts user access. The SMC8024L2 is a multifunctional 10/100/1000BASE-T independently managed switch.
| VAR-201207-0174 | CVE-2012-3073 |
Cisco TelePresence Service disruption in products (DoS) Vulnerabilities
Related entries in the VARIoT exploits database: VAR-E-201207-0124 |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
The IP implementation on Cisco TelePresence Multipoint Switch before 1.8.1, Cisco TelePresence Manager before 1.9.0, and Cisco TelePresence Recording Server 1.8 and earlier allows remote attackers to cause a denial of service (networking outage or process crash) via (1) malformed IP packets, (2) a high rate of TCP connection requests, or (3) a high rate of TCP connection terminations, aka Bug IDs CSCti21830, CSCti21851, CSCtj19100, CSCtj19086, CSCtj19078, CSCty11219, CSCty11299, CSCty11323, and CSCty11338. Cisco TelePresence is a telepresence conferencing solution developed by Cisco. The solution provides components such as audio and video spaces, which can provide remote participants with a "face-to-face" virtual meeting room effect. A security issue exists in the network stack of the Cisco TelePresence operating system, allowing unauthenticated remote attackers to conduct denial of service attacks. An attacker can send a malformed IP packet sequence or TCP segments to the affected device at a high rate, which can cause services and processes on the affected device to crash, resulting in a denial of service. Multiple Cisco products are prone to a remote denial-of-service vulnerability.
For more information:
SA49880
2) An error exists within the handling of Cisco Discovery Protocol
(CDP) packets.
----------------------------------------------------------------------
TITLE:
Cisco TelePresence Recording Server Denial of Service Vulnerability
SECUNIA ADVISORY ID:
SA49880
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/49880/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=49880
RELEASE DATE:
2012-07-12
DISCUSS ADVISORY:
http://secunia.com/advisories/49880/#comments
DESCRIPTION:
A vulnerability has been reported in Cisco TelePresence Recording
Server, which can be exploited by malicious people to cause a DoS
(Denial of Service).
The vulnerability is reported in versions 1.6 and prior, 1.7, and
1.8.
SOLUTION:
No official solution is currently available.
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120711-ctrs
| VAR-201207-0175 | CVE-2012-3074 | Cisco TelePresence Immersive Endpoint device API Vulnerable to arbitrary command execution |
CVSS V2: 8.3 CVSS V3: - Severity: HIGH |
An unspecified API on Cisco TelePresence Immersive Endpoint Devices before 1.9.1 allows remote attackers to execute arbitrary commands by leveraging certain adjacency and sending a malformed request on TCP port 61460, aka Bug ID CSCtz38382. The vulnerability is caused by the affected software not correctly handling the malformed request. Unauthenticated remote attackers can exploit the vulnerability by sending malicious requests to port 61460. Successful exploitation allows execution of arbitrary commands on the device with high privileges. The TelePresence solution provides components such as audio and video spaces, which can provide remote participants with a "face-to-face" virtual meeting room effect.
----------------------------------------------------------------------
TITLE:
Cisco TelePresence Immersive Endpoint Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA49879
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/49879/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=49879
RELEASE DATE:
2012-07-12
DISCUSS ADVISORY:
http://secunia.com/advisories/49879/#comments
DESCRIPTION:
Some vulnerabilities have been reported in Cisco TelePresence
Immersive Endpoint devices, which can be exploited by malicious users
and malicious people to compromise a vulnerable system.
2) An error exists within the handling of Cisco Discovery Protocol
(CDP) packets.
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120711-cts
| VAR-201303-0027 | CVE-2012-3411 | Dnsmasq Remote Denial of Service Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Dnsmasq before 2.63test1, when used with certain libvirt configurations, replies to requests from prohibited interfaces, which allows remote attackers to cause a denial of service (traffic amplification) via a spoofed DNS query. Dnsmasq is prone to a denial-of-service vulnerability.
An attacker can exploit this issue to cause denial-of-service conditions through a stream of spoofed DNS queries producing large results.
Dnsmasq versions 2.62 and prior are vulnerable.
Relevant releases/architectures:
RHEV Hypervisor for RHEL-6 - noarch
3. The Red Hat Enterprise Virtualization Hypervisor
is a dedicated Kernel-based Virtual Machine (KVM) hypervisor.
Note: Red Hat Enterprise Virtualization Hypervisor is only available for
the Intel 64 and AMD64 architectures with virtualization extensions.
A flaw was found in the way the vhost kernel module handled descriptors
that spanned multiple regions. A privileged guest user could use this flaw
to crash the host or, potentially, escalate their privileges on the host.
(CVE-2013-0311)
It was found that the default SCSI command filter does not accommodate
commands that overlap across device classes. A privileged guest user could
potentially use this flaw to write arbitrary data to a LUN that is
passed-through as read-only. Now, the VDSM version
compatibility is considered and the upgrade message only displays if there
is an upgrade relevant to the host available. As a result, virtual machines with
supported CPU models were not being properly parsed by libvirt and failed
to start. Virtual machines now start normally. This allows for multiple versions of the hypervisor
package to be installed on a system concurrently without making changes to
the yum configuration as was previously required. Bugs fixed (http://bugzilla.redhat.com/):
833033 - CVE-2012-3411 libvirt+dnsmasq: DNS configured to answer DNS queries from non-virtual networks
835162 - rhev-hypervisor 6.4 release
853092 - rhev-h: supported vdsm compatibility versions should be supplied along with rhev-h ISOs
863579 - RFE: Support installonlypkgs functionality for rhev-hypervisor packages
875360 - CVE-2012-4542 kernel: block: default SCSI command filter does not accomodate commands overlap across device classes
912905 - CVE-2013-0311 kernel: vhost: fix length for cross region descriptor
6. packets that should not be passed in) may be sent to the dnsmasq
application and processed. This can result in DNS amplification
attacks for example (CVE-2012-3411). It was found that after the upstream patch for
CVE-2012-3411 issue was applied, dnsmasq still:
- replied to remote TCP-protocol based DNS queries (UDP protocol
ones were corrected, but TCP ones not) from prohibited networks,
when the --bind-dynamic option was used,
- when --except-interface lo option was used dnsmasq didn't answer
local or remote UDP DNS queries, but still allowed TCP protocol based
DNS queries,
- when --except-interface lo option was not used local / remote TCP
DNS queries were also still answered by dnsmasq.
This update fixes these three cases. The verification
of md5 checksums and GPG signatures is performed automatically for you. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/en/support/security/advisories/
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201406-24
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: Dnsmasq: Denial of Service
Date: June 25, 2014
Bugs: #436894, #453170
ID: 201406-24
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
A vulnerability in Dnsmasq can lead to a Denial of Service condition.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Dnsmasq users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-dns/dnsmasq-2.66"
References
==========
[ 1 ] CVE-2012-3411
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3411
[ 2 ] CVE-2013-0198
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0198
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201406-24.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2014 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: dnsmasq security, bug fix and enhancement update
Advisory ID: RHSA-2013:0277-02
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2013-0277.html
Issue date: 2013-02-21
CVE Names: CVE-2012-3411
=====================================================================
1. Summary:
Updated dnsmasq packages that fix one security issue, one bug, and add
various enhancements are now available for Red Hat Enterprise Linux 6.
The Red Hat Security Response Team has rated this update as having moderate
security impact. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available from the CVE link in
the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64
Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, x86_64
Red Hat Enterprise Linux HPC Node (v. 6) - x86_64
Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64
Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Optional (v. 6) - i386, x86_64
3. Description:
The dnsmasq packages contain Dnsmasq, a lightweight DNS (Domain Name
Server) forwarder and DHCP (Dynamic Host Configuration Protocol) server.
It was discovered that dnsmasq, when used in combination with certain
libvirtd configurations, could incorrectly process network packets from
network interfaces that were intended to be prohibited. (CVE-2012-3411)
In order to fully address this issue, libvirt package users are advised to
install updated libvirt packages. Refer to RHSA-2013:0276 for additional
information.
This update also fixes the following bug:
* Due to a regression, the lease change script was disabled. Consequently,
the "dhcp-script" option in the /etc/dnsmasq.conf configuration file did
not work. This update corrects the problem and the "dhcp-script" option now
works as expected. (BZ#815819)
This update also adds the following enhancements:
* Prior to this update, dnsmasq did not validate that the tftp directory
given actually existed and was a directory. Consequently, configuration
errors were not immediately reported on startup. This update improves the
code to validate the tftp root directory option. As a result, fault finding
is simplified especially when dnsmasq is called by external processes such
as libvirt. (BZ#824214)
* The dnsmasq init script used an incorrect Process Identifier (PID) in the
"stop", "restart", and "condrestart" commands. Consequently, if there were
some dnsmasq instances running besides the system one started by the init
script, then repeated calling of "service dnsmasq" with "stop" or "restart"
would kill all running dnsmasq instances, including ones not started with
the init script. The dnsmasq init script code has been corrected to obtain
the correct PID when calling the "stop", "restart", and "condrestart"
commands. As a result, if there are dnsmasq instances running in addition
to the system one started by the init script, then by calling "service
dnsmasq" with "stop" or "restart" only the system one is stopped or
restarted. (BZ#850944)
* When two or more dnsmasq processes were running with DHCP enabled on one
interface, DHCP RELEASE packets were sometimes lost. Consequently, when two
or more dnsmasq processes were running with DHCP enabled on one interface,
releasing IP addresses sometimes failed. This update sets the
SO_BINDTODEVICE socket option on DHCP sockets if running dnsmasq with DHCP
enabled on one interface. As a result, when two or more dnsmasq processes
are running with DHCP enabled on one interface, they can release IP
addresses as expected. (BZ#887156)
All users of dnsmasq are advised to upgrade to these updated packages,
which fix these issues and add these enhancements.
4. Solution:
Before applying this update, make sure all previously-released errata
relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/knowledge/articles/11258
5. Bugs fixed (http://bugzilla.redhat.com/):
833033 - CVE-2012-3411 libvirt+dnsmasq: DNS configured to answer DNS queries from non-virtual networks
850944 - "service dnsmasq restart (or dnsmasq package update) kills all instances of dnsmasq on system, including those started by libvirtd
884957 - guest can not get NAT IP from dnsmasq-2.48-10
6. Package List:
Red Hat Enterprise Linux Desktop (v. 6):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/dnsmasq-2.48-13.el6.src.rpm
i386:
dnsmasq-2.48-13.el6.i686.rpm
dnsmasq-debuginfo-2.48-13.el6.i686.rpm
x86_64:
dnsmasq-2.48-13.el6.x86_64.rpm
dnsmasq-debuginfo-2.48-13.el6.x86_64.rpm
Red Hat Enterprise Linux Desktop Optional (v. 6):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/dnsmasq-2.48-13.el6.src.rpm
i386:
dnsmasq-debuginfo-2.48-13.el6.i686.rpm
dnsmasq-utils-2.48-13.el6.i686.rpm
x86_64:
dnsmasq-debuginfo-2.48-13.el6.x86_64.rpm
dnsmasq-utils-2.48-13.el6.x86_64.rpm
Red Hat Enterprise Linux HPC Node (v. 6):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/dnsmasq-2.48-13.el6.src.rpm
x86_64:
dnsmasq-2.48-13.el6.x86_64.rpm
dnsmasq-debuginfo-2.48-13.el6.x86_64.rpm
Red Hat Enterprise Linux HPC Node Optional (v. 6):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/dnsmasq-2.48-13.el6.src.rpm
x86_64:
dnsmasq-debuginfo-2.48-13.el6.x86_64.rpm
dnsmasq-utils-2.48-13.el6.x86_64.rpm
Red Hat Enterprise Linux Server (v. 6):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/dnsmasq-2.48-13.el6.src.rpm
i386:
dnsmasq-2.48-13.el6.i686.rpm
dnsmasq-debuginfo-2.48-13.el6.i686.rpm
ppc64:
dnsmasq-2.48-13.el6.ppc64.rpm
dnsmasq-debuginfo-2.48-13.el6.ppc64.rpm
s390x:
dnsmasq-2.48-13.el6.s390x.rpm
dnsmasq-debuginfo-2.48-13.el6.s390x.rpm
x86_64:
dnsmasq-2.48-13.el6.x86_64.rpm
dnsmasq-debuginfo-2.48-13.el6.x86_64.rpm
Red Hat Enterprise Linux Server Optional (v. 6):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/dnsmasq-2.48-13.el6.src.rpm
i386:
dnsmasq-debuginfo-2.48-13.el6.i686.rpm
dnsmasq-utils-2.48-13.el6.i686.rpm
ppc64:
dnsmasq-debuginfo-2.48-13.el6.ppc64.rpm
dnsmasq-utils-2.48-13.el6.ppc64.rpm
s390x:
dnsmasq-debuginfo-2.48-13.el6.s390x.rpm
dnsmasq-utils-2.48-13.el6.s390x.rpm
x86_64:
dnsmasq-debuginfo-2.48-13.el6.x86_64.rpm
dnsmasq-utils-2.48-13.el6.x86_64.rpm
Red Hat Enterprise Linux Workstation (v. 6):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/dnsmasq-2.48-13.el6.src.rpm
i386:
dnsmasq-2.48-13.el6.i686.rpm
dnsmasq-debuginfo-2.48-13.el6.i686.rpm
x86_64:
dnsmasq-2.48-13.el6.x86_64.rpm
dnsmasq-debuginfo-2.48-13.el6.x86_64.rpm
Red Hat Enterprise Linux Workstation Optional (v. 6):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/dnsmasq-2.48-13.el6.src.rpm
i386:
dnsmasq-debuginfo-2.48-13.el6.i686.rpm
dnsmasq-utils-2.48-13.el6.i686.rpm
x86_64:
dnsmasq-debuginfo-2.48-13.el6.x86_64.rpm
dnsmasq-utils-2.48-13.el6.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package
7. References:
https://www.redhat.com/security/data/cve/CVE-2012-3411.html
https://access.redhat.com/security/updates/classification/#moderate
https://rhn.redhat.com/errata/RHSA-2013-0276.html
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2013 Red Hat, Inc.
. 6) - x86_64
3. Description:
The libvirt library is a C API for managing and interacting with the
virtualization capabilities of Linux and other operating systems. In
addition, libvirt provides tools for remote management of virtualized
systems. This update
includes the changes necessary to call dnsmasq with a new command line
option, which was introduced to dnsmasq via RHSA-2013:0277.
Space precludes documenting all of these changes in this advisory. After installing the
updated packages, libvirtd must be restarted ("service libvirtd restart")
for this update to take effect.
Bugs fixed (http://bugzilla.redhat.com/):
695394 - default migration speed is too low for guests with heavy IO
713922 - virsh man page refers to unspecified "documentation"
724893 - RFE: better message when start the guest which CPU comprises flags that host doesn't support
770285 - cpu-compare fails inside virtualized hosts
770795 - blkioParameters doesn't work
770830 - --config doesn't work correctly for blkiotune option --device-weight
771424 - RFE: Resident Set Size (RSS) limits on qemu guests
772290 - RFE: Configurable VNC start port or ability to exclude use of specific ports
787906 - [python binding] migrateGetMaxSpeed did not work right with parameters
789327 - [RFE] Resume VM from s3 as a response for monitor/keyboard/mouse action
798467 - libvirt doesn't validate a manually specified MAC address for a KVM guest
799986 - libvirtd should explicitly check for existance of configured sanlock directory before trying to register lockspace
801772 - RFE: Use scsi-hd, scsi-cd instead of scsi-disk
803577 - virsh attach-disk should detect disk source file type when sourcetype is not specified
804601 - Controllers do not support virsh attach/detach-device --persistent
805071 - RFE : Dynamically change the host network/bridge that is attached to a vNIC
805243 - [RFE] add some mechanism to pre-populate credentials for libvirt connections
805361 - RFE: privnet should work well with lxc
807545 - the programming continue to run when executing virsh snapshot-list with --roots and --from mutually exclusive options
807907 - Tunnelled migration sometimes report error when do scalability test
807996 - libvirtd may hang during tunneled migration
810799 - virsh list and "--managed-save " flag can't list the domains with managed save state
813191 - virt-xml-validate fail for pool, nodedev and capabilities
813735 - Non detection of qemu TCG mode support within a RHEL VM
813819 - Unable to disable sending keep-alive messages
815644 - There is no executable permission on default pool.
816448 - inaccurate display for status of stopped libvirt-guests service
816503 - [RFE] Ability to configure sound pass-through to appear as MIC as opposed to line-in
816609 - [libvirt] python bindings have inconsistent handling of float->int conversion
817219 - Don't allow to define multiple pools with the same target
817239 - dominfo outputs incorrectly for memory unit
817244 - Issues about virsh -h usage
818467 - Improve libvirt debug capability
818996 - [rfe] allow to disable usb & vga altogether
819401 - [LXC] virsh dominfo can't get a correct VCPU number
820173 - Libvirtd fails to initialize sanlock driver
821665 - unclear error message: qemu should report 'lsi' is not supported
822068 - libvirtd will crash when hotplug attah-disk to guest
822340 - There are some typos when virsh connect source guest server with ssh PermitRootLogin disabled
822373 - libvirtd will crash when tight loop of hotplug/unplug PCI device to guest without managed=yes
823362 - vol-create-as should fail when allocate a malformed size image
823765 - libvirt should raise an error when set network with special/invalid MAC address
823850 - find-storage-pool-sources/ find-storage-pool-sources-as can't return XML describing of netfs/iscsi pool
823857 - guest can't start with unable to set security context error if guests are unconfined
824253 - manpage: document limitations on identifying domains with numeric names
825068 - Start a guest with assigned usb device which is used by another guest will reset the label
825108 - unexpected result from virt-pki-validate
825600 - spice client could not disconnect after update graphics with connected='disconnect'
825699 - Can't start pool with uuid and other commands with uuid issue
825820 - Libvirt is missing important hooks
827234 - potential to deadlock libvirt on EPIPE
827380 - Minimum value for nodesuspend time duration need be given in virsh manual or help
827519 - "Unable to determine device index for network device" when attaching new network device to a guest that already has a netdev of type='hostdev'
828023 - [libvirt] Setting numa parameters causes guest xml error
828640 - valgrind defects some use-after-free errors - virsh console
828676 - virt-xml-validate validate fails when xml contains kernel/initrd/cmdline elements
828729 - CPU topology parsing bug on special NUMA platform
829107 - valgrind defects some use-after-free errors - virsh change-media
829246 - virsh detach-disk will be failed with special image name
829562 - virsh attach-disk --cache does not work
830051 - [Doc] virsh doc has error/omission on device commands and nodedev commands
830057 - man doc of vol-create-as format is lack of qed and vmdk
831044 - #libvirtd error messages should be fixed
831049 - Update libvirtd manpage to describe how --timeout works & its usage limitations
831099 - add the ability to set a wwn for SCSI disks
831149 - virt-manager causes iowait, due to rewriting XML files repeatable
832004 - vncdisplay can't output default ip address for the vnc display
832081 - Fix keepalive issues in libvirt
832156 - RFE: Support customizable actions when sanlock leases are lost
832302 - libvirt shouldn't delete an existing unregistered volume in vol-create
832309 - [Doc]Problems about manual and help of virsh desc command
832329 - [Doc]Problems about help of virsh domiftune command
832372 - [Doc]Problems about manual and help of virsh dompmsuspend command
833327 - [Doc]The abbreviation of domain name-id-uuid arguments are inconsistent in manual
833674 - Deactivate memory balloon with type of none get wrong error info
834365 - Improve error message when trying to change VM's processor count to 0
834927 - virConnectDomainEventRegisterAny won't register the same callback for the same event but for different domains
835782 - when create the netfs pool, virsh pool-create-as do not remount the target dir which is mounted for another device firstly.
836135 - spice migration: prevent race with libvirt
837466 - virsh report error when quit virsh connection
837470 - libvirtd crash when virsh find-storage-pool-sources
837485 - can not start vdsmd service after update the libvirt packages
837542 - [regression]can't undefine guest after guest saved.
837544 - snapshot-list return core dumped
837761 - [Doc] Inaccurate description about force option in change-media help
837884 - per-machine-type CPU models for safe migration
839537 - Error occurs when given hard_limit in memtune more than current swap_hard_limit
839557 - [Doc]Need to explain in manual that the output memory of memtune command may be rounded
839661 - libvirt: support QMP event for S4
839930 - There is no message if debug level number is out of scope when run a virsh command with -d option
842208 - "Segmentation fault" when use virsh command with vdsm installed
842272 - include-passwd option can't worked when using domdisplay.
842557 - libvirt doesn't check ABI compatibility of watchdog and channel fully
842966 - [snapshot] snapshot-info report unknow procedure error even snapshot-info works well
842979 - [Regression] lxc domain fail to start due to not exist cgroup dir
843324 - snapshot-edit will report error message but return 0 when do not update xml
843372 - disk-only snapshot create external file even if snapshot command failed
843560 - Add live migration support for USB
843716 - The libvirtd deamon was killed abnormally when i destroy a domain which was in creating process
844266 - Fail to modify the domain xml with saved file
844408 - after failed hotplug qemu keeps the file descriptor open
845448 - [blockcopy]sometimes Ctrl+C can't terminate blockcopy when use --wait with other options
845460 - exit console will crash libvirtd
845468 - snapshot-list --descendants --from will core dumped
845521 - Plug memory leak after escaping sequence for console
845523 - Use after free when escaping sequence for console
845635 - Return a specific error when qemu-ga is missing or unusable during a live snapshot (quiesce)
845893 - Double close of FD when failing to connect to a remote hypervisor
845958 - libvirt domain event handler can not catch domain pmsuspend and get error when pmwakeup
845966 - libvirt pmsuspend to disk will crash libvirtd
845968 - numatune command can't handle nodeset with '^' for excluding a node
846265 - virsh blkdeviotune fail
846629 - Failed to run cpu-stats when cpuacct.usage_percpu is too large
846639 - Should forbid suspend&resume operate when guest in pmsuspend status.
848648 - [Doc] Add annotation about how to enable stack traces in log messages
851391 - Throw out "DBus support" error in libvirtd.log when restart libvirtd
851395 - xml parse error occur after upgrade to the newest package
851397 - can not start guest in rhevm
851423 - virsh segmentation fault when using find-storage-pool-sources
851452 - unexpected result of virsh save when stop libvirtd
851491 - Libvirtd crash when set "security_default_confined = 0" in qemu.conf
851959 - cpuset can be set in two places.
851963 - Guest will be undefined if remove channel content
851981 - The migration with macvtap network was denied by the target when i set "setenforce 1" in the target
852260 - AFFECT_CURRENT flag does not work well in set_scheduler_parameters when domain is shutoff
852383 - libvirtd dead when start a domain with openvswitch interface
852592 - libvirtd will be crashed when run vcpupin more than once
852668 - libvirt got security label parse error with xml
852675 - [Graphical framebuffer] update device with connected parameter "fail", guest's xml changed
852984 - virsh start command will be hung with openvswitch network interface
853002 - [qemu-ga]shutdown guest by qemu-guest-agent will successful but report error
853043 - guest can't start with unable to set security context error if guests are unconfined
853342 - [doc]There are some typos in CPU Tuning part of the formatdomain.html
853567 - Request for taking fix for PF shutdown in 802.1Qbh
853821 - virsh reboot with 'agent' shutdown mode will hang
853925 - [configuration][doc] set security_driver in qemu.conf
853930 - It is failed to start guest when the number of vcpu is different between <vcpu> and <cputune/>
854133 - libvirt should check the range of emulator_period and emulator_quota when set them with --config
854135 - The libvirt domain event handler can't catch the disconnecting information when disconnected the guest
855218 - Problems on CPU tuning
855237 - [libvirt] Add a new boot parameter to set the delay time before rebooting
855783 - improve error message for secret-get-value
856247 - full RHEL 6.4 block-copy support
856489 - Modify target type of channel element from 'virtio' to 'guestfwd' will cause libvirtd crash
856528 - List option --state-shutoff should filter guest properly
856864 - Do live migration from rhel6.1.z release version to rhel6.4 newest version and back will get "error Unknown controller type 'usb'"
856950 - Deadlock on libvirt when playing with hotplug and add/remove vm
856951 - The value of label is wrong with static dac model in xml
857013 - Failed to run cpu-stats after vcpu hotplug
857341 - fail to start lxc domain
857367 - destroy default virtual network throw error in libvirtd.log
858204 - The libvirt augeas lens can't parse a libvirtd.conf file where host_uuid is present
859320 - libvirt auth.conf make virsh cmd Segmentation fault (core dumped)
859331 - Create new guest fail with usermode
859712 - [libvirt] Deadlock in libvirt after storage is blocked
860519 - security: support for names on DAC labels
860907 - It reported an error when checked the schedinfo of the lxc guest
860971 - There should be a comma between "kvmclock" and "kvm_pv_eoi" in qemu-kvm cmd generated by libvirt
861564 - fail to start lxc os container
863059 - Unable to migrate guest: internal error missing hostuuid element in migration data
863115 - libvirt calls 'qemu-kvm -help' too often
864097 - Cannot start domains with custom CPU model
864122 - virtualport parameter profileid in a <network> or <portgroup> causes failure to initialize guest interface
864336 - [LXC] destroy domain will hang after restart libvirtd
864384 - virsh list get error msg when connect ESXi5.0 server
865670 - Warning messages "Found untested VI API major/minor version 5.1" show when connect to esx5.1 server
866288 - libvirtd crashes when both <boot dev='...'/> and <boot order='...'/> are used in one domain XML
866364 - libvirtd crash when edit a net with some operation
866369 - libvirt: terminating vm on signal 15 when hibernate fails on ENOSPACE
866388 - libvirt: no event is sent to vdsm in case vm is terminated on signal 15 after hibernate failure
866508 - Fail to import libvirt python module due to 'undefined symbol: libssh2_agent_free'
866524 - use-after-free on virsh node-memory-tune
866999 - CPU topology is missing in capabilities XML when libvirt fails to detect host CPU model
867246 - [LXC] A running guest will be stopped after restarting libvirtd service
867372 - Can not change affinity of domain process with "cpuset "of <vcpu> element.
867412 - libvirt fails to clear async job when p2p migration fails early
867724 - Libvirt sometimes fails to wait on spice to migrate
867764 - default machine type is detected incorrectly
868389 - virsh net-update to do a live add of a static host to a network that previously had no static hosts, reports success, but doesn't take effect until network is restarted.
868483 - multiple default portgroups erroneously allowed in network definitions
868692 - Libvirt: Double dash in VM causes it to disappear - bad parsing of XML
869096 - Vcpuinfo don't return numa's CPU Affinity properly on mutiple numa node's machine
869100 - poor error message for virsh snapshot-list --roots --current
869508 - the option --flags of virsh nodesuspend command should be removed
869557 - Can't add more than 256 logical networks
870099 - virsh emulatorpin still can work when vcpu placement is "auto".
870273 - coding errors in virsh man page
871055 - libvirt should support both upstream and RHEL drive-mirror
871201 - If libvirt is restarted after updating dnsmasq or radvd packages, a subsequent "virsh net-destroy" will fail to kill the dnsmasq/radvd processes
871312 - emulatorpin affinity isn't the same as Cpus_allowed_list of emulator ' thread when cpuset is specified
872104 - wrong description of net-update option(config, live and current)
872656 - virNodeGetMemoryParameters is broken on older kernels
873134 - setting current memory equal to max will end with domain start as current > max
873537 - virsh save will crash libvirtd sometimes
873538 - [Regression] Define domain failed in ESX5.1
873792 - libvirt: cancel migration is sent but migration continues
873934 - Failed to run Coverity on libvirt RHEL source rpm
874050 - virsh nodeinfo can't get the right info on AMD Bulldozer cpu
874171 - virsh should make external checkpoint creation easy
874330 - First autostarted guest has always id 1
874549 - libvirt_lxc segfaults when staring lxc through openstack
874702 - CVE-2012-3411 libvirt needs to use new dnsmasq option to avoid open DNS proxy
874860 - libvirt fails to start if storage pool contains image with missing backing file
876415 - virDomainGetVcpuPinInfo might fail to show right CPU affinity setting
876816 - libvirt should allow disk-only (external) snapshots of offline VMs
876817 - virsh should make it easier to filter snapshots by type
876828 - the qcow2 disk's major:minor number still exists in guest's devices.list after hot-unplug
876868 - virsh save guest with an no-exist xml should show error msg
877095 - libvirt doesn't clean up open files for device assignment
877303 - virsh snapshot-edit prints garbage with wrong parameters
878376 - Coverity scan founds some resource leaks and USE_AFTER_FREE
878400 - virsh pool-destroy should fail with error info when pool is in using
878779 - domdisplay with --include-password can't display VNC passwor
878862 - NULL pointer usage when starting guest with broken image chain
879130 - there is not error message when create external checkpoint with --memspec= (NULL)
879132 - create external checkpoint sometimes will crash libvirtd
879360 - Libvirt leaks libvirt_lxc processes on container shutdown
879473 - net-update may cause libvirtd crash when modify portgroup
879780 - vol-clone failed to clone LVM volumes
880064 - [LXC] libvirt_lxc segfaults when staring lxc guest
880919 - Libvirtd crashed while saving the guest to a nonexistent directory
881480 - virDomainUpdateDeviceFlags fails when interface type is 'network'
882915 - virsh doesn't report error if updated data argument for command "schedinfo" is invalid
883832 - Cannot start VMs after upgrade from 6.3 to libvirt-0.10.2-10
884650 - Add support for qemu-kvm's BALLOON_CHANGE event to avoid using monitor in virDomainGetXMLDesc
885081 - Invalid job handling while restarting CPUs when creating external snapshot
885727 - Libvirt won't parse dnsmasq capabilities when debug logs are enabled
885838 - improper errors logged when changing the bridge device used by a domain <interface type='bridge'>
886821 - libvirt-launched dnsmasq listens on localhost when it shouldn't
886933 - High disk usage when both libvirt and virt-manager are opened
887187 - [Doc] There are some typos in libvirt manual and formatdomain.html
888426 - block-copy pivot fails complaining that job is not active
889319 - support for IFLA_EXT_MASK and RTEXT_FILTER_VF needs to be added to lib
889407 - snapshot --redefine disk snapshot may cause libvirtd crash
891653 - Cgroups memory limit are causing the virt to be terminated unexpectedly
894085 - libvirt: vm pauses after live storage migration
896403 - delete snapshot which name contain '/' lead to libvirtd crash
6
| VAR-201207-0380 | CVE-2012-1831 | WellinTech KingView Heap Buffer Overflow Vulnerability |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Heap-based buffer overflow in WellinTech KingView 6.53 allows remote attackers to execute arbitrary code via a crafted packet to TCP port 555. KingView is a product for building data information service platforms for industrial automation. WellinTech KingView is prone to multiple memory corruption vulnerabilities and a directory-traversal vulnerability. Failed exploit attempts will result in a denial-of-service condition.
WellinTech KingView 6.53 is vulnerable.
----------------------------------------------------------------------
TITLE:
KingHistorian Memory Corruption Vulnerability
SECUNIA ADVISORY ID:
SA49765
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/49765/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=49765
RELEASE DATE:
2012-07-09
DESCRIPTION:
A vulnerability has been reported in KingHistorian, which can be
exploited by malicious people to compromise a vulnerable system.
The vulnerability is caused due to an invalid pointer write error,
which can be exploited to corrupt memory via a specially crafted
packet sent to port 5678.
Successful exploitation may allow execution of arbitrary code.
The vulnerability is reported in version 3.0.
SOLUTION:
Install patch.
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
PROVIDED AND/OR DISCOVERED BY:
ICS-CERT credits Dillon Beresford.
ORIGINAL ADVISORY:
ICS-CERT:
http://www.us-cert.gov/control_systems/pdf/ICSA-12-185-01.pdf
| VAR-201207-0381 | CVE-2012-1832 | WellinTech KingView Vulnerable to arbitrary code execution |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
WellinTech KingView 6.53 allows remote attackers to execute arbitrary code or cause a denial of service (out-of-bounds read) via a crafted packet to (1) TCP or (2) UDP port 2001. KingView is a product for building data information service platforms for industrial automation. A security vulnerability exists in WellinTech KingView that allows an attacker to send a specially crafted message to TCP or UDP port 2001, which can trigger a read of invalid memory and cause the application to crash. WellinTech KingView is prone to multiple memory corruption vulnerabilities and a directory-traversal vulnerability.
An attacker can exploit these issues to access arbitrary files within the context of the affected application and execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition.
WellinTech KingView 6.53 is vulnerable.
TITLE:
KingHistorian Memory Corruption Vulnerability
SECUNIA ADVISORY ID:
SA49765
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/49765/
RELEASE DATE:
2012-07-09
DESCRIPTION:
A vulnerability has been reported in KingHistorian, which can be
exploited by malicious people to compromise a vulnerable system.
The vulnerability is caused due to an invalid pointer write error,
which can be exploited to corrupt memory via a specially crafted
packet sent to port 5678.
Successful exploitation may allow execution of arbitrary code.
The vulnerability is reported in version 3.0.
SOLUTION:
Install patch.
PROVIDED AND/OR DISCOVERED BY:
ICS-CERT credits Dillon Beresford.
ORIGINAL ADVISORY:
ICS-CERT:
http://www.us-cert.gov/control_systems/pdf/ICSA-12-185-01.pdf
| VAR-201207-0059 | CVE-2012-2560 | WellinTech KingView Path traversal vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Directory traversal vulnerability in WellinTech KingView 6.53 allows remote attackers to read arbitrary files via a crafted HTTP request to port 8001. KingView is a product for building data information service platforms for industrial automation. WellinTech KingView is prone to multiple memory corruption vulnerabilities and a directory-traversal vulnerability.
An attacker can exploit these issues to access arbitrary files within the context of the affected application and execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition.
WellinTech KingView 6.53 is vulnerable.
TITLE:
KingHistorian Memory Corruption Vulnerability
SECUNIA ADVISORY ID:
SA49765
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/49765/
RELEASE DATE:
2012-07-09
DESCRIPTION:
A vulnerability has been reported in KingHistorian, which can be
exploited by malicious people to compromise a vulnerable system.
The vulnerability is caused due to an invalid pointer write error,
which can be exploited to corrupt memory via a specially crafted
packet sent to port 5678.
Successful exploitation may allow execution of arbitrary code.
The vulnerability is reported in version 3.0.
SOLUTION:
Install patch.
PROVIDED AND/OR DISCOVERED BY:
ICS-CERT credits Dillon Beresford.
ORIGINAL ADVISORY:
ICS-CERT:
http://www.us-cert.gov/control_systems/pdf/ICSA-12-185-01.pdf
| VAR-201207-0379 | CVE-2012-1830 | WellinTech KingView Stack Buffer Overflow Vulnerability |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Stack-based buffer overflow in WellinTech KingView 6.53 allows remote attackers to execute arbitrary code via a crafted packet to TCP port 555. KingView is a product for building data information service platforms for industrial automation. WellinTech KingView is prone to multiple memory corruption vulnerabilities and a directory-traversal vulnerability. Failed exploit attempts will result in a denial-of-service condition.
WellinTech KingView 6.53 is vulnerable.
TITLE:
KingHistorian Memory Corruption Vulnerability
SECUNIA ADVISORY ID:
SA49765
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/49765/
RELEASE DATE:
2012-07-09
DESCRIPTION:
A vulnerability has been reported in KingHistorian, which can be
exploited by malicious people to compromise a vulnerable system.
The vulnerability is caused due to an invalid pointer write error,
which can be exploited to corrupt memory via a specially crafted
packet sent to port 5678.
Successful exploitation may allow execution of arbitrary code.
The vulnerability is reported in version 3.0.
SOLUTION:
Install patch.
PROVIDED AND/OR DISCOVERED BY:
ICS-CERT credits Dillon Beresford.
ORIGINAL ADVISORY:
ICS-CERT:
http://www.us-cert.gov/control_systems/pdf/ICSA-12-185-01.pdf
| VAR-201207-0058 | CVE-2012-2559 | WellinTech KingHistorian Memory corruption vulnerability |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
WellinTech KingHistorian 3.0 allows remote attackers to execute arbitrary code or cause a denial of service (invalid pointer write) via a crafted packet to TCP port 5678. WellinTech KingHistorian is a data storage platform. WellinTech KingHistorian is prone to a memory corruption vulnerability. Failed exploit attempts will result in a denial-of-service condition.
WellinTech KingHistorian 3.0 is vulnerable.
TITLE:
KingHistorian Memory Corruption Vulnerability
SECUNIA ADVISORY ID:
SA49765
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/49765/
RELEASE DATE:
2012-07-09
DESCRIPTION:
A vulnerability has been reported in KingHistorian, which can be
exploited by malicious people to compromise a vulnerable system.
Successful exploitation may allow execution of arbitrary code.
The vulnerability is reported in version 3.0.
SOLUTION:
Install patch.
PROVIDED AND/OR DISCOVERED BY:
ICS-CERT credits Dillon Beresford.
ORIGINAL ADVISORY:
ICS-CERT:
http://www.us-cert.gov/control_systems/pdf/ICSA-12-185-01.pdf
| VAR-201206-0647 | No CVE | SAP NetWeaver Business Warehouse XML External Entity Information Disclosure Vulnerability |
CVSS V2: - CVSS V3: - Severity: - |
SAP NetWeaver Business Warehouse is prone to an information-disclosure vulnerability because it is vulnerable to XML External Entity attacks.
An attacker can exploit this issue to gain access to sensitive information; this may lead to further attacks.
Versions SAP NetWeaver Business Warehouse 6.40 and 7.02 are vulnerable; other versions may also be affected.
| VAR-201208-0694 | CVE-2012-1338 | Cisco IOS Service disruption in ( Device reload ) Vulnerabilities |
CVSS V2: 6.3 CVSS V3: - Severity: MEDIUM |
Cisco IOS 15.0 and 15.1 on Catalyst 3560 and 3750 series switches allows remote authenticated users to cause a denial of service (device reload) by completing local web authentication quickly, aka Bug ID CSCts88664. Cisco Catalyst is a smart Ethernet switch developed by Cisco.
An attacker can exploit this issue to cause a vulnerable device to reload, triggering a denial-of-service condition.
This issue is tracked by Cisco Bug ID CSCts88664.
| VAR-201301-0096 | CVE-2012-5972 | SpecView Web Server Directory Traversal Vulnerability (Related entries in the VARIoT exploits database: VAR-E-201206-0434) |
CVSS V2: 5.0 CVSS V3: - Severity: LOW |
Directory traversal vulnerability in the web server in SpecView 2.5 build 853 and earlier allows remote attackers to read arbitrary files via a ... (dot dot dot) in a URI. SpecView is a SCADA/HMI software product. The web server included in SpecView does not properly filter specially crafted requests submitted by users. SpecView is prone to a directory-traversal vulnerability because it fails to properly sanitize user-supplied input.
Exploiting this issue may allow an attacker to obtain sensitive information that could aid in further attacks.
| VAR-201207-0057 | CVE-2012-2516 | GE Proficy Product Command Injection Vulnerability |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
An ActiveX control in KeyHelp.ocx in KeyWorks KeyHelp Module (aka the HTML Help component), as used in GE Intelligent Platforms Proficy Historian 3.1, 3.5, 4.0, and 4.5; Proficy HMI/SCADA iFIX 5.0 and 5.1; Proficy Pulse 1.0; Proficy Batch Execution 5.6; SI7 I/O Driver 7.20 through 7.42; and other products, allows remote attackers to execute arbitrary commands via crafted input, related to a "command injection vulnerability." This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of GE Proficy Historian. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the KeyHelp.ocx ActiveX control. The control contains a LaunchTriPane function that allows launching of the HTML Help executable (hh.exe) with customized command line parameters. By using the -decompile switch, an attacker can specify the folder to decompile to and a UNC path to a specially crafted .chm file. The attacker can utilize this vulnerability to execute remote code under the context of the process. GE Intelligent Platforms provides software and hardware products, services and expertise for users in the automation control and embedded fields. Multiple GE Proficy Products are prone to remote stack-based buffer-overflow and command-injection vulnerabilities.
Attackers can exploit this issue to execute arbitrary code within the context of an application (typically Internet Explorer) that uses the ActiveX control. Failed exploit attempts will result in a denial-of-service condition.
ZDI-12-169 : GE Proficy Historian KeyHelp ActiveX LaunchTriPane Remote Code
Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-12-169
August 29, 2012
-- CVE ID:
CVE 2012-2516
-- CVSS:
7.5, AV:N/AC:L/Au:N/C:P/I:P/A:P
-- Affected Vendors:
GE
-- Affected Products:
GE Proficy Historian
-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 11626.
-- Vendor Response:
GE has issued an update to correct this vulnerability. More details can be
found at:
http://support.ge-ip.com/support/index?page=kbchannel&id=S:KB14863
-- Disclosure Timeline:
2012-01-24 - Vulnerability reported to vendor
2012-08-29 - Coordinated public release of advisory
-- Credit:
This vulnerability was discovered by:
* Andrea Micalizzi aka rgod
TITLE:
GE Intelligent Platforms Multiple Products KeyHelp ActiveX Control
Two Vulnerabilities
SECUNIA ADVISORY ID:
SA49728
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/49728/
RELEASE DATE:
2012-06-29
DESCRIPTION:
Two vulnerabilities have been reported in multiple GE Intelligent
Platforms products, which can be exploited by malicious people to
compromise a user's system.
The vulnerabilities are reported in the following products:
* Proficy Historian versions 4.5, 4.0, 3.5, and 3.1
* Proficy HMI/SCADA – iFIX versions 5.1 and 5.0
* Proficy Pulse version 1.0
* Proficy Batch Execution version 5.6
* SI7 I/O Driver versions 7.20 through 7.42
SOLUTION:
Apply patch (please see the vendor's advisory for more information).
PROVIDED AND/OR DISCOVERED BY:
2) The vendor credits Andrea Micalizzi aka rgod via ZDI.
ORIGINAL ADVISORY:
GE:
http://support.ge-ip.com/support/index?page=kbchannel&id=S:KB14863
http://support.ge-ip.com/support/resources/sites/GE_FANUC_SUPPORT/content/live/KB/14000/KB14863/en_US/GEIP12-04%20Security%20Advisory%20-%20Proficy%20HTML%20Help.pdf
| VAR-201206-0108 | CVE-2012-3053 | Cisco WebEx Advanced Recording Format player Vulnerable to buffer overflow |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Buffer overflow in the Cisco WebEx Advanced Recording Format (ARF) player T27 L through SP11 EP26, T27 LB through SP21 EP10, T27 LC before SP25 EP11, T27 LD before SP32 CP2, and T28 L10N before SP1 allows remote attackers to execute arbitrary code via a crafted ARF file, aka Bug ID CSCtz72985. The Cisco WebEx Advanced Recording Format (ARF) player contains a buffer overflow vulnerability. This issue is tracked as Bug ID CSCtz72985. A third party may execute arbitrary code via a crafted ARF file. Cisco WebEx is prone to multiple remote buffer-overflow vulnerabilities because it fails to perform adequate boundary checks on user-supplied data.
An attacker can exploit these issues to execute arbitrary code with the privileges of the affected application. Failed exploit attempts will result in a denial-of-service condition. Cisco WebEx is a set of Web conferencing tools developed by Cisco that helps office workers in different locations coordinate and cooperate. WebEx services include Web conferencing, telepresence video conferencing and enterprise instant messaging (IM).
TITLE:
Cisco WebEx Player ARF Processing Buffer Overflow Vulnerability
SECUNIA ADVISORY ID:
SA49751
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/49751/
RELEASE DATE:
2012-06-28
DESCRIPTION:
A vulnerability has been reported in WebEx Advanced Recording Format
Player, which can be exploited by malicious people to compromise a
user's system.
The vulnerability is caused due to an unspecified error when
processing ARF files. No further information is currently available.
Successful exploitation may allow execution of arbitrary code.
The vulnerability is reported in the following versions:
* Client builds 28.0.0 (T28 L10N).
* Client builds 27.32.1 (T27 LD SP32 CP1) and prior.
* Client builds 27.25.10 (T27 LC SP25 EP10) and prior.
* Client builds 27.21.10 (T27 LB SP21 EP10) and prior.
* Client builds 27.11.26 (T27 L SP11 EP26) and prior.
SOLUTION:
Update to a fixed client build (please see the vendor's advisory for
details).
PROVIDED AND/OR DISCOVERED BY:
The vendor credits iDefense and Microsoft Vulnerability Research
(MSVR).
ORIGINAL ADVISORY:
Cisco:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120627-webex
| VAR-201206-0361 | CVE-2012-2017 | Denial-of-service (DoS) vulnerability in multiple HP Photosmart products |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Unspecified vulnerability on HP Photosmart Wireless e-All-in-One B110, e-All-in-One D110, Plus e-All-in-One B210, eStation All-in-One C510, Ink Advantage e-All-in-One K510, and Premium Fax e-All-in-One C410 printers allows remote attackers to cause a denial of service via unknown vectors. Multiple HP Photosmart products have a denial-of-service (DoS) vulnerability; a third party could put an affected device into a denial-of-service state. HP Photosmart Printer is a professional photo printer developed by HP. Multiple HP Photosmart printers are prone to multiple unspecified denial-of-service vulnerabilities. The HP Photosmart Line Matrix Printer is a printer designed to print digital images conveniently and efficiently. It can be used under a variety of operating systems, including the Mac OS X operating system.
TITLE:
HP Photosmart Printers Denial of Service Vulnerability
SECUNIA ADVISORY ID:
SA49739
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/49739/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=49739
RELEASE DATE:
2012-06-28
DESCRIPTION:
A vulnerability has been reported in multiple HP Photosmart printers,
which can be exploited by malicious people to cause a DoS (Denial of
Service).
The vulnerability is caused due to an unspecified error. No further
information is currently available.
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
HPSBPI02794 SSRT100542:
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02931414
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Note: the current version of the following document is available here:
https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c02931414
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c02931414
Version: 1
HPSBPI02794 SSRT100542 rev.1 - Certain HP Photosmart Printers, Remote Denial
of Service (DoS)
NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.
Release Date: 2012-06-27
Last Updated: 2012-06-27
Potential Security Impact: Remote Denial of Service (DoS)
Source: Hewlett-Packard Company, HP Software Security Response Team
VULNERABILITY SUMMARY
A potential security vulnerability has been identified with certain HP
Photosmart printers. The vulnerability could be exploited remotely to create
a Denial of Service (DoS).
References: CVE-2012-2017
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed. The firmware
updates are available from http://www.hp.com
Browse to http://www.hp.com and search for "Getting the Latest Firmware and
Product Updates". In the search results list select the link for the
appropriate printer.
Note: Updates are not available for the following products. These products
should be used on networks where the users are trusted.
HP Photosmart Ink Advantage e-All-in-One Printer series - K510
HP Photosmart Premium Fax e-All-in-One Printer series - C410
HISTORY
Version:1 (rev.1) - 27 June 2012 Initial release
Third Party Security Patches: Third party security patches that are to be
installed on systems running HP software products should be applied in
accordance with the customer's patch management policy.
Copyright 2012 Hewlett-Packard Development Company, L.P.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iEYEARECAAYFAk/rFRYACgkQ4B86/C0qfVkrSQCgpTPiW7mKrRWNHDAZhVE/ILLj
AU8AoM0QoVrHTTRcpqAoElwPfzE0V5Yt
=wNL3
-----END PGP SIGNATURE-----