VARIoT IoT vulnerabilities database
| VAR-200912-0321 | CVE-2009-4444 | Microsoft IIS Vulnerabilities that allow third-party extension restrictions to be bypassed |
CVSS V2: 6.0 CVSS V3: - Severity: MEDIUM |
Microsoft Internet Information Services (IIS) 5.x and 6.x uses only the portion of a filename before a ; (semicolon) character to determine the file extension, which allows remote attackers to bypass intended extension restrictions of third-party upload applications via a filename with a (1) .asp, (2) .cer, or (3) .asa first extension, followed by a semicolon and a safe extension, as demonstrated by the use of asp.dll to handle a .asp;.jpg file. Microsoft IIS is prone to a security-bypass vulnerability.
This vulnerability may cause IIS to interpret unexpected files as CGI applications. Attackers may be able to exploit this vulnerability to bypass intended security restrictions.
UPDATE (December 25, 2009): Reports indicate that IIS 7.5 is not vulnerable to this issue. Furthermore, it is currently unknown whether IIS 7.0 is vulnerable.
UPDATE (December 29, 2009): Reports indicate that IIS 5.0 SP1 under Windows XP SP 3 and IIS 7.0 under Windows Server 2008 are not affected.
NOTE: This BID is being retired. For an exploit to succeed, IIS must be configured in a nondefault way and contrary to the vendor's recommended best practices. ----------------------------------------------------------------------
Do you have VARM strategy implemented?
(Vulnerability Assessment Remediation Management)
If not, then implement it through the most reliable vulnerability
intelligence source on the market.
Implement it through Secunia.
For more information visit:
http://secunia.com/advisories/business_solutions/
Alternatively request a call from a Secunia representative today to
discuss how we can help you with our capabilities contact us at:
sales@secunia.com
----------------------------------------------------------------------
TITLE:
Microsoft IIS ASP Multiple Extensions Security Bypass
SECUNIA ADVISORY ID:
SA37831
VERIFY ADVISORY:
http://secunia.com/advisories/37831/
DESCRIPTION:
Soroush Dalili has discovered a vulnerability in Microsoft Internet
Information Services (IIS), which can be exploited by malicious
people to potentially bypass certain security restrictions and
compromise a vulnerable system.
The vulnerability is caused due to the web server incorrectly
executing e.g. ASP code included in a file having multiple extensions
separated by ";", only one internal extension being equal to ".asp"
(e.g. "file.asp;.jpg"). This can be exploited to potentially upload
and execute arbitrary ASP code via a third-party application using
file extensions to restrict uploaded file types.
The vulnerability is confirmed on a fully patched Windows Server 2003
R2 SP2 running Microsoft IIS version 6. Other versions may also be
affected.
SOLUTION:
Restrict file uploads to trusted users only.
PROVIDED AND/OR DISCOVERED BY:
Soroush Dalili
ORIGINAL ADVISORY:
http://soroush.secproject.com/downloadable/iis-semicolon-report.pdf
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-200912-0564 | No CVE | Hitachi Multiple Storage Command Suite Products 'StartTLS' Information Disclosure Vulnerability |
CVSS V2: - CVSS V3: - Severity: - |
Multiple Hitachi Storage Command Suite Products are prone to an information-disclosure vulnerability.
An attacker can exploit this issue to obtain communication information that may aid in further attacks. ----------------------------------------------------------------------
Do you have VARM strategy implemented?
(Vulnerability Assessment Remediation Management)
If not, then implement it through the most reliable vulnerability
intelligence source on the market.
Implement it through Secunia.
For more information visit:
http://secunia.com/advisories/business_solutions/
Alternatively request a call from a Secunia representative today to
discuss how we can help you with our capabilities contact us at:
sales@secunia.com
----------------------------------------------------------------------
TITLE:
Hitachi Products Secure LDAP Information Disclosure
SECUNIA ADVISORY ID:
SA37869
VERIFY ADVISORY:
http://secunia.com/advisories/37869/
DESCRIPTION:
A security issue has been reported in multiple Hitachi products,
which can be exploited by malicious people to disclose potentially
sensitive information.
The security issue is caused due to the products sending plaintext
LDAP data over LDAP sessions configured as secure. This can be
exploited to disclose LDAP protocol data by sniffing network
traffic.
Please see the vendor advisory for a list of affected products.
SOLUTION:
Update to a fixed version.
Hitachi Device Manager Software (Windows, Linux, Solaris):
Update to version 6.2.0-02.
Hitachi Global Link Manager Software:
Update to version 6.2.0-01 when available.
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS09-018/index.html
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-200912-0369 | CVE-2009-4419 | SINIT Authenticated Code Module (ACM) of Intel Q35 Vulnerability that can be obtained authority |
CVSS V2: 7.2 CVSS V3: - Severity: HIGH |
Intel Q35, GM45, PM45 Express, Q45, and Q43 Express chipsets in the SINIT Authenticated Code Module (ACM), which allows local users to bypass the Trusted Execution Technology protection mechanism and gain privileges by modifying the MCHBAR register to point to an attacker-controlled region, which prevents the SENTER instruction from properly applying VT-d protection while an MLE is being loaded. Intel BIOS is prone to an unspecified privilege-escalation vulnerability.
Successful exploits will allow local processes to bypass intended security restrictions and gain elevated privileges.
Currently very few technical details are available. We will update this BID as more information emerges. Intel Trusted Execution Technology is a hardware extension technology in Intel Core 2 Duo processor E8400, designed to protect data in a virtualized computing environment from software attacks, virus intrusions and other types of threats. ----------------------------------------------------------------------
Do you have VARM strategy implemented?
(Vulnerability Assessment Remediation Management)
If not, then implement it through the most reliable vulnerability
intelligence source on the market.
Implement it through Secunia.
For more information visit:
http://secunia.com/advisories/business_solutions/
Alternatively request a call from a Secunia representative today to
discuss how we can help you with our capabilities contact us at:
sales@secunia.com
----------------------------------------------------------------------
TITLE:
Intel Trusted Execution Technology SINIT Security Bypass
SECUNIA ADVISORY ID:
SA37900
VERIFY ADVISORY:
http://secunia.com/advisories/37900/
DESCRIPTION:
A vulnerability has been reported in multiple Intel products, which
can be exploited by malicious, local users to bypass certain security
restrictions and gain escalated privileges.
The vulnerability is caused due to a configuration error in the SINIT
Authenticated Code Module (ACM).
The vulnerability is reported in platforms using the Q35, GM45, PM45
Express, Q45, and Q43 Express chipsets.
SOLUTION:
Install updated SINIT modules.
http://sourceforge.net/projects/tboot/files/
Q35:
Install Q35_SINIT_18.BIN.
GM45 and PM45 Express:
Install GM45_GS45_PM45_SINIT_21.BIN.
Q45 and Q43 Express:
Install Q45_Q43_SINIT_18.BIN.
PROVIDED AND/OR DISCOVERED BY:
The vendor credits Alexander Tereshkin, Rafal Wojtczuk, and Joanna
Rutkowska from Invisible Things Lab.
ORIGINAL ADVISORY:
http://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00021&languageid=en-fr
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-201004-0065 | CVE-2009-4815 | Serv-U Vulnerable to directory traversal |
CVSS V2: 4.0 CVSS V3: - Severity: MEDIUM |
Directory traversal vulnerability in Serv-U before 9.2.0.1 allows remote authenticated users to read arbitrary files via unspecified vectors. Serv-U File Server is prone to an unspecified information-disclosure vulnerability.
Attackers can exploit this issue to harvest sensitive information that may lead to further attacks.
Versions prior to SERV-U File Server 9.2.0.1 are vulnerable. ----------------------------------------------------------------------
Do you have VARM strategy implemented?
(Vulnerability Assessment Remediation Management)
If not, then implement it through the most reliable vulnerability
intelligence source on the market.
Implement it through Secunia.
For more information visit:
http://secunia.com/advisories/business_solutions/
Alternatively request a call from a Secunia representative today to
discuss how we can help you with our capabilities contact us at:
sales@secunia.com
----------------------------------------------------------------------
TITLE:
Serv-U File Server Information Disclosure Vulnerability
SECUNIA ADVISORY ID:
SA37847
VERIFY ADVISORY:
http://secunia.com/advisories/37847/
DESCRIPTION:
A vulnerability has been reported in Serv-U File Server, which can be
exploited by malicious users to disclose potentially sensitive
information.
The vulnerability is caused due to an unspecified error and can be
exploited to disclose directories placed outside a user's root
directory.
SOLUTION:
Update to version 9.2.0.1.
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
http://www.serv-u.com/releasenotes/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-201004-0071 | CVE-2009-4821 | D-Link DIR-615 In DNS Vulnerability whose settings are changed |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The D-Link DIR-615 with firmware 3.10NA does not require administrative authentication for apply.cgi, which allows remote attackers to (1) change the admin password via the admin_password parameter, (2) disable the security requirement for the Wi-Fi network via unspecified vectors, or (3) modify DNS settings via unspecified vectors. D-Link DIR-615 Is apply.cgi The following vulnerabilities exist because management authentication for is not required. The D-Link DIR-615 is a small wireless router. The DIR-615 router does not restrict access to the apply.cgi script. D-Link DIR-615 is is prone to a security-bypass vulnerability.
Remote attackers can exploit this issue to bypass security restrictions and access certain administrative functions. ----------------------------------------------------------------------
Do you have VARM strategy implemented?
(Vulnerability Assessment Remediation Management)
If not, then implement it through the most reliable vulnerability
intelligence source on the market.
Implement it through Secunia.
For more information visit:
http://secunia.com/advisories/business_solutions/
Alternatively request a call from a Secunia representative today to
discuss how we can help you with our capabilities contact us at:
sales@secunia.com
----------------------------------------------------------------------
TITLE:
D-Link DIR-615 "apply.cgi" Security Bypass Vulnerability
SECUNIA ADVISORY ID:
SA37777
VERIFY ADVISORY:
http://secunia.com/advisories/37777/
DESCRIPTION:
gerry has reported a vulnerability in D-Link DIR-615, which can be
exploited by malicious people to bypass certain security
restrictions. This can be exploited to e.g.
change the administrator password via a specially crafted HTTP
request.
The vulnerability is reported in firmware version 3.10NA. Other
versions may also be affected.
PROVIDED AND/OR DISCOVERED BY:
gerry
ORIGINAL ADVISORY:
http://www.hiredhacker.com/2009/12/15/d-link-dir-615-remote-exploit/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-200912-0332 | CVE-2009-4455 | Cisco ASA Vulnerability that bypasses access restrictions in default settings |
CVSS V2: 6.5 CVSS V3: - Severity: MEDIUM |
The default configuration of Cisco ASA 5500 Series Adaptive Security Appliance (Cisco ASA) 7.0, 7.1, 7.2, 8.0, 8.1, and 8.2 allows portal traffic to access arbitrary backend servers, which might allow remote authenticated users to bypass intended access restrictions and access unauthorized web sites via a crafted URL obfuscated with ROT13 and a certain encoding. NOTE: this issue was originally reported as a vulnerability related to lack of restrictions to URLs listed in the Cisco WebVPN bookmark component, but the vendor states that "The bookmark feature is not a security feature.". Adaptive Security Appliance 5500 is prone to a security bypass vulnerability. ----------------------------------------------------------------------
Do you have VARM strategy implemented?
(Vulnerability Assessment Remediation Management)
If not, then implement it through the most reliable vulnerability
intelligence source on the market.
Implement it through Secunia.
For more information visit:
http://secunia.com/advisories/business_solutions/
Alternatively request a call from a Secunia representative today to
discuss how we can help you with our capabilities contact us at:
sales@secunia.com
----------------------------------------------------------------------
TITLE:
Cisco ASA WebVPN Bookmark URLs Security Bypass
SECUNIA ADVISORY ID:
SA37710
VERIFY ADVISORY:
http://secunia.com/advisories/37710/
DESCRIPTION:
David Eduardo Acosta Rodriguez has reported a security issue in Cisco
ASA, which can be exploited by malicious users to bypass certain
security restrictions.
The security issue is caused due to the appliance allowing
administrators the option to limit web access via the VPN through
obfuscated bookmark URLs. This can be exploited to access apparently
restricted URLs obfuscated using the ROT13 cipher.
SOLUTION:
Apply web access control lists to group-policies and Dynamic Access
Policies. Please see the vendor's advisory for details.
PROVIDED AND/OR DISCOVERED BY:
David Eduardo Acosta Rodriguez, ISecAuditors
ORIGINAL ADVISORY:
ISecAuditors:
http://archives.neohapsis.com/archives/fulldisclosure/2009-12/0385.html
Cisco:
http://tools.cisco.com/security/center/viewAlert.x?alertId=19609
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-200912-0442 | CVE-2009-2877 | Cisco WebEx WRF Player of ataudio.dll Vulnerable to stack-based buffer overflow |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Stack-based buffer overflow in ataudio.dll in the Cisco WebEx WRF Player 26.x before 26.49.32 for Windows, 27.x before 27.10.x (aka T27SP10) for Windows, 26.x before 26.49.35 for Mac OS X and Linux, and 27.x before 27.11.8 for Mac OS X and Linux allows remote attackers to cause a denial of service (application crash) or execute arbitrary code via a crafted WebEx Recording Format (WRF) file. Cisco WebEx is prone to multiple remote buffer-overflow vulnerabilities because the software fails to perform adequate boundary checks on user-supplied data.
An attacker can exploit these issues to execute arbitrary code with administrative privileges. Successful exploits will completely compromise affected computers. Failed exploit attempts will result in a denial-of-service condition. ----------------------------------------------------------------------
Do you have VARM strategy implemented?
(Vulnerability Assessment Remediation Management)
If not, then implement it through the most reliable vulnerability
intelligence source on the market.
Implement it through Secunia.
ORIGINAL ADVISORY:
Cisco:
http://www.cisco.com/warp/public/707/cisco-sa-20091216-webex.shtml
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Cisco Security Advisory: Multiple Cisco WebEx WRF Player Vulnerabilities
Advisory ID: cisco-sa-20091216-webex
http://www.cisco.com/warp/public/707/cisco-sa-20091216-webex.shtml
Revision 1.0
For Public Release 2009 December 16 1600 UTC (GMT)
Summary
=======
Multiple buffer overflow vulnerabilities exist in the Cisco WebEx
Recording Format (WRF) Player.
The Cisco WebEx WRF Player is an application that is used to play back
WebEx meeting recordings that have been recorded on the computer of an
on-line meeting attendee. The WRF Player can be automatically installed
when the user accesses a WRF file that is hosted on a WebEx server. The
WRF Player can also be manually installed for offline playback after
downloading the application from www.webex.com.
If the WRF Player was automatically installed, the WebEx WRF Player
will be automatically upgraded to the latest, non-vulnerable version
when users access a WRF file hosted on a WebEx server. If the WebEx
WRF Player was manually installed, users will need to manually install
a new version of the player after downloading the latest version from
www.webex.com.
Cisco has released free software updates that address these
vulnerabilities.
This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20091216-webex.shtml.
Affected Products
=================
Vulnerable Products
- -------------------
The vulnerabilities disclosed in this advisory affect the Cisco WebEx
WRF Player. Affected versions of the WRF Player are those prior
to the "first fixed" versions, which are shown in the section "Software
Versions and Fixes" of this advisory.
To check if a Cisco WebEx server is running an affected version of the
WebEx client build, users can log in to their Cisco WebEx server and go
to the Support -> Downloads section. The version of the WebEx client
build will be displayed on the right-hand side of the page under "About
Support Center", for example "Client build: 27.11.0.3328".
There is no way to check if a manually installed version of the WRF
Player is affected by these vulnerabilities. Therefore, Cisco recommends
that users upgrade to the most current version of the player that is
available from http://www.webex.com/downloadplayer.html.
Products Confirmed Not Vulnerable
- ---------------------------------
The Cisco WebEx Player for the WebEx Advanced Recording Format (ARF)
file format is not affected by these vulnerabilities.
No other Cisco products are currently known to be affected by these
vulnerabilities.
Details
=======
The WebEx meeting service is a hosted multimedia conferencing solution
that is managed by and maintained by Cisco WebEx. The WebEx Recording
Format (WRF) is a file format that is used to store WebEx meeting
recordings that have been recorded on the computer of an on-line meeting
attendee. The WRF Player is an application that is used to play back
and edit WRF files (files with .wrf extensions). The WRF Player can be
automatically installed when the user accesses a WRF file that is hosted
on a WebEx server (stream playback mode). The WRF Player can also be
manually installed after downloading the application from www.webex.com
to play back WRF files locally (offline playback mode).
Multiple buffer overflow vulnerabilities exist in the WRF Player. The
vulnerabilities may lead to a crash of the WRF Player application, or in
some cases, lead to remote code execution.
To exploit a vulnerability, a malicious WRF file would need to be opened
by the WRF Player application. An attacker may be able to accomplish
this by providing the malicious WRF file directly to users (for example,
via e-mail), or by convincing users to visit a malicious website. The
vulnerability cannot be triggered by users attending a WebEx meeting.
These vulnerabilities have been assigned the following Common
Vulnerabilities and Exposures (CVE) identifiers:
* CVE-2009-2875
* CVE-2009-2876
* CVE-2009-2877
* CVE-2009-2878
* CVE-2009-2879
* CVE-2009-2880
Vulnerability Scoring Details
=============================
Cisco has provided scores for the vulnerabilities in this advisory based
on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in
this Security Advisory is done in accordance with CVSS version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of the
vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding CVSS
at:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at:
http://intellishield.cisco.com/security/alertmanager/cvss
* Multiple Cisco WebEx Player Buffer Overflow Vulnerabilities (all
vulnerabilities in this advisory)
CVSS Base Score - 9.3
Access Vector - Network
Access Complexity - Medium
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 7.7
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of the vulnerabilities described in this
document could result in a crash of the Cisco WebEx WRF Player
application, and in some cases, allow a remote attacker to execute
arbitrary code on the targeted system with the privileges of the user
running the WRF Player application.
Software Versions and Fixes
===========================
The table below contains "First Fixed" information for the Cisco WebEx
WRF Player that is automatically downloaded from a WebEx site when a WRF
hosted on a WebEx site is accessed (stream playback mode). Fixes are
cumulative within a major release so for example, if release 27.10.1 is
fixed, then release 27.10.2 will have the fix too.
+------------------------------------------------------------+
| Platform | Major Release 26.x | Major Release 27.x |
|-----------+---------------------+--------------------------|
| Microsoft | 26.49.32; available | 27.10.x; available now |
| Windows | now except lockdown | for non-PSO and |
| | sites | non-lockdown sites |
|-----------+---------------------+--------------------------|
| | 26.49.35; available | 27.11.8; available now |
| Mac OS X | early February 2010 | for non-PSO and |
| | | non-lockdown sites |
|-----------+---------------------+--------------------------|
| | 26.49.35; available | 27.11.8; available now |
| Linux | early February 2010 | for non-PSO and |
| | | non-lockdown sites |
+------------------------------------------------------------+
PSO and lockdown sites running 27.x will receive the fixes for these
vulnerabilities during the next emergency patching (EP) cycle. This
advisory will be updated to indicate a specific timeline once one is
available.
If the WRF Player was automatically installed, the WebEx WRF Player will
be automatically upgraded to the latest, non-vulnerable version when
users access a WRF file hosted on a WebEx server.
If the WebEx WRF Player was manually installed, users will need to
manually install a new version of the player after downloading the
latest version from www.webex.com.
Workarounds
===========
There are no workarounds for the vulnerabilities disclosed in this
advisory.
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should consult
their maintenance provider or check the software for feature set
compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature
sets they have purchased. By installing, downloading, accessing
or otherwise using such software upgrades, customers agree to be
bound by the terms of Cisco's software license terms found at
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html,
or as otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml.
Do not contact psirt@cisco.com or security-alert@cisco.com for software
upgrades.
Customers that need additional information can contact WebEx Global
Support Services and Technical Support. WebEx Global Support Services
and Technical Support can be reached through the WebEx support site at
http://support.webex.com/support/support-overview.html or by phone at
+1-866-229-3239 or +1-408-435-7088.
Customers outside of the United States can reference the following link
for local support numbers:
http://support.webex.com/support/phone-numbers.html
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of malicious use of the vulnerabilities
described in this advisory.
These vulnerabilities were discovered and reported to Cisco by Xiaopeng
Zhang and Zhenhua Liu of Fortinet's FortiGuard Labs. The FortiGuard Labs
advisory is available at http://www.fortiguard.com. Cisco would like to
thank FortiGuard Labs for reporting these vulnerabilities to us and for
working with us on a coordinated disclosure.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY
ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that omits
the distribution URL in the following section is an uncontrolled copy,
and may lack important information or contain factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at:
http://www.cisco.com/warp/public/707/cisco-sa-20091216-webex.shtml
In addition to worldwide web posting, a text version of this notice is
clear-signed with the Cisco PSIRT PGP key and is posted to the following
e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on mailing
lists or newsgroups. Users concerned about this problem are encouraged
to check the above URL for any updates.
Revision History
================
+------------------------------------------------------------+
| Revision 1.0 | 2009-December-16 | Initial public release |
+------------------------------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in
Cisco products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html.
This includes instructions for press inquiries regarding Cisco security
notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt.
+--------------------------------------------------------------------
Copyright 2008-2009 Cisco Systems, Inc. All rights reserved.
+--------------------------------------------------------------------
Updated: Dec 16, 2009 Document ID: 110946
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkspCQMACgkQ86n/Gc8U/uCn+QCeLaUWmiHsetXDoJsynUbgsmHs
IDgAnRhmTkrcs2NhAQ7Dq8+eJqofkHSh
=KaHv
-----END PGP SIGNATURE-----
| VAR-200912-0443 | CVE-2009-2878 | Cisco WebEx WRF Player of atas32.dll Heap-based buffer overflow vulnerability |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Heap-based buffer overflow in atas32.dll in the Cisco WebEx WRF Player 26.x before 26.49.32 (aka T26SP49EP32) for Windows, 27.x before 27.10.x (aka T27SP10) for Windows, 26.x before 26.49.35 for Mac OS X and Linux, and 27.x before 27.11.8 for Mac OS X and Linux allows remote attackers to cause a denial of service (application crash) or execute arbitrary code via a crafted WebEx Recording Format (WRF) file, a different vulnerability than CVE-2009-2876 and CVE-2009-2879. Cisco WebEx WRF Player of atas32.dll Contains a heap-based buffer overflow vulnerability. This vulnerability CVE-2009-2876 and CVE-2009-2879 Is a different vulnerability.Skillfully crafted by a third party WebEx Recording Format (WRF) Service disruption via file (DoS) Could be put into a state or execute arbitrary code. Cisco WebEx is prone to multiple remote buffer-overflow vulnerabilities because the software fails to perform adequate boundary checks on user-supplied data.
An attacker can exploit these issues to execute arbitrary code with administrative privileges. Successful exploits will completely compromise affected computers. Failed exploit attempts will result in a denial-of-service condition. This vulnerability is different from CVE-2009-2876 and CVE-2009-2879. ----------------------------------------------------------------------
Do you have VARM strategy implemented?
(Vulnerability Assessment Remediation Management)
If not, then implement it through the most reliable vulnerability
intelligence source on the market.
Implement it through Secunia.
ORIGINAL ADVISORY:
Cisco:
http://www.cisco.com/warp/public/707/cisco-sa-20091216-webex.shtml
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Cisco Security Advisory: Multiple Cisco WebEx WRF Player Vulnerabilities
Advisory ID: cisco-sa-20091216-webex
http://www.cisco.com/warp/public/707/cisco-sa-20091216-webex.shtml
Revision 1.0
For Public Release 2009 December 16 1600 UTC (GMT)
Summary
=======
Multiple buffer overflow vulnerabilities exist in the Cisco WebEx
Recording Format (WRF) Player.
The Cisco WebEx WRF Player is an application that is used to play back
WebEx meeting recordings that have been recorded on the computer of an
on-line meeting attendee. The WRF Player can be automatically installed
when the user accesses a WRF file that is hosted on a WebEx server. The
WRF Player can also be manually installed for offline playback after
downloading the application from www.webex.com.
If the WRF Player was automatically installed, the WebEx WRF Player
will be automatically upgraded to the latest, non-vulnerable version
when users access a WRF file hosted on a WebEx server. If the WebEx
WRF Player was manually installed, users will need to manually install
a new version of the player after downloading the latest version from
www.webex.com.
Cisco has released free software updates that address these
vulnerabilities.
This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20091216-webex.shtml.
Affected Products
=================
Vulnerable Products
- -------------------
The vulnerabilities disclosed in this advisory affect the Cisco WebEx
WRF Player. Microsoft Windows, Apple Mac OS X, and Linux versions of the
player are affected. Affected versions of the WRF Player are those prior
to the "first fixed" versions, which are shown in the section "Software
Versions and Fixes" of this advisory.
To check if a Cisco WebEx server is running an affected version of the
WebEx client build, users can log in to their Cisco WebEx server and go
to the Support -> Downloads section. The version of the WebEx client
build will be displayed on the right-hand side of the page under "About
Support Center", for example "Client build: 27.11.0.3328".
There is no way to check if a manually installed version of the WRF
Player is affected by these vulnerabilities. Therefore, Cisco recommends
that users upgrade to the most current version of the player that is
available from http://www.webex.com/downloadplayer.html.
Products Confirmed Not Vulnerable
- ---------------------------------
The Cisco WebEx Player for the WebEx Advanced Recording Format (ARF)
file format is not affected by these vulnerabilities.
No other Cisco products are currently known to be affected by these
vulnerabilities.
Details
=======
The WebEx meeting service is a hosted multimedia conferencing solution
that is managed by and maintained by Cisco WebEx. The WebEx Recording
Format (WRF) is a file format that is used to store WebEx meeting
recordings that have been recorded on the computer of an on-line meeting
attendee. The WRF Player is an application that is used to play back
and edit WRF files (files with .wrf extensions). The WRF Player can be
automatically installed when the user accesses a WRF file that is hosted
on a WebEx server (stream playback mode). The WRF Player can also be
manually installed after downloading the application from www.webex.com
to play back WRF files locally (offline playback mode). The
vulnerabilities may lead to a crash of the WRF Player application, or in
some cases, lead to remote code execution.
To exploit a vulnerability, a malicious WRF file would need to be opened
by the WRF Player application. An attacker may be able to accomplish
this by providing the malicious WRF file directly to users (for example,
via e-mail), or by convincing users to visit a malicious website. The
vulnerability cannot be triggered by users attending a WebEx meeting.
These vulnerabilities have been assigned the following Common
Vulnerabilities and Exposures (CVE) identifiers:
* CVE-2009-2875
* CVE-2009-2876
* CVE-2009-2877
* CVE-2009-2878
* CVE-2009-2879
* CVE-2009-2880
Vulnerability Scoring Details
=============================
Cisco has provided scores for the vulnerabilities in this advisory based
on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in
this Security Advisory is done in accordance with CVSS version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of the
vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding CVSS
at:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at:
http://intellishield.cisco.com/security/alertmanager/cvss
* Multiple Cisco WebEx Player Buffer Overflow Vulnerabilities (all
vulnerabilities in this advisory)
CVSS Base Score - 9.3
Access Vector - Network
Access Complexity - Medium
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 7.7
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of the vulnerabilities described in this
document could result in a crash of the Cisco WebEx WRF Player
application, and in some cases, allow a remote attacker to execute
arbitrary code on the targeted system with the privileges of the user
running the WRF Player application.
Software Versions and Fixes
===========================
The table below contains "First Fixed" information for the Cisco WebEx
WRF Player that is automatically downloaded from a WebEx site when a WRF
hosted on a WebEx site is accessed (stream playback mode). Fixes are
cumulative within a major release so for example, if release 27.10.1 is
fixed, then release 27.10.2 will have the fix too.
+------------------------------------------------------------+
| Platform | Major Release 26.x | Major Release 27.x |
|-----------+---------------------+--------------------------|
| Microsoft | 26.49.32; available | 27.10.x; available now |
| Windows | now except lockdown | for non-PSO and |
| | sites | non-lockdown sites |
|-----------+---------------------+--------------------------|
| | 26.49.35; available | 27.11.8; available now |
| Mac OS X | early February 2010 | for non-PSO and |
| | | non-lockdown sites |
|-----------+---------------------+--------------------------|
| | 26.49.35; available | 27.11.8; available now |
| Linux | early February 2010 | for non-PSO and |
| | | non-lockdown sites |
+------------------------------------------------------------+
PSO and lockdown sites running 27.x will receive the fixes for these
vulnerabilities during the next emergency patching (EP) cycle. This
advisory will be updated to indicate a specific timeline once one is
available.
If the WRF Player was automatically installed, the WebEx WRF Player will
be automatically upgraded to the latest, non-vulnerable version when
users access a WRF file hosted on a WebEx server.
If the WebEx WRF Player was manually installed, users will need to
manually install a new version of the player after downloading the
latest version from www.webex.com.
Workarounds
===========
There are no workarounds for the vulnerabilities disclosed in this
advisory.
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should consult
their maintenance provider or check the software for feature set
compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature
sets they have purchased. By installing, downloading, accessing
or otherwise using such software upgrades, customers agree to be
bound by the terms of Cisco's software license terms found at
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html,
or as otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml.
Do not contact psirt@cisco.com or security-alert@cisco.com for software
upgrades.
Customers that need additional information can contact WebEx Global
Support Services and Technical Support. WebEx Global Support Services
and Technical Support can be reached through the WebEx support site at
http://support.webex.com/support/support-overview.html or by phone at
+1-866-229-3239 or +1-408-435-7088.
Customers outside of the United States can reference the following link
for local support numbers:
http://support.webex.com/support/phone-numbers.html
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of malicious use of the vulnerabilities
described in this advisory.
These vulnerabilities were discovered and reported to Cisco by Xiaopeng
Zhang and Zhenhua Liu of Fortinet's FortiGuard Labs. The FortiGuard Labs
advisory is available at http://www.fortiguard.com. Cisco would like to
thank FortiGuard Labs for reporting these vulnerabilities to us and for
working with us on a coordinated disclosure.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY
ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that omits
the distribution URL in the following section is an uncontrolled copy,
and may lack important information or contain factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at:
http://www.cisco.com/warp/public/707/cisco-sa-20091216-webex.shtml
In addition to worldwide web posting, a text version of this notice is
clear-signed with the Cisco PSIRT PGP key and is posted to the following
e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on mailing
lists or newsgroups. Users concerned about this problem are encouraged
to check the above URL for any updates.
Revision History
================
+------------------------------------------------------------+
| Revision 1.0 | 2009-December-16 | Initial public release |
+------------------------------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in
Cisco products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html.
This includes instructions for press inquiries regarding Cisco security
notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt.
+--------------------------------------------------------------------
Copyright 2008-2009 Cisco Systems, Inc. All rights reserved.
+--------------------------------------------------------------------
Updated: Dec 16, 2009 Document ID: 110946
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkspCQMACgkQ86n/Gc8U/uCn+QCeLaUWmiHsetXDoJsynUbgsmHs
IDgAnRhmTkrcs2NhAQ7Dq8+eJqofkHSh
=KaHv
-----END PGP SIGNATURE-----
| VAR-200912-0441 | CVE-2009-2876 | Cisco WebEx WRF Player of atas32.dll Heap-based buffer overflow vulnerability |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Heap-based buffer overflow in atas32.dll in the Cisco WebEx WRF Player 26.x before 26.49.32 (aka T26SP49EP32) for Windows, 27.x before 27.10.x (aka T27SP10) for Windows, 26.x before 26.49.35 for Mac OS X and Linux, and 27.x before 27.11.8 for Mac OS X and Linux allows remote attackers to cause a denial of service (application crash) or execute arbitrary code via a crafted WebEx Recording Format (WRF) file, a different vulnerability than CVE-2009-2878 and CVE-2009-2879. Cisco WebEx WRF Player of atas32.dll Contains a heap-based buffer overflow vulnerability. This vulnerability CVE-2009-2878 and CVE-2009-2879 Is a different vulnerability.Skillfully crafted by a third party WebEx Recording Format (WRF) Service disruption via file (DoS) Could be put into a state or execute arbitrary code. Cisco WebEx is prone to multiple remote buffer-overflow vulnerabilities because the software fails to perform adequate boundary checks on user-supplied data.
An attacker can exploit these issues to execute arbitrary code with administrative privileges. Successful exploits will completely compromise affected computers. Failed exploit attempts will result in a denial-of-service condition. This vulnerability is different from CVE-2009-2878 and CVE-2009-2879. ----------------------------------------------------------------------
Do you have VARM strategy implemented?
(Vulnerability Assessment Remediation Management)
If not, then implement it through the most reliable vulnerability
intelligence source on the market.
Implement it through Secunia.
ORIGINAL ADVISORY:
Cisco:
http://www.cisco.com/warp/public/707/cisco-sa-20091216-webex.shtml
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Cisco Security Advisory: Multiple Cisco WebEx WRF Player Vulnerabilities
Advisory ID: cisco-sa-20091216-webex
http://www.cisco.com/warp/public/707/cisco-sa-20091216-webex.shtml
Revision 1.0
For Public Release 2009 December 16 1600 UTC (GMT)
Summary
=======
Multiple buffer overflow vulnerabilities exist in the Cisco WebEx
Recording Format (WRF) Player.
The Cisco WebEx WRF Player is an application that is used to play back
WebEx meeting recordings that have been recorded on the computer of an
on-line meeting attendee. The WRF Player can be automatically installed
when the user accesses a WRF file that is hosted on a WebEx server. The
WRF Player can also be manually installed for offline playback after
downloading the application from www.webex.com.
If the WRF Player was automatically installed, the WebEx WRF Player
will be automatically upgraded to the latest, non-vulnerable version
when users access a WRF file hosted on a WebEx server. If the WebEx
WRF Player was manually installed, users will need to manually install
a new version of the player after downloading the latest version from
www.webex.com.
Cisco has released free software updates that address these
vulnerabilities.
This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20091216-webex.shtml.
Affected Products
=================
Vulnerable Products
- -------------------
The vulnerabilities disclosed in this advisory affect the Cisco WebEx
WRF Player. Microsoft Windows, Apple Mac OS X, and Linux versions of the
player are affected. Affected versions of the WRF Player are those prior
to the "first fixed" versions, which are shown in the section "Software
Versions and Fixes" of this advisory.
To check if a Cisco WebEx server is running an affected version of the
WebEx client build, users can log in to their Cisco WebEx server and go
to the Support -> Downloads section. The version of the WebEx client
build will be displayed on the right-hand side of the page under "About
Support Center", for example "Client build: 27.11.0.3328".
There is no way to check if a manually installed version of the WRF
Player is affected by these vulnerabilities. Therefore, Cisco recommends
that users upgrade to the most current version of the player that is
available from http://www.webex.com/downloadplayer.html.
Products Confirmed Not Vulnerable
- ---------------------------------
The Cisco WebEx Player for the WebEx Advanced Recording Format (ARF)
file format is not affected by these vulnerabilities.
No other Cisco products are currently known to be affected by these
vulnerabilities.
Details
=======
The WebEx meeting service is a hosted multimedia conferencing solution
that is managed by and maintained by Cisco WebEx. The WebEx Recording
Format (WRF) is a file format that is used to store WebEx meeting
recordings that have been recorded on the computer of an on-line meeting
attendee. The WRF Player is an application that is used to play back
and edit WRF files (files with .wrf extensions). The WRF Player can be
automatically installed when the user accesses a WRF file that is hosted
on a WebEx server (stream playback mode). The WRF Player can also be
manually installed after downloading the application from www.webex.com
to play back WRF files locally (offline playback mode). The
vulnerabilities may lead to a crash of the WRF Player application, or in
some cases, lead to remote code execution.
To exploit a vulnerability, a malicious WRF file would need to be opened
by the WRF Player application. An attacker may be able to accomplish
this by providing the malicious WRF file directly to users (for example,
via e-mail), or by convincing users to visit a malicious website. The
vulnerability cannot be triggered by users attending a WebEx meeting.
These vulnerabilities have been assigned the following Common
Vulnerabilities and Exposures (CVE) identifiers:
* CVE-2009-2875
* CVE-2009-2876
* CVE-2009-2877
* CVE-2009-2878
* CVE-2009-2879
* CVE-2009-2880
Vulnerability Scoring Details
=============================
Cisco has provided scores for the vulnerabilities in this advisory based
on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in
this Security Advisory is done in accordance with CVSS version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of the
vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding CVSS
at:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at:
http://intellishield.cisco.com/security/alertmanager/cvss
* Multiple Cisco WebEx Player Buffer Overflow Vulnerabilities (all
vulnerabilities in this advisory)
CVSS Base Score - 9.3
Access Vector - Network
Access Complexity - Medium
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 7.7
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of the vulnerabilities described in this
document could result in a crash of the Cisco WebEx WRF Player
application, and in some cases, allow a remote attacker to execute
arbitrary code on the targeted system with the privileges of the user
running the WRF Player application.
Software Versions and Fixes
===========================
The table below contains "First Fixed" information for the Cisco WebEx
WRF Player that is automatically downloaded from a WebEx site when a WRF
hosted on a WebEx site is accessed (stream playback mode). Fixes are
cumulative within a major release so for example, if release 27.10.1 is
fixed, then release 27.10.2 will have the fix too.
+------------------------------------------------------------+
| Platform | Major Release 26.x | Major Release 27.x |
|-----------+---------------------+--------------------------|
| Microsoft | 26.49.32; available | 27.10.x; available now |
| Windows | now except lockdown | for non-PSO and |
| | sites | non-lockdown sites |
|-----------+---------------------+--------------------------|
| | 26.49.35; available | 27.11.8; available now |
| Mac OS X | early February 2010 | for non-PSO and |
| | | non-lockdown sites |
|-----------+---------------------+--------------------------|
| | 26.49.35; available | 27.11.8; available now |
| Linux | early February 2010 | for non-PSO and |
| | | non-lockdown sites |
+------------------------------------------------------------+
PSO and lockdown sites running 27.x will receive the fixes for these
vulnerabilities during the next emergency patching (EP) cycle. This
advisory will be updated to indicate a specific timeline once one is
available.
If the WRF Player was automatically installed, the WebEx WRF Player will
be automatically upgraded to the latest, non-vulnerable version when
users access a WRF file hosted on a WebEx server.
If the WebEx WRF Player was manually installed, users will need to
manually install a new version of the player after downloading the
latest version from www.webex.com.
Workarounds
===========
There are no workarounds for the vulnerabilities disclosed in this
advisory.
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should consult
their maintenance provider or check the software for feature set
compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature
sets they have purchased. By installing, downloading, accessing
or otherwise using such software upgrades, customers agree to be
bound by the terms of Cisco's software license terms found at
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html,
or as otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml.
Do not contact psirt@cisco.com or security-alert@cisco.com for software
upgrades.
Customers that need additional information can contact WebEx Global
Support Services and Technical Support. WebEx Global Support Services
and Technical Support can be reached through the WebEx support site at
http://support.webex.com/support/support-overview.html or by phone at
+1-866-229-3239 or +1-408-435-7088.
Customers outside of the United States can reference the following link
for local support numbers:
http://support.webex.com/support/phone-numbers.html
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of malicious use of the vulnerabilities
described in this advisory.
These vulnerabilities were discovered and reported to Cisco by Xiaopeng
Zhang and Zhenhua Liu of Fortinet's FortiGuard Labs. The FortiGuard Labs
advisory is available at http://www.fortiguard.com. Cisco would like to
thank FortiGuard Labs for reporting these vulnerabilities to us and for
working with us on a coordinated disclosure.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY
ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that omits
the distribution URL in the following section is an uncontrolled copy,
and may lack important information or contain factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at:
http://www.cisco.com/warp/public/707/cisco-sa-20091216-webex.shtml
In addition to worldwide web posting, a text version of this notice is
clear-signed with the Cisco PSIRT PGP key and is posted to the following
e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on mailing
lists or newsgroups. Users concerned about this problem are encouraged
to check the above URL for any updates.
Revision History
================
+------------------------------------------------------------+
| Revision 1.0 | 2009-December-16 | Initial public release |
+------------------------------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in
Cisco products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html.
This includes instructions for press inquiries regarding Cisco security
notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt.
+--------------------------------------------------------------------
Copyright 2008-2009 Cisco Systems, Inc. All rights reserved.
+--------------------------------------------------------------------
Updated: Dec 16, 2009 Document ID: 110946
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkspCQMACgkQ86n/Gc8U/uCn+QCeLaUWmiHsetXDoJsynUbgsmHs
IDgAnRhmTkrcs2NhAQ7Dq8+eJqofkHSh
=KaHv
-----END PGP SIGNATURE-----
| VAR-200912-0440 | CVE-2009-2875 | Cisco WebEx WRF Player of atas32.dll Vulnerable to buffer overflow |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Buffer overflow in atas32.dll in the Cisco WebEx WRF Player 26.x before 26.49.32 for Windows, 27.x before 27.10.x for Windows, 26.x before 26.49.35 for Mac OS X and Linux, and 27.x before 27.11.8 for Mac OS X and Linux allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted WebEx Recording Format (WRF) file. Cisco WebEx is prone to multiple remote buffer-overflow vulnerabilities because the software fails to perform adequate boundary checks on user-supplied data.
An attacker can exploit these issues to execute arbitrary code with administrative privileges. Successful exploits will completely compromise affected computers. Failed exploit attempts will result in a denial-of-service condition. ----------------------------------------------------------------------
Do you have VARM strategy implemented?
(Vulnerability Assessment Remediation Management)
If not, then implement it through the most reliable vulnerability
intelligence source on the market.
Implement it through Secunia.
ORIGINAL ADVISORY:
Cisco:
http://www.cisco.com/warp/public/707/cisco-sa-20091216-webex.shtml
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Cisco Security Advisory: Multiple Cisco WebEx WRF Player Vulnerabilities
Advisory ID: cisco-sa-20091216-webex
http://www.cisco.com/warp/public/707/cisco-sa-20091216-webex.shtml
Revision 1.0
For Public Release 2009 December 16 1600 UTC (GMT)
Summary
=======
Multiple buffer overflow vulnerabilities exist in the Cisco WebEx
Recording Format (WRF) Player.
The Cisco WebEx WRF Player is an application that is used to play back
WebEx meeting recordings that have been recorded on the computer of an
on-line meeting attendee. The WRF Player can be automatically installed
when the user accesses a WRF file that is hosted on a WebEx server. The
WRF Player can also be manually installed for offline playback after
downloading the application from www.webex.com.
If the WRF Player was automatically installed, the WebEx WRF Player
will be automatically upgraded to the latest, non-vulnerable version
when users access a WRF file hosted on a WebEx server. If the WebEx
WRF Player was manually installed, users will need to manually install
a new version of the player after downloading the latest version from
www.webex.com.
Cisco has released free software updates that address these
vulnerabilities.
This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20091216-webex.shtml.
Affected Products
=================
Vulnerable Products
- -------------------
The vulnerabilities disclosed in this advisory affect the Cisco WebEx
WRF Player. Affected versions of the WRF Player are those prior
to the "first fixed" versions, which are shown in the section "Software
Versions and Fixes" of this advisory.
To check if a Cisco WebEx server is running an affected version of the
WebEx client build, users can log in to their Cisco WebEx server and go
to the Support -> Downloads section. The version of the WebEx client
build will be displayed on the right-hand side of the page under "About
Support Center", for example "Client build: 27.11.0.3328".
There is no way to check if a manually installed version of the WRF
Player is affected by these vulnerabilities. Therefore, Cisco recommends
that users upgrade to the most current version of the player that is
available from http://www.webex.com/downloadplayer.html.
Products Confirmed Not Vulnerable
- ---------------------------------
The Cisco WebEx Player for the WebEx Advanced Recording Format (ARF)
file format is not affected by these vulnerabilities.
No other Cisco products are currently known to be affected by these
vulnerabilities.
Details
=======
The WebEx meeting service is a hosted multimedia conferencing solution
that is managed by and maintained by Cisco WebEx. The WebEx Recording
Format (WRF) is a file format that is used to store WebEx meeting
recordings that have been recorded on the computer of an on-line meeting
attendee. The WRF Player is an application that is used to play back
and edit WRF files (files with .wrf extensions). The WRF Player can be
automatically installed when the user accesses a WRF file that is hosted
on a WebEx server (stream playback mode). The WRF Player can also be
manually installed after downloading the application from www.webex.com
to play back WRF files locally (offline playback mode).
Multiple buffer overflow vulnerabilities exist in the WRF Player. The
vulnerabilities may lead to a crash of the WRF Player application, or in
some cases, lead to remote code execution.
To exploit a vulnerability, a malicious WRF file would need to be opened
by the WRF Player application. An attacker may be able to accomplish
this by providing the malicious WRF file directly to users (for example,
via e-mail), or by convincing users to visit a malicious website. The
vulnerability cannot be triggered by users attending a WebEx meeting.
These vulnerabilities have been assigned the following Common
Vulnerabilities and Exposures (CVE) identifiers:
* CVE-2009-2875
* CVE-2009-2876
* CVE-2009-2877
* CVE-2009-2878
* CVE-2009-2879
* CVE-2009-2880
Vulnerability Scoring Details
=============================
Cisco has provided scores for the vulnerabilities in this advisory based
on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in
this Security Advisory is done in accordance with CVSS version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of the
vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding CVSS
at:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at:
http://intellishield.cisco.com/security/alertmanager/cvss
* Multiple Cisco WebEx Player Buffer Overflow Vulnerabilities (all
vulnerabilities in this advisory)
CVSS Base Score - 9.3
Access Vector - Network
Access Complexity - Medium
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 7.7
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of the vulnerabilities described in this
document could result in a crash of the Cisco WebEx WRF Player
application, and in some cases, allow a remote attacker to execute
arbitrary code on the targeted system with the privileges of the user
running the WRF Player application.
Software Versions and Fixes
===========================
The table below contains "First Fixed" information for the Cisco WebEx
WRF Player that is automatically downloaded from a WebEx site when a WRF
hosted on a WebEx site is accessed (stream playback mode). Fixes are
cumulative within a major release so for example, if release 27.10.1 is
fixed, then release 27.10.2 will have the fix too.
+------------------------------------------------------------+
| Platform | Major Release 26.x | Major Release 27.x |
|-----------+---------------------+--------------------------|
| Microsoft | 26.49.32; available | 27.10.x; available now |
| Windows | now except lockdown | for non-PSO and |
| | sites | non-lockdown sites |
|-----------+---------------------+--------------------------|
| | 26.49.35; available | 27.11.8; available now |
| Mac OS X | early February 2010 | for non-PSO and |
| | | non-lockdown sites |
|-----------+---------------------+--------------------------|
| | 26.49.35; available | 27.11.8; available now |
| Linux | early February 2010 | for non-PSO and |
| | | non-lockdown sites |
+------------------------------------------------------------+
PSO and lockdown sites running 27.x will receive the fixes for these
vulnerabilities during the next emergency patching (EP) cycle. This
advisory will be updated to indicate a specific timeline once one is
available.
If the WRF Player was automatically installed, the WebEx WRF Player will
be automatically upgraded to the latest, non-vulnerable version when
users access a WRF file hosted on a WebEx server.
If the WebEx WRF Player was manually installed, users will need to
manually install a new version of the player after downloading the
latest version from www.webex.com.
Workarounds
===========
There are no workarounds for the vulnerabilities disclosed in this
advisory.
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should consult
their maintenance provider or check the software for feature set
compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature
sets they have purchased. By installing, downloading, accessing
or otherwise using such software upgrades, customers agree to be
bound by the terms of Cisco's software license terms found at
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html,
or as otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml.
Do not contact psirt@cisco.com or security-alert@cisco.com for software
upgrades.
Customers that need additional information can contact WebEx Global
Support Services and Technical Support. WebEx Global Support Services
and Technical Support can be reached through the WebEx support site at
http://support.webex.com/support/support-overview.html or by phone at
+1-866-229-3239 or +1-408-435-7088.
Customers outside of the United States can reference the following link
for local support numbers:
http://support.webex.com/support/phone-numbers.html
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of malicious use of the vulnerabilities
described in this advisory.
These vulnerabilities were discovered and reported to Cisco by Xiaopeng
Zhang and Zhenhua Liu of Fortinet's FortiGuard Labs. The FortiGuard Labs
advisory is available at http://www.fortiguard.com. Cisco would like to
thank FortiGuard Labs for reporting these vulnerabilities to us and for
working with us on a coordinated disclosure.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY
ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that omits
the distribution URL in the following section is an uncontrolled copy,
and may lack important information or contain factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at:
http://www.cisco.com/warp/public/707/cisco-sa-20091216-webex.shtml
In addition to worldwide web posting, a text version of this notice is
clear-signed with the Cisco PSIRT PGP key and is posted to the following
e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on mailing
lists or newsgroups. Users concerned about this problem are encouraged
to check the above URL for any updates.
Revision History
================
+------------------------------------------------------------+
| Revision 1.0 | 2009-December-16 | Initial public release |
+------------------------------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in
Cisco products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html.
This includes instructions for press inquiries regarding Cisco security
notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt.
+--------------------------------------------------------------------
Copyright 2008-2009 Cisco Systems, Inc. All rights reserved.
+--------------------------------------------------------------------
Updated: Dec 16, 2009 Document ID: 110946
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkspCQMACgkQ86n/Gc8U/uCn+QCeLaUWmiHsetXDoJsynUbgsmHs
IDgAnRhmTkrcs2NhAQ7Dq8+eJqofkHSh
=KaHv
-----END PGP SIGNATURE-----
| VAR-200912-0439 | CVE-2009-2880 | Cisco WebEx WRF Player of atrpui.dll Vulnerable to buffer overflow |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Buffer overflow in atrpui.dll in the Cisco WebEx WRF Player 26.x before 26.49.32 for Windows, 27.x before 27.10.x for Windows, 26.x before 26.49.35 for Mac OS X and Linux, and 27.x before 27.11.8 for Mac OS X and Linux allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted WebEx Recording Format (WRF) file. Cisco WebEx WRF Player of atrpui.dll Contains a buffer overflow vulnerability. Cisco WebEx is prone to multiple remote buffer-overflow vulnerabilities because the software fails to perform adequate boundary checks on user-supplied data.
An attacker can exploit these issues to execute arbitrary code with administrative privileges. Successful exploits will completely compromise affected computers. Failed exploit attempts will result in a denial-of-service condition. ----------------------------------------------------------------------
Do you have VARM strategy implemented?
(Vulnerability Assessment Remediation Management)
If not, then implement it through the most reliable vulnerability
intelligence source on the market.
Implement it through Secunia.
ORIGINAL ADVISORY:
Cisco:
http://www.cisco.com/warp/public/707/cisco-sa-20091216-webex.shtml
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Cisco Security Advisory: Multiple Cisco WebEx WRF Player Vulnerabilities
Advisory ID: cisco-sa-20091216-webex
http://www.cisco.com/warp/public/707/cisco-sa-20091216-webex.shtml
Revision 1.0
For Public Release 2009 December 16 1600 UTC (GMT)
Summary
=======
Multiple buffer overflow vulnerabilities exist in the Cisco WebEx
Recording Format (WRF) Player.
The Cisco WebEx WRF Player is an application that is used to play back
WebEx meeting recordings that have been recorded on the computer of an
on-line meeting attendee. The WRF Player can be automatically installed
when the user accesses a WRF file that is hosted on a WebEx server. The
WRF Player can also be manually installed for offline playback after
downloading the application from www.webex.com.
If the WRF Player was automatically installed, the WebEx WRF Player
will be automatically upgraded to the latest, non-vulnerable version
when users access a WRF file hosted on a WebEx server. If the WebEx
WRF Player was manually installed, users will need to manually install
a new version of the player after downloading the latest version from
www.webex.com.
Cisco has released free software updates that address these
vulnerabilities.
This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20091216-webex.shtml.
Affected Products
=================
Vulnerable Products
- -------------------
The vulnerabilities disclosed in this advisory affect the Cisco WebEx
WRF Player. Affected versions of the WRF Player are those prior
to the "first fixed" versions, which are shown in the section "Software
Versions and Fixes" of this advisory.
To check if a Cisco WebEx server is running an affected version of the
WebEx client build, users can log in to their Cisco WebEx server and go
to the Support -> Downloads section. The version of the WebEx client
build will be displayed on the right-hand side of the page under "About
Support Center", for example "Client build: 27.11.0.3328".
There is no way to check if a manually installed version of the WRF
Player is affected by these vulnerabilities. Therefore, Cisco recommends
that users upgrade to the most current version of the player that is
available from http://www.webex.com/downloadplayer.html.
Products Confirmed Not Vulnerable
- ---------------------------------
The Cisco WebEx Player for the WebEx Advanced Recording Format (ARF)
file format is not affected by these vulnerabilities.
No other Cisco products are currently known to be affected by these
vulnerabilities.
Details
=======
The WebEx meeting service is a hosted multimedia conferencing solution
that is managed by and maintained by Cisco WebEx. The WebEx Recording
Format (WRF) is a file format that is used to store WebEx meeting
recordings that have been recorded on the computer of an on-line meeting
attendee. The WRF Player is an application that is used to play back
and edit WRF files (files with .wrf extensions). The WRF Player can be
automatically installed when the user accesses a WRF file that is hosted
on a WebEx server (stream playback mode). The WRF Player can also be
manually installed after downloading the application from www.webex.com
to play back WRF files locally (offline playback mode). The
vulnerabilities may lead to a crash of the WRF Player application, or in
some cases, lead to remote code execution.
To exploit a vulnerability, a malicious WRF file would need to be opened
by the WRF Player application. An attacker may be able to accomplish
this by providing the malicious WRF file directly to users (for example,
via e-mail), or by convincing users to visit a malicious website. The
vulnerability cannot be triggered by users attending a WebEx meeting.
These vulnerabilities have been assigned the following Common
Vulnerabilities and Exposures (CVE) identifiers:
* CVE-2009-2875
* CVE-2009-2876
* CVE-2009-2877
* CVE-2009-2878
* CVE-2009-2879
* CVE-2009-2880
Vulnerability Scoring Details
=============================
Cisco has provided scores for the vulnerabilities in this advisory based
on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in
this Security Advisory is done in accordance with CVSS version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of the
vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding CVSS
at:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at:
http://intellishield.cisco.com/security/alertmanager/cvss
* Multiple Cisco WebEx Player Buffer Overflow Vulnerabilities (all
vulnerabilities in this advisory)
CVSS Base Score - 9.3
Access Vector - Network
Access Complexity - Medium
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 7.7
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of the vulnerabilities described in this
document could result in a crash of the Cisco WebEx WRF Player
application, and in some cases, allow a remote attacker to execute
arbitrary code on the targeted system with the privileges of the user
running the WRF Player application.
Software Versions and Fixes
===========================
The table below contains "First Fixed" information for the Cisco WebEx
WRF Player that is automatically downloaded from a WebEx site when a WRF
hosted on a WebEx site is accessed (stream playback mode). Fixes are
cumulative within a major release so for example, if release 27.10.1 is
fixed, then release 27.10.2 will have the fix too.
+------------------------------------------------------------+
| Platform | Major Release 26.x | Major Release 27.x |
|-----------+---------------------+--------------------------|
| Microsoft | 26.49.32; available | 27.10.x; available now |
| Windows | now except lockdown | for non-PSO and |
| | sites | non-lockdown sites |
|-----------+---------------------+--------------------------|
| | 26.49.35; available | 27.11.8; available now |
| Mac OS X | early February 2010 | for non-PSO and |
| | | non-lockdown sites |
|-----------+---------------------+--------------------------|
| | 26.49.35; available | 27.11.8; available now |
| Linux | early February 2010 | for non-PSO and |
| | | non-lockdown sites |
+------------------------------------------------------------+
PSO and lockdown sites running 27.x will receive the fixes for these
vulnerabilities during the next emergency patching (EP) cycle. This
advisory will be updated to indicate a specific timeline once one is
available.
If the WRF Player was automatically installed, the WebEx WRF Player will
be automatically upgraded to the latest, non-vulnerable version when
users access a WRF file hosted on a WebEx server.
If the WebEx WRF Player was manually installed, users will need to
manually install a new version of the player after downloading the
latest version from www.webex.com.
Workarounds
===========
There are no workarounds for the vulnerabilities disclosed in this
advisory.
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should consult
their maintenance provider or check the software for feature set
compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature
sets they have purchased. By installing, downloading, accessing
or otherwise using such software upgrades, customers agree to be
bound by the terms of Cisco's software license terms found at
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html,
or as otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml.
Do not contact psirt@cisco.com or security-alert@cisco.com for software
upgrades.
Customers that need additional information can contact WebEx Global
Support Services and Technical Support. WebEx Global Support Services
and Technical Support can be reached through the WebEx support site at
http://support.webex.com/support/support-overview.html or by phone at
+1-866-229-3239 or +1-408-435-7088.
Customers outside of the United States can reference the following link
for local support numbers:
http://support.webex.com/support/phone-numbers.html
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of malicious use of the vulnerabilities
described in this advisory.
These vulnerabilities were discovered and reported to Cisco by Xiaopeng
Zhang and Zhenhua Liu of Fortinet's FortiGuard Labs. The FortiGuard Labs
advisory is available at http://www.fortiguard.com. Cisco would like to
thank FortiGuard Labs for reporting these vulnerabilities to us and for
working with us on a coordinated disclosure.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY
ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that omits
the distribution URL in the following section is an uncontrolled copy,
and may lack important information or contain factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at:
http://www.cisco.com/warp/public/707/cisco-sa-20091216-webex.shtml
In addition to worldwide web posting, a text version of this notice is
clear-signed with the Cisco PSIRT PGP key and is posted to the following
e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on mailing
lists or newsgroups. Users concerned about this problem are encouraged
to check the above URL for any updates.
Revision History
================
+------------------------------------------------------------+
| Revision 1.0 | 2009-December-16 | Initial public release |
+------------------------------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in
Cisco products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html.
This includes instructions for press inquiries regarding Cisco security
notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt.
+--------------------------------------------------------------------
Copyright 2008-2009 Cisco Systems, Inc. All rights reserved.
+--------------------------------------------------------------------
Updated: Dec 16, 2009 Document ID: 110946
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkspCQMACgkQ86n/Gc8U/uCn+QCeLaUWmiHsetXDoJsynUbgsmHs
IDgAnRhmTkrcs2NhAQ7Dq8+eJqofkHSh
=KaHv
-----END PGP SIGNATURE-----
| VAR-200912-0438 | CVE-2009-2879 | Cisco WebEx WRF Player of atas32.dll Vulnerable to heap-based buffer overflow |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Heap-based buffer overflow in atas32.dll in the Cisco WebEx WRF Player 26.x before 26.49.32 (aka T26SP49EP32) for Windows, 27.x before 27.10.x (aka T27SP10) for Windows, 26.x before 26.49.35 for Mac OS X and Linux, and 27.x before 27.11.8 for Mac OS X and Linux allows remote attackers to cause a denial of service (application crash) or execute arbitrary code via a crafted WebEx Recording Format (WRF) file, a different vulnerability than CVE-2009-2876 and CVE-2009-2878. Cisco WebEx WRF Player of atas32.dll Contains a heap-based buffer overflow vulnerability. This vulnerability CVE-2009-2876 and CVE-2009-2878 This is a different vulnerability.Expertly crafted by a third party WebEx Recording Format (WRF) Denial of service via file (DoS) Could be state or execute arbitrary code. Cisco WebEx is prone to multiple remote buffer-overflow vulnerabilities because the software fails to perform adequate boundary checks on user-supplied data.
An attacker can exploit these issues to execute arbitrary code with administrative privileges. Successful exploits will completely compromise affected computers. Failed exploit attempts will result in a denial-of-service condition. This vulnerability is different from CVE-2009-2876 and CVE-2009-2878. ----------------------------------------------------------------------
Do you have VARM strategy implemented?
(Vulnerability Assessment Remediation Management)
If not, then implement it through the most reliable vulnerability
intelligence source on the market.
Implement it through Secunia.
ORIGINAL ADVISORY:
Cisco:
http://www.cisco.com/warp/public/707/cisco-sa-20091216-webex.shtml
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Cisco Security Advisory: Multiple Cisco WebEx WRF Player Vulnerabilities
Advisory ID: cisco-sa-20091216-webex
http://www.cisco.com/warp/public/707/cisco-sa-20091216-webex.shtml
Revision 1.0
For Public Release 2009 December 16 1600 UTC (GMT)
Summary
=======
Multiple buffer overflow vulnerabilities exist in the Cisco WebEx
Recording Format (WRF) Player.
The Cisco WebEx WRF Player is an application that is used to play back
WebEx meeting recordings that have been recorded on the computer of an
on-line meeting attendee. The WRF Player can be automatically installed
when the user accesses a WRF file that is hosted on a WebEx server. The
WRF Player can also be manually installed for offline playback after
downloading the application from www.webex.com.
If the WRF Player was automatically installed, the WebEx WRF Player
will be automatically upgraded to the latest, non-vulnerable version
when users access a WRF file hosted on a WebEx server. If the WebEx
WRF Player was manually installed, users will need to manually install
a new version of the player after downloading the latest version from
www.webex.com.
Cisco has released free software updates that address these
vulnerabilities.
This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20091216-webex.shtml.
Affected Products
=================
Vulnerable Products
- -------------------
The vulnerabilities disclosed in this advisory affect the Cisco WebEx
WRF Player. Microsoft Windows, Apple Mac OS X, and Linux versions of the
player are affected. Affected versions of the WRF Player are those prior
to the "first fixed" versions, which are shown in the section "Software
Versions and Fixes" of this advisory.
To check if a Cisco WebEx server is running an affected version of the
WebEx client build, users can log in to their Cisco WebEx server and go
to the Support -> Downloads section. The version of the WebEx client
build will be displayed on the right-hand side of the page under "About
Support Center", for example "Client build: 27.11.0.3328".
There is no way to check if a manually installed version of the WRF
Player is affected by these vulnerabilities. Therefore, Cisco recommends
that users upgrade to the most current version of the player that is
available from http://www.webex.com/downloadplayer.html.
Products Confirmed Not Vulnerable
- ---------------------------------
The Cisco WebEx Player for the WebEx Advanced Recording Format (ARF)
file format is not affected by these vulnerabilities.
No other Cisco products are currently known to be affected by these
vulnerabilities.
Details
=======
The WebEx meeting service is a hosted multimedia conferencing solution
that is managed by and maintained by Cisco WebEx. The WebEx Recording
Format (WRF) is a file format that is used to store WebEx meeting
recordings that have been recorded on the computer of an on-line meeting
attendee. The WRF Player is an application that is used to play back
and edit WRF files (files with .wrf extensions). The WRF Player can be
automatically installed when the user accesses a WRF file that is hosted
on a WebEx server (stream playback mode). The WRF Player can also be
manually installed after downloading the application from www.webex.com
to play back WRF files locally (offline playback mode). The
vulnerabilities may lead to a crash of the WRF Player application, or in
some cases, lead to remote code execution.
To exploit a vulnerability, a malicious WRF file would need to be opened
by the WRF Player application. An attacker may be able to accomplish
this by providing the malicious WRF file directly to users (for example,
via e-mail), or by convincing users to visit a malicious website. The
vulnerability cannot be triggered by users attending a WebEx meeting.
These vulnerabilities have been assigned the following Common
Vulnerabilities and Exposures (CVE) identifiers:
* CVE-2009-2875
* CVE-2009-2876
* CVE-2009-2877
* CVE-2009-2878
* CVE-2009-2879
* CVE-2009-2880
Vulnerability Scoring Details
=============================
Cisco has provided scores for the vulnerabilities in this advisory based
on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in
this Security Advisory is done in accordance with CVSS version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of the
vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding CVSS
at:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at:
http://intellishield.cisco.com/security/alertmanager/cvss
* Multiple Cisco WebEx Player Buffer Overflow Vulnerabilities (all
vulnerabilities in this advisory)
CVSS Base Score - 9.3
Access Vector - Network
Access Complexity - Medium
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 7.7
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of the vulnerabilities described in this
document could result in a crash of the Cisco WebEx WRF Player
application, and in some cases, allow a remote attacker to execute
arbitrary code on the targeted system with the privileges of the user
running the WRF Player application.
Software Versions and Fixes
===========================
The table below contains "First Fixed" information for the Cisco WebEx
WRF Player that is automatically downloaded from a WebEx site when a WRF
hosted on a WebEx site is accessed (stream playback mode). Fixes are
cumulative within a major release so for example, if release 27.10.1 is
fixed, then release 27.10.2 will have the fix too.
+------------------------------------------------------------+
| Platform | Major Release 26.x | Major Release 27.x |
|-----------+---------------------+--------------------------|
| Microsoft | 26.49.32; available | 27.10.x; available now |
| Windows | now except lockdown | for non-PSO and |
| | sites | non-lockdown sites |
|-----------+---------------------+--------------------------|
| | 26.49.35; available | 27.11.8; available now |
| Mac OS X | early February 2010 | for non-PSO and |
| | | non-lockdown sites |
|-----------+---------------------+--------------------------|
| | 26.49.35; available | 27.11.8; available now |
| Linux | early February 2010 | for non-PSO and |
| | | non-lockdown sites |
+------------------------------------------------------------+
PSO and lockdown sites running 27.x will receive the fixes for these
vulnerabilities during the next emergency patching (EP) cycle. This
advisory will be updated to indicate a specific timeline once one is
available.
If the WRF Player was automatically installed, the WebEx WRF Player will
be automatically upgraded to the latest, non-vulnerable version when
users access a WRF file hosted on a WebEx server.
If the WebEx WRF Player was manually installed, users will need to
manually install a new version of the player after downloading the
latest version from www.webex.com.
Workarounds
===========
There are no workarounds for the vulnerabilities disclosed in this
advisory.
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should consult
their maintenance provider or check the software for feature set
compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature
sets they have purchased. By installing, downloading, accessing
or otherwise using such software upgrades, customers agree to be
bound by the terms of Cisco's software license terms found at
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html,
or as otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml.
Do not contact psirt@cisco.com or security-alert@cisco.com for software
upgrades.
Customers that need additional information can contact WebEx Global
Support Services and Technical Support. WebEx Global Support Services
and Technical Support can be reached through the WebEx support site at
http://support.webex.com/support/support-overview.html or by phone at
+1-866-229-3239 or +1-408-435-7088.
Customers outside of the United States can reference the following link
for local support numbers:
http://support.webex.com/support/phone-numbers.html
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of malicious use of the vulnerabilities
described in this advisory.
These vulnerabilities were discovered and reported to Cisco by Xiaopeng
Zhang and Zhenhua Liu of Fortinet's FortiGuard Labs. The FortiGuard Labs
advisory is available at http://www.fortiguard.com. Cisco would like to
thank FortiGuard Labs for reporting these vulnerabilities to us and for
working with us on a coordinated disclosure.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY
ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that omits
the distribution URL in the following section is an uncontrolled copy,
and may lack important information or contain factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at:
http://www.cisco.com/warp/public/707/cisco-sa-20091216-webex.shtml
In addition to worldwide web posting, a text version of this notice is
clear-signed with the Cisco PSIRT PGP key and is posted to the following
e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on mailing
lists or newsgroups. Users concerned about this problem are encouraged
to check the above URL for any updates.
Revision History
================
+------------------------------------------------------------+
| Revision 1.0 | 2009-December-16 | Initial public release |
+------------------------------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in
Cisco products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html.
This includes instructions for press inquiries regarding Cisco security
notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt.
+--------------------------------------------------------------------
Copyright 2008-2009 Cisco Systems, Inc. All rights reserved.
+--------------------------------------------------------------------
Updated: Dec 16, 2009 Document ID: 110946
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkspCQMACgkQ86n/Gc8U/uCn+QCeLaUWmiHsetXDoJsynUbgsmHs
IDgAnRhmTkrcs2NhAQ7Dq8+eJqofkHSh
=KaHv
-----END PGP SIGNATURE-----
| VAR-200912-0430 | CVE-2009-1797 | APC Network Management Card web interface vulnerable to cross-site scripting and cross-site request forgery |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Multiple cross-site request forgery (CSRF) vulnerabilities on the Network Management Card (NMC) on American Power Conversion (APC) Switched Rack PDU (aka Rack Mount Power Distribution) devices and other devices allow remote attackers to hijack the authentication of (1) administrator or (2) device users for requests that create new administrative users or have unspecified other impact. The web management interface for the APC Network Monitoring Card (NMC) used in various APC devices contains cross-site scripting (XSS) and cross-site request forgery (CSRF/XSRF) vulnerabilities. By convincing a victim to load a specially crafted URL while authenticated to an NMC, an attacker could obtain credentials or perform certain actions as the victim, including turning off the NMC-based device and any systems attached to it.
An attacker can exploit the cross-site request forgery issues to alter the settings on affected devices, which may lead to further network-based attacks.
The attacker can exploit the cross-site scripting issues to execute arbitrary script code in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials. Other attacks are also possible.
Versions prior to the following are vulnerable:
Network Management Card Firmware 3.7.2
Network Management Card Firmware 5.1.1. ----------------------------------------------------------------------
Do you have VARM strategy implemented?
(Vulnerability Assessment Remediation Management)
If not, then implement it through the most reliable vulnerability
intelligence source on the market.
Implement it through Secunia.
1) Input passed to various parameters (e.g. the "login_username"
parameter in Forms/login1) is not properly sanitised before being
returned to the user.
2) The application allows users to perform certain actions via HTTP
requests without performing any validity checks to verify the
request. This can be exploited to e.g. create administrative users by
tricking a logged-in administrative user into visiting a malicious web
site.
Vulnerability #1 is reported in APC AP7932 Switched Rack PDU version
3.3.4 with application module version 3.7.0. Other APC NMC products
and versions may also be affected.
SOLUTION:
Filter malicious characters and character sequences using a proxy. Do
not browse untrusted websites and do not follow untrusted links.
Apply updated firmware versions when available. Contact the vendor
for additional details.
PROVIDED AND/OR DISCOVERED BY:
Russ McRee, HolisticInfoSec.
Vulnerability #1 also independently discovered by Jamal Pecou.
ORIGINAL ADVISORY:
HolisticInfoSec:
http://holisticinfosec.org/content/view/111/45/
APC:
http://nam-en.apc.com/cgi-bin/nam_en.cfg/php/enduser/std_adp.php?p_faqid=10887&p_created=1261587018&p_topview=1
Jamal Pecou:
http://archives.neohapsis.com/archives/bugtraq/current/0219.html
OTHER REFERENCES:
US-CERT VU#166739:
http://www.kb.cert.org/vuls/id/166739
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-200912-0431 | CVE-2009-1798 | APC Network Management Card web interface vulnerable to cross-site scripting and cross-site request forgery |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Multiple cross-site scripting (XSS) vulnerabilities on the Network Management Card (NMC) on American Power Conversion (APC) Switched Rack PDU (aka Rack Mount Power Distribution) devices and other devices allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. NOTE: the login_username vector for Forms/login1 is already covered by CVE-2009-4406. By convincing a victim to load a specially crafted URL while authenticated to an NMC, an attacker could obtain credentials or perform certain actions as the victim, including turning off the NMC-based device and any systems attached to it.
An attacker can exploit the cross-site request forgery issues to alter the settings on affected devices, which may lead to further network-based attacks.
The attacker can exploit the cross-site scripting issues to execute arbitrary script code in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials. Other attacks are also possible.
Versions prior to the following are vulnerable:
Network Management Card Firmware 3.7.2
Network Management Card Firmware 5.1.1. ----------------------------------------------------------------------
Do you have VARM strategy implemented?
(Vulnerability Assessment Remediation Management)
If not, then implement it through the most reliable vulnerability
intelligence source on the market.
Implement it through Secunia.
1) Input passed to various parameters (e.g. the "login_username"
parameter in Forms/login1) is not properly sanitised before being
returned to the user.
2) The application allows users to perform certain actions via HTTP
requests without performing any validity checks to verify the
request. This can be exploited to e.g. create administrative users by
tricking a logged-in administrative user into visiting a malicious web
site.
Vulnerability #1 is reported in APC AP7932 Switched Rack PDU version
3.3.4 with application module version 3.7.0. Other APC NMC products
and versions may also be affected.
SOLUTION:
Filter malicious characters and character sequences using a proxy. Do
not browse untrusted websites and do not follow untrusted links.
Apply updated firmware versions when available. Contact the vendor
for additional details.
PROVIDED AND/OR DISCOVERED BY:
Russ McRee, HolisticInfoSec.
Vulnerability #1 also independently discovered by Jamal Pecou.
ORIGINAL ADVISORY:
HolisticInfoSec:
http://holisticinfosec.org/content/view/111/45/
APC:
http://nam-en.apc.com/cgi-bin/nam_en.cfg/php/enduser/std_adp.php?p_faqid=10887&p_created=1261587018&p_topview=1
Jamal Pecou:
http://archives.neohapsis.com/archives/bugtraq/current/0219.html
OTHER REFERENCES:
US-CERT VU#166739:
http://www.kb.cert.org/vuls/id/166739
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-200912-0282 | CVE-2009-4406 | APC Network Management Card web interface vulnerable to cross-site scripting and cross-site request forgery |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Cross-site scripting (XSS) vulnerability in Forms/login1 in American Power Conversion (APC) Switched Rack PDU AP7932 B2, running rpdu 3.3.3 or 3.7.0 on AOS 3.3.4, and possibly other versions, allows remote attackers to inject arbitrary web script or HTML via the login_username parameter. The web management interface for the APC Network Monitoring Card (NMC) used in various APC devices contains cross-site scripting (XSS) and cross-site request forgery (CSRF/XSRF) vulnerabilities. By convincing a victim to load a specially crafted URL while authenticated to an NMC, an attacker could obtain credentials or perform certain actions as the victim, including turning off the NMC-based device and any systems attached to it.
An attacker can exploit the cross-site request forgery issues to alter the settings on affected devices, which may lead to further network-based attacks.
The attacker can exploit the cross-site scripting issues to execute arbitrary script code in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials. Other attacks are also possible.
Versions prior to the following are vulnerable:
Network Management Card Firmware 3.7.2
Network Management Card Firmware 5.1.1. ----------------------------------------------------------------------
Do you have VARM strategy implemented?
(Vulnerability Assessment Remediation Management)
If not, then implement it through the most reliable vulnerability
intelligence source on the market.
Implement it through Secunia.
1) Input passed to various parameters (e.g. the "login_username"
parameter in Forms/login1) is not properly sanitised before being
returned to the user.
2) The application allows users to perform certain actions via HTTP
requests without performing any validity checks to verify the
request. This can be exploited to e.g. create administrative users by
tricking a logged-in administrative user into visiting a malicious web
site.
Vulnerability #1 is reported in APC AP7932 Switched Rack PDU version
3.3.4 with application module version 3.7.0. Other APC NMC products
and versions may also be affected.
SOLUTION:
Filter malicious characters and character sequences using a proxy. Do
not browse untrusted websites and do not follow untrusted links.
Apply updated firmware versions when available. Contact the vendor
for additional details.
PROVIDED AND/OR DISCOVERED BY:
Russ McRee, HolisticInfoSec.
Vulnerability #1 also independently discovered by Jamal Pecou.
ORIGINAL ADVISORY:
HolisticInfoSec:
http://holisticinfosec.org/content/view/111/45/
APC:
http://nam-en.apc.com/cgi-bin/nam_en.cfg/php/enduser/std_adp.php?p_faqid=10887&p_created=1261587018&p_topview=1
Jamal Pecou:
http://archives.neohapsis.com/archives/bugtraq/current/0219.html
OTHER REFERENCES:
US-CERT VU#166739:
http://www.kb.cert.org/vuls/id/166739
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-201001-0022 | CVE-2009-3958 | NOS Microsystems Adobe getPlus Helper ActiveX control stack buffer overflows |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Multiple stack-based buffer overflows in the NOS Microsystems getPlus Helper ActiveX control before 1.6.2.49 in gp.ocx in the Download Manager in Adobe Reader and Acrobat 9.x before 9.3, and 8.x before 8.2 on Windows and Mac OS X, might allow remote attackers to execute arbitrary code via unspecified initialization parameters. The Doc.media.newPlayer method in Adobe Acrobat and Reader contains a use-after-free vulnerability, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system. Failed attempts will likely result in denial-of-service conditions.
NOTE: This issue was previously covered in BID 37667 (Adobe Acrobat and Reader January 2010 Multiple Remote Vulnerabilities), but has been given its own record to better document it. ----------------------------------------------------------------------
Do you have VARM strategy implemented?
(Vulnerability Assessment Remediation Management)
If not, then implement it through the most reliable vulnerability
intelligence source on the market.
Implement it through Secunia.
For more information visit:
http://secunia.com/advisories/business_solutions/
Alternatively request a call from a Secunia representative today to
discuss how we can help you with our capabilities contact us at:
sales@secunia.com
----------------------------------------------------------------------
TITLE:
Adobe Reader/Acrobat Code Execution Vulnerability
SECUNIA ADVISORY ID:
SA37690
VERIFY ADVISORY:
http://secunia.com/advisories/37690/
DESCRIPTION:
A vulnerability has been reported in Adobe Reader and Acrobat, which
can be exploited by malicious people to compromise a user's system.
The vulnerability is caused due to an unspecified error and can be
exploited to execute arbitrary code.
The vulnerability is reported in versions 9.2 and prior.
SOLUTION:
Do not open untrusted PDF files.
Do not visit untrusted websites or follow untrusted links.
PROVIDED AND/OR DISCOVERED BY:
Reported as a 0-day.
ORIGINAL ADVISORY:
http://blogs.adobe.com/psirt/2009/12/new_adobe_reader_and_acrobat_v.html
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
National Cyber Alert System
Technical Cyber Security Alert TA10-013A
Adobe Reader and Acrobat Vulnerabilities
Original release date:
Last revised: --
Source: US-CERT
Systems Affected
* Adobe Reader and Acrobat 9.2 and earlier 9.x versions
* Adobe Reader and Acrobat 8.1.7 and earlier 8.x versions
Overview
Adobe has released Security bulletin APSB10-02, which describes
multiple vulnerabilities affecting Adobe Reader and Acrobat.
I. Description
Adobe Security Advisory APSB10-02 describes a number of
vulnerabilities affecting Adobe Reader and Acrobat. These
vulnerabilities affect Reader 9.2 and earlier 9.x versions and
8.1.7 and earlier 8.x versions. Further details are available in
the US-CERT Vulnerability Notes Database.
An attacker could exploit these vulnerabilities by convincing a
user to open a specially crafted PDF file. The Adobe Reader browser
plug-in is available for multiple web browsers and operating
systems, which can automatically open PDF documents hosted on a
website.
Some of these vulnerabilities are being actively exploited.
II.
III. Solution
Update
Adobe has released updates to address this issue. Users are
encouraged to read Adobe Security Bulletin APSB10-02 and update
vulnerable versions of Adobe Reader and Acrobat. Acrobat JavaScript can be disabled using the
Preferences menu (Edit -> Preferences -> JavaScript; un-check
Enable Acrobat JavaScript).
Prevent Internet Explorer from automatically opening PDF documents
The installer for Adobe Reader and Acrobat configures Internet
Explorer to automatically open PDF files without any user
interaction. This behavior can be reverted to a safer option that
prompts the user by importing the following as a .REG file:
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\AcroExch.Document.7]
"EditFlags"=hex:00,00,00,00
Disable the display of PDF documents in the web browser
Preventing PDF documents from opening inside a web browser will
partially mitigate this vulnerability. If this workaround is
applied it may also mitigate future vulnerabilities.
To prevent PDF documents from automatically being opened in a web
browser, do the following:
1. Open Adobe Acrobat Reader.
2. Open the Edit menu.
3. Choose the preferences option.
4. Choose the Internet section.
5. Un-check the "Display PDF in browser" check box.
Do not access PDF documents from untrusted sources
Do not open unfamiliar or unexpected PDF documents, particularly
those hosted on websites or delivered as email attachments. Please
see Cyber Security Tip ST04-010.
IV. References
* Adobe Security Bulletin APSB10-02 -
<http://www.adobe.com/support/security/bulletins/apsb10-02.html>
* Vulnerability Note VU#508357 -
<https://www.kb.cert.org/vuls/id/508357>
* Vulnerability Note VU#773545 -
<https://www.kb.cert.org/vuls/id/773545>
____________________________________________________________________
The most recent version of this document can be found at:
<http://www.us-cert.gov/cas/techalerts/TA10-013A.html>
____________________________________________________________________
Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA10-013A Feedback VU#508357" in
the subject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________
Produced 2010 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
January 13, 2010: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
iQEVAwUBS0402NucaIvSvh1ZAQJ3NQf+IbEop63x4l0P2ns/qPIVL3XaBd6xx11n
+8eqQk0+ZtpmrPb03UjWaeh1tkNu98R4sMWZQENOWVbbeYLzAKLHPNf48ewqvzbl
UvmW/kLxdu88Ux1BPNpJahX3zZgGqIswYSlGyIhlkpiLhUVrzfssykwyYbGZvGVn
so9Euz4/1ZThOgAFoGY8xsqXVZ45lcS6YY2ACkl84r6BBcayzVtIsvfxKDfNMvfP
bxjrXNqoLB/9n6x150uo2iF1dtB6uj/V+GVRFZa/X6lySTp/R+InBK8mpsxWMPB4
/la9+twnIB5cPHpNq1WVPhxbElsM3JCAndKEiLLTencMYPLc4i1cLQ==
=KC5F
-----END PGP SIGNATURE-----
| VAR-201001-0021 | CVE-2009-3957 | NOS Microsystems Adobe getPlus Helper ActiveX control stack buffer overflows |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Adobe Reader and Acrobat 9.x before 9.3, and 8.x before 8.2 on Windows and Mac OS X, might allow attackers to cause a denial of service (NULL pointer dereference) via unspecified vectors. The Doc.media.newPlayer method in Adobe Acrobat and Reader contains a use-after-free vulnerability, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system. Adobe Reader and Acrobat are prone to a denial-of-service vulnerability.
Successfully exploiting this issue may allow attackers to crash the affected applications, denying service to legitimate users.
NOTE: This issue was previously covered in BID 37667 (Adobe Acrobat and Reader January 2010 Multiple Remote Vulnerabilities), but has been given its own record to better document it. ----------------------------------------------------------------------
Do you have VARM strategy implemented?
(Vulnerability Assessment Remediation Management)
If not, then implement it through the most reliable vulnerability
intelligence source on the market.
Implement it through Secunia.
For more information visit:
http://secunia.com/advisories/business_solutions/
Alternatively request a call from a Secunia representative today to
discuss how we can help you with our capabilities contact us at:
sales@secunia.com
----------------------------------------------------------------------
TITLE:
Adobe Reader/Acrobat Code Execution Vulnerability
SECUNIA ADVISORY ID:
SA37690
VERIFY ADVISORY:
http://secunia.com/advisories/37690/
DESCRIPTION:
A vulnerability has been reported in Adobe Reader and Acrobat, which
can be exploited by malicious people to compromise a user's system.
The vulnerability is caused due to an unspecified error and can be
exploited to execute arbitrary code.
The vulnerability is reported in versions 9.2 and prior.
SOLUTION:
Do not open untrusted PDF files.
Do not visit untrusted websites or follow untrusted links.
PROVIDED AND/OR DISCOVERED BY:
Reported as a 0-day.
ORIGINAL ADVISORY:
http://blogs.adobe.com/psirt/2009/12/new_adobe_reader_and_acrobat_v.html
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
National Cyber Alert System
Technical Cyber Security Alert TA10-013A
Adobe Reader and Acrobat Vulnerabilities
Original release date:
Last revised: --
Source: US-CERT
Systems Affected
* Adobe Reader and Acrobat 9.2 and earlier 9.x versions
* Adobe Reader and Acrobat 8.1.7 and earlier 8.x versions
Overview
Adobe has released Security bulletin APSB10-02, which describes
multiple vulnerabilities affecting Adobe Reader and Acrobat.
I. These
vulnerabilities affect Reader 9.2 and earlier 9.x versions and
8.1.7 and earlier 8.x versions. Further details are available in
the US-CERT Vulnerability Notes Database.
An attacker could exploit these vulnerabilities by convincing a
user to open a specially crafted PDF file. The Adobe Reader browser
plug-in is available for multiple web browsers and operating
systems, which can automatically open PDF documents hosted on a
website.
Some of these vulnerabilities are being actively exploited.
II.
III. Solution
Update
Adobe has released updates to address this issue. Acrobat JavaScript can be disabled using the
Preferences menu (Edit -> Preferences -> JavaScript; un-check
Enable Acrobat JavaScript).
Prevent Internet Explorer from automatically opening PDF documents
The installer for Adobe Reader and Acrobat configures Internet
Explorer to automatically open PDF files without any user
interaction. This behavior can be reverted to a safer option that
prompts the user by importing the following as a .REG file:
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\AcroExch.Document.7]
"EditFlags"=hex:00,00,00,00
Disable the display of PDF documents in the web browser
Preventing PDF documents from opening inside a web browser will
partially mitigate this vulnerability. If this workaround is
applied it may also mitigate future vulnerabilities.
To prevent PDF documents from automatically being opened in a web
browser, do the following:
1.
2. Open the Edit menu.
3. Choose the preferences option.
4. Choose the Internet section.
5. Un-check the "Display PDF in browser" check box.
Do not access PDF documents from untrusted sources
Do not open unfamiliar or unexpected PDF documents, particularly
those hosted on websites or delivered as email attachments. Please
see Cyber Security Tip ST04-010.
IV. References
* Adobe Security Bulletin APSB10-02 -
<http://www.adobe.com/support/security/bulletins/apsb10-02.html>
* Vulnerability Note VU#508357 -
<https://www.kb.cert.org/vuls/id/508357>
* Vulnerability Note VU#773545 -
<https://www.kb.cert.org/vuls/id/773545>
____________________________________________________________________
The most recent version of this document can be found at:
<http://www.us-cert.gov/cas/techalerts/TA10-013A.html>
____________________________________________________________________
Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA10-013A Feedback VU#508357" in
the subject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________
Produced 2010 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
January 13, 2010: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
iQEVAwUBS0402NucaIvSvh1ZAQJ3NQf+IbEop63x4l0P2ns/qPIVL3XaBd6xx11n
+8eqQk0+ZtpmrPb03UjWaeh1tkNu98R4sMWZQENOWVbbeYLzAKLHPNf48ewqvzbl
UvmW/kLxdu88Ux1BPNpJahX3zZgGqIswYSlGyIhlkpiLhUVrzfssykwyYbGZvGVn
so9Euz4/1ZThOgAFoGY8xsqXVZ45lcS6YY2ACkl84r6BBcayzVtIsvfxKDfNMvfP
bxjrXNqoLB/9n6x150uo2iF1dtB6uj/V+GVRFZa/X6lySTp/R+InBK8mpsxWMPB4
/la9+twnIB5cPHpNq1WVPhxbElsM3JCAndKEiLLTencMYPLc4i1cLQ==
=KC5F
-----END PGP SIGNATURE-----
| VAR-200912-0790 | CVE-2009-3956 | NOS Microsystems Adobe getPlus Helper ActiveX control stack buffer overflows |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
The default configuration of Adobe Reader and Acrobat 9.x before 9.3, and 8.x before 8.2 on Windows and Mac OS X, does not enable the Enhanced Security feature, which has unspecified impact and attack vectors, related to a "script injection vulnerability," as demonstrated by Acrobat Forms Data Format (FDF) behavior that allows cross-site scripting (XSS) by user-assisted remote attackers. The Doc.media.newPlayer method in Adobe Acrobat and Reader contains a use-after-free vulnerability, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.
An attacker can exploit this issue to obtain the contents of sensitive PDF files or to perform cross-site scripting attacks against domains hosting PDF files.
NOTE: This issue was previously covered in BID 37667 (Adobe Acrobat and Reader January 2010 Multiple Remote Vulnerabilities), but has been given its own record to better document it. ----------------------------------------------------------------------
Do you have VARM strategy implemented?
(Vulnerability Assessment Remediation Management)
If not, then implement it through the most reliable vulnerability
intelligence source on the market.
Implement it through Secunia.
For more information visit:
http://secunia.com/advisories/business_solutions/
Alternatively request a call from a Secunia representative today to
discuss how we can help you with our capabilities contact us at:
sales@secunia.com
----------------------------------------------------------------------
TITLE:
Adobe Reader/Acrobat Code Execution Vulnerability
SECUNIA ADVISORY ID:
SA37690
VERIFY ADVISORY:
http://secunia.com/advisories/37690/
DESCRIPTION:
A vulnerability has been reported in Adobe Reader and Acrobat, which
can be exploited by malicious people to compromise a user's system.
The vulnerability is caused due to an unspecified error and can be
exploited to execute arbitrary code.
The vulnerability is reported in versions 9.2 and prior.
SOLUTION:
Do not open untrusted PDF files.
Do not visit untrusted websites or follow untrusted links.
PROVIDED AND/OR DISCOVERED BY:
Reported as a 0-day.
ORIGINAL ADVISORY:
http://blogs.adobe.com/psirt/2009/12/new_adobe_reader_and_acrobat_v.html
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
.
For more information:
SA37690
SOLUTION:
Adobe Reader 7.x and Acrobat 7.x:
Upgrade to version 8.2 or 9.3. Please see the vendor's advisory for
more information.
NOTE: Support has ended for Adobe Reader 7.x and Acrobat 7.x on
Windows, Macintosh, and UNIX.
CHANGELOG:
2010-01-13: Updated CVE references.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
National Cyber Alert System
Technical Cyber Security Alert TA10-013A
Adobe Reader and Acrobat Vulnerabilities
Original release date:
Last revised: --
Source: US-CERT
Systems Affected
* Adobe Reader and Acrobat 9.2 and earlier 9.x versions
* Adobe Reader and Acrobat 8.1.7 and earlier 8.x versions
Overview
Adobe has released Security bulletin APSB10-02, which describes
multiple vulnerabilities affecting Adobe Reader and Acrobat.
I. These
vulnerabilities affect Reader 9.2 and earlier 9.x versions and
8.1.7 and earlier 8.x versions. Further details are available in
the US-CERT Vulnerability Notes Database.
An attacker could exploit these vulnerabilities by convincing a
user to open a specially crafted PDF file. The Adobe Reader browser
plug-in is available for multiple web browsers and operating
systems, which can automatically open PDF documents hosted on a
website.
Some of these vulnerabilities are being actively exploited.
II.
III. Solution
Update
Adobe has released updates to address this issue. Acrobat JavaScript can be disabled using the
Preferences menu (Edit -> Preferences -> JavaScript; un-check
Enable Acrobat JavaScript).
Prevent Internet Explorer from automatically opening PDF documents
The installer for Adobe Reader and Acrobat configures Internet
Explorer to automatically open PDF files without any user
interaction. This behavior can be reverted to a safer option that
prompts the user by importing the following as a .REG file:
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\AcroExch.Document.7]
"EditFlags"=hex:00,00,00,00
Disable the display of PDF documents in the web browser
Preventing PDF documents from opening inside a web browser will
partially mitigate this vulnerability. If this workaround is
applied it may also mitigate future vulnerabilities.
To prevent PDF documents from automatically being opened in a web
browser, do the following:
1.
2. Open the Edit menu.
3. Choose the preferences option.
4. Choose the Internet section.
5. Un-check the "Display PDF in browser" check box.
Do not access PDF documents from untrusted sources
Do not open unfamiliar or unexpected PDF documents, particularly
those hosted on websites or delivered as email attachments. Please
see Cyber Security Tip ST04-010.
IV. References
* Adobe Security Bulletin APSB10-02 -
<http://www.adobe.com/support/security/bulletins/apsb10-02.html>
* Vulnerability Note VU#508357 -
<https://www.kb.cert.org/vuls/id/508357>
* Vulnerability Note VU#773545 -
<https://www.kb.cert.org/vuls/id/773545>
____________________________________________________________________
The most recent version of this document can be found at:
<http://www.us-cert.gov/cas/techalerts/TA10-013A.html>
____________________________________________________________________
Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA10-013A Feedback VU#508357" in
the subject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________
Produced 2010 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
January 13, 2010: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
iQEVAwUBS0402NucaIvSvh1ZAQJ3NQf+IbEop63x4l0P2ns/qPIVL3XaBd6xx11n
+8eqQk0+ZtpmrPb03UjWaeh1tkNu98R4sMWZQENOWVbbeYLzAKLHPNf48ewqvzbl
UvmW/kLxdu88Ux1BPNpJahX3zZgGqIswYSlGyIhlkpiLhUVrzfssykwyYbGZvGVn
so9Euz4/1ZThOgAFoGY8xsqXVZ45lcS6YY2ACkl84r6BBcayzVtIsvfxKDfNMvfP
bxjrXNqoLB/9n6x150uo2iF1dtB6uj/V+GVRFZa/X6lySTp/R+InBK8mpsxWMPB4
/la9+twnIB5cPHpNq1WVPhxbElsM3JCAndKEiLLTencMYPLc4i1cLQ==
=KC5F
-----END PGP SIGNATURE-----
. ----------------------------------------------------------------------
Secunia integrated with Microsoft WSUS
http://secunia.com/blog/71/
----------------------------------------------------------------------
TITLE:
Red Hat update for acroread
SECUNIA ADVISORY ID:
SA38215
VERIFY ADVISORY:
http://secunia.com/advisories/38215/
DESCRIPTION:
Red Hat has issued an update for acroread. This fixes multiple
vulnerabilities, which can be exploited by malicious people to
conduct cross-site scripting attacks or compromise a user's system.
For more information:
SA37690
SOLUTION:
Updated packages are available via Red Hat Network
| VAR-200912-0765 | CVE-2009-3954 | NOS Microsystems Adobe getPlus Helper ActiveX control stack buffer overflows |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
The 3D implementation in Adobe Reader and Acrobat 9.x before 9.3, and 8.x before 8.2 on Windows and Mac OS X, might allow attackers to execute arbitrary code via unspecified vectors, related to a "DLL-loading vulnerability.".
An attacker can exploit this issue to execute arbitrary code. Failed exploit attempts will likely cause denial-of-service conditions.
This issue affects Reader and Acrobat 9.2 and prior versions.
NOTE: This issue was previously covered in BID 37667 (Adobe Acrobat and Reader January 2010 Multiple Remote Vulnerabilities), but has been given its own record to better document it. ----------------------------------------------------------------------
Do you have VARM strategy implemented?
(Vulnerability Assessment Remediation Management)
If not, then implement it through the most reliable vulnerability
intelligence source on the market.
Implement it through Secunia.
For more information visit:
http://secunia.com/advisories/business_solutions/
Alternatively request a call from a Secunia representative today to
discuss how we can help you with our capabilities contact us at:
sales@secunia.com
----------------------------------------------------------------------
TITLE:
Adobe Reader/Acrobat Code Execution Vulnerability
SECUNIA ADVISORY ID:
SA37690
VERIFY ADVISORY:
http://secunia.com/advisories/37690/
DESCRIPTION:
A vulnerability has been reported in Adobe Reader and Acrobat, which
can be exploited by malicious people to compromise a user's system.
SOLUTION:
Do not open untrusted PDF files.
Do not visit untrusted websites or follow untrusted links.
PROVIDED AND/OR DISCOVERED BY:
Reported as a 0-day.
ORIGINAL ADVISORY:
http://blogs.adobe.com/psirt/2009/12/new_adobe_reader_and_acrobat_v.html
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
.
For more information:
SA37690
SOLUTION:
Adobe Reader 7.x and Acrobat 7.x:
Upgrade to version 8.2 or 9.3. Please see the vendor's advisory for
more information.
NOTE: Support has ended for Adobe Reader 7.x and Acrobat 7.x on
Windows, Macintosh, and UNIX.
CHANGELOG:
2010-01-13: Updated CVE references.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
National Cyber Alert System
Technical Cyber Security Alert TA10-013A
Adobe Reader and Acrobat Vulnerabilities
Original release date:
Last revised: --
Source: US-CERT
Systems Affected
* Adobe Reader and Acrobat 9.2 and earlier 9.x versions
* Adobe Reader and Acrobat 8.1.7 and earlier 8.x versions
Overview
Adobe has released Security bulletin APSB10-02, which describes
multiple vulnerabilities affecting Adobe Reader and Acrobat.
I. Further details are available in
the US-CERT Vulnerability Notes Database.
An attacker could exploit these vulnerabilities by convincing a
user to open a specially crafted PDF file. The Adobe Reader browser
plug-in is available for multiple web browsers and operating
systems, which can automatically open PDF documents hosted on a
website.
Some of these vulnerabilities are being actively exploited.
II.
III. Solution
Update
Adobe has released updates to address this issue. Acrobat JavaScript can be disabled using the
Preferences menu (Edit -> Preferences -> JavaScript; un-check
Enable Acrobat JavaScript).
Prevent Internet Explorer from automatically opening PDF documents
The installer for Adobe Reader and Acrobat configures Internet
Explorer to automatically open PDF files without any user
interaction. This behavior can be reverted to a safer option that
prompts the user by importing the following as a .REG file:
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\AcroExch.Document.7]
"EditFlags"=hex:00,00,00,00
Disable the display of PDF documents in the web browser
Preventing PDF documents from opening inside a web browser will
partially mitigate this vulnerability. If this workaround is
applied it may also mitigate future vulnerabilities.
To prevent PDF documents from automatically being opened in a web
browser, do the following:
1.
2. Open the Edit menu.
3. Choose the preferences option.
4. Choose the Internet section.
5. Un-check the "Display PDF in browser" check box.
Do not access PDF documents from untrusted sources
Do not open unfamiliar or unexpected PDF documents, particularly
those hosted on websites or delivered as email attachments. Please
see Cyber Security Tip ST04-010.
IV. References
* Adobe Security Bulletin APSB10-02 -
<http://www.adobe.com/support/security/bulletins/apsb10-02.html>
* Vulnerability Note VU#508357 -
<https://www.kb.cert.org/vuls/id/508357>
* Vulnerability Note VU#773545 -
<https://www.kb.cert.org/vuls/id/773545>
____________________________________________________________________
The most recent version of this document can be found at:
<http://www.us-cert.gov/cas/techalerts/TA10-013A.html>
____________________________________________________________________
Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA10-013A Feedback VU#508357" in
the subject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________
Produced 2010 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
January 13, 2010: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
iQEVAwUBS0402NucaIvSvh1ZAQJ3NQf+IbEop63x4l0P2ns/qPIVL3XaBd6xx11n
+8eqQk0+ZtpmrPb03UjWaeh1tkNu98R4sMWZQENOWVbbeYLzAKLHPNf48ewqvzbl
UvmW/kLxdu88Ux1BPNpJahX3zZgGqIswYSlGyIhlkpiLhUVrzfssykwyYbGZvGVn
so9Euz4/1ZThOgAFoGY8xsqXVZ45lcS6YY2ACkl84r6BBcayzVtIsvfxKDfNMvfP
bxjrXNqoLB/9n6x150uo2iF1dtB6uj/V+GVRFZa/X6lySTp/R+InBK8mpsxWMPB4
/la9+twnIB5cPHpNq1WVPhxbElsM3JCAndKEiLLTencMYPLc4i1cLQ==
=KC5F
-----END PGP SIGNATURE-----
. ----------------------------------------------------------------------
Secunia integrated with Microsoft WSUS
http://secunia.com/blog/71/
----------------------------------------------------------------------
TITLE:
Red Hat update for acroread
SECUNIA ADVISORY ID:
SA38215
VERIFY ADVISORY:
http://secunia.com/advisories/38215/
DESCRIPTION:
Red Hat has issued an update for acroread. This fixes multiple
vulnerabilities, which can be exploited by malicious people to
conduct cross-site scripting attacks or compromise a user's system.
For more information:
SA37690
SOLUTION:
Updated packages are available via Red Hat Network
| VAR-200912-0756 | CVE-2009-3953 | Adobe Acrobat and Reader contain a use-after-free vulnerability in the JavaScript Doc.media.newPlayer method |
CVSS V2: 10.0 CVSS V3: 8.8 Severity: HIGH |
The U3D implementation in Adobe Reader and Acrobat 9.x before 9.3, 8.x before 8.2 on Windows and Mac OS X, and 7.x before 7.1.4 allows remote attackers to execute arbitrary code via malformed U3D data in a PDF document, related to a CLODProgressiveMeshDeclaration "array boundary issue," a different vulnerability than CVE-2009-2994. CVE-2009-2994 Is a different vulnerability.by the attacker ' Array Bounds Problem ' Arbitrary code may be executed via vectors related to. Failed exploit attempts will likely cause denial-of-service conditions.
This issue affects Reader and Acrobat 9.2 and prior versions.
NOTE: This issue was previously covered in BID 37667 (Adobe Acrobat and Reader January 2010 Multiple Remote Vulnerabilities), but has been given its own record to better document it. An array indexing error vulnerability exists in Adobe Reader and Acrobat's 3difr.x3d when processing U3D CLOD Mesh Declaration blocks. Users tricked into opening a PDF document containing a specially crafted U3D model will trigger memory corruption, resulting in the execution of arbitrary instructions. The Adobe Reader browser plug-in is available for several web browsers and operating systems and will automatically open PDF documents on websites. ----------------------------------------------------------------------
Do you have VARM strategy implemented?
(Vulnerability Assessment Remediation Management)
If not, then implement it through the most reliable vulnerability
intelligence source on the market.
Implement it through Secunia.
For more information visit:
http://secunia.com/advisories/business_solutions/
Alternatively request a call from a Secunia representative today to
discuss how we can help you with our capabilities contact us at:
sales@secunia.com
----------------------------------------------------------------------
TITLE:
Adobe Reader/Acrobat Code Execution Vulnerability
SECUNIA ADVISORY ID:
SA37690
VERIFY ADVISORY:
http://secunia.com/advisories/37690/
DESCRIPTION:
A vulnerability has been reported in Adobe Reader and Acrobat, which
can be exploited by malicious people to compromise a user's system.
NOTE: This vulnerability is currently being actively exploited.
SOLUTION:
Do not open untrusted PDF files.
Do not visit untrusted websites or follow untrusted links.
PROVIDED AND/OR DISCOVERED BY:
Reported as a 0-day.
ORIGINAL ADVISORY:
http://blogs.adobe.com/psirt/2009/12/new_adobe_reader_and_acrobat_v.html
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 app-text/acroread < 9.3.4 >= 9.3.4
Description
===========
Multiple vulnerabilities were discovered in Adobe Reader. For further
information please consult the CVE entries and the Adobe Security
Bulletins referenced below.
Impact
======
A remote attacker might entice a user to open a specially crafted PDF
file, possibly resulting in the execution of arbitrary code with the
privileges of the user running the application, or bypass intended
sandbox restrictions, make cross-domain requests, inject arbitrary web
script or HTML, or cause a Denial of Service condition.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Adobe Reader users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-text/acroread-9.3.4"
References
==========
[ 1 ] APSA10-01
http://www.adobe.com/support/security/advisories/apsa10-01.html
[ 2 ] APSB10-02
http://www.adobe.com/support/security/bulletins/apsb10-02.html
[ 3 ] APSB10-07
http://www.adobe.com/support/security/bulletins/apsb10-07.html
[ 4 ] APSB10-09
http://www.adobe.com/support/security/bulletins/apsb10-09.html
[ 5 ] APSB10-14
http://www.adobe.com/support/security/bulletins/apsb10-14.html
[ 6 ] APSB10-16
http://www.adobe.com/support/security/bulletins/apsb10-16.html
[ 7 ] CVE-2009-3953
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3953
[ 8 ] CVE-2009-4324
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4324
[ 9 ] CVE-2010-0186
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0186
[ 10 ] CVE-2010-0188
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0188
[ 11 ] CVE-2010-0190
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0190
[ 12 ] CVE-2010-0191
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0191
[ 13 ] CVE-2010-0192
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0192
[ 14 ] CVE-2010-0193
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0193
[ 15 ] CVE-2010-0194
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0194
[ 16 ] CVE-2010-0195
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0195
[ 17 ] CVE-2010-0196
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0196
[ 18 ] CVE-2010-0197
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0197
[ 19 ] CVE-2010-0198
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0198
[ 20 ] CVE-2010-0199
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0199
[ 21 ] CVE-2010-0201
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0201
[ 22 ] CVE-2010-0202
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0202
[ 23 ] CVE-2010-0203
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0203
[ 24 ] CVE-2010-0204
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0204
[ 25 ] CVE-2010-1241
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1241
[ 26 ] CVE-2010-1285
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1285
[ 27 ] CVE-2010-1295
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1295
[ 28 ] CVE-2010-1297
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1297
[ 29 ] CVE-2010-2168
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2168
[ 30 ] CVE-2010-2201
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2201
[ 31 ] CVE-2010-2202
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2202
[ 32 ] CVE-2010-2203
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2203
[ 33 ] CVE-2010-2204
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2204
[ 34 ] CVE-2010-2205
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2205
[ 35 ] CVE-2010-2206
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2206
[ 36 ] CVE-2010-2207
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2207
[ 37 ] CVE-2010-2208
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2208
[ 38 ] CVE-2010-2209
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2209
[ 39 ] CVE-2010-2210
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2210
[ 40 ] CVE-2010-2211
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2211
[ 41 ] CVE-2010-2212
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2212
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201009-05.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2010 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5