VARIoT IoT vulnerabilities database

VAR-200912-0439 | CVE-2009-2880 | Buffer overflow vulnerability in atrpui.dll of the Cisco WebEx WRF Player |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Buffer overflow in atrpui.dll in the Cisco WebEx WRF Player 26.x before 26.49.32 for Windows, 27.x before 27.10.x for Windows, 26.x before 26.49.35 for Mac OS X and Linux, and 27.x before 27.11.8 for Mac OS X and Linux allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted WebEx Recording Format (WRF) file. The atrpui.dll component of the Cisco WebEx WRF Player contains a buffer overflow vulnerability. Cisco WebEx is prone to multiple remote buffer-overflow vulnerabilities because the software fails to perform adequate boundary checks on user-supplied data.
An attacker can exploit these issues to execute arbitrary code with administrative privileges. Successful exploits will completely compromise affected computers. Failed exploit attempts will result in a denial-of-service condition.
ORIGINAL ADVISORY:
Cisco:
http://www.cisco.com/warp/public/707/cisco-sa-20091216-webex.shtml
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Cisco Security Advisory: Multiple Cisco WebEx WRF Player Vulnerabilities
Advisory ID: cisco-sa-20091216-webex
http://www.cisco.com/warp/public/707/cisco-sa-20091216-webex.shtml
Revision 1.0
For Public Release 2009 December 16 1600 UTC (GMT)
Summary
=======
Multiple buffer overflow vulnerabilities exist in the Cisco WebEx
Recording Format (WRF) Player.
The Cisco WebEx WRF Player is an application that is used to play back
WebEx meeting recordings that have been recorded on the computer of an
on-line meeting attendee. The WRF Player can be automatically installed
when the user accesses a WRF file that is hosted on a WebEx server. The
WRF Player can also be manually installed for offline playback after
downloading the application from www.webex.com.
If the WRF Player was automatically installed, the WebEx WRF Player
will be automatically upgraded to the latest, non-vulnerable version
when users access a WRF file hosted on a WebEx server. If the WebEx
WRF Player was manually installed, users will need to manually install
a new version of the player after downloading the latest version from
www.webex.com.
Cisco has released free software updates that address these
vulnerabilities.
This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20091216-webex.shtml.
Affected Products
=================
Vulnerable Products
- -------------------
The vulnerabilities disclosed in this advisory affect the Cisco WebEx
WRF Player. Microsoft Windows, Apple Mac OS X, and Linux versions of the
player are affected. Affected versions of the WRF Player are those prior
to the "first fixed" versions, which are shown in the section "Software
Versions and Fixes" of this advisory.
To check if a Cisco WebEx server is running an affected version of the
WebEx client build, users can log in to their Cisco WebEx server and go
to the Support -> Downloads section. The version of the WebEx client
build will be displayed on the right-hand side of the page under "About
Support Center", for example "Client build: 27.11.0.3328".
There is no way to check if a manually installed version of the WRF
Player is affected by these vulnerabilities. Therefore, Cisco recommends
that users upgrade to the most current version of the player that is
available from http://www.webex.com/downloadplayer.html.
Products Confirmed Not Vulnerable
- ---------------------------------
The Cisco WebEx Player for the WebEx Advanced Recording Format (ARF)
file format is not affected by these vulnerabilities.
No other Cisco products are currently known to be affected by these
vulnerabilities.
Details
=======
The WebEx meeting service is a hosted multimedia conferencing solution
that is managed by and maintained by Cisco WebEx. The WebEx Recording
Format (WRF) is a file format that is used to store WebEx meeting
recordings that have been recorded on the computer of an on-line meeting
attendee. The WRF Player is an application that is used to play back
and edit WRF files (files with .wrf extensions). The WRF Player can be
automatically installed when the user accesses a WRF file that is hosted
on a WebEx server (stream playback mode). The WRF Player can also be
manually installed after downloading the application from www.webex.com
to play back WRF files locally (offline playback mode). The
vulnerabilities may lead to a crash of the WRF Player application, or in
some cases, lead to remote code execution.
To exploit a vulnerability, a malicious WRF file would need to be opened
by the WRF Player application. An attacker may be able to accomplish
this by providing the malicious WRF file directly to users (for example,
via e-mail), or by convincing users to visit a malicious website. The
vulnerability cannot be triggered by users attending a WebEx meeting.
These vulnerabilities have been assigned the following Common
Vulnerabilities and Exposures (CVE) identifiers:
* CVE-2009-2875
* CVE-2009-2876
* CVE-2009-2877
* CVE-2009-2878
* CVE-2009-2879
* CVE-2009-2880
Vulnerability Scoring Details
=============================
Cisco has provided scores for the vulnerabilities in this advisory based
on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in
this Security Advisory is done in accordance with CVSS version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of the
vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding CVSS
at:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at:
http://intellishield.cisco.com/security/alertmanager/cvss
* Multiple Cisco WebEx Player Buffer Overflow Vulnerabilities (all
vulnerabilities in this advisory)
CVSS Base Score - 9.3
Access Vector - Network
Access Complexity - Medium
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 7.7
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of the vulnerabilities described in this
document could result in a crash of the Cisco WebEx WRF Player
application, and in some cases, allow a remote attacker to execute
arbitrary code on the targeted system with the privileges of the user
running the WRF Player application.
Software Versions and Fixes
===========================
The table below contains "First Fixed" information for the Cisco WebEx
WRF Player that is automatically downloaded from a WebEx site when a WRF
hosted on a WebEx site is accessed (stream playback mode). Fixes are
cumulative within a major release so for example, if release 27.10.1 is
fixed, then release 27.10.2 will have the fix too.
+------------------------------------------------------------+
| Platform | Major Release 26.x | Major Release 27.x |
|-----------+---------------------+--------------------------|
| Microsoft | 26.49.32; available | 27.10.x; available now |
| Windows | now except lockdown | for non-PSO and |
| | sites | non-lockdown sites |
|-----------+---------------------+--------------------------|
| | 26.49.35; available | 27.11.8; available now |
| Mac OS X | early February 2010 | for non-PSO and |
| | | non-lockdown sites |
|-----------+---------------------+--------------------------|
| | 26.49.35; available | 27.11.8; available now |
| Linux | early February 2010 | for non-PSO and |
| | | non-lockdown sites |
+------------------------------------------------------------+
PSO and lockdown sites running 27.x will receive the fixes for these
vulnerabilities during the next emergency patching (EP) cycle. This
advisory will be updated to indicate a specific timeline once one is
available.
If the WRF Player was automatically installed, the WebEx WRF Player will
be automatically upgraded to the latest, non-vulnerable version when
users access a WRF file hosted on a WebEx server.
If the WebEx WRF Player was manually installed, users will need to
manually install a new version of the player after downloading the
latest version from www.webex.com.
Workarounds
===========
There are no workarounds for the vulnerabilities disclosed in this
advisory.
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should consult
their maintenance provider or check the software for feature set
compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature
sets they have purchased. By installing, downloading, accessing
or otherwise using such software upgrades, customers agree to be
bound by the terms of Cisco's software license terms found at
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html,
or as otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml.
Do not contact psirt@cisco.com or security-alert@cisco.com for software
upgrades.
Customers that need additional information can contact WebEx Global
Support Services and Technical Support. WebEx Global Support Services
and Technical Support can be reached through the WebEx support site at
http://support.webex.com/support/support-overview.html or by phone at
+1-866-229-3239 or +1-408-435-7088.
Customers outside of the United States can reference the following link
for local support numbers:
http://support.webex.com/support/phone-numbers.html
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of malicious use of the vulnerabilities
described in this advisory.
These vulnerabilities were discovered and reported to Cisco by Xiaopeng
Zhang and Zhenhua Liu of Fortinet's FortiGuard Labs. The FortiGuard Labs
advisory is available at http://www.fortiguard.com. Cisco would like to
thank FortiGuard Labs for reporting these vulnerabilities to us and for
working with us on a coordinated disclosure.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY
ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that omits
the distribution URL in the following section is an uncontrolled copy,
and may lack important information or contain factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at:
http://www.cisco.com/warp/public/707/cisco-sa-20091216-webex.shtml
In addition to worldwide web posting, a text version of this notice is
clear-signed with the Cisco PSIRT PGP key and is posted to the following
e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on mailing
lists or newsgroups. Users concerned about this problem are encouraged
to check the above URL for any updates.
Revision History
================
+------------------------------------------------------------+
| Revision 1.0 | 2009-December-16 | Initial public release |
+------------------------------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in
Cisco products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html.
This includes instructions for press inquiries regarding Cisco security
notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt.
+--------------------------------------------------------------------
Copyright 2008-2009 Cisco Systems, Inc. All rights reserved.
+--------------------------------------------------------------------
Updated: Dec 16, 2009 Document ID: 110946
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkspCQMACgkQ86n/Gc8U/uCn+QCeLaUWmiHsetXDoJsynUbgsmHs
IDgAnRhmTkrcs2NhAQ7Dq8+eJqofkHSh
=KaHv
-----END PGP SIGNATURE-----
VAR-200912-0438 | CVE-2009-2879 | Heap-based buffer overflow vulnerability in atas32.dll of the Cisco WebEx WRF Player |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Heap-based buffer overflow in atas32.dll in the Cisco WebEx WRF Player 26.x before 26.49.32 (aka T26SP49EP32) for Windows, 27.x before 27.10.x (aka T27SP10) for Windows, 26.x before 26.49.35 for Mac OS X and Linux, and 27.x before 27.11.8 for Mac OS X and Linux allows remote attackers to cause a denial of service (application crash) or execute arbitrary code via a crafted WebEx Recording Format (WRF) file, a different vulnerability than CVE-2009-2876 and CVE-2009-2878. The atas32.dll component of the Cisco WebEx WRF Player contains a heap-based buffer overflow vulnerability. Cisco WebEx is prone to multiple remote buffer-overflow vulnerabilities because the software fails to perform adequate boundary checks on user-supplied data.
An attacker can exploit these issues to execute arbitrary code with administrative privileges. Successful exploits will completely compromise affected computers. Failed exploit attempts will result in a denial-of-service condition. This vulnerability is different from CVE-2009-2876 and CVE-2009-2878.
ORIGINAL ADVISORY:
Cisco:
http://www.cisco.com/warp/public/707/cisco-sa-20091216-webex.shtml
VAR-200912-0430 | CVE-2009-1797 | APC Network Management Card web interface vulnerable to cross-site scripting and cross-site request forgery |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Multiple cross-site request forgery (CSRF) vulnerabilities on the Network Management Card (NMC) on American Power Conversion (APC) Switched Rack PDU (aka Rack Mount Power Distribution) devices and other devices allow remote attackers to hijack the authentication of (1) administrator or (2) device users for requests that create new administrative users or have unspecified other impact. The web management interface for the APC Network Monitoring Card (NMC) used in various APC devices contains cross-site scripting (XSS) and cross-site request forgery (CSRF/XSRF) vulnerabilities. By convincing a victim to load a specially crafted URL while authenticated to an NMC, an attacker could obtain credentials or perform certain actions as the victim, including turning off the NMC-based device and any systems attached to it.
An attacker can exploit the cross-site request forgery issues to alter the settings on affected devices, which may lead to further network-based attacks.
The attacker can exploit the cross-site scripting issues to execute arbitrary script code in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials. Other attacks are also possible.
Versions prior to the following are vulnerable:
Network Management Card Firmware 3.7.2
Network Management Card Firmware 5.1.1.
1) Input passed to various parameters (e.g. the "login_username"
parameter in Forms/login1) is not properly sanitised before being
returned to the user.
2) The application allows users to perform certain actions via HTTP
requests without performing any validity checks to verify the
request. This can be exploited to e.g. create administrative users by
tricking a logged-in administrative user into visiting a malicious web
site.
Vulnerability #1 is reported in APC AP7932 Switched Rack PDU version
3.3.4 with application module version 3.7.0. Other APC NMC products
and versions may also be affected.
SOLUTION:
Filter malicious characters and character sequences using a proxy. Do
not browse untrusted websites and do not follow untrusted links.
Apply updated firmware versions when available. Contact the vendor
for additional details.
PROVIDED AND/OR DISCOVERED BY:
Russ McRee, HolisticInfoSec.
Vulnerability #1 also independently discovered by Jamal Pecou.
ORIGINAL ADVISORY:
HolisticInfoSec:
http://holisticinfosec.org/content/view/111/45/
APC:
http://nam-en.apc.com/cgi-bin/nam_en.cfg/php/enduser/std_adp.php?p_faqid=10887&p_created=1261587018&p_topview=1
Jamal Pecou:
http://archives.neohapsis.com/archives/bugtraq/current/0219.html
OTHER REFERENCES:
US-CERT VU#166739:
http://www.kb.cert.org/vuls/id/166739
VAR-200912-0431 | CVE-2009-1798 | APC Network Management Card web interface vulnerable to cross-site scripting and cross-site request forgery |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Multiple cross-site scripting (XSS) vulnerabilities on the Network Management Card (NMC) on American Power Conversion (APC) Switched Rack PDU (aka Rack Mount Power Distribution) devices and other devices allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. NOTE: the login_username vector for Forms/login1 is already covered by CVE-2009-4406. By convincing a victim to load a specially crafted URL while authenticated to an NMC, an attacker could obtain credentials or perform certain actions as the victim, including turning off the NMC-based device and any systems attached to it.
An attacker can exploit the cross-site request forgery issues to alter the settings on affected devices, which may lead to further network-based attacks.
The attacker can exploit the cross-site scripting issues to execute arbitrary script code in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials. Other attacks are also possible.
Versions prior to the following are vulnerable:
Network Management Card Firmware 3.7.2
Network Management Card Firmware 5.1.1.
1) Input passed to various parameters (e.g. the "login_username"
parameter in Forms/login1) is not properly sanitised before being
returned to the user.
2) The application allows users to perform certain actions via HTTP
requests without performing any validity checks to verify the
request. This can be exploited to e.g. create administrative users by
tricking a logged-in administrative user into visiting a malicious web
site.
Vulnerability #1 is reported in APC AP7932 Switched Rack PDU version
3.3.4 with application module version 3.7.0. Other APC NMC products
and versions may also be affected.
SOLUTION:
Filter malicious characters and character sequences using a proxy. Do
not browse untrusted websites and do not follow untrusted links.
Apply updated firmware versions when available. Contact the vendor
for additional details.
PROVIDED AND/OR DISCOVERED BY:
Russ McRee, HolisticInfoSec.
Vulnerability #1 also independently discovered by Jamal Pecou.
ORIGINAL ADVISORY:
HolisticInfoSec:
http://holisticinfosec.org/content/view/111/45/
APC:
http://nam-en.apc.com/cgi-bin/nam_en.cfg/php/enduser/std_adp.php?p_faqid=10887&p_created=1261587018&p_topview=1
Jamal Pecou:
http://archives.neohapsis.com/archives/bugtraq/current/0219.html
OTHER REFERENCES:
US-CERT VU#166739:
http://www.kb.cert.org/vuls/id/166739
VAR-200912-0282 | CVE-2009-4406 | APC Network Management Card web interface vulnerable to cross-site scripting and cross-site request forgery |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Cross-site scripting (XSS) vulnerability in Forms/login1 in American Power Conversion (APC) Switched Rack PDU AP7932 B2, running rpdu 3.3.3 or 3.7.0 on AOS 3.3.4, and possibly other versions, allows remote attackers to inject arbitrary web script or HTML via the login_username parameter. The web management interface for the APC Network Monitoring Card (NMC) used in various APC devices contains cross-site scripting (XSS) and cross-site request forgery (CSRF/XSRF) vulnerabilities. By convincing a victim to load a specially crafted URL while authenticated to an NMC, an attacker could obtain credentials or perform certain actions as the victim, including turning off the NMC-based device and any systems attached to it.
An attacker can exploit the cross-site request forgery issues to alter the settings on affected devices, which may lead to further network-based attacks.
The attacker can exploit the cross-site scripting issues to execute arbitrary script code in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials. Other attacks are also possible.
Versions prior to the following are vulnerable:
Network Management Card Firmware 3.7.2
Network Management Card Firmware 5.1.1.
1) Input passed to various parameters (e.g. the "login_username"
parameter in Forms/login1) is not properly sanitised before being
returned to the user.
2) The application allows users to perform certain actions via HTTP
requests without performing any validity checks to verify the
request. This can be exploited to e.g. create administrative users by
tricking a logged-in administrative user into visiting a malicious web
site.
Vulnerability #1 is reported in APC AP7932 Switched Rack PDU version
3.3.4 with application module version 3.7.0. Other APC NMC products
and versions may also be affected.
SOLUTION:
Filter malicious characters and character sequences using a proxy. Do
not browse untrusted websites and do not follow untrusted links.
Apply updated firmware versions when available. Contact the vendor
for additional details.
PROVIDED AND/OR DISCOVERED BY:
Russ McRee, HolisticInfoSec.
Vulnerability #1 also independently discovered by Jamal Pecou.
ORIGINAL ADVISORY:
HolisticInfoSec:
http://holisticinfosec.org/content/view/111/45/
APC:
http://nam-en.apc.com/cgi-bin/nam_en.cfg/php/enduser/std_adp.php?p_faqid=10887&p_created=1261587018&p_topview=1
Jamal Pecou:
http://archives.neohapsis.com/archives/bugtraq/current/0219.html
OTHER REFERENCES:
US-CERT VU#166739:
http://www.kb.cert.org/vuls/id/166739
VAR-201001-0022 | CVE-2009-3958 | NOS Microsystems Adobe getPlus Helper ActiveX control stack buffer overflows |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Multiple stack-based buffer overflows in the NOS Microsystems getPlus Helper ActiveX control before 1.6.2.49 in gp.ocx in the Download Manager in Adobe Reader and Acrobat 9.x before 9.3, and 8.x before 8.2 on Windows and Mac OS X, might allow remote attackers to execute arbitrary code via unspecified initialization parameters. The Doc.media.newPlayer method in Adobe Acrobat and Reader contains a use-after-free vulnerability, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system. Failed attempts will likely result in denial-of-service conditions.
NOTE: This issue was previously covered in BID 37667 (Adobe Acrobat and Reader January 2010 Multiple Remote Vulnerabilities), but has been given its own record to better document it.
TITLE:
Adobe Reader/Acrobat Code Execution Vulnerability
SECUNIA ADVISORY ID:
SA37690
VERIFY ADVISORY:
http://secunia.com/advisories/37690/
DESCRIPTION:
A vulnerability has been reported in Adobe Reader and Acrobat, which
can be exploited by malicious people to compromise a user's system.
The vulnerability is caused due to an unspecified error and can be
exploited to execute arbitrary code.
The vulnerability is reported in versions 9.2 and prior.
SOLUTION:
Do not open untrusted PDF files.
Do not visit untrusted websites or follow untrusted links.
PROVIDED AND/OR DISCOVERED BY:
Reported as a 0-day.
ORIGINAL ADVISORY:
http://blogs.adobe.com/psirt/2009/12/new_adobe_reader_and_acrobat_v.html
National Cyber Alert System
Technical Cyber Security Alert TA10-013A
Adobe Reader and Acrobat Vulnerabilities
Original release date:
Last revised: --
Source: US-CERT
Systems Affected
* Adobe Reader and Acrobat 9.2 and earlier 9.x versions
* Adobe Reader and Acrobat 8.1.7 and earlier 8.x versions
Overview
Adobe has released Security bulletin APSB10-02, which describes
multiple vulnerabilities affecting Adobe Reader and Acrobat.
I. Description
Adobe Security Advisory APSB10-02 describes a number of
vulnerabilities affecting Adobe Reader and Acrobat. These
vulnerabilities affect Reader 9.2 and earlier 9.x versions and
8.1.7 and earlier 8.x versions. Further details are available in
the US-CERT Vulnerability Notes Database.
An attacker could exploit these vulnerabilities by convincing a
user to open a specially crafted PDF file. The Adobe Reader browser
plug-in is available for multiple web browsers and operating
systems, which can automatically open PDF documents hosted on a
website.
Some of these vulnerabilities are being actively exploited.
II.
III. Solution
Update
Adobe has released updates to address this issue. Users are
encouraged to read Adobe Security Bulletin APSB10-02 and update
vulnerable versions of Adobe Reader and Acrobat. Acrobat JavaScript can be disabled using the
Preferences menu (Edit -> Preferences -> JavaScript; un-check
Enable Acrobat JavaScript).
Prevent Internet Explorer from automatically opening PDF documents
The installer for Adobe Reader and Acrobat configures Internet
Explorer to automatically open PDF files without any user
interaction. This behavior can be reverted to a safer option that
prompts the user by importing the following as a .REG file:
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\AcroExch.Document.7]
"EditFlags"=hex:00,00,00,00
Disable the display of PDF documents in the web browser
Preventing PDF documents from opening inside a web browser will
partially mitigate this vulnerability. If this workaround is
applied it may also mitigate future vulnerabilities.
To prevent PDF documents from automatically being opened in a web
browser, do the following:
1. Open Adobe Acrobat Reader.
2. Open the Edit menu.
3. Choose the preferences option.
4. Choose the Internet section.
5. Un-check the "Display PDF in browser" check box.
Do not access PDF documents from untrusted sources
Do not open unfamiliar or unexpected PDF documents, particularly
those hosted on websites or delivered as email attachments. Please
see Cyber Security Tip ST04-010.
IV. References
* Adobe Security Bulletin APSB10-02 -
<http://www.adobe.com/support/security/bulletins/apsb10-02.html>
* Vulnerability Note VU#508357 -
<https://www.kb.cert.org/vuls/id/508357>
* Vulnerability Note VU#773545 -
<https://www.kb.cert.org/vuls/id/773545>
____________________________________________________________________
The most recent version of this document can be found at:
<http://www.us-cert.gov/cas/techalerts/TA10-013A.html>
____________________________________________________________________
Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA10-013A Feedback VU#508357" in
the subject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________
Produced 2010 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
January 13, 2010: Initial release
VAR-201001-0021 | CVE-2009-3957 | NOS Microsystems Adobe getPlus Helper ActiveX control stack buffer overflows |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Adobe Reader and Acrobat 9.x before 9.3, and 8.x before 8.2 on Windows and Mac OS X, might allow attackers to cause a denial of service (NULL pointer dereference) via unspecified vectors. The Doc.media.newPlayer method in Adobe Acrobat and Reader contains a use-after-free vulnerability, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system. Adobe Reader and Acrobat are prone to a denial-of-service vulnerability.
Successfully exploiting this issue may allow attackers to crash the affected applications, denying service to legitimate users.
NOTE: This issue was previously covered in BID 37667 (Adobe Acrobat and Reader January 2010 Multiple Remote Vulnerabilities), but has been given its own record to better document it.
TITLE:
Adobe Reader/Acrobat Code Execution Vulnerability
SECUNIA ADVISORY ID:
SA37690
VERIFY ADVISORY:
http://secunia.com/advisories/37690/
DESCRIPTION:
A vulnerability has been reported in Adobe Reader and Acrobat, which
can be exploited by malicious people to compromise a user's system.
The vulnerability is caused due to an unspecified error and can be
exploited to execute arbitrary code.
The vulnerability is reported in versions 9.2 and prior.
SOLUTION:
Do not open untrusted PDF files.
Do not visit untrusted websites or follow untrusted links.
PROVIDED AND/OR DISCOVERED BY:
Reported as a 0-day.
ORIGINAL ADVISORY:
http://blogs.adobe.com/psirt/2009/12/new_adobe_reader_and_acrobat_v.html
National Cyber Alert System
Technical Cyber Security Alert TA10-013A
Adobe Reader and Acrobat Vulnerabilities
Original release date:
Last revised: --
Source: US-CERT
Systems Affected
* Adobe Reader and Acrobat 9.2 and earlier 9.x versions
* Adobe Reader and Acrobat 8.1.7 and earlier 8.x versions
Overview
Adobe has released Security bulletin APSB10-02, which describes
multiple vulnerabilities affecting Adobe Reader and Acrobat.
I. These
vulnerabilities affect Reader 9.2 and earlier 9.x versions and
8.1.7 and earlier 8.x versions. Further details are available in
the US-CERT Vulnerability Notes Database.
An attacker could exploit these vulnerabilities by convincing a
user to open a specially crafted PDF file. The Adobe Reader browser
plug-in is available for multiple web browsers and operating
systems, which can automatically open PDF documents hosted on a
website.
Some of these vulnerabilities are being actively exploited.
II.
III. Solution
Update
Adobe has released updates to address this issue. Acrobat JavaScript can be disabled using the
Preferences menu (Edit -> Preferences -> JavaScript; un-check
Enable Acrobat JavaScript).
Prevent Internet Explorer from automatically opening PDF documents
The installer for Adobe Reader and Acrobat configures Internet
Explorer to automatically open PDF files without any user
interaction. This behavior can be reverted to a safer option that
prompts the user by importing the following as a .REG file:
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\AcroExch.Document.7]
"EditFlags"=hex:00,00,00,00
Disable the display of PDF documents in the web browser
Preventing PDF documents from opening inside a web browser will
partially mitigate this vulnerability. If this workaround is
applied it may also mitigate future vulnerabilities.
To prevent PDF documents from automatically being opened in a web
browser, do the following:
1.
2. Open the Edit menu.
3. Choose the preferences option.
4. Choose the Internet section.
5. Un-check the "Display PDF in browser" check box.
Do not access PDF documents from untrusted sources
Do not open unfamiliar or unexpected PDF documents, particularly
those hosted on websites or delivered as email attachments. Please
see Cyber Security Tip ST04-010.
IV. References
* Adobe Security Bulletin APSB10-02 -
<http://www.adobe.com/support/security/bulletins/apsb10-02.html>
* Vulnerability Note VU#508357 -
<https://www.kb.cert.org/vuls/id/508357>
* Vulnerability Note VU#773545 -
<https://www.kb.cert.org/vuls/id/773545>
____________________________________________________________________
The most recent version of this document can be found at:
<http://www.us-cert.gov/cas/techalerts/TA10-013A.html>
____________________________________________________________________
Revision History
January 13, 2010: Initial release
VAR-200912-0790 | CVE-2009-3956 | NOS Microsystems Adobe getPlus Helper ActiveX control stack buffer overflows |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
The default configuration of Adobe Reader and Acrobat 9.x before 9.3, and 8.x before 8.2 on Windows and Mac OS X, does not enable the Enhanced Security feature, which has unspecified impact and attack vectors, related to a "script injection vulnerability," as demonstrated by Acrobat Forms Data Format (FDF) behavior that allows cross-site scripting (XSS) by user-assisted remote attackers. The Doc.media.newPlayer method in Adobe Acrobat and Reader contains a use-after-free vulnerability, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.
An attacker can exploit this issue to obtain the contents of sensitive PDF files or to perform cross-site scripting attacks against domains hosting PDF files.
NOTE: This issue was previously covered in BID 37667 (Adobe Acrobat and Reader January 2010 Multiple Remote Vulnerabilities), but has been given its own record to better document it.
TITLE:
Adobe Reader/Acrobat Code Execution Vulnerability
SECUNIA ADVISORY ID:
SA37690
VERIFY ADVISORY:
http://secunia.com/advisories/37690/
DESCRIPTION:
A vulnerability has been reported in Adobe Reader and Acrobat, which
can be exploited by malicious people to compromise a user's system.
The vulnerability is caused due to an unspecified error and can be
exploited to execute arbitrary code.
The vulnerability is reported in versions 9.2 and prior.
SOLUTION:
Do not open untrusted PDF files.
Do not visit untrusted websites or follow untrusted links.
PROVIDED AND/OR DISCOVERED BY:
Reported as a 0-day.
ORIGINAL ADVISORY:
http://blogs.adobe.com/psirt/2009/12/new_adobe_reader_and_acrobat_v.html
For more information:
SA37690
SOLUTION:
Adobe Reader 7.x and Acrobat 7.x:
Upgrade to version 8.2 or 9.3. Please see the vendor's advisory for
more information.
NOTE: Support has ended for Adobe Reader 7.x and Acrobat 7.x on
Windows, Macintosh, and UNIX.
CHANGELOG:
2010-01-13: Updated CVE references.
National Cyber Alert System
Technical Cyber Security Alert TA10-013A
Adobe Reader and Acrobat Vulnerabilities
Original release date:
Last revised: --
Source: US-CERT
Systems Affected
* Adobe Reader and Acrobat 9.2 and earlier 9.x versions
* Adobe Reader and Acrobat 8.1.7 and earlier 8.x versions
Overview
Adobe has released Security bulletin APSB10-02, which describes
multiple vulnerabilities affecting Adobe Reader and Acrobat.
I. These
vulnerabilities affect Reader 9.2 and earlier 9.x versions and
8.1.7 and earlier 8.x versions. Further details are available in
the US-CERT Vulnerability Notes Database.
An attacker could exploit these vulnerabilities by convincing a
user to open a specially crafted PDF file. The Adobe Reader browser
plug-in is available for multiple web browsers and operating
systems, which can automatically open PDF documents hosted on a
website.
Some of these vulnerabilities are being actively exploited.
II.
III. Solution
Update
Adobe has released updates to address this issue. Acrobat JavaScript can be disabled using the
Preferences menu (Edit -> Preferences -> JavaScript; un-check
Enable Acrobat JavaScript).
Prevent Internet Explorer from automatically opening PDF documents
The installer for Adobe Reader and Acrobat configures Internet
Explorer to automatically open PDF files without any user
interaction. This behavior can be reverted to a safer option that
prompts the user by importing the following as a .REG file:
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\AcroExch.Document.7]
"EditFlags"=hex:00,00,00,00
Disable the display of PDF documents in the web browser
Preventing PDF documents from opening inside a web browser will
partially mitigate this vulnerability. If this workaround is
applied it may also mitigate future vulnerabilities.
To prevent PDF documents from automatically being opened in a web
browser, do the following:
1.
2. Open the Edit menu.
3. Choose the preferences option.
4. Choose the Internet section.
5. Un-check the "Display PDF in browser" check box.
Do not access PDF documents from untrusted sources
Do not open unfamiliar or unexpected PDF documents, particularly
those hosted on websites or delivered as email attachments. Please
see Cyber Security Tip ST04-010.
IV. References
* Adobe Security Bulletin APSB10-02 -
<http://www.adobe.com/support/security/bulletins/apsb10-02.html>
* Vulnerability Note VU#508357 -
<https://www.kb.cert.org/vuls/id/508357>
* Vulnerability Note VU#773545 -
<https://www.kb.cert.org/vuls/id/773545>
____________________________________________________________________
The most recent version of this document can be found at:
<http://www.us-cert.gov/cas/techalerts/TA10-013A.html>
____________________________________________________________________
Revision History
January 13, 2010: Initial release
TITLE:
Red Hat update for acroread
SECUNIA ADVISORY ID:
SA38215
VERIFY ADVISORY:
http://secunia.com/advisories/38215/
DESCRIPTION:
Red Hat has issued an update for acroread. This fixes multiple
vulnerabilities, which can be exploited by malicious people to
conduct cross-site scripting attacks or compromise a user's system.
For more information:
SA37690
SOLUTION:
Updated packages are available via Red Hat Network
VAR-200912-0765 | CVE-2009-3954 | NOS Microsystems Adobe getPlus Helper ActiveX control stack buffer overflows |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
The 3D implementation in Adobe Reader and Acrobat 9.x before 9.3, and 8.x before 8.2 on Windows and Mac OS X, might allow attackers to execute arbitrary code via unspecified vectors, related to a "DLL-loading vulnerability."
An attacker can exploit this issue to execute arbitrary code. Failed exploit attempts will likely cause denial-of-service conditions.
This issue affects Reader and Acrobat 9.2 and prior versions.
NOTE: This issue was previously covered in BID 37667 (Adobe Acrobat and Reader January 2010 Multiple Remote Vulnerabilities), but has been given its own record to better document it.
TITLE:
Adobe Reader/Acrobat Code Execution Vulnerability
SECUNIA ADVISORY ID:
SA37690
VERIFY ADVISORY:
http://secunia.com/advisories/37690/
DESCRIPTION:
A vulnerability has been reported in Adobe Reader and Acrobat, which
can be exploited by malicious people to compromise a user's system.
SOLUTION:
Do not open untrusted PDF files.
Do not visit untrusted websites or follow untrusted links.
PROVIDED AND/OR DISCOVERED BY:
Reported as a 0-day.
ORIGINAL ADVISORY:
http://blogs.adobe.com/psirt/2009/12/new_adobe_reader_and_acrobat_v.html
----------------------------------------------------------------------
For more information:
SA37690
SOLUTION:
Adobe Reader 7.x and Acrobat 7.x:
Upgrade to version 8.2 or 9.3. Please see the vendor's advisory for
more information.
NOTE: Support has ended for Adobe Reader 7.x and Acrobat 7.x on
Windows, Macintosh, and UNIX.
CHANGELOG:
2010-01-13: Updated CVE references.
National Cyber Alert System
Technical Cyber Security Alert TA10-013A
Adobe Reader and Acrobat Vulnerabilities
Original release date:
Last revised: --
Source: US-CERT
Systems Affected
* Adobe Reader and Acrobat 9.2 and earlier 9.x versions
* Adobe Reader and Acrobat 8.1.7 and earlier 8.x versions
Overview
Adobe has released Security bulletin APSB10-02, which describes
multiple vulnerabilities affecting Adobe Reader and Acrobat.
I. Further details are available in
the US-CERT Vulnerability Notes Database.
An attacker could exploit these vulnerabilities by convincing a
user to open a specially crafted PDF file. The Adobe Reader browser
plug-in is available for multiple web browsers and operating
systems, which can automatically open PDF documents hosted on a
website.
Some of these vulnerabilities are being actively exploited.
II.
III. Solution
Update
Adobe has released updates to address this issue. Acrobat JavaScript can be disabled using the
Preferences menu (Edit -> Preferences -> JavaScript; un-check
Enable Acrobat JavaScript).
Prevent Internet Explorer from automatically opening PDF documents
The installer for Adobe Reader and Acrobat configures Internet
Explorer to automatically open PDF files without any user
interaction. This behavior can be reverted to a safer option that
prompts the user by importing the following as a .REG file:
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\AcroExch.Document.7]
"EditFlags"=hex:00,00,00,00
Disable the display of PDF documents in the web browser
Preventing PDF documents from opening inside a web browser will
partially mitigate this vulnerability. If this workaround is
applied it may also mitigate future vulnerabilities.
To prevent PDF documents from automatically being opened in a web
browser, do the following:
1.
2. Open the Edit menu.
3. Choose the preferences option.
4. Choose the Internet section.
5. Un-check the "Display PDF in browser" check box.
Do not access PDF documents from untrusted sources
Do not open unfamiliar or unexpected PDF documents, particularly
those hosted on websites or delivered as email attachments. Please
see Cyber Security Tip ST04-010.
IV. References
* Adobe Security Bulletin APSB10-02 -
<http://www.adobe.com/support/security/bulletins/apsb10-02.html>
* Vulnerability Note VU#508357 -
<https://www.kb.cert.org/vuls/id/508357>
* Vulnerability Note VU#773545 -
<https://www.kb.cert.org/vuls/id/773545>
____________________________________________________________________
The most recent version of this document can be found at:
<http://www.us-cert.gov/cas/techalerts/TA10-013A.html>
____________________________________________________________________
Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA10-013A Feedback VU#508357" in
the subject.
____________________________________________________________________
Produced 2010 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
January 13, 2010: Initial release
----------------------------------------------------------------------
TITLE:
Red Hat update for acroread
SECUNIA ADVISORY ID:
SA38215
VERIFY ADVISORY:
http://secunia.com/advisories/38215/
DESCRIPTION:
Red Hat has issued an update for acroread. This fixes multiple
vulnerabilities, which can be exploited by malicious people to
conduct cross-site scripting attacks or compromise a user's system.
For more information:
SA37690
SOLUTION:
Updated packages are available via Red Hat Network
VAR-200912-0756 | CVE-2009-3953 | Adobe Acrobat and Reader contain a use-after-free vulnerability in the JavaScript Doc.media.newPlayer method |
CVSS V2: 10.0 CVSS V3: 8.8 Severity: HIGH |
The U3D implementation in Adobe Reader and Acrobat 9.x before 9.3, 8.x before 8.2 on Windows and Mac OS X, and 7.x before 7.1.4 allows remote attackers to execute arbitrary code via malformed U3D data in a PDF document, related to a CLODProgressiveMeshDeclaration "array boundary issue," a different vulnerability than CVE-2009-2994. An attacker may execute arbitrary code via vectors related to an "array bounds problem". Failed exploit attempts will likely cause denial-of-service conditions.
This issue affects Reader and Acrobat 9.2 and prior versions.
NOTE: This issue was previously covered in BID 37667 (Adobe Acrobat and Reader January 2010 Multiple Remote Vulnerabilities), but has been given its own record to better document it. An array indexing error vulnerability exists in Adobe Reader and Acrobat's 3difr.x3d when processing U3D CLOD Mesh Declaration blocks. Users tricked into opening a PDF document containing a specially crafted U3D model will trigger memory corruption, resulting in the execution of arbitrary instructions. The Adobe Reader browser plug-in is available for several web browsers and operating systems and will automatically open PDF documents on websites.
----------------------------------------------------------------------
TITLE:
Adobe Reader/Acrobat Code Execution Vulnerability
SECUNIA ADVISORY ID:
SA37690
VERIFY ADVISORY:
http://secunia.com/advisories/37690/
DESCRIPTION:
A vulnerability has been reported in Adobe Reader and Acrobat, which
can be exploited by malicious people to compromise a user's system.
NOTE: This vulnerability is currently being actively exploited.
SOLUTION:
Do not open untrusted PDF files.
Do not visit untrusted websites or follow untrusted links.
PROVIDED AND/OR DISCOVERED BY:
Reported as a 0-day.
ORIGINAL ADVISORY:
http://blogs.adobe.com/psirt/2009/12/new_adobe_reader_and_acrobat_v.html
----------------------------------------------------------------------
Affected packages
=================
-------------------------------------------------------------------
   Package            /  Vulnerable  /                  Unaffected
-------------------------------------------------------------------
1  app-text/acroread       < 9.3.4                        >= 9.3.4
Description
===========
Multiple vulnerabilities were discovered in Adobe Reader. For further
information please consult the CVE entries and the Adobe Security
Bulletins referenced below.
Impact
======
A remote attacker might entice a user to open a specially crafted PDF
file, possibly resulting in the execution of arbitrary code with the
privileges of the user running the application, or bypass intended
sandbox restrictions, make cross-domain requests, inject arbitrary web
script or HTML, or cause a Denial of Service condition.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Adobe Reader users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-text/acroread-9.3.4"
References
==========
[ 1 ] APSA10-01
http://www.adobe.com/support/security/advisories/apsa10-01.html
[ 2 ] APSB10-02
http://www.adobe.com/support/security/bulletins/apsb10-02.html
[ 3 ] APSB10-07
http://www.adobe.com/support/security/bulletins/apsb10-07.html
[ 4 ] APSB10-09
http://www.adobe.com/support/security/bulletins/apsb10-09.html
[ 5 ] APSB10-14
http://www.adobe.com/support/security/bulletins/apsb10-14.html
[ 6 ] APSB10-16
http://www.adobe.com/support/security/bulletins/apsb10-16.html
[ 7 ] CVE-2009-3953
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3953
[ 8 ] CVE-2009-4324
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4324
[ 9 ] CVE-2010-0186
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0186
[ 10 ] CVE-2010-0188
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0188
[ 11 ] CVE-2010-0190
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0190
[ 12 ] CVE-2010-0191
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0191
[ 13 ] CVE-2010-0192
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0192
[ 14 ] CVE-2010-0193
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0193
[ 15 ] CVE-2010-0194
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0194
[ 16 ] CVE-2010-0195
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0195
[ 17 ] CVE-2010-0196
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0196
[ 18 ] CVE-2010-0197
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0197
[ 19 ] CVE-2010-0198
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0198
[ 20 ] CVE-2010-0199
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0199
[ 21 ] CVE-2010-0201
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0201
[ 22 ] CVE-2010-0202
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0202
[ 23 ] CVE-2010-0203
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0203
[ 24 ] CVE-2010-0204
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0204
[ 25 ] CVE-2010-1241
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1241
[ 26 ] CVE-2010-1285
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1285
[ 27 ] CVE-2010-1295
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1295
[ 28 ] CVE-2010-1297
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1297
[ 29 ] CVE-2010-2168
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2168
[ 30 ] CVE-2010-2201
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2201
[ 31 ] CVE-2010-2202
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2202
[ 32 ] CVE-2010-2203
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2203
[ 33 ] CVE-2010-2204
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2204
[ 34 ] CVE-2010-2205
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2205
[ 35 ] CVE-2010-2206
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2206
[ 36 ] CVE-2010-2207
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2207
[ 37 ] CVE-2010-2208
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2208
[ 38 ] CVE-2010-2209
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2209
[ 39 ] CVE-2010-2210
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2210
[ 40 ] CVE-2010-2211
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2211
[ 41 ] CVE-2010-2212
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2212
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201009-05.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2010 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
VAR-200912-0751 | CVE-2009-3955 | Adobe Reader and Acrobat JpxDecode Memory Corruption Vulnerability |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Adobe Reader and Acrobat 9.x before 9.3, and 8.x before 8.2 on Windows and Mac OS X, allows remote attackers to execute arbitrary code via a crafted JPC_MS_RGN marker in the Jp2c stream of a JpxDecode encoded data stream, which triggers an integer sign extension that bypasses a sanity check, leading to memory corruption. The Doc.media.newPlayer method in Adobe Acrobat and Reader contains a use-after-free vulnerability, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system. Adobe Reader and Acrobat are prone to a memory-corruption vulnerability.
An attacker can exploit this issue to execute arbitrary code. Failed exploit attempts will likely cause denial-of-service conditions.
This issue affects Reader and Acrobat 9.2 and prior versions.
NOTE: This issue was previously covered in BID 37667 (Adobe Acrobat and Reader January 2010 Multiple Remote Vulnerabilities), but has been given its own record to better document it.
iDefense Security Advisory 01.12.10
http://labs.idefense.com/intelligence/vulnerabilities/
Jan 12, 2010
I. For more information, please visit following pages:
http://www.adobe.com/products/reader/
http://www.adobe.com/products/acrobat/
II.
The vulnerability occurs when processing the Jp2c stream of a JpxDecode
encoded data stream within a PDF file. During the processing of a
JPC_MS_RGN marker, an integer sign extension may cause a bounds check
to be bypassed. This results in an exploitable memory corruption
vulnerability.
III. The
attacker will have to create a malicious PDF file and convince the
victim to open it. This can be accomplished by embedding the PDF file
into an IFrame inside of a Web page, which will result in automatic
exploitation once the page is viewed. The file could also be e-mailed
as an attachment or placed on a file share. In these cases, a user
would have to manually open the file to trigger exploitation. If
preview is enabled in Windows Explorer, Acrobat will try to generate a
preview for PDF files when a folder containing PDF files is accessed,
thus triggering the exploitation.
IV. DETECTION
iDefense has confirmed the existence of this vulnerability in latest
version of Adobe Reader, at the time of testing, version 9.1.0.
Previous versions may also be affected.
Adobe has stated that all 9.2 and below versions, as well as all 8.1.7
and below versions are vulnerable.
V. WORKAROUND
None of the following workarounds will prevent exploitation, but they
can reduce potential attack vectors and make exploitation more
difficult.
Prevent PDF documents from being opened automatically by the Web browser
Disable JavaScript
Disable PDFShell extension by removing or renaming the Acrord32info.exe file
VI. VENDOR RESPONSE
Adobe has released a patch which addresses this issue. Information about
downloadable vendor updates can be found by clicking on the URLs shown.
http://www.adobe.com/support/security/bulletins/apsb10-02.html
VII. CVE INFORMATION
The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2009-3955 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for
security problems.
VIII. DISCLOSURE TIMELINE
08/06/2009 Initial Contact
08/06/2009 Initial Response
09/16/2009 Vendor requested POC. iDefense sent POC.
09/17/2009 Vendor response.
01/12/2010 Coordinated public disclosure.
IX. CREDIT
This vulnerability was reported to iDefense by Code Audit Labs
http://www.vulnhunt.com.
X. LEGAL NOTICES
Copyright © 2010 iDefense, Inc.
Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please e-mail customerservice@idefense.com for permission.
Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or
reliance on, this information.
----------------------------------------------------------------------
TITLE:
Adobe Reader/Acrobat Code Execution Vulnerability
SECUNIA ADVISORY ID:
SA37690
VERIFY ADVISORY:
http://secunia.com/advisories/37690/
DESCRIPTION:
A vulnerability has been reported in Adobe Reader and Acrobat, which
can be exploited by malicious people to compromise a user's system.
NOTE: This vulnerability is currently being actively exploited.
SOLUTION:
Do not open untrusted PDF files.
Do not visit untrusted websites or follow untrusted links.
PROVIDED AND/OR DISCOVERED BY:
Reported as a 0-day.
ORIGINAL ADVISORY:
http://blogs.adobe.com/psirt/2009/12/new_adobe_reader_and_acrobat_v.html
----------------------------------------------------------------------
VAR-200912-0743 | CVE-2009-3959 | Adobe Acrobat and Reader contain a use-after-free vulnerability in the JavaScript Doc.media.newPlayer method |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Integer overflow in the U3D implementation in Adobe Reader and Acrobat 9.x before 9.3, and 8.x before 8.2 on Windows and Mac OS X, allows remote attackers to execute arbitrary code via a malformed PDF document.
An attacker can exploit this issue by supplying a malicious PDF file or webpage. Failed attempts will likely result in denial-of-service conditions.
NOTE: This issue was previously covered in BID 37667 (Adobe Acrobat and Reader January 2010 Multiple Remote Vulnerabilities), but has been given its own record to better document it. The Adobe Reader browser plug-in is available for several web browsers and operating systems and will automatically open PDF documents on websites.
They are used to create, view, search, digitally sign, verify, print, and
collaborate on Adobe PDF files.
II.
III. AFFECTED PRODUCTS
--------------------------------
Adobe Reader version 9.2 and prior
Adobe Acrobat version 9.2 and prior
IV. Exploits - PoCs & Binary Analysis
----------------------------------------
In-depth binary analysis of the vulnerability and a code execution
exploit have been released by VUPEN Security through the
VUPEN Exploits & PoCs Service :
http://www.vupen.com/exploits
V. SOLUTION
----------------
Upgrade to version 9.3 or 8.2.
VI. CREDIT
--------------
The vulnerability was discovered by Nicolas JOLY of VUPEN Security
VIII. REFERENCES
----------------------
http://www.vupen.com/english/advisories/2010/0103
http://www.adobe.com/support/security/bulletins/apsb10-02.html
IX. DISCLOSURE TIMELINE
-----------------------------------
2009-11-06 - Vendor notified
2009-11-06 - Vendor response
2009-12-10 - Status update received
2010-01-07 - Status update received
2009-01-13 - Coordinated public Disclosure
----------------------------------------------------------------------
TITLE:
Adobe Reader/Acrobat Code Execution Vulnerability
SECUNIA ADVISORY ID:
SA37690
VERIFY ADVISORY:
http://secunia.com/advisories/37690/
DESCRIPTION:
A vulnerability has been reported in Adobe Reader and Acrobat, which
can be exploited by malicious people to compromise a user's system.
NOTE: This vulnerability is currently being actively exploited.
The vulnerability is reported in versions 9.2 and prior.
SOLUTION:
Do not open untrusted PDF files.
Do not visit untrusted websites or follow untrusted links.
PROVIDED AND/OR DISCOVERED BY:
Reported as a 0-day.
ORIGINAL ADVISORY:
http://blogs.adobe.com/psirt/2009/12/new_adobe_reader_and_acrobat_v.html
----------------------------------------------------------------------
VAR-200912-0340 | CVE-2009-4463 | IntelliCom NetBiter devices have default HICP passwords |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Intellicom NetBiter WebSCADA devices use default passwords for the HICP network configuration service, which makes it easier for remote attackers to modify network settings and cause a denial of service. NOTE: this is only a vulnerability when the administrator does not follow recommendations in the product's installation documentation. NOTE: this issue was originally reported to be hard-coded passwords, not default passwords. The IntelliCom NetBiter Config HICP configuration utility has a buffer overflow vulnerability that can be triggered by a specially crafted hostname (hn) value. An attacker with network access could exploit this vulnerability to execute arbitrary code with the privileges of the user running NetBiter Config. The password set at the factory on NetBiter devices provided by IntelliCom may be used by a remote third party. NetBiter devices provided by IntelliCom use the HICP protocol to configure Ethernet and IP network settings. The factory-set HICP password of a NetBiter device can be obtained by means other than the product documentation. If a NetBiter device is operated without changing the factory password, a remote third party who has obtained the password may change the network settings or change the password, and access to the HICP service may be disrupted. Also, because HICP passwords are transmitted in clear text, the password may be obtained by a third party intercepting the communication.
Successful exploits may allow attackers to gain privileged access to the device or network; other attacks may also be possible.
NOTE: This BID is being retired as it has been determined to not be a vulnerability. The default password and instructions on changing it are detailed in the product documentation. Netbiter Webscada Firmware is prone to a denial-of-service vulnerability
VAR-200912-0339 | CVE-2009-4462 | IntelliCom NetBiter devices have default HICP passwords |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Stack-based buffer overflow in the NetBiterConfig utility (NetBiterConfig.exe) 1.3.0 for Intellicom NetBiter WebSCADA allows remote attackers to execute arbitrary code via a long hn (hostname) parameter in a crafted HICP-protocol UDP packet. IntelliCom NetBiter devices ship with default passwords for the HICP network configuration service. An attacker with network access could exploit this vulnerability to execute arbitrary code with the privileges of the user running NetBiter Config.
Successful exploits may allow attackers to gain privileged access to the device or network; other attacks may also be possible.
NOTE: This BID is being retired as it has been determined to not be a vulnerability. The default password and instructions on changing it are detailed in the product documentation. Intellicom 'NetBiterConfig.exe' is prone to a remote stack-based buffer-overflow vulnerability because the application fails to perform adequate boundary checks on user-supplied data. Failed exploit attempts will result in a denial-of-service condition
VAR-200912-0285 | CVE-2009-4409 | SEIL/B1 authentication issue |
CVSS V2: 2.6 CVSS V3: - Severity: LOW |
The (1) CHAP and (2) MS-CHAP-V2 authentication capabilities in the PPP Access Concentrator (PPPAC) function in Internet Initiative Japan SEIL/B1 firmware 1.00 through 2.52 use the same challenge for each authentication attempt, which allows remote attackers to bypass authentication via a replay attack. As a result, the third party may gain access to the network. According to the developer, when L2TP/IPsec is being used, the authentication challenges are protected by the encryption provided by IPsec, and therefore the probability of being affected by this issue is reduced. SEIL/B1 is prone to an authentication-bypass vulnerability affecting CHAP and MS-CHAP-V2 authentication.
Versions prior to SEIL/B1 2.60 are vulnerable.
----------------------------------------------------------------------
TITLE:
SEIL Routers PPP Access Concentrator Replay Vulnerability
SECUNIA ADVISORY ID:
SA37628
VERIFY ADVISORY:
http://secunia.com/advisories/37628/
DESCRIPTION:
A vulnerability has been reported in the SEIL B1 router, which can be
exploited by malicious people to bypass certain security
restrictions.
SOLUTION:
Update to version 2.60.
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
SEIL:
http://www.seil.jp/seilseries/security/2009/a00697.php
JVN:
http://jvn.jp/en/jp/JVN49602378/index.html
http://jvndb.jvn.jp/en/contents/2009/JVNDB-2009-000079.html
----------------------------------------------------------------------
VAR-200912-0769 | CVE-2009-3563 | NTP mode 7 denial-of-service vulnerability |
Related entries in the VARIoT exploits database: VAR-E-200912-0107 |
CVSS V2: 6.4 CVSS V3: - Severity: MEDIUM |
ntp_request.c in ntpd in NTP before 4.2.4p8, and 4.2.5, allows remote attackers to cause a denial of service (CPU and bandwidth consumption) by using MODE_PRIVATE to send a spoofed (1) request or (2) response packet that triggers a continuous exchange of MODE_PRIVATE error responses between two NTP daemons. A novel traffic-loop vulnerability has been identified against certain implementations of UDP-based application protocols. An unauthenticated attacker can use maliciously-crafted packets against a UDP-based vulnerable implementation of application protocols (e.g., DNS, NTP, TFTP) that can lead to Denial-of-Service (DOS) and/or abuse of resources.
CVE-2009-3563 Unknown
CVE-2024-1309 Unknown
CVE-2024-2169 Affected
NTP contains a vulnerability in its processing of mode 7 packets. When ntpd receives an invalid mode 7 request or a mode 7 error response from an IP address that is not restricted by a "restrict ... noquery" or "restrict ... ignore" setting, it returns a mode 7 error message and logs it. The vulnerability lies in the processing of mode 7 packets whose sender address has been spoofed. A remote third party may cause a denial of service (DoS). NTP is prone to a remote denial-of-service vulnerability because it fails to properly handle certain incoming network packets.
An attacker can exploit this issue to cause the application to consume excessive CPU resources and fill disk space with log messages.
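An added example (not from the advisory or the NTP project): a Python audit of ntp.conf `restrict` lines that lists the sources still lacking the `noquery` or `ignore` flag named above. The sample configurations are constructed; treating loopback entries as acceptable and an unqualified `restrict default` as IPv4-only are assumptions of this example.

```python
import ipaddress

# Flags that, per the entry above, stop ntpd from answering mode 7 packets.
BLOCKING_FLAGS = {"noquery", "ignore"}


def parse_restrict_lines(conf_text):
    """Yield (lineno, family, address, mask, flags) for every 'restrict' line."""
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        tokens = raw.split("#", 1)[0].split()
        if not tokens or tokens[0] != "restrict":
            continue
        tokens = tokens[1:]
        family = None
        if tokens and tokens[0] in ("-4", "-6"):
            family = tokens.pop(0)
        if not tokens:
            continue  # malformed line, nothing to audit
        address = tokens.pop(0)
        mask = None
        if len(tokens) >= 2 and tokens[0] == "mask":
            mask, tokens = tokens[1], tokens[2:]
        yield lineno, family, address, mask, set(tokens)


def describe_scope(address, mask):
    """Return (printable scope, is_loopback) for a non-default restrict entry."""
    try:
        net = ipaddress.ip_network(f"{address}/{mask}" if mask else address, strict=False)
    except ValueError:
        # Hostname, or a mask form ipaddress cannot parse: report it verbatim.
        return (f"{address} mask {mask}" if mask else address), False
    return str(net), net.is_loopback


def audit_mode7_exposure(conf_text):
    """Return [(lineno, scope, reason)] for sources whose mode 7 packets are still answered."""
    findings = []
    default_seen = {"IPv4": False, "IPv6": False}
    for lineno, family, address, mask, flags in parse_restrict_lines(conf_text):
        if address == "default":
            # Assumption: an unqualified 'restrict default' is counted as IPv4 only,
            # the conservative reading; some ntpd versions apply it to both families.
            fam = "IPv6" if family == "-6" else "IPv4"
            default_seen[fam] = True
            scope, loopback = f"default ({fam})", False
        else:
            scope, loopback = describe_scope(address, mask)
        if loopback:
            continue  # assumption: loopback stays open for local ntpq/ntpdc
        if not flags & BLOCKING_FLAGS:
            findings.append((lineno, scope, "no noquery/ignore flag"))
    for fam, seen in default_seen.items():
        if not seen:
            # lineno 0 marks a finding about a line that is absent from the file.
            findings.append((0, f"default ({fam})", "no restrict default line"))
    return findings


# Constructed sample configuration (not taken from the page).
SAMPLE_CONF = "\n".join([
    "# constructed sample configuration",
    "driftfile /var/lib/ntp/drift",
    "restrict default kod nomodify notrap nopeer",
    "restrict -6 default kod nomodify notrap nopeer noquery",
    "restrict 127.0.0.1",
    "restrict -6 ::1",
    "restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap",
    "restrict 10.0.0.5 ignore",
    "server 0.pool.ntp.org",
])

# The same constructed file with noquery added to the two open entries.
HARDENED_CONF = "\n".join([
    "# constructed sample configuration",
    "driftfile /var/lib/ntp/drift",
    "restrict default kod nomodify notrap nopeer noquery",
    "restrict -6 default kod nomodify notrap nopeer noquery",
    "restrict 127.0.0.1",
    "restrict -6 ::1",
    "restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap noquery",
    "restrict 10.0.0.5 ignore",
    "server 0.pool.ntp.org",
])

if __name__ == "__main__":
    for label, conf in (("sample", SAMPLE_CONF), ("hardened", HARDENED_CONF)):
        print(label)
        for lineno, scope, reason in audit_mode7_exposure(conf) or [(0, "-", "nothing to report")]:
            print(f"  line {lineno}: {scope}: {reason}")
```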
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3563
_______________________________________________________________________
Updated Packages:
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
------------------------------------------------------------------------
VMware Security Advisory
Advisory ID: VMSA-2010-0004
Synopsis: ESX Service Console and vMA third party updates
Issue date: 2010-03-03
Updated on: 2010-03-03 (initial release of advisory)
CVE numbers: CVE-2009-2905 CVE-2008-4552 CVE-2008-4316
CVE-2009-1377 CVE-2009-1378 CVE-2009-1379
CVE-2009-1386 CVE-2009-1387 CVE-2009-0590
CVE-2009-4022 CVE-2009-3560 CVE-2009-3720
CVE-2009-2904 CVE-2009-3563 CVE-2009-2695
CVE-2009-2849 CVE-2009-2695 CVE-2009-2908
CVE-2009-3228 CVE-2009-3286 CVE-2009-3547
CVE-2009-3613 CVE-2009-3612 CVE-2009-3620
CVE-2009-3621 CVE-2009-3726 CVE-2008-3916
CVE-2009-1189 CVE-2009-0115
------------------------------------------------------------------------
1. Summary
ESX Service Console updates for newt, nfs-utils, and glib2 packages.
vMA updates for newt, nfs-utils, glib2, kpartx, libvolume-id,
device-mapper-multipath, fipscheck, dbus, dbus-libs, ed, openssl,
bind, expat, openssh, ntp and kernel packages.
2. Relevant releases
VMware ESX 4.0.0 without patch ESX400-201002404-SG, ESX400-201002407-SG,
ESX400-201002406-SG
VMware vMA 4.0 before patch 3
3. Problem Description
a. vMA and Service Console update for newt to 0.52.2-12.el5_4.1
Newt is a programming library for color text mode, widget based
user interfaces. Newt can be used to add stacked windows, entry
widgets, checkboxes, radio buttons, labels, plain text fields,
scrollbars, etc., to text mode user interfaces.
A heap-based buffer overflow flaw was found in the way newt
processes content that is to be displayed in a text dialog box.
A local attacker could issue a specially-crafted text dialog box
display request (direct or via a custom application), leading to a
denial of service (application crash) or, potentially, arbitrary
code execution with the privileges of the user running the
application using the newt library.
The Common Vulnerabilities and Exposures Project (cve.mitre.org)
has assigned the name CVE-2009-2905 to this issue.
The following table lists what action remediates the vulnerability
(column 4) if a solution is available.
VMware         Product   Running  Replace with/
Product        Version   on       Apply Patch
=============  ========  =======  =================
VirtualCenter  any       Windows  not affected
hosted *       any       any      not affected
ESXi           any       ESXi     not affected
ESX            4.0       ESX      ESX400-201002406-SG
ESX            3.5       ESX      not affected
ESX            3.0.3     ESX      not affected
ESX            2.5.5     ESX      not affected
vMA            4.0       RHEL5    Patch 3
* hosted products are VMware Workstation, Player, ACE, Server, Fusion.
b. vMA and Service Console update for vMA package nfs-utils to
1.0.9-42.el5
The nfs-utils package provides a daemon for the kernel NFS server
and related tools.
It was discovered that nfs-utils did not use tcp_wrappers
correctly. Certain hosts access rules defined in "/etc/hosts.allow"
and "/etc/hosts.deny" may not have been honored, possibly allowing
remote attackers to bypass intended access restrictions.
The Common Vulnerabilities and Exposures Project (cve.mitre.org)
has assigned the name CVE-2008-4552 to this issue.
The following table lists what action remediates the vulnerability
(column 4) if a solution is available.
VMware         Product   Running  Replace with/
Product        Version   on       Apply Patch
=============  ========  =======  =================
VirtualCenter  any       Windows  not affected
hosted *       any       any      not affected
ESXi           any       ESXi     not affected
ESX            4.0       ESX      ESX400-201002407-SG
ESX            3.5       ESX      not affected
ESX            3.0.3     ESX      not affected
ESX            2.5.5     ESX      not affected
vMA            4.0       RHEL5    Patch 3
* hosted products are VMware Workstation, Player, ACE, Server, Fusion.
c. vMA and Service Console package glib2 updated to 2.12.3-4.el5_3.1
GLib is the low-level core library that forms the basis for projects
such as GTK+ and GNOME. It provides data structure handling for C,
portability wrappers, and interfaces for such runtime functionality
as an event loop, threads, dynamic loading, and an object system.
Multiple integer overflows in glib/gbase64.c in GLib before 2.20
allow context-dependent attackers to execute arbitrary code via a
long string that is converted either from or to a base64
representation.
The Common Vulnerabilities and Exposures Project (cve.mitre.org)
has assigned the name CVE-2008-4316 to this issue.
The following table lists what action remediates the vulnerability
(column 4) if a solution is available.
VMware         Product   Running  Replace with/
Product        Version   on       Apply Patch
=============  ========  =======  =================
VirtualCenter  any       Windows  not affected
hosted *       any       any      not affected
ESXi           any       ESXi     not affected
ESX            4.0       ESX      ESX400-201002404-SG
ESX            3.5       ESX      not affected
ESX            3.0.3     ESX      not affected
ESX            2.5.5     ESX      not affected
vMA            4.0       RHEL5    Patch 3
* hosted products are VMware Workstation, Player, ACE, Server, Fusion.
d. vMA and Service Console update for openssl to 0.9.8e-12.el5
SSL is a toolkit implementing SSL v2/v3 and TLS protocols with
full-strength cryptography world-wide.
Multiple denial of service flaws were discovered in OpenSSL's DTLS
implementation. A remote attacker could use these flaws to cause a
DTLS server to use excessive amounts of memory, or crash on an
invalid memory access or NULL pointer dereference.
The Common Vulnerabilities and Exposures Project (cve.mitre.org)
has assigned the names CVE-2009-1377, CVE-2009-1378,
CVE-2009-1379, CVE-2009-1386, CVE-2009-1387 to these issues.
An input validation flaw was found in the handling of the BMPString
and UniversalString ASN1 string types in OpenSSL's
ASN1_STRING_print_ex() function. An attacker could use this flaw to
create a specially-crafted X.509 certificate that could cause
applications using the affected function to crash when printing
certificate contents.
The Common Vulnerabilities and Exposures Project (cve.mitre.org)
has assigned the name CVE-2009-0590 to this issue.
The following table lists what action remediates the vulnerability
(column 4) if a solution is available.
VMware         Product   Running  Replace with/
Product        Version   on       Apply Patch
=============  ========  =======  =================
VirtualCenter  any       Windows  not affected
hosted *       any       any      not affected
ESXi           any       ESXi     not affected
ESX            4.0       ESX      affected, patch pending
ESX            3.5       ESX      not affected
ESX            3.0.3     ESX      not affected
ESX            2.5.5     ESX      not affected
vMA            4.0       RHEL5    Patch 3
* hosted products are VMware Workstation, Player, ACE, Server, Fusion.
e. vMA and Service Console package bind updated to 9.3.6-4.P1.el5_4.1
It was discovered that BIND was incorrectly caching responses
without performing proper DNSSEC validation, when those responses
were received during the resolution of a recursive client query
that requested DNSSEC records but indicated that checking should be
disabled. A remote attacker could use this flaw to bypass the DNSSEC
validation check and perform a cache poisoning attack if the target
BIND server was receiving such client queries.
The Common Vulnerabilities and Exposures Project (cve.mitre.org)
has assigned the name CVE-2009-4022 to this issue.
The following table lists what action remediates the vulnerability
(column 4) if a solution is available.
VMware         Product   Running  Replace with/
Product        Version   on       Apply Patch
=============  ========  =======  =================
VirtualCenter  any       Windows  not affected
hosted *       any       any      not affected
ESXi           any       ESXi     not applicable
ESX            4.0       ESX      affected, patch pending
ESX            3.5       ESX      not affected
ESX            3.0.3     ESX      not affected
ESX            2.5.5     ESX      not affected
vMA            4.0       RHEL5    Patch 3
* hosted products are VMware Workstation, Player, ACE, Server, Fusion.
f. vMA and Service Console package expat updated to 1.95.8-8.3.el5_4.2.
Two buffer over-read flaws were found in the way Expat handled
malformed UTF-8 sequences when processing XML files. A
specially-crafted XML file could cause applications using Expat to
fail while parsing the file.
The Common Vulnerabilities and Exposures Project (cve.mitre.org)
has assigned the names CVE-2009-3560 and CVE-2009-3720 to these
issues.
The following table lists what action remediates the vulnerability
(column 4) if a solution is available.
VMware         Product   Running  Replace with/
Product        Version   on       Apply Patch
=============  ========  =======  =================
VirtualCenter  any       Windows  not affected
hosted *       any       any      not affected
ESXi           any       ESXi     not applicable
ESX            4.0       ESX      affected, patch pending
ESX            3.5       ESX      affected, patch pending
ESX            3.0.3     ESX      affected, patch pending
ESX            2.5.5     ESX      affected, patch pending
vMA            4.0       RHEL5    Patch 3
* hosted products are VMware Workstation, Player, ACE, Server, Fusion.
g. vMA and Service Console package openssh update to 4.3p2-36.el5_4.2
A Red Hat specific patch used in the openssh packages as shipped in
Red Hat Enterprise Linux 5.4 (RHSA-2009:1287) loosened certain
ownership requirements for directories used as arguments for the
ChrootDirectory configuration options. A malicious user that also
has or previously had non-chroot shell access to a system could
possibly use this flaw to escalate their privileges and run
commands as any system user.
The Common Vulnerabilities and Exposures Project (cve.mitre.org)
has assigned the name CVE-2009-2904 to this issue.
The following table lists what action remediates the vulnerability
(column 4) if a solution is available.
VMware         Product   Running  Replace with/
Product        Version   on       Apply Patch
=============  ========  =======  =================
VirtualCenter  any       Windows  not affected
hosted *       any       any      not affected
ESXi           any       ESXi     not applicable
ESX            4.0       ESX      affected, patch pending
ESX            3.5       ESX      not affected
ESX            3.0.3     ESX      not affected
ESX            2.5.5     ESX      not affected
vMA            4.0       RHEL5    Patch 3
* hosted products are VMware Workstation, Player, ACE, Server, Fusion.
h. vMA and Service Console package ntp updated to
ntp-4.2.2p1-9.el5_4.1.i386.rpm
A flaw was discovered in the way ntpd handled certain malformed NTP
packets. ntpd logged information about all such packets and replied
with an NTP packet that was treated as malformed when received by
another ntpd.
The Common Vulnerabilities and Exposures Project (cve.mitre.org)
has assigned the name CVE-2009-3563 to this issue.
The following table lists what action remediates the vulnerability
(column 4) if a solution is available.
VMware         Product   Running  Replace with/
Product        Version   on       Apply Patch
=============  ========  =======  =================
VirtualCenter  any       Windows  not affected
hosted *       any       any      not affected
ESXi           any       ESXi     not applicable
ESX            4.0       ESX      affected, patch pending
ESX            3.5       ESX      affected, patch pending
ESX            3.0.3     ESX      affected, patch pending
ESX            2.5.5     ESX      affected, patch pending
vMA            4.0       RHEL5    Patch 3
* hosted products are VMware Workstation, Player, ACE, Server, Fusion.
i. vMA update for package kernel to 2.6.18-164.9.1.el5
Updated vMA package kernel addresses the security issues listed
below.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2009-2849 to the security issue fixed in
kernel 2.6.18-128.2.1
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the names CVE-2009-2695, CVE-2009-2908, CVE-2009-3228,
CVE-2009-3286, CVE-2009-3547, CVE-2009-3613 to the security issues
fixed in kernel 2.6.18-128.6.1
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the names CVE-2009-3612, CVE-2009-3620, CVE-2009-3621,
CVE-2009-3726 to the security issues fixed in kernel
2.6.18-128.9.1
The following table lists what action remediates the vulnerability
(column 4) if a solution is available.
VMware         Product   Running  Replace with/
Product        Version   on       Apply Patch
=============  ========  =======  =================
VirtualCenter  any       Windows  not affected
hosted *       any       any      not affected
ESXi           any       ESXi     not affected
ESX            4.0       ESX      affected, patch pending
ESX            3.5       ESX      not affected
ESX            3.0.3     ESX      not affected
ESX            2.5.5     ESX      not affected
vMA            4.0       RHEL5    Patch 3 **
* hosted products are VMware Workstation, Player, ACE, Fusion.
** vMA is updated to kernel version 2.6.18-164.9.1
j. vMA 4.0 updates for the packages kpartx, libvolume-id,
device-mapper-multipath, fipscheck, dbus, dbus-libs, and ed
kpartx updated to 0.4.7-23.el5_3.4, libvolume-id updated to
095-14.20.el5, device-mapper-multipath package updated to
0.4.7-23.el5_3.4, fipscheck updated to 1.0.3-1.el5, dbus
updated to 1.1.2-12.el5, dbus-libs updated to 1.1.2-12.el5,
and ed package updated to 0.2-39.el5_2.
The Common Vulnerabilities and Exposures Project (cve.mitre.org)
has assigned the names CVE-2008-3916, CVE-2009-1189 and
CVE-2009-0115 to these issues.
The following table lists what action remediates the vulnerability
(column 4) if a solution is available.
VMware         Product   Running  Replace with/
Product        Version   on       Apply Patch
=============  ========  =======  =================
VirtualCenter  any       Windows  not affected
hosted *       any       any      not affected
ESXi           any       ESXi     not affected
ESX            4.0       ESX      not affected
ESX            3.5       ESX      not affected
ESX            3.0.3     ESX      not affected
ESX            3.0.2     ESX      not affected
ESX            2.5.5     ESX      not affected
vMA            4.0       RHEL5    Patch 3
* hosted products are VMware Workstation, Player, ACE, Server, Fusion.
4. Solution
Please review the patch/release notes for your product and version
and verify the md5sum of your downloaded file.
ESX 4.0
-------
https://hostupdate.vmware.com/software/VUM/OFFLINE/release-192-20100228-732240/ESX400-201002001.zip
md5sum: de62cbccaffa4b2b6831617f18c1ccb4
sha1sum: 4083f191fa4acd6600c9a87e4852f9f5700e91ab
http://kb.vmware.com/kb/1018403
Note: ESX400-201002001 contains the following security bulletins
ESX400-201002404-SG, ESX400-201002407-SG, and ESX400-201002406-SG.
To install an individual bulletin use esxupdate with the -b option.
esxupdate --bundle ESX400-201002001.zip -b ESX400-201002404-SG \
-b ESX400-201002407-SG -b ESX400-201002406-SG update
vMA 4.0
-------
To update VIMA:
1 Log in to VIMA as vi-admin.
2 Type 'sudo /usr/sbin/vima-update update'. This will apply all
currently available updates. See http://tinyurl.com/yfekgrx
for more information.
5. References
CVE numbers
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2905
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4552
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4316
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1377
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1378
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1379
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1386
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1387
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0590
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4022
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3560
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3720
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2904
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3563
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2695
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2849
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2695
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2908
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3228
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3286
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3547
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3613
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3612
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3620
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3621
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3726
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3916
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1189
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0115
------------------------------------------------------------------------
6. Change log
2010-03-03 VMSA-2010-0004
Initial security advisory after release of bulletins for ESX 4.0
on 2010-03-03 and release of vMA Patch 3 on 2010-02-25.
------------------------------------------------------------------------
7. Contact
E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
This Security Advisory is posted to the following lists:
* security-announce at lists.vmware.com
* bugtraq at securityfocus.com
* full-disclosure at lists.grok.org.uk
E-mail: security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055
VMware Security Center
http://www.vmware.com/security
VMware security response policy
http://www.vmware.com/support/policies/security_response.html
General support life cycle policy
http://www.vmware.com/support/policies/eos.html
VMware Infrastructure support life cycle policy
http://www.vmware.com/support/policies/eos_vi.html
Copyright 2010 VMware Inc. All rights reserved.
Product/Patch kit
ITRC Download Location
MD5 and SHA1 Checksum
HP Tru64 UNIX v 5.1B-4 PK6 (BL27)
T64KIT1001787-V51BB27-ES-20100817
http://www.itrc.hp.com/service/patch/patchDetail.do?patchid=T64KIT1001787-V51BB27-ES-20100817
MD5 results: 2b3a21a96b7855d9ca223f483bd5bfed
SHA1 results: ac2221c9d025008b258ac8592a210e16e775fbcf
HP Tru64 UNIX v 5.1B-5 PK7 (BL28)
T64KIT1001786-V51BB28-ES-20100816
http://www13.itrc.hp.com/service/patch/patchDetail.do?patchid=T64KIT1001786-V51BB28-ES-20100816
MD5 results: b34d028797577408d565da27d93c30a9
SHA1 results: b34d028797577408d565da27d93c30a9
Note:
The patch kit installation instructions and the Patch Summary and Release Notes documents provide patch kit installation and removal instructions and a summary of each patch. Please read these documents prior to installing patches.
===========================================================
Ubuntu Security Notice USN-867-1 December 08, 2009
ntp vulnerability
CVE-2009-3563
===========================================================
A security issue affects the following Ubuntu releases:
Ubuntu 6.06 LTS
Ubuntu 8.04 LTS
Ubuntu 8.10
Ubuntu 9.04
Ubuntu 9.10
This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.
The problem can be corrected by upgrading your system to the
following package versions:
Ubuntu 6.06 LTS:
ntp 1:4.2.0a+stable-8.1ubuntu6.3
ntp-server 1:4.2.0a+stable-8.1ubuntu6.3
Ubuntu 8.04 LTS:
ntp 1:4.2.4p4+dfsg-3ubuntu2.3
Ubuntu 8.10:
ntp 1:4.2.4p4+dfsg-6ubuntu2.4
Ubuntu 9.04:
ntp 1:4.2.4p4+dfsg-7ubuntu5.2
Ubuntu 9.10:
ntp 1:4.2.4p6+dfsg-1ubuntu5.1
In general, a standard system upgrade is sufficient to effect the
necessary changes.
Details follow:
Robin Park and Dmitri Vinokurov discovered a logic error in ntpd.
Updated packages for Ubuntu 6.06 LTS:
Updated packages for Ubuntu 8.04 LTS:
Updated packages for Ubuntu 8.10:
Updated packages for Ubuntu 9.04:
Updated packages for Ubuntu 9.10:
HP TCP/IP Services for OpenVMS v5.4, v5.5, v5.6, and v5.7 (only affected by CVE-2009-3563) on Itanium and Alpha platforms.
Patch kit installation instructions are provided in the file readme.txt.
ESXi userworld update for ntp
The Network Time Protocol (NTP) is used to synchronize the time of
a computer client or server to another server or reference time
source.
A vulnerability was discovered which may allow remote attackers to
spoof certificates by using MD2 design flaws to generate a hash
collision in less than brute-force time. NOTE: the scope of this
issue is currently limited because the amount of computation
required is still large.
This update also includes security fixes that were first addressed
in version openssl-0.9.8e-12.el5.i386.rpm.
Kerberos is a network authentication protocol. It is designed to
provide strong authentication for client/server applications by
using secret-key cryptography. This update fixes a flaw found in pam_krb5. In
some non-default configurations (specifically, where pam_krb5 would
be the first module to prompt for a password), a remote attacker
could use this flaw to recognize valid usernames, which would aid a
dictionary-based password guess attack.
Service Console package bind updated to 9.3.6-4.P1.el5_4.2
BIND (Berkeley Internet Name Daemon) is by far the most widely used
Domain Name System (DNS) software on the Internet.
A vulnerability was discovered which could allow a remote attacker to
add the Authenticated Data (AD) flag to a forged NXDOMAIN response
for an existing domain.
A vulnerability was found in the way that bind handles
out-of-bailiwick data accompanying a secure response without
re-fetching from the original source, which could allow remote
attackers to have an unspecified impact via a crafted response.
NOTE: ESX does not use the BIND name service daemon by default.
Service Console package gcc updated to 3.2.3-60
The GNU Compiler Collection includes front ends for C, C++,
Objective-C, Fortran, Java, and Ada, as well as libraries for these
languages.
GNU Libtool's ltdl.c attempts to open .la library files in the
current working directory. This could allow a local user to gain
privileges via a Trojan horse file. The GNU C Compiler collection
(gcc) provided in ESX contains a statically linked version of the
vulnerable code, and is being replaced.
Service Console package sudo updated to 1.6.9p17-6.el5_4
Sudo (su "do") allows a system administrator to delegate authority
to give certain users (or groups of users) the ability to run some
(or all) commands as root or another user while providing an audit
trail of the commands and their arguments.
When a pseudo-command is enabled, sudo permits a match between the
name of the pseudo-command and the name of an executable file in an
arbitrary directory, which allows local users to gain privileges
via a crafted executable file.
When the runas_default option is used, sudo does not properly set
group memberships, which allows local users to gain privileges via
a sudo command.
Corrected: 2010-01-06 21:45:30 UTC (RELENG_8, 8.0-STABLE)
2010-01-06 21:45:30 UTC (RELENG_8_0, 8.0-RELEASE-p2)
2010-01-06 21:45:30 UTC (RELENG_7, 7.2-STABLE)
2010-01-06 21:45:30 UTC (RELENG_7_2, 7.2-RELEASE-p6)
2010-01-06 21:45:30 UTC (RELENG_7_1, 7.1-RELEASE-p10)
2010-01-06 21:45:30 UTC (RELENG_6, 6.4-STABLE)
2010-01-06 21:45:30 UTC (RELENG_6_4, 6.4-RELEASE-p9)
2010-01-06 21:45:30 UTC (RELENG_6_3, 6.3-RELEASE-p15)
CVE Name: CVE-2009-3563
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.
II.
III.
IV. Workaround
Proper filtering of mode 7 NTP packets by a firewall can limit the
number of systems used to attack your resources.
Solution
Perform one of the following:
1) Upgrade your vulnerable system to 6-STABLE, 7-STABLE or 8-STABLE,
or to the RELENG_8_0, RELENG_7_2, RELENG_7_1, RELENG_6_4, or
RELENG_6_3 security branch dated after the correction date.
2) To patch your present system:
The following patches have been verified to apply to FreeBSD 6.3, 6.4,
7.1, 7.2, and 8.0 systems.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch http://security.FreeBSD.org/patches/SA-10:02/ntpd.patch
# fetch http://security.FreeBSD.org/patches/SA-10:02/ntpd.patch.asc
b) Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/usr.sbin/ntp/ntpd
# make obj && make depend && make && make install
# /etc/rc.d/ntpd restart
VI. Correction details
The following list contains the revision numbers of each file that was
corrected in FreeBSD.
CVS:
Branch                                  Revision
  Path
- -------------------------------------------------------------------------
RELENG_6
  src/contrib/ntp/ntpd/ntp_request.c    1.1.1.4.8.2
RELENG_6_4
  src/UPDATING                          1.416.2.40.2.13
  src/sys/conf/newvers.sh               1.69.2.18.2.15
  src/contrib/ntp/ntpd/ntp_request.c    1.1.1.4.8.1.2.1
RELENG_6_3
  src/UPDATING                          1.416.2.37.2.20
  src/sys/conf/newvers.sh               1.69.2.15.2.19
  src/contrib/ntp/ntpd/ntp_request.c    1.1.1.4.20.1
RELENG_7
  src/contrib/ntp/ntpd/ntp_request.c    1.1.1.4.18.2
RELENG_7_2
  src/UPDATING                          1.507.2.23.2.9
  src/sys/conf/newvers.sh               1.72.2.11.2.10
  src/contrib/ntp/ntpd/ntp_request.c    1.1.1.4.18.1.4.1
RELENG_7_1
  src/UPDATING                          1.507.2.13.2.13
  src/sys/conf/newvers.sh               1.72.2.9.2.14
  src/contrib/ntp/ntpd/ntp_request.c    1.1.1.4.18.1.2.1
RELENG_8
  src/contrib/ntp/ntpd/ntp_request.c    1.2.2.1
RELENG_8_0
  src/UPDATING                          1.632.2.7.2.5
  src/sys/conf/newvers.sh               1.83.2.6.2.5
  src/contrib/ntp/ntpd/ntp_request.c    1.2.4.1
- -------------------------------------------------------------------------
Subversion:
Branch/path Revision
- -------------------------------------------------------------------------
stable/6/ r201679
releng/6.4/ r201679
releng/6.3/ r201679
stable/7/ r201679
releng/7.2/ r201679
releng/7.1/ r201679
stable/8/ r201679
releng/8.0/ r201679
head/ r200576
- -------------------------------------------------------------------------
VII.
Release Date: 2011-03-28
Last Updated: 2011-03-24
------------------------------------------------------------------------------
Potential Security Impact: Remote Denial of Service (DoS)
Source: Hewlett-Packard Company, HP Software Security Response Team
VULNERABILITY SUMMARY
A potential security vulnerability has been identified with HP-UX running XNTP. The vulnerability could be exploited remotely to create a Denial of Service (DoS).
References: CVE-2009-3563
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP-UX B.11.11, B.11.23, B.11.31 running XNTP.
BACKGROUND
CVSS 2.0 Base Metrics
===========================================================
Reference        Base Vector                     Base Score
CVE-2009-3563    (AV:N/AC:L/Au:N/C:N/I:P/A:P)    6.4
===========================================================
Information on CVSS is documented
in HP Customer Notice: HPSN-2008-002
RESOLUTION
HP has provided the following patches to resolve this vulnerability.
The patches are available by contacting HP Support.
http://itrc.hp.com
HP-UX Release / Patch ID
B.11.11 (11i v1) / PHNE_41907
B.11.23 (11i v2) / PHNE_41908
B.11.31 (11i v3) / PHNE_41177
MANUAL ACTIONS: No
PRODUCT SPECIFIC INFORMATION
HP-UX Software Assistant: HP-UX Software Assistant is an enhanced application that replaces HP-UX Security Patch Check. It analyzes all Security Bulletins issued by HP and lists recommended actions that may apply to a specific HP-UX system. It can also download patches and create a depot automatically. For more information see: https://www.hp.com/go/swa
The following text is for use by the HP-UX Software Assistant.
AFFECTED VERSIONS
HP-UX B.11.11
==================
InternetSrvcs.INETSVCS-BOOT
action: install patch PHNE_41907 or subsequent
HP-UX B.11.23
==================
InternetSrvcs.INETSVCS2-BOOT
action: install patch PHNE_41908 or subsequent
HP-UX B.11.31
==================
NTP.NTP-RUN
action: install patch PHNE_41177 or subsequent
END AFFECTED VERSIONS
HISTORY
Version:1 (rev.1) 28 March 2011 Initial release
VAR-200912-0137 | CVE-2009-4197 | Huawei MT882 modem firmware of rpwizPppoe.htm Password acquisition vulnerability |
CVSS V2: 4.7 CVSS V3: - Severity: MEDIUM |
rpwizPppoe.htm in Huawei MT882 V100R002B020 ARG-T running firmware 3.7.9.98 contains a form that does not disable the autocomplete setting for the password parameter, which makes it easier for local users or physically proximate attackers to obtain the password from web browsers that support autocomplete. Huawei MT882l is a small ADSL modem.
TITLE:
Huawei MT882 Multiple Cross-Site Scripting Vulnerabilities
SECUNIA ADVISORY ID:
SA37568
VERIFY ADVISORY:
http://secunia.com/advisories/37568/
DESCRIPTION:
DecodeX01 has reported multiple vulnerabilities in Huawei MT882,
which can be exploited by malicious people to conduct cross-site
scripting attacks.
Input passed to the "BackButton" parameter in Forms/error_1,
"wzConnFlag" in Forms/fresh_pppoe_1, "diag_pppindex_argen" and
"DiagStartFlag" in Forms/rpDiag_argen_1, "wzdmz_active" and
"wzdmzHostIP" in Forms/rpNATdmz_argen_1, "wzVIRTUALSVR_endPort",
"wzVIRTUALSVR_endPortLocal", "wzVIRTUALSVR_IndexFlag",
"wzVIRTUALSVR_localIP", "wzVIRTUALSVR_startPort", and
"wzVIRTUALSVR_startPortLocal" in Forms/rpNATvirsvr_argen_1,
"Connect_DialFlag", "Connect_DialHidden", and "Connect_Flag" in
Forms/rpStatus_argen_1, "Telephone_select" and "wzFirstFlag" in
Forms/rpwizard_1, and "wzConnectFlag" in Forms/rpwizPppoe_1 is not
properly sanitised before being returned to the user. This can be
exploited to execute arbitrary HTML and script code in a user's
browser session in context of an affected site.
The vulnerabilities are reported in version 3.7.9.98. Other versions
may also be affected.
SOLUTION:
Filter malicious characters and character sequences in a proxy.
PROVIDED AND/OR DISCOVERED BY:
DecodeX01
ORIGINAL ADVISORY:
http://www.exploit-db.com/exploits/10276
VAR-200912-0129 | CVE-2009-4189 |
HP Operations Manager Vulnerable to arbitrary code execution
Related entries in the VARIoT exploits database: VAR-E-201009-0027, VAR-E-201012-1020 |
CVSS V2: 10.0 CVSS V3: - Severity: High |
HP Operations Manager has a default password of OvW*busr1 for the ovwebusr account, which allows remote attackers to execute arbitrary code via a session that uses the manager role to conduct unrestricted file upload attacks against the /manager servlet in the Tomcat servlet container. NOTE: this might overlap CVE-2009-3099 and CVE-2009-3843. Operations Manager is prone to a file-upload vulnerability.
VAR-200912-0136 | CVE-2009-4196 | Huawei MT882 V100R002B020 ARG-T of Forms/ Cross-site scripting vulnerability in underlying script |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Multiple cross-site scripting (XSS) vulnerabilities in multiple scripts in Forms/ in Huawei MT882 V100R002B020 ARG-T running firmware 3.7.9.98 allow remote attackers to inject arbitrary web script or HTML via the (1) BackButton parameter to error_1; (2) wzConnFlag parameter to fresh_pppoe_1; (3) diag_pppindex_argen and (4) DiagStartFlag parameters to rpDiag_argen_1; (5) wzdmz_active and (6) wzdmzHostIP parameters to rpNATdmz_argen_1; (7) wzVIRTUALSVR_endPort, (8) wzVIRTUALSVR_endPortLocal, (9) wzVIRTUALSVR_IndexFlag, (10) wzVIRTUALSVR_localIP, (11) wzVIRTUALSVR_startPort, and (12) wzVIRTUALSVR_startPortLocal parameters to rpNATvirsvr_argen_1; (13) Connect_DialFlag, (14) Connect_DialHidden, and (15) Connect_Flag parameters to rpStatus_argen_1; (16) Telephone_select, and (17) wzFirstFlag parameters to rpwizard_1; and (18) wzConnectFlag parameter to rpwizPppoe_1. Huawei MT882 is prone to multiple cross-site scripting vulnerabilities and an information-disclosure vulnerability.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks. The attacker may also obtain sensitive information.
Huawei MT882 firmware 3.7.9.98 is vulnerable; other versions may also be affected. Huawei MT882l is a small ADSL modem. Multiple scripts in Forms/ of the MT882l modem do not properly filter parameter requests submitted by users.
TITLE:
Huawei MT882 Multiple Cross-Site Scripting Vulnerabilities
SECUNIA ADVISORY ID:
SA37568
VERIFY ADVISORY:
http://secunia.com/advisories/37568/
DESCRIPTION:
DecodeX01 has reported multiple vulnerabilities in Huawei MT882,
which can be exploited by malicious people to conduct cross-site
scripting attacks.
Input passed to the "BackButton" parameter in Forms/error_1,
"wzConnFlag" in Forms/fresh_pppoe_1, "diag_pppindex_argen" and
"DiagStartFlag" in Forms/rpDiag_argen_1, "wzdmz_active" and
"wzdmzHostIP" in Forms/rpNATdmz_argen_1, "wzVIRTUALSVR_endPort",
"wzVIRTUALSVR_endPortLocal", "wzVIRTUALSVR_IndexFlag",
"wzVIRTUALSVR_localIP", "wzVIRTUALSVR_startPort", and
"wzVIRTUALSVR_startPortLocal" in Forms/rpNATvirsvr_argen_1,
"Connect_DialFlag", "Connect_DialHidden", and "Connect_Flag" in
Forms/rpStatus_argen_1, "Telephone_select" and "wzFirstFlag" in
Forms/rpwizard_1, and "wzConnectFlag" in Forms/rpwizPppoe_1 is not
properly sanitised before being returned to the user.
The vulnerabilities are reported in version 3.7.9.98.
SOLUTION:
Filter malicious characters and character sequences in a proxy.
PROVIDED AND/OR DISCOVERED BY:
DecodeX01
ORIGINAL ADVISORY:
http://www.exploit-db.com/exploits/10276
VAR-200912-0425 | CVE-2009-2843 | Mac OS X For Java Vulnerable to arbitrary code execution |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Java for Mac OS X 10.5 before Update 6 and 10.6 before Update 1 accepts expired certificates for applets, which makes it easier for remote attackers to execute arbitrary code via an applet.
Successful exploits will allow attackers to bypass certain security restrictions and trick users into running untrusted Java applets with the privileges of trusted applets.
The issue affects the following:
Mac OS X v10.5.8
Mac OS X Server v10.5.8
Mac OS X v10.6.2
Mac OS X Server v10.6.2. Mac OS is an operating system that runs on Apple's Macintosh series of computers.
This fixes some
vulnerabilities, which can be exploited by malicious people to
potentially disclose sensitive information, bypass certain security
restrictions, cause a DoS (Denial of Service), or to compromise a
user's system.
SOLUTION:
Apply updates.
http://support.apple.com/kb/DL971
PROVIDED AND/OR DISCOVERED BY:
2) The vendor credits Simon Heimlicher, ETH Zurich.
ORIGINAL ADVISORY:
Apple:
http://support.apple.com/kb/HT3969
http://support.apple.com/kb/HT3970
OTHER REFERENCES:
SA37231:
http://secunia.com/advisories/37231/