VARIoT IoT vulnerabilities database
| VAR-201109-0060 | CVE-2011-0342 |
InduSoft ISSymbol ActiveX Control Buffer Overflow Vulnerability
Related entries in the VARIoT exploits database: VAR-E-201109-0367 |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Multiple buffer overflows in the InduSoft ISSymbol ActiveX control in ISSymbol.ocx 301.1104.601.0 in InduSoft Web Studio 7.0B2 hotfix 7.0.01.04 allow remote attackers to execute arbitrary code via a long parameter to the (1) Open, (2) Close, or (3) SetCurrentLanguage method. InduSoft ISSymbol ActiveX Control has a buffer overflow vulnerability. Due to boundary condition errors when processing 'Open()', 'Close()' and 'SetCurrentLanguage()' methods, it can be exploited by an attacker to cause a buffer overflow. Failed exploit attempts will likely result in denial-of-service conditions.
======================================================================
2) Severity
Rating: Highly critical
Impact: System access
Where: Remote
======================================================================
3) Vendor's Description of Software
"InduSoft Web Studio is a powerful collection of automation tools that
provide all the automation building blocks to develop HMIs, SCADA
systems and embedded instrumentation solutions. Utilize InduSoft
integrated Web technologies to take advantage of Internet/intranet
connectivity."
Link:
http://www.indusoft.com/indusoftart.php?catid=1&name=IWS/webstudio
======================================================================
4) Description of Vulnerability
Secunia Research has discovered multiple vulnerabilities in InduSoft
ISSymbol ActiveX control, which can be exploited by malicious people
to compromise a user's system.
Successful exploitation of the vulnerabilities allows execution of
arbitrary code.
======================================================================
5) Solution
Install Service Pack 1.
======================================================================
6) Time Table
09/06/2011 - Vendor notified
15/06/2011 - Vendor response.
30/08/2011 - Vendor releases a hotfix.
01/09/2011 - Public disclosure.
======================================================================
7) Credits
Discovered by Dmitriy Pletnev, Secunia Research.
======================================================================
8) References
The Common Vulnerabilities and Exposures (CVE) project has assigned
CVE-2011-0342 for the vulnerabilities.
======================================================================
9) About Secunia
Secunia offers vulnerability management solutions to corporate
customers with verified and reliable vulnerability intelligence
relevant to their specific system configuration:
http://secunia.com/advisories/business_solutions/
Secunia also provides a publicly accessible and comprehensive advisory
database as a service to the security community and private
individuals, who are interested in or concerned about IT-security.
http://secunia.com/advisories/
Secunia believes that it is important to support the community and to
do active vulnerability research in order to aid improving the
security and reliability of software in general:
http://secunia.com/secunia_research/
Secunia regularly hires new skilled team members. Check the URL below
to see currently vacant positions:
http://secunia.com/corporate/jobs/
Secunia offers a FREE mailing list called Secunia Security Advisories:
http://secunia.com/advisories/mailing_lists/
======================================================================
10) Verification
Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2011-61/
Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/
======================================================================
. ----------------------------------------------------------------------
The Secunia CSI 5.0 Beta - now available for testing
Find out more, take a free test drive, and share your opinion with us:
http://secunia.com/blog/242
----------------------------------------------------------------------
TITLE:
InduSoft ISSymbol ActiveX Control Multiple Buffer Overflow
Vulnerabilities
SECUNIA ADVISORY ID:
SA44875
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/44875/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=44875
RELEASE DATE:
2011-09-02
DISCUSS ADVISORY:
http://secunia.com/advisories/44875/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/44875/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=44875
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Secunia Research has discovered multiple vulnerabilities in InduSoft
ISSymbol ActiveX control, which can be exploited by malicious people
to compromise a user's system.
The vulnerabilities are confirmed in ISSymbol.ocx version
301.1104.601.0 included in InduSoft Web Studio version 7.0B2 hotfix
7.0.01.04.
ORIGINAL ADVISORY:
Secunia Research:
http://secunia.com/secunia_research/2011-61/
InduSoft:
http://www.indusoft.com/hotfixes/hotfixes.php
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-201108-0095 | CVE-2011-2577 |
plural Cisco Service disruption in products ( crash ) Vulnerabilities
Related entries in the VARIoT exploits database: VAR-E-201108-0204 |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Unspecified vulnerability in Cisco TelePresence C Series Endpoints, E/EX Personal Video units, and MXP Series Codecs, when using software versions before TC 4.0.0 or F9.1, allows remote attackers to cause a denial of service (crash) via a crafted SIP packet to port 5060 or 5061, aka Bug ID CSCtq46500. The problem is Bug ID CSCtq46500 It is a problem.By a third party 5060 and 5061 Crafted against the port SIP Service disruption via packets ( crash ) There is a possibility of being put into a state. Cisco TelePresence Codecs are prone to a denial-of-service vulnerability.
An attacker can exploit this issue to cause the device to crash, denying service to legitimate users.
This issue is documented by Cisco Bug ID CSCtq46500.
Cisco has released free software updates that address this
vulnerability.
Users can determine the software version of a Cisco TelePresence unit by
entering the IP address of the codec in a web browser, authenticating
(if the device is configured for authentication), and then selecting the
system info menu option. The version number will follow the Software
Version text in the System Info window.
Alternatively, users can determine the software version by issuing the
"xStatus SystemUnit" command from a device's application programmer
interface. The software version that is running on the codec is
displayed following the SystemUnit Software Version text. The following
example displays "xStatus SystemUnit" output from a system that is
running software version TC4.0:
xStatus SystemUnit
*s SystemUnit ProductType: "Cisco TelePresence Codec"
*s SystemUnit ProductId: "Cisco TelePresence Codec C90"
*s SystemUnit ProductPlatform: "C90"
*s SystemUnit Uptime: 597095
*s SystemUnit Software Application: "Endpoint"
*s SystemUnit Software Version: "TC4.0"
*s SystemUnit Software Name: "s52000"
*s SystemUnit Software ReleaseDate: "2010-11-01"
*s SystemUnit Software MaxVideoCalls: 3
*s SystemUnit Software MaxAudioCalls: 4
*s SystemUnit Software ReleaseKey: "true"
*s SystemUnit Software OptionKeys NaturalPresenter: "true"
*s SystemUnit Software OptionKeys MultiSite: "true"
*s SystemUnit Software OptionKeys PremiumResolution: "true"
*s SystemUnit Hardware Module SerialNumber: "B1AD25A00003"
*s SystemUnit Hardware Module Identifier: "0"
*s SystemUnit Hardware MainBoard SerialNumber: "PH0497201"
*s SystemUnit Hardware MainBoard Identifier: "101401-3 [04]"
*s SystemUnit Hardware VideoBoard SerialNumber: "PH0497874"
*s SystemUnit Hardware VideoBoard Identifier: "101560-1 [02]"
*s SystemUnit Hardware AudioBoard SerialNumber: "N/A"
*s SystemUnit Hardware AudioBoard Identifier: ""
*s SystemUnit Hardware BootSoftware: "U-Boot 2009.03-65"
*s SystemUnit State System: Initialized
*s SystemUnit State MaxNumberOfCalls: 3
*s SystemUnit State MaxNumberOfActiveCalls: 3
*s SystemUnit State NumberOfActiveCalls: 1
*s SystemUnit State NumberOfSuspendedCalls: 0
*s SystemUnit State NumberOfInProgressCalls: 0
*s SystemUnit State Subsystem Application: Initialized
*s SystemUnit ContactInfo: "helpdesk@company.com"
** end
Products Confirmed Not Vulnerable
+--------------------------------
No other Cisco products are currently known to be affected by this
vulnerability.
Details
=======
Affected devices are part systems that provide Cisco TelePresence
Endpoints for immersive environments, conference rooms, individual
desktops, and home offices. This vulnerability is triggered by a crafted
Session Initiation Protocol (SIP) packet that is sent to an affected
device on port 5060 or 5061.
Vulnerability Scoring Details
=============================
Cisco has provided scores for the vulnerability in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at:
http://intellishield.cisco.com/security/alertmanager/cvss
* CSCtq46500 ("Specifically crafted SIP packet may crash the device")
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of this vulnerability could result in a
system crash that may lead to a denial of service condition.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to determine
exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
Workarounds
===========
There are no workarounds available that mitigate this vulnerability.
However, there is an Applied Mitigations Bulletin available at
http://www.cisco.com/warp/public/707/cisco-amb-20110831-tandberg.shtml
that describes how to filter SIP packets sent to the device.
Obtaining Fixed Software
========================
Cisco has released free software updates that addresses this
vulnerability. Prior to deploying software, customers should consult
their maintenance provider or check the software for feature set
compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound
by the terms of Cisco's software license terms found at
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html,
or as otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml.
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, this means that
upgrades should be obtained through the Software Center on Cisco's
worldwide website at http://www.cisco.com.
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco
service contract, and customers who purchase through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should acquire upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to
a free upgrade. Free upgrades for non-contract customers must be
requested through the TAC.
Refer to
http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
for additional TAC contact information, including localized telephone
numbers, and instructions and e-mail addresses for use in various
languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerability described in this advisory.
This vulnerability was reported to Cisco by David Klein of Sense of
Security.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY
ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that omits
the distribution URL in the following section is an uncontrolled copy,
and may lack important information or contain factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at:
http://www.cisco.com/warp/public/707/cisco-sa-20110831-tandberg.shtml
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on mailing
lists or newsgroups. Users concerned about this problem are encouraged
to check the above URL for any updates.
Revision History
================
+------------------------------------------------------------+
| Revision 1.0 | 2011-Aug-31 | Initial public release. |
+------------------------------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html.
This includes instructions for press inquiries regarding Cisco security
notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt.
+--------------------------------------------------------------------
Copyright 2010-2011 Cisco Systems, Inc. All rights reserved.
+--------------------------------------------------------------------
Updated: Aug 11, 2011 Document ID: 113098
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iF4EAREIAAYFAk5eWDwACgkQQXnnBKKRMNAFAQD7Bf8+G0VKbE37nc95p1vOhAvh
DKCbu0g+YxMlo6+Iua8A/0qgCKk47eCVVO97ejvRkbAHxjOzVu9GBG4uTuQLoqK8
=WGqM
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
. 19-Sep-2011
Last Update. -
Vendor Notification Date. 21-Feb-2011
Product. Cisco TelePresence Series
Platform. C <= TC4.1.2, MXP <= F9.1
Severity Rating. Low - Medium
Impact. Cookie/credential theft,
impersonation,
loss of confidentiality,
client-side code execution,
denial of service.
Solution Status. Vendor patch
References. 1. CVE-2011-2544 (CSCtq46488)
2. CVE-2011-2543 (CSCtq46496)
3. CVE-2011-2577 (CSCtq46500)
Details. The C & MXP Series are the
Endpoints used on desks or in boardrooms to provide users with a
termination point for Video Conferencing.
1. Post-authentication HTML Injection - CVE-2011-2544 (CSCtq46488):
Cisco TelePresence Endpoints have a web interface (HTTP or HTTPS) for
managing, configuring and reporting. It is possible to set the Call ID
(with H.323 or SIP) to a HTML value. If a call is made to another
endpoint and an authenticated user browses to the web interface on the
endpoint receiving the call (e.g. to view call statistics), the
HTML will render locally within the context of the logged in user. From
this point it is possible to make changes to the system as the
authenticated user. The flaw is due to the flexibility of the H.323 ID
or SIP Display Name fields and failure to correctly validate user input.
Examples (MXP):
Rebooting the system: <IMG SRC="/reboot&Yes=please">
The attacker may also choose to change passwords in the system, disable
encryption or enable telnet:
<IMG SRC=/html_select_status?reload=other.ssi&telnet=On>
<IMG SRC=/html_select_status?reload=security.ssi&/Configuration/
Conference/Encryption/Mode=Off&/Configuration/SystemUnit/Password=test>
2. Post-authentication Memory Corruption - CVE-2011-2543 (CSCtq46496):
Cisco TelePresence systems (Endpoints and Infrastructure) use XPath for
setting and getting configuration.
Example syntax is:
http://ip/getxml?location=/Configuration/Video
The request is sent to a locally listening shell (tshell). This is the
case for all requests relating to performing an action on the system (e.g.
config get or set). The shell then sends the input to the "main"
application (/app/main, id=0), and the data is passed as a parameter.
It was discovered that the getXML handle does not properly perform
length checking on the user supplied input before passing it to the
tshell. Furthermore, there is no length checking performed in the tshell
and no bounds checking performed in the main application where the
parameter is consumed. As such, it is possible to send input that
exceeds the size of the receiving buffer, subsequently causing an
invalid address to be read. This causes a reboot on the Endpoints. The
VCS will not reboot, the process will crash by SIGSEGV (or sigabrt) but
it will restart the process itself which drops all calls.
Proof of Concept: GET
/wsgi/getxml?location="+("A"*5200)+("\x60"*4)+("X"*4)+"HTTP/1.1\r\n
Host: 192.168.6.99\r\n\r\n"
Received signal SIGSEGV (11) in thread 0x129e8480, TID 2670
Illegal memory access at: 0x5858585c
Registers:
GPR00: 00f2c908 129e5960 129ef920 00000005 00000040 0000000c 00000037
0f315580
GPR08: 00000005 129e5a70 129e5a80 58585858 0f3272d4 11589858 129e6896
0000000b
GPR16: 129e6084 11164a1c 00000000 129e6894 00000037 1299ca18 00000005
00000002
GPR24: 129e59a8 00000002 0f3ea3a4 129e5a64 00000037 00000005 0f410bac
129e5960
GPR24: 129e59a8 00000002 0f3ea3a4 129e5a64 00000037 00000005 0f410bac
129e5960
NIP: 0f39abc8 MSR: 0000d032 OGPR3: 00000002
As you can see, the crash string is passed as a parameter in GPR 8.
The severity of this issue is compounded by the fact that the main
application runs as root, this could potentially lead to arbitrary code
execution.
3. Pre-authentication SIP Denial of Service - CVE-2011-2577 (CSCtq46500):
Cisco TelePresence Endpoints utilise SIP for the call setup protocol.
Sending a SIP INVITE with a 4x8 a"s in the MAC Address field and the
receive field causes the system to reboot.
Proof of Concept: MXP:
Exception 0x1100 : Data TLB load miss Active task
FsmMain FSM process : SipTrnsp(0) FSM message : SipTrnsp_Send_Msg_Req
from SipTrnsp(0) Data TLB miss (DMISS) : 0x00000000 (illegal addr.
accessed)
Solution.
Upgrade to TC4.2 for the C series to fix validation issues.
Discovered by.
About us.
Sense of Security is a leading provider of information
security and risk management solutions. Our team has expert
skills in assessment and assurance, strategy and architecture,
and deployment through to ongoing management. We are
Australia's premier application penetration testing firm and
trusted IT security advisor to many of the countries largest
organisations.
Sense of Security Pty Ltd
Level 8, 66 King St
Sydney NSW 2000
AUSTRALIA
T: +61 (0)2 9290 4444
F: +61 (0)2 9290 4455
W: http://www.senseofsecurity.com.au
E: info@senseofsecurity.com.au
Twitter: @ITsecurityAU
The latest version of this advisory can be found at:
http://www.senseofsecurity.com.au/advisories/SOS-11-010.pdf
Other Sense of Security advisories can be found at:
http://www.senseofsecurity.com.au/research/it-security-advisories.php
| VAR-201108-0336 | No CVE | Ingres Database IIPROMPT Unspecified Vulnerability |
CVSS V2: - CVSS V3: - Severity: - |
Ingres Database is prone to an unspecified vulnerability that can be exploited to overflow data.
The impact is currently unknown; however, this class of vulnerability may allow attackers to gain access to sensitive information, corrupt memory or cause a denial-of-service condition.
Ingres Database versions 2.6, 9.1, 9.2, 9.3, and 10.0 for Windows are vulnerable.
| VAR-201108-0303 | No CVE | SAP NetWeaver 'EPS_DELETE_FILE' Arbitrary File Removal Vulnerability |
CVSS V2: - CVSS V3: - Severity: LOW |
SAP NetWeaver is the technical foundation for SAP Business Suite solutions, SAP xApps composite applications, partner solutions, and custom applications. The \"EPS_DELETE_FILE\" function has an input validation error, and an attacker submits a directory traversal sequence request to delete any file. To successfully exploit the vulnerability you need access to the default SAP account TMSADM or SAPCPIC. ----------------------------------------------------------------------
The Secunia CSI 5.0 Beta - now available for testing
Find out more, take a free test drive, and share your opinion with us:
http://secunia.com/blog/242
----------------------------------------------------------------------
TITLE:
SAP NetWeaver "EPS_DELETE_FILE" Arbitrary File Deletion Vulnerability
SECUNIA ADVISORY ID:
SA45715
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/45715/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=45715
RELEASE DATE:
2011-08-27
DISCUSS ADVISORY:
http://secunia.com/advisories/45715/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/45715/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=45715
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Alexey Sintsov has reported a vulnerability in SAP NetWeaver, which
can be exploited by malicious users to manipulate certain data.
TMSADM or SAPCPIC.
SOLUTION:
Apply fixes. Please see the vendor's advisory for details.
PROVIDED AND/OR DISCOVERED BY:
Alexey Sintsov, Digital Security Research Group (DSecRG).
ORIGINAL ADVISORY:
SAP:
https://service.sap.com/sap/support/notes/1554030
Digital Security Research Group:
http://dsecrg.com/pages/vul/show.php?id=331
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-201109-0092 | CVE-2011-2763 |
LifeSize Room appliance authentication bypass and arbitrary code injection vulnerability
Related entries in the VARIoT exploits database: VAR-E-201108-0401, VAR-E-201108-0400 |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
The web interface on the LifeSize Room appliance LS_RM1_3.5.3 (11) and 4.7.18 allows remote attackers to execute arbitrary commands via a modified request to the LSRoom_Remoting.doCommand function in gateway.php. LifeSize Room appliance contains an authentication bypass and arbitrary code injection vulnerability when failing to sanitize input from unauthenticated clients. LifeSize Room is a high definition video conferencing device. LifeSize Room is prone to a security-bypass vulnerability and a command-injection vulnerability.
LifeSize Room versions 3.5.3 and 4.7.18 are affected; other versions may also be vulnerable. Discovered: 07-13-11
By: Spencer McIntyre (zeroSteiner) SecureState R&D Team
www.securestate.com
Background:
-----------
Multiple vulnerabilities within the LifeSize Room appliance.
Vulnerability Summaries:
------------------------
Login page can be bypassed, granting administrative access to the web interface.
Unauthenticated OS command injection is possible through the web interface.
The easiest way to perform these attacks is using a web proxy.
Authentication By Pass:
-----------------------
Following the request to /gateway.php that references the LSRoom_Remoting.authenticate
function, modify the AMF data in the response from the server to change "false" to "true"
Example:
Original False AMF: "\x0d\x0a\x0d\x0a\x00\x00\x00\x00\x00\x01\x00\x0c\x2f\x35\x37\x2f\x6f\x6e\x52\x65\x73\x75\x6c\x74\x00\x04\x6e\x75\x6c\x6c\x00\x00\x00\x02\x01\x00"
Modified True AMF: "\x0d\x0a\x0d\x0a\x00\x00\x00\x00\x00\x01\x00\x0c\x2f\x35\x37\x2f\x6f\x6e\x52\x65\x73\x75\x6c\x74\x00\x04\x6e\x75\x6c\x6c\xff\xff\xff\xff\x01\x01"
Command Injection:
------------------
The request to /gateway.php references a vulnerable function LSRoom_Remoting.doCommand
within the encoded AMF data. The original parameter for the vulnerable function is
"pref -l /var/system/upgrade/status" Replace this part with the command to be executed.
Authentication to the web application is not necessary however a valid PHP session ID
must be passed within the request.
References:
-----------
CVE-2011-2762 - authentication bypass
CVE-2011-2763 - OS command injection
| VAR-201109-0091 | CVE-2011-2762 |
LifeSize Room appliance authentication bypass and arbitrary code injection vulnerability
Related entries in the VARIoT exploits database: VAR-E-201108-0401, VAR-E-201108-0400 |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The web interface on the LifeSize Room appliance LS_RM1_3.5.3 (11) allows remote attackers to bypass authentication via unspecified data associated with a "true" authentication status, related to AMF data and the LSRoom_Remoting.authenticate function in gateway.php. LifeSize Room is a high definition video conferencing device. LifeSize Room is prone to a security-bypass vulnerability and a command-injection vulnerability.
Exploiting these issues could allow an attacker to bypass authentication or execute arbitrary commands in the context of the application.
LifeSize Room versions 3.5.3 and 4.7.18 are affected; other versions may also be vulnerable.
Unauthenticated OS command injection is possible through the web interface.
The easiest way to perform these attacks is using a web proxy.
Authentication By Pass:
-----------------------
Following the request to /gateway.php that references the LSRoom_Remoting.authenticate
function, modify the AMF data in the response from the server to change "false" to "true"
Example:
Original False AMF: "\x0d\x0a\x0d\x0a\x00\x00\x00\x00\x00\x01\x00\x0c\x2f\x35\x37\x2f\x6f\x6e\x52\x65\x73\x75\x6c\x74\x00\x04\x6e\x75\x6c\x6c\x00\x00\x00\x02\x01\x00"
Modified True AMF: "\x0d\x0a\x0d\x0a\x00\x00\x00\x00\x00\x01\x00\x0c\x2f\x35\x37\x2f\x6f\x6e\x52\x65\x73\x75\x6c\x74\x00\x04\x6e\x75\x6c\x6c\xff\xff\xff\xff\x01\x01"
Command Injection:
------------------
The request to /gateway.php references a vulnerable function LSRoom_Remoting.doCommand
within the encoded AMF data. The original parameter for the vulnerable function is
"pref -l /var/system/upgrade/status" Replace this part with the command to be executed.
Authentication to the web application is not necessary however a valid PHP session ID
must be passed within the request.
References:
-----------
CVE-2011-2762 - authentication bypass
CVE-2011-2763 - OS command injection
| VAR-201109-0061 | CVE-2011-0258 | Apple of QuickTime Vulnerable to arbitrary code execution |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Apple QuickTime before 7.7 on Windows allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted image description associated with an mp4v tag in a movie file. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within the way Quicktime handles 'mp4v' codec information. When parsing the video description table it will read the size field preceding the 'mp4v' tag and use that size to create an allocation to hold the data. It will then copy the correct amount of data into that buffer, but then does some endian changes on a fixed portion of the buffer without checking its size. The resulting memory corruption could result in remote code execution under the context of the current user. Apple QuickTime is prone to a buffer-overflow vulnerability because of a failure to properly bounds check user-supplied data.
Successful exploits will allow attackers to execute arbitrary code in the context of the currently logged-in user; failed exploit attempts may cause denial-of-service conditions.
Versions prior to QuickTime 7.7 are vulnerable. Apple QuickTime is a multimedia playback software developed by Apple (Apple). The software is capable of handling multiple sources such as digital video, media segments, and more.
-- Vendor Response:
Apple has issued an update to correct this vulnerability. More
details can be found at:
http://support.apple.com/kb/HT4826
-- Disclosure Timeline:
2011-06-03 - Vulnerability reported to vendor
2011-08-31 - Coordinated public release of advisory
-- Credit:
This vulnerability was discovered by:
* Damian Put
-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.
Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:
http://www.zerodayinitiative.com
The ZDI is unique in how the acquired vulnerability information is
used. TippingPoint does not re-sell the vulnerability details or any
exploit code. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product.
Our vulnerability disclosure policy is available online at:
http://www.zerodayinitiative.com/advisories/disclosure_policy/
Follow the ZDI on Twitter:
http://twitter.com/thezdi
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
| VAR-201108-0099 | CVE-2011-2561 | Cisco Unified Communications Manager Service disruption in ( Service stop ) Vulnerabilities |
CVSS V2: 7.1 CVSS V3: - Severity: HIGH |
The SIP process in Cisco Unified Communications Manager (aka CUCM, formerly CallManager) 7.x before 7.1(5b)su4 and 8.x before 8.0(1) does not properly handle SDP data within a SIP call in certain situations related to use of the g729ar8 codec for a Media Termination Point (MTP), which allows remote attackers to cause a denial of service (service outage) via a crafted call, aka Bug ID CSCtc61990. The problem is Bug ID CSCtc61990 It is a problem.Denial of service via a crafted call by a third party ( Service stop ) There is a possibility of being put into a state. Cisco Unified Communications Manager is a call processing component in the Cisco IP Telephony solution. Single channel audio may occur when configuring MTP with g729ar8 codec. Under certain conditions, service interruptions may occur. The SIP process generates a stack trace when processing the session description protocol SDP portion of a SIP call.
An attacker can exploit these issues to cause denial-of-service conditions in the affected application.
These issues are documented by these Cisco bug IDs:
CSCtf97162
CSCtc61990
CSCth43256.
A workaround exists for the SIP and Packet Capture Service DoS
vulnerabilities.
This advisory is posted at:
http://www.cisco.com/warp/public/707/cisco-sa-20110824-cucm.shtml
Two of the vulnerabilities described in this advisory also affect the
Cisco Intercompany Media Engine.
A separate Cisco Security Advisory has been published to disclose the
vulnerabilities that affect the Cisco Intercompany Media Engine.
The first DoS vulnerability involves the Packet Capture Service which
is enabled by default. The Packet Capture Service fails to timeout or
close idle TCP connections. The Packet Capture Service should be disabled in
the Cisco Unified Communications Manager Administration Interface by
setting the service parameter to False. This vulnerability is documented in Cisco Bug ID
CSCtf97162 ( registered customers only) and has been assigned Common
Vulnerabilities and Exposures (CVE) identifier CVE-2011-2560.
The second DoS vulnerability involves certain configurations of Media
Termination Points (MTP). This
vulnerability is documented in Cisco Bug ID CSCtc61990 ( registered
customers only) and has been assigned CVE identifier CVE-2011-2561.
The third DoS vulnerability involves a coredump when processing
certain SIP INVITE messages. This vulnerability is documented in
Cisco Bug ID CSCth43256 ( registered customers only) and has been
assigned CVE identifier CVE-2011-2562.
The remaining two DoS vulnerabilities involve the Service
Advertisement Framework (SAF). Successful exploitation could cause the device to
reload. These vulnerabilities are documented in Cisco Bug IDs
CSCth26669 ( registered customers only) and CSCth19417 ( registered
customers only) and have been assigned CVE identifiers CVE-2011-2563
and CVE-2011-2564, respectively. Cisco Intercompany Media
Engine Release 8.x is also affected by these vulnerabilities. A
separate Cisco Security Advisory has been published to disclose the
vulnerabilities that affect the Cisco Intercompany Media Engine. That
advisory is available at:
http://www.cisco.com/warp/public/707/cisco-sa-20110824-ime.shtml
Note: An established TCP connection with a three-way handshake is
required to trigger the SAF vulnerabilities.
Vulnerability Scoring Details
+----------------------------
Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at
http://intellishield.cisco.com/security/alertmanager/cvss
* CSCtf97162 - CCM Application Restarts During TCP Flood
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCtc61990 - Coredump may be experienced when processing
certain SIP packets
CVSS Base Score - 7.1
Access Vector - Network
Access Complexity - Medium
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 5.9
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCth43256 - Coredump may be experienced when processing
certain SIP packets
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCth26669 - CUCM may experience a reload when receiving certain
UCM client msgs
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCth19417 - CUCM may experience a reload when receiving certain
UCM client msgs
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of the vulnerabilities that are described in
this advisory could result in the interruption of voice services. In
certain instances, the affected Cisco Unified Communications Manager
processes will restart, but repeated attacks may result in a
sustained DoS condition.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to
determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
Cisco recommends upgrading to a release equal to or later than the
release in the Recommended Releases column of the table.
+---------------------------------------+
| Cisco Unified | Recommended |
| Communications Manager | Releases |
| Version | |
|-------------------------+-------------|
| 6.x | 6.1(5)SU3 |
|-------------------------+-------------|
| 7.x | 7.1(5b)SU4 |
|-------------------------+-------------|
| 8.0 | 8.0(3a)SU2 |
|-------------------------+-------------|
| 8.5 | 8.5(1)SU2, |
| | 8.6(1) |
+---------------------------------------+
Workarounds
===========
A workaround exists for the SIP DoS vulnerabilities. SIP processing is enabled by
default.
* Step 3: Change the SIP Interoperability Enabled parameter to
False, and click Save.
Note: For a SIP processing change to take effect, the Cisco
CallManager service must be restarted. For information on how to
restart the service, refer to the "Restarting the Cisco CallManager
Service" section of the document at the following location:
http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/admin/7_1_2/ccmcfg/b03dpi.html#wp1075124
It is possible to mitigate these vulnerabilities by implementing
filtering on screening devices and only permitting access to TCP
ports 5060 and 5061 and UDP ports 5060 and 5061 from networks that
require SIP access to Cisco Unified Communications Manager servers.
A workaround exists for the DoS vulnerabilities involving the Packet
Capture Service in Cisco Communications Manager version 4.x.
Customers who do not require the Packet Capture Service for
troubleshooting can use the following instructions to disable this
process:
* Step 1: Log into the Cisco Unified Communications Manager
Administration web interface.
* Step 3: Change the Packet Capture Enabled parameter to False, and
click Save.
Note: For the Packet Capture Service change to take effect, the Cisco
CallManager service must be restarted. For information on how to
restart the service, refer to the "Restarting the Cisco CallManager
Service" section of the document at the following location:
http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/admin/7_1_2/ccmcfg/b03dpi.html#wp1075124
Additional mitigations that can be deployed on Cisco devices in the
network are available in the companion document "Cisco Applied
Mitigation Bulletin: Identifying and Mitigating Exploitation of the
Multiple Vulnerabilities in Cisco Unified Communications Manager"
which is available at the following location:
http://www.cisco.com/warp/public/707/cisco-amb-20110824-cucm-ime.shtml
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should
consult their maintenance provider or check the software for feature
set compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound
by the terms of Cisco's software license terms found at
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html
or as otherwise set forth at Cisco.com Downloads at:
http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, this means that
upgrades should be obtained through the Software Center on Cisco's
worldwide website at http://www.cisco.com
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco
service contract, and customers who purchase through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should acquire upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to
a free upgrade. Free upgrades for non-contract customers must be
requested through the TAC.
Refer to:
http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
for additional TAC contact information, including localized telephone
numbers, and instructions and e-mail addresses for use in various
languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerabilities described in this advisory.
These vulnerabilities were found during internal testing and during
the troubleshooting of customer service requests.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at:
http://www.cisco.com/warp/public/707/cisco-sa-20110824-cucm.shtml
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+---------------------------------------+
| Revision | | Initial |
| 1.0 | 2011-August-24 | public |
| | | release. |
+---------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This includes instructions for press inquiries regarding Cisco security notices.
All Cisco security advisories are available at:
http://www.cisco.com/go/psirt
+--------------------------------------------------------------------
Copyright 2010-2011 Cisco Systems, Inc. All rights reserved.
+--------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (SunOS)
iFcDBQFOVFpYQXnnBKKRMNARCOCeAPwP66zH85V+OOW8YRl94JMDc+UpiRzqoqUl
6C0WGFrBJgD/eR7bXF71he/ByVHVpfpY3qaX8M45+MqcqzIDrM6hbCY=
=kz9x
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
. ----------------------------------------------------------------------
The Secunia CSI 5.0 Beta - now available for testing
Find out more, take a free test drive, and share your opinion with us:
http://secunia.com/blog/242
----------------------------------------------------------------------
TITLE:
Cisco Unified Communications Manager Multiple Denial of Service
Vulnerabilities
SECUNIA ADVISORY ID:
SA45738
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/45738/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=45738
RELEASE DATE:
2011-08-25
DISCUSS ADVISORY:
http://secunia.com/advisories/45738/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/45738/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=45738
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Multiple vulnerabilities have been reported in Cisco Unified
Communications Manager, which can be exploited by malicious people to
cause a DoS (Denial of Service).
Note: This vulnerability only affects version 7.0.x and later.
The vulnerabilities are reported in versions 6.x, 7.x, and 8.x.
SOLUTION:
Update to version 6.1(5)SU3, 7.1(5b)SU4, 8.0(3a)SU2, 8.5(1)SU2, or
8.6(1).
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
http://www.cisco.com/warp/public/707/cisco-sa-20110824-cucm.shtml
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-201108-0092 | CVE-2011-2562 | Cisco Unified Communications Manager Service disruption in ( Service stop ) Vulnerabilities |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Unspecified vulnerability in Cisco Unified Communications Manager (aka CUCM, formerly CallManager) 6.x before 6.1(5)su2, 7.x before 7.1(5b)su3, 8.x before 8.0(3a)su1, and 8.5 before 8.5(1) allows remote attackers to cause a denial of service (service outage) via a SIP INVITE message, aka Bug ID CSCth43256. Cisco Unified Communications Manager There is a service disruption ( Service stop ) There is a vulnerability that becomes a condition. The problem is Bug ID CSCth43256 It is a problem.By a third party SIP INVITE Service disruption via message ( Service stop ) There is a possibility of being put into a state.
An attacker can exploit these issues to cause denial-of-service conditions in the affected application.
These issues are documented by these Cisco bug IDs:
CSCtf97162
CSCtc61990
CSCth43256.
A workaround exists for the SIP and Packet Capture Service DoS
vulnerabilities.
This advisory is posted at:
http://www.cisco.com/warp/public/707/cisco-sa-20110824-cucm.shtml
Two of the vulnerabilities described in this advisory also affect the
Cisco Intercompany Media Engine.
A separate Cisco Security Advisory has been published to disclose the
vulnerabilities that affect the Cisco Intercompany Media Engine.
The first DoS vulnerability involves the Packet Capture Service which
is enabled by default. The Packet Capture Service fails to timeout or
close idle TCP connections. This vulnerability is documented in Cisco Bug ID
CSCtf97162 ( registered customers only) and has been assigned Common
Vulnerabilities and Exposures (CVE) identifier CVE-2011-2560.
The second DoS vulnerability involves certain configurations of Media
Termination Points (MTP). One-way audio may be observed when an MTP
is configured with the g729ar8 codec only. In certain situations, an
interruption in service may occur and a stack trace will be generated
by the Session Initiation Protocol (SIP) process when processing the
Session Description Protocol SDP portion of a SIP call. This
vulnerability is documented in Cisco Bug ID CSCtc61990 ( registered
customers only) and has been assigned CVE identifier CVE-2011-2561. This vulnerability is documented in
Cisco Bug ID CSCth43256 ( registered customers only) and has been
assigned CVE identifier CVE-2011-2562.
The remaining two DoS vulnerabilities involve the Service
Advertisement Framework (SAF). Successful exploitation could cause the device to
reload. These vulnerabilities are documented in Cisco Bug IDs
CSCth26669 ( registered customers only) and CSCth19417 ( registered
customers only) and have been assigned CVE identifiers CVE-2011-2563
and CVE-2011-2564, respectively. Cisco Intercompany Media
Engine Release 8.x is also affected by these vulnerabilities. A
separate Cisco Security Advisory has been published to disclose the
vulnerabilities that affect the Cisco Intercompany Media Engine. That
advisory is available at:
http://www.cisco.com/warp/public/707/cisco-sa-20110824-ime.shtml
Note: An established TCP connection with a three-way handshake is
required to trigger the SAF vulnerabilities.
Vulnerability Scoring Details
+----------------------------
Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at
http://intellishield.cisco.com/security/alertmanager/cvss
* CSCtf97162 - CCM Application Restarts During TCP Flood
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCtc61990 - Coredump may be experienced when processing
certain SIP packets
CVSS Base Score - 7.1
Access Vector - Network
Access Complexity - Medium
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 5.9
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCth43256 - Coredump may be experienced when processing
certain SIP packets
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCth26669 - CUCM may experience a reload when receiving certain
UCM client msgs
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCth19417 - CUCM may experience a reload when receiving certain
UCM client msgs
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of the vulnerabilities that are described in
this advisory could result in the interruption of voice services.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to
determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
Cisco recommends upgrading to a release equal to or later than the
release in the Recommended Releases column of the table. SIP processing is enabled by
default.
* Step 3: Change the SIP Interoperability Enabled parameter to
False, and click Save. For information on how to
restart the service, refer to the "Restarting the Cisco CallManager
Service" section of the document at the following location:
http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/admin/7_1_2/ccmcfg/b03dpi.html#wp1075124
It is possible to mitigate these vulnerabilities by implementing
filtering on screening devices and only permitting access to TCP
ports 5060 and 5061 and UDP ports 5060 and 5061 from networks that
require SIP access to Cisco Unified Communications Manager servers.
Customers who do not require the Packet Capture Service for
troubleshooting can use the following instructions to disable this
process:
* Step 1: Log into the Cisco Unified Communications Manager
Administration web interface.
* Step 3: Change the Packet Capture Enabled parameter to False, and
click Save. For information on how to
restart the service, refer to the "Restarting the Cisco CallManager
Service" section of the document at the following location:
http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/admin/7_1_2/ccmcfg/b03dpi.html#wp1075124
Additional mitigations that can be deployed on Cisco devices in the
network are available in the companion document "Cisco Applied
Mitigation Bulletin: Identifying and Mitigating Exploitation of the
Multiple Vulnerabilities in Cisco Unified Communications Manager"
which is available at the following location:
http://www.cisco.com/warp/public/707/cisco-amb-20110824-cucm-ime.shtml
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should
consult their maintenance provider or check the software for feature
set compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound
by the terms of Cisco's software license terms found at
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html
or as otherwise set forth at Cisco.com Downloads at:
http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, this means that
upgrades should be obtained through the Software Center on Cisco's
worldwide website at http://www.cisco.com
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco
service contract, and customers who purchase through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should acquire upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to
a free upgrade. Free upgrades for non-contract customers must be
requested through the TAC.
Refer to:
http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
for additional TAC contact information, including localized telephone
numbers, and instructions and e-mail addresses for use in various
languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerabilities described in this advisory.
These vulnerabilities were found during internal testing and during
the troubleshooting of customer service requests.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at:
http://www.cisco.com/warp/public/707/cisco-sa-20110824-cucm.shtml
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+---------------------------------------+
| Revision | | Initial |
| 1.0 | 2011-August-24 | public |
| | | release. |
+---------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This includes instructions for press inquiries regarding Cisco security notices.
All Cisco security advisories are available at:
http://www.cisco.com/go/psirt
+--------------------------------------------------------------------
Copyright 2010-2011 Cisco Systems, Inc. All rights reserved.
+--------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (SunOS)
iFcDBQFOVFpYQXnnBKKRMNARCOCeAPwP66zH85V+OOW8YRl94JMDc+UpiRzqoqUl
6C0WGFrBJgD/eR7bXF71he/ByVHVpfpY3qaX8M45+MqcqzIDrM6hbCY=
=kz9x
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
. ----------------------------------------------------------------------
The Secunia CSI 5.0 Beta - now available for testing
Find out more, take a free test drive, and share your opinion with us:
http://secunia.com/blog/242
----------------------------------------------------------------------
TITLE:
Cisco Unified Communications Manager Multiple Denial of Service
Vulnerabilities
SECUNIA ADVISORY ID:
SA45738
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/45738/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=45738
RELEASE DATE:
2011-08-25
DISCUSS ADVISORY:
http://secunia.com/advisories/45738/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/45738/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=45738
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Multiple vulnerabilities have been reported in Cisco Unified
Communications Manager, which can be exploited by malicious people to
cause a DoS (Denial of Service).
Note: This vulnerability only affects version 7.0.x and later.
The vulnerabilities are reported in versions 6.x, 7.x, and 8.x.
SOLUTION:
Update to version 6.1(5)SU3, 7.1(5b)SU4, 8.0(3a)SU2, 8.5(1)SU2, or
8.6(1).
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
http://www.cisco.com/warp/public/707/cisco-sa-20110824-cucm.shtml
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-201108-0098 | CVE-2011-2560 | Cisco Unified Communications Manager Service disruption in (DoS) Vulnerabilities |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
The Packet Capture Service in Cisco Unified Communications Manager (aka CUCM, formerly CallManager) 4.x does not properly handle idle TCP connections, which allows remote attackers to cause a denial of service (memory consumption and restart) by making many connections, aka Bug ID CSCtf97162. The problem is Bug ID CSCtf97162 It is a problem.Service operation disruption by establishing many connections by a third party ( Memory corruption and restart ) There is a possibility of being put into a state. Cisco Unified Communications Manager is a call processing component in the Cisco IP Telephony solution.
An attacker can exploit these issues to cause denial-of-service conditions in the affected application.
These issues are documented by these Cisco bug IDs:
CSCtf97162
CSCtc61990
CSCth43256.
A workaround exists for the SIP and Packet Capture Service DoS
vulnerabilities.
This advisory is posted at:
http://www.cisco.com/warp/public/707/cisco-sa-20110824-cucm.shtml
Two of the vulnerabilities described in this advisory also affect the
Cisco Intercompany Media Engine.
A separate Cisco Security Advisory has been published to disclose the
vulnerabilities that affect the Cisco Intercompany Media Engine. This vulnerability is documented in Cisco Bug ID
CSCtf97162 ( registered customers only) and has been assigned Common
Vulnerabilities and Exposures (CVE) identifier CVE-2011-2560.
The second DoS vulnerability involves certain configurations of Media
Termination Points (MTP). One-way audio may be observed when an MTP
is configured with the g729ar8 codec only. In certain situations, an
interruption in service may occur and a stack trace will be generated
by the Session Initiation Protocol (SIP) process when processing the
Session Description Protocol SDP portion of a SIP call. This
vulnerability is documented in Cisco Bug ID CSCtc61990 ( registered
customers only) and has been assigned CVE identifier CVE-2011-2561.
The third DoS vulnerability involves a coredump when processing
certain SIP INVITE messages. This vulnerability is documented in
Cisco Bug ID CSCth43256 ( registered customers only) and has been
assigned CVE identifier CVE-2011-2562.
The remaining two DoS vulnerabilities involve the Service
Advertisement Framework (SAF). Successful exploitation could cause the device to
reload. These vulnerabilities are documented in Cisco Bug IDs
CSCth26669 ( registered customers only) and CSCth19417 ( registered
customers only) and have been assigned CVE identifiers CVE-2011-2563
and CVE-2011-2564, respectively. Cisco Intercompany Media
Engine Release 8.x is also affected by these vulnerabilities. A
separate Cisco Security Advisory has been published to disclose the
vulnerabilities that affect the Cisco Intercompany Media Engine. That
advisory is available at:
http://www.cisco.com/warp/public/707/cisco-sa-20110824-ime.shtml
Note: An established TCP connection with a three-way handshake is
required to trigger the SAF vulnerabilities.
Vulnerability Scoring Details
+----------------------------
Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at
http://intellishield.cisco.com/security/alertmanager/cvss
* CSCtf97162 - CCM Application Restarts During TCP Flood
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCtc61990 - Coredump may be experienced when processing
certain SIP packets
CVSS Base Score - 7.1
Access Vector - Network
Access Complexity - Medium
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 5.9
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCth43256 - Coredump may be experienced when processing
certain SIP packets
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCth26669 - CUCM may experience a reload when receiving certain
UCM client msgs
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCth19417 - CUCM may experience a reload when receiving certain
UCM client msgs
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of the vulnerabilities that are described in
this advisory could result in the interruption of voice services.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to
determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
Cisco recommends upgrading to a release equal to or later than the
release in the Recommended Releases column of the table.
+---------------------------------------+
| Cisco Unified | Recommended |
| Communications Manager | Releases |
| Version | |
|-------------------------+-------------|
| 6.x | 6.1(5)SU3 |
|-------------------------+-------------|
| 7.x | 7.1(5b)SU4 |
|-------------------------+-------------|
| 8.0 | 8.0(3a)SU2 |
|-------------------------+-------------|
| 8.5 | 8.5(1)SU2, |
| | 8.6(1) |
+---------------------------------------+
Workarounds
===========
A workaround exists for the SIP DoS vulnerabilities. SIP processing is enabled by
default.
* Step 3: Change the SIP Interoperability Enabled parameter to
False, and click Save.
Note: For a SIP processing change to take effect, the Cisco
CallManager service must be restarted.
* Step 3: Change the Packet Capture Enabled parameter to False, and
click Save. For information on how to
restart the service, refer to the "Restarting the Cisco CallManager
Service" section of the document at the following location:
http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/admin/7_1_2/ccmcfg/b03dpi.html#wp1075124
Additional mitigations that can be deployed on Cisco devices in the
network are available in the companion document "Cisco Applied
Mitigation Bulletin: Identifying and Mitigating Exploitation of the
Multiple Vulnerabilities in Cisco Unified Communications Manager"
which is available at the following location:
http://www.cisco.com/warp/public/707/cisco-amb-20110824-cucm-ime.shtml
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should
consult their maintenance provider or check the software for feature
set compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound
by the terms of Cisco's software license terms found at
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html
or as otherwise set forth at Cisco.com Downloads at:
http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, this means that
upgrades should be obtained through the Software Center on Cisco's
worldwide website at http://www.cisco.com
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco
service contract, and customers who purchase through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should acquire upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to
a free upgrade. Free upgrades for non-contract customers must be
requested through the TAC.
Refer to:
http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
for additional TAC contact information, including localized telephone
numbers, and instructions and e-mail addresses for use in various
languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerabilities described in this advisory.
These vulnerabilities were found during internal testing and during
the troubleshooting of customer service requests.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at:
http://www.cisco.com/warp/public/707/cisco-sa-20110824-cucm.shtml
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+---------------------------------------+
| Revision | | Initial |
| 1.0 | 2011-August-24 | public |
| | | release. |
+---------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This includes instructions for press inquiries regarding Cisco security notices.
All Cisco security advisories are available at:
http://www.cisco.com/go/psirt
+--------------------------------------------------------------------
Copyright 2010-2011 Cisco Systems, Inc. All rights reserved.
+--------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (SunOS)
iFcDBQFOVFpYQXnnBKKRMNARCOCeAPwP66zH85V+OOW8YRl94JMDc+UpiRzqoqUl
6C0WGFrBJgD/eR7bXF71he/ByVHVpfpY3qaX8M45+MqcqzIDrM6hbCY=
=kz9x
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
. ----------------------------------------------------------------------
The Secunia CSI 5.0 Beta - now available for testing
Find out more, take a free test drive, and share your opinion with us:
http://secunia.com/blog/242
----------------------------------------------------------------------
TITLE:
Cisco Unified Communications Manager Packet Capture Service Denial of
Service
SECUNIA ADVISORY ID:
SA45741
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/45741/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=45741
RELEASE DATE:
2011-08-25
DISCUSS ADVISORY:
http://secunia.com/advisories/45741/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/45741/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=45741
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
A vulnerability has been reported in Cisco Unified Communications
Manager, which can be exploited by malicious people to cause a DoS
(Denial of Service).
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
http://www.cisco.com/warp/public/707/cisco-sa-20110824-cucm.shtml
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-201108-0093 | CVE-2011-2563 | Cisco Unified Communications Manager and Cisco Intercompany Media Engine Vulnerability in |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Unspecified vulnerability in the Service Advertisement Framework (SAF) in Cisco Unified Communications Manager (aka CUCM, formerly CallManager) 8.x before 8.5(1) and Cisco Intercompany Media Engine 8.x before 8.5(1) allows remote attackers to cause a denial of service (device reload) via crafted SAF packets, aka Bug ID CSCth26669. Cisco Unified Communications Manager is a call processing component in the Cisco IP Telephony solution. The Service Advertisement Framework (SAF) has a denial of service attack. An unauthenticated attacker can use these vulnerabilities to send specially crafted SAF packets to the affected device. The attacker exploits the vulnerability to overload the device.
An attacker can exploit these issues to cause an affected device to reload, denying service to legitimate users.
These issues are being tracked by Cisco Bug IDs CSCth26669 and CSCth19417.
Intercompany Media Engine versions 8.0.x are affected.
A workaround exists for the SIP and Packet Capture Service DoS
vulnerabilities.
Products Confirmed Not Vulnerable
+--------------------------------
All supported versions of Cisco Unified Communications Manager are
affected by one or more of the vulnerabilities described in this
advisory.
The first DoS vulnerability involves the Packet Capture Service which
is enabled by default. The Packet Capture Service fails to timeout or
close idle TCP connections. This vulnerability is documented in Cisco Bug ID
CSCtf97162 ( registered customers only) and has been assigned Common
Vulnerabilities and Exposures (CVE) identifier CVE-2011-2560.
The second DoS vulnerability involves certain configurations of Media
Termination Points (MTP). One-way audio may be observed when an MTP
is configured with the g729ar8 codec only. In certain situations, an
interruption in service may occur and a stack trace will be generated
by the Session Initiation Protocol (SIP) process when processing the
Session Description Protocol SDP portion of a SIP call. This
vulnerability is documented in Cisco Bug ID CSCtc61990 ( registered
customers only) and has been assigned CVE identifier CVE-2011-2561.
The third DoS vulnerability involves a coredump when processing
certain SIP INVITE messages. This vulnerability is documented in
Cisco Bug ID CSCth43256 ( registered customers only) and has been
assigned CVE identifier CVE-2011-2562. These vulnerabilities are documented in Cisco Bug IDs
CSCth26669 ( registered customers only) and CSCth19417 ( registered
customers only) and have been assigned CVE identifiers CVE-2011-2563
and CVE-2011-2564, respectively. That
advisory is available at:
http://www.cisco.com/warp/public/707/cisco-sa-20110824-ime.shtml
Note: An established TCP connection with a three-way handshake is
required to trigger the SAF vulnerabilities.
Vulnerability Scoring Details
+----------------------------
Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at
http://intellishield.cisco.com/security/alertmanager/cvss
* CSCtf97162 - CCM Application Restarts During TCP Flood
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCtc61990 - Coredump may be experienced when processing
certain SIP packets
CVSS Base Score - 7.1
Access Vector - Network
Access Complexity - Medium
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 5.9
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCth43256 - Coredump may be experienced when processing
certain SIP packets
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCth26669 - CUCM may experience a reload when receiving certain
UCM client msgs
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCth19417 - CUCM may experience a reload when receiving certain
UCM client msgs
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of the vulnerabilities that are described in
this advisory could result in the interruption of voice services. In
certain instances, the affected Cisco Unified Communications Manager
processes will restart, but repeated attacks may result in a
sustained DoS condition.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to
determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
Cisco recommends upgrading to a release equal to or later than the
release in the Recommended Releases column of the table.
+---------------------------------------+
| Cisco Unified | Recommended |
| Communications Manager | Releases |
| Version | |
|-------------------------+-------------|
| 6.x | 6.1(5)SU3 |
|-------------------------+-------------|
| 7.x | 7.1(5b)SU4 |
|-------------------------+-------------|
| 8.0 | 8.0(3a)SU2 |
|-------------------------+-------------|
| 8.5 | 8.5(1)SU2, |
| | 8.6(1) |
+---------------------------------------+
Workarounds
===========
A workaround exists for the SIP DoS vulnerabilities. SIP processing is enabled by
default. Customers who do not require SIP processing can use the
following instructions to disable SIP processing:
* Step 1: Log into the Cisco Unified Communications Manager
Administration Interface.
* Step 3: Change the SIP Interoperability Enabled parameter to
False, and click Save.
Note: For a SIP processing change to take effect, the Cisco
CallManager service must be restarted. For information on how to
restart the service, refer to the "Restarting the Cisco CallManager
Service" section of the document at the following location:
http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/admin/7_1_2/ccmcfg/b03dpi.html#wp1075124
It is possible to mitigate these vulnerabilities by implementing
filtering on screening devices and only permitting access to TCP
ports 5060 and 5061 and UDP ports 5060 and 5061 from networks that
require SIP access to Cisco Unified Communications Manager servers.
A workaround exists for the DoS vulnerabilities involving the Packet
Capture Service in Cisco Communications Manager version 4.x.
Customers who do not require the Packet Capture Service for
troubleshooting can use the following instructions to disable this
process:
* Step 1: Log into the Cisco Unified Communications Manager
Administration web interface.
* Step 3: Change the Packet Capture Enabled parameter to False, and
click Save.
Note: For the Packet Capture Service change to take effect, the Cisco
CallManager service must be restarted. For information on how to
restart the service, refer to the "Restarting the Cisco CallManager
Service" section of the document at the following location:
http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/admin/7_1_2/ccmcfg/b03dpi.html#wp1075124
Additional mitigations that can be deployed on Cisco devices in the
network are available in the companion document "Cisco Applied
Mitigation Bulletin: Identifying and Mitigating Exploitation of the
Multiple Vulnerabilities in Cisco Unified Communications Manager"
which is available at the following location:
http://www.cisco.com/warp/public/707/cisco-amb-20110824-cucm-ime.shtml
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should
consult their maintenance provider or check the software for feature
set compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound
by the terms of Cisco's software license terms found at
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html
or as otherwise set forth at Cisco.com Downloads at:
http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, this means that
upgrades should be obtained through the Software Center on Cisco's
worldwide website at http://www.cisco.com
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco
service contract, and customers who purchase through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should acquire upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to
a free upgrade. Free upgrades for non-contract customers must be
requested through the TAC.
Refer to:
http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
for additional TAC contact information, including localized telephone
numbers, and instructions and e-mail addresses for use in various
languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerabilities described in this advisory.
These vulnerabilities were found during internal testing and during
the troubleshooting of customer service requests.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at:
http://www.cisco.com/warp/public/707/cisco-sa-20110824-cucm.shtml
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+---------------------------------------+
| Revision | | Initial |
| 1.0 | 2011-August-24 | public |
| | | release. |
+---------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This includes instructions for press inquiries regarding Cisco security notices.
All Cisco security advisories are available at:
http://www.cisco.com/go/psirt
+--------------------------------------------------------------------
Copyright 2010-2011 Cisco Systems, Inc. All rights reserved.
+--------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (SunOS)
iFcDBQFOVFpYQXnnBKKRMNARCOCeAPwP66zH85V+OOW8YRl94JMDc+UpiRzqoqUl
6C0WGFrBJgD/eR7bXF71he/ByVHVpfpY3qaX8M45+MqcqzIDrM6hbCY=
=kz9x
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
.
There are no available workarounds to mitigate these vulnerabilities.
Details
=======
Cisco Intercompany Media Engine provides a technique for establishing
direct IP connectivity between enterprises by combining peer-to-peer
technologies with the existing public switched telephone network
(PSTN) infrastructure. ----------------------------------------------------------------------
The Secunia CSI 5.0 Beta - now available for testing
Find out more, take a free test drive, and share your opinion with us:
http://secunia.com/blog/242
----------------------------------------------------------------------
TITLE:
Cisco Unified Communications Manager Multiple Denial of Service
Vulnerabilities
SECUNIA ADVISORY ID:
SA45738
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/45738/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=45738
RELEASE DATE:
2011-08-25
DISCUSS ADVISORY:
http://secunia.com/advisories/45738/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/45738/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=45738
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Multiple vulnerabilities have been reported in Cisco Unified
Communications Manager, which can be exploited by malicious people to
cause a DoS (Denial of Service).
Note: This vulnerability only affects version 7.0.x and later.
The vulnerabilities are reported in versions 6.x, 7.x, and 8.x.
SOLUTION:
Update to version 6.1(5)SU3, 7.1(5b)SU4, 8.0(3a)SU2, 8.5(1)SU2, or
8.6(1).
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
http://www.cisco.com/warp/public/707/cisco-sa-20110824-cucm.shtml
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-201108-0094 | CVE-2011-2564 | Cisco Unified Communications Manager and Cisco Intercompany Media Engine Vulnerability in |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Unspecified vulnerability in the Service Advertisement Framework (SAF) in Cisco Unified Communications Manager (aka CUCM, formerly CallManager) 8.x before 8.5(1) and Cisco Intercompany Media Engine 8.x before 8.5(1) allows remote attackers to cause a denial of service (device reload) via crafted SAF packets, aka Bug ID CSCth19417. Cisco Unified Communications Manager is a call processing component in the Cisco IP Telephony solution. An unauthenticated attacker can send a specially crafted SAF packet to the affected device. The attacker can exploit the vulnerability to reload the device.
These issues are being tracked by Cisco Bug IDs CSCth26669 and CSCth19417.
Intercompany Media Engine versions 8.0.x are affected.
A workaround exists for the SIP and Packet Capture Service DoS
vulnerabilities.
Products Confirmed Not Vulnerable
+--------------------------------
All supported versions of Cisco Unified Communications Manager are
affected by one or more of the vulnerabilities described in this
advisory.
The first DoS vulnerability involves the Packet Capture Service which
is enabled by default. The Packet Capture Service fails to timeout or
close idle TCP connections. This vulnerability is documented in Cisco Bug ID
CSCtf97162 ( registered customers only) and has been assigned Common
Vulnerabilities and Exposures (CVE) identifier CVE-2011-2560.
The second DoS vulnerability involves certain configurations of Media
Termination Points (MTP). One-way audio may be observed when an MTP
is configured with the g729ar8 codec only. In certain situations, an
interruption in service may occur and a stack trace will be generated
by the Session Initiation Protocol (SIP) process when processing the
Session Description Protocol SDP portion of a SIP call. This
vulnerability is documented in Cisco Bug ID CSCtc61990 ( registered
customers only) and has been assigned CVE identifier CVE-2011-2561.
The third DoS vulnerability involves a coredump when processing
certain SIP INVITE messages. This vulnerability is documented in
Cisco Bug ID CSCth43256 ( registered customers only) and has been
assigned CVE identifier CVE-2011-2562. These vulnerabilities are documented in Cisco Bug IDs
CSCth26669 ( registered customers only) and CSCth19417 ( registered
customers only) and have been assigned CVE identifiers CVE-2011-2563
and CVE-2011-2564, respectively. That
advisory is available at:
http://www.cisco.com/warp/public/707/cisco-sa-20110824-ime.shtml
Note: An established TCP connection with a three-way handshake is
required to trigger the SAF vulnerabilities.
Vulnerability Scoring Details
+----------------------------
Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at
http://intellishield.cisco.com/security/alertmanager/cvss
* CSCtf97162 - CCM Application Restarts During TCP Flood
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCtc61990 - Coredump may be experienced when processing
certain SIP packets
CVSS Base Score - 7.1
Access Vector - Network
Access Complexity - Medium
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 5.9
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCth43256 - Coredump may be experienced when processing
certain SIP packets
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCth26669 - CUCM may experience a reload when receiving certain
UCM client msgs
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCth19417 - CUCM may experience a reload when receiving certain
UCM client msgs
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of the vulnerabilities that are described in
this advisory could result in the interruption of voice services. In
certain instances, the affected Cisco Unified Communications Manager
processes will restart, but repeated attacks may result in a
sustained DoS condition.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to
determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
Cisco recommends upgrading to a release equal to or later than the
release in the Recommended Releases column of the table.
+---------------------------------------+
| Cisco Unified | Recommended |
| Communications Manager | Releases |
| Version | |
|-------------------------+-------------|
| 6.x | 6.1(5)SU3 |
|-------------------------+-------------|
| 7.x | 7.1(5b)SU4 |
|-------------------------+-------------|
| 8.0 | 8.0(3a)SU2 |
|-------------------------+-------------|
| 8.5 | 8.5(1)SU2, |
| | 8.6(1) |
+---------------------------------------+
Workarounds
===========
A workaround exists for the SIP DoS vulnerabilities. SIP processing is enabled by
default. Customers who do not require SIP processing can use the
following instructions to disable SIP processing:
* Step 1: Log into the Cisco Unified Communications Manager
Administration Interface.
* Step 3: Change the SIP Interoperability Enabled parameter to
False, and click Save.
Note: For a SIP processing change to take effect, the Cisco
CallManager service must be restarted. For information on how to
restart the service, refer to the "Restarting the Cisco CallManager
Service" section of the document at the following location:
http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/admin/7_1_2/ccmcfg/b03dpi.html#wp1075124
It is possible to mitigate these vulnerabilities by implementing
filtering on screening devices and only permitting access to TCP
ports 5060 and 5061 and UDP ports 5060 and 5061 from networks that
require SIP access to Cisco Unified Communications Manager servers.
A workaround exists for the DoS vulnerabilities involving the Packet
Capture Service in Cisco Communications Manager version 4.x.
Customers who do not require the Packet Capture Service for
troubleshooting can use the following instructions to disable this
process:
* Step 1: Log into the Cisco Unified Communications Manager
Administration web interface.
* Step 3: Change the Packet Capture Enabled parameter to False, and
click Save.
Note: For the Packet Capture Service change to take effect, the Cisco
CallManager service must be restarted. For information on how to
restart the service, refer to the "Restarting the Cisco CallManager
Service" section of the document at the following location:
http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/admin/7_1_2/ccmcfg/b03dpi.html#wp1075124
Additional mitigations that can be deployed on Cisco devices in the
network are available in the companion document "Cisco Applied
Mitigation Bulletin: Identifying and Mitigating Exploitation of the
Multiple Vulnerabilities in Cisco Unified Communications Manager"
which is available at the following location:
http://www.cisco.com/warp/public/707/cisco-amb-20110824-cucm-ime.shtml
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should
consult their maintenance provider or check the software for feature
set compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound
by the terms of Cisco's software license terms found at
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html
or as otherwise set forth at Cisco.com Downloads at:
http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, this means that
upgrades should be obtained through the Software Center on Cisco's
worldwide website at http://www.cisco.com
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco
service contract, and customers who purchase through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should acquire upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to
a free upgrade. Free upgrades for non-contract customers must be
requested through the TAC.
Refer to:
http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
for additional TAC contact information, including localized telephone
numbers, and instructions and e-mail addresses for use in various
languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerabilities described in this advisory.
These vulnerabilities were found during internal testing and during
the troubleshooting of customer service requests.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at:
http://www.cisco.com/warp/public/707/cisco-sa-20110824-cucm.shtml
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+---------------------------------------+
| Revision | | Initial |
| 1.0 | 2011-August-24 | public |
| | | release. |
+---------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This includes instructions for press inquiries regarding Cisco security notices.
All Cisco security advisories are available at:
http://www.cisco.com/go/psirt
+--------------------------------------------------------------------
Copyright 2010-2011 Cisco Systems, Inc. All rights reserved.
+--------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (SunOS)
iFcDBQFOVFpYQXnnBKKRMNARCOCeAPwP66zH85V+OOW8YRl94JMDc+UpiRzqoqUl
6C0WGFrBJgD/eR7bXF71he/ByVHVpfpY3qaX8M45+MqcqzIDrM6hbCY=
=kz9x
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
.
There are no available workarounds to mitigate these vulnerabilities.
Details
=======
Cisco Intercompany Media Engine provides a technique for establishing
direct IP connectivity between enterprises by combining peer-to-peer
technologies with the existing public switched telephone network
(PSTN) infrastructure. ----------------------------------------------------------------------
The Secunia CSI 5.0 Beta - now available for testing
Find out more, take a free test drive, and share your opinion with us:
http://secunia.com/blog/242
----------------------------------------------------------------------
TITLE:
Cisco Unified Communications Manager Multiple Denial of Service
Vulnerabilities
SECUNIA ADVISORY ID:
SA45738
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/45738/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=45738
RELEASE DATE:
2011-08-25
DISCUSS ADVISORY:
http://secunia.com/advisories/45738/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/45738/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=45738
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Multiple vulnerabilities have been reported in Cisco Unified
Communications Manager, which can be exploited by malicious people to
cause a DoS (Denial of Service).
Note: This vulnerability only affects version 7.0.x and later.
The vulnerabilities are reported in versions 6.x, 7.x, and 8.x.
SOLUTION:
Update to version 6.1(5)SU3, 7.1(5b)SU4, 8.0(3a)SU2, 8.5(1)SU2, or
8.6(1).
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
http://www.cisco.com/warp/public/707/cisco-sa-20110824-cucm.shtml
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-201108-0132 | CVE-2011-3192 |
Apache HTTPD 1.3/2.x Range header DoS vulnerability
Related entries in the VARIoT exploits database: VAR-E-201108-0001, VAR-E-201108-0002, VAR-E-201112-0005 |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
The byterange filter in the Apache HTTP Server 1.3.x, 2.0.x through 2.0.64, and 2.2.x through 2.2.19 allows remote attackers to cause a denial of service (memory and CPU consumption) via a Range header that expresses multiple overlapping ranges, as exploited in the wild in August 2011, a different vulnerability than CVE-2007-0086. Apache HTTPD server contains a denial-of-service vulnerability in the way multiple overlapping ranges are handled. Both the 'Range' header and the 'Range-Request' header are vulnerable. An attack tool, commonly known as 'Apache Killer', has been released in the wild. The attack tool causes a significant increase in CPU and memory usage on the server.
Successful exploits will result in a denial-of-service condition.
Please review the CVE identifiers referenced below for details.
Impact
======
A remote attacker might obtain sensitive information, gain privileges,
send requests to unintended servers behind proxies, bypass certain
security restrictions, obtain the values of HTTPOnly cookies, or cause
a Denial of Service in various ways.
A local attacker could gain escalated privileges.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Apache HTTP Server users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=www-servers/apache-2.2.22-r1"
References
==========
[ 1 ] CVE-2010-0408
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0408
[ 2 ] CVE-2010-0434
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0434
[ 3 ] CVE-2010-1452
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1452
[ 4 ] CVE-2010-2791
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2791
[ 5 ] CVE-2011-3192
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3192
[ 6 ] CVE-2011-3348
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3348
[ 7 ] CVE-2011-3368
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3368
[ 8 ] CVE-2011-3607
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3607
[ 9 ] CVE-2011-4317
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4317
[ 10 ] CVE-2012-0021
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0021
[ 11 ] CVE-2012-0031
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0031
[ 12 ] CVE-2012-0053
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0053
[ 13 ] CVE-2012-0883
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0883
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201206-25.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2012 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
.
HP System Management Homepage (SMH) before v7.0 running on Linux and Windows. For other issues about the content of this Security Bulletin, send e-mail to security-alert@hp.com. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c02997184
Version: 4
HPSBUX02702 SSRT100606 rev.4 - HP-UX Apache Web Server, Remote Denial of Service (DoS)
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2011-09-08
Last Updated: 2011-09-23
-----------------------------------------------------------------------------
Potential Security Impact: Remote Denial of Service (DoS)
Source: Hewlett-Packard Company, HP Software Security Response Team
VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified with HP-UX Apache Web Server. These vulnerabilities could be exploited remotely to create a Denial of Service (DoS).
References: CVE-2011-3192, CVE-2011-0419
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP-UX B.11.23, B.11.31 running HP-UX Apache Web Server Suite v3.17 containing Apache v2.2.15.07 or earlier
HP-UX B.11.11 running HP-UX Apache Web Server Suite v2.33 containing Apache v2.0.64.01 or earlier
BACKGROUND
CVSS 2.0 Base Metrics
===========================================================
Reference Base Vector Base Score
CVE-2011-3192 (AV:N/AC:L/Au:N/C:N/I:N/A:C) 7.8
CVE-2011-0419 (AV:N/AC:M/Au:N/C:N/I:N/A:P) 4.3
===========================================================
Information on CVSS is documented
in HP Customer Notice: HPSN-2008-002
RESOLUTION
This bulletin will be revised when additional information becomes available.
HP has provided the following software updates to resolve these vulnerabilities.
HP-UX Web Server Suite (WSS) v3.18 containing Apache v2.2.15.08
The WSS v3.18 update is available for download from the following location
https://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=HPUXWSATW318
HP-UX 11i Releases / Apache Depot name
B.11.23 & B.11.31 (32-bit) / HPUXWS22ATW-B318-32.depot
B.11.23 & B.11.31 (64-bit) / HPUXWS22ATW-B318-64.depot
HP-UX Web Server Suite (WSS) v2.33 containing Apache v2.0.64.01 and earlier
The WSS v2.33 preliminary update is available for download from the following location
ftp://srt10606:P2xg=AD5@ftp.usa.hp.com or
https://ftp.usa.hp.com/hprc/home with
username srt10606 and password P2xg=AD5
NOTE: CVE-2011-0419 is not resolved in the WSS v2.33 depot below.
HP-UX 11i Release / Apache Depot name
B.11.11 / Apache-2.0-CVE-2011-3192-Fix-11.11.depot
B.11.23 (32 & 64-bit) / No longer supported. Upgrade to WSS v 3.18
B.11.31 (32 & 64-bit) / No longer supported. Upgrade to WSS v 3.18
Alternatives to Installing the WSS v2.33 Preliminary Patch
The Apache Software Foundation has documented a work around. For customers not wanting to install the WSS v2.33 preliminary patch, the following are recommended.
1) Use SetEnvIf or mod_rewrite to detect a large number of ranges and then either ignore the Range: header or reject the request.
2) Limit the size of the request field to a few hundred bytes.
3) Use mod_headers to completely disallow the use of Range headers.
Please refer to the Apache advisory for details. http://mail-archives.apache.org/mod_mbox/httpd-announce/201108.mbox/%3c20110826103531.998348F82@minotaur.apache.org%3e
MANUAL ACTIONS: Yes - Update
For B.11.23 and B.11.31 install HP-UX Web Server Suite v3.18 or subsequent.
For B.11.11 install HP-UX Web Server Suite v2.33 or subsequent.
PRODUCT SPECIFIC INFORMATION
HP-UX Software Assistant: HP-UX Software Assistant is an enhanced application that replaces HP-UX Security Patch Check. It analyzes all Security Bulletins issued by HP and lists recommended actions that may apply to a specific HP-UX system. It can also download patches and create a depot automatically. For more information see https://www.hp.com/go/swa
The following text is for use by the HP-UX Software Assistant.
AFFECTED VERSIONS
HP-UX Web Server Suite v3.18
HP-UX B.11.23
HP-UX B.11.31
==================
hpuxws22APCH32.APACHE
hpuxws22APCH32.APACHE2
hpuxws22APCH32.AUTH_LDAP
hpuxws22APCH32.AUTH_LDAP2
hpuxws22APCH32.MOD_JK
hpuxws22APCH32.MOD_JK2
hpuxws22APCH32.MOD_PERL
hpuxws22APCH32.MOD_PERL2
hpuxws22APCH32.PHP
hpuxws22APCH32.PHP2
hpuxws22APCH32.WEBPROXY
hpuxws22APCH32.WEBPROXY2
hpuxws22APACHE.APACHE
hpuxws22APACHE.APACHE2
hpuxws22APACHE.AUTH_LDAP
hpuxws22APACHE.AUTH_LDAP2
hpuxws22APACHE.MOD_JK
hpuxws22APACHE.MOD_JK2
hpuxws22APACHE.MOD_PERL
hpuxws22APACHE.MOD_PERL2
hpuxws22APACHE.PHP
hpuxws22APACHE.PHP2
hpuxws22APACHE.WEBPROXY
hpuxws22APACHE.WEBPROXY2
action: install revision B.2.2.15.08 or subsequent
HP-UX Web Server Suite v2.33
HP-UX B.11.11
==================
hpuxwsAPACHE.APACHE
hpuxwsAPACHE.APACHE2
hpuxwsAPACHE.AUTH_LDAP
hpuxwsAPACHE.AUTH_LDAP2
hpuxwsAPACHE.MOD_JK
hpuxwsAPACHE.MOD_JK2
hpuxwsAPACHE.MOD_PERL
hpuxwsAPACHE.MOD_PERL2
hpuxwsAPACHE.PHP
hpuxwsAPACHE.PHP2
hpuxwsAPACHE.WEBPROXY
action: install revision B.2.0.64.01 or subsequent
END AFFECTED VERSIONS
HISTORY
Version:1 (rev.1) - 8 September 2011 Initial release
Version:2 (rev.2) - 8 September 2011 Updated affectivity, recommendations, typos
Version:3 (rev.3) - 22 September 2011 New source for depots
Version:4 (rev.4) - 23 September 2011 Apache WSS 2.33 depot for B.11.11 available
Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy.
Support: For further information, contact normal HP Services support channel.
Report: To report a potential security vulnerability with any HP supported product, send Email to: security-alert@hp.com
Subscribe: To initiate a subscription to receive future HP Security Bulletin alerts via Email: http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins
Security Bulletin List: A list of HP Security Bulletins, updated periodically, is contained in HP Security Notice HPSN-2011-001: https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c02964430
3C = 3COM
3P = 3rd Party Software
GN = HP General Software
HF = HP Hardware and Firmware
MP = MPE/iX
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PI = Printing and Imaging
PV = ProCurve
ST = Storage Software
TU = Tru64 UNIX
UX = HP-UX
Copyright 2011 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental,special or consequential damages including downtime cost; lost profits;damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett-Packard Company and the names of Hewlett-Packard products referenced herein are trademarks of Hewlett-Packard Company in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iEYEARECAAYFAk6BAtkACgkQ4B86/C0qfVkSawCgo1Kh0PqJsgb9du7mlIChfMAb
l84AniniivdPKtMblybUY1mLV942e+1n
=v0q9
-----END PGP SIGNATURE-----
. This update fixes this bug. This vulnerability
allows an attacker to cause Apache HTTPD to use an excessive amount of
memory, causing a denial of service.
CVE-2010-1452
A vulnerability has been found in mod_dav that allows an attacker to
cause a daemon crash, causing a denial of service. This issue only
affects the Debian 5.0 oldstable/lenny distribution.
The regression has been fixed in the following packages:
For the oldstable distribution (lenny), this problem has been fixed
in version 2.2.9-10+lenny11.
For the stable distribution (squeeze), this problem has been fixed in
version 2.2.16-6+squeeze3.
For the testing distribution (wheezy), this problem will be fixed in
version 2.2.20-1.
For the unstable distribution (sid), this problem has been fixed in
version 2.2.20-1.
We recommend that you upgrade your apache2 packages.
This update also contains updated apache2-mpm-itk packages which have
been recompiled against the updated apache2 packages. The new version
number for the oldstable distribution is 2.2.6-02-1+lenny6. In the
stable distribution, apache2-mpm-itk has the same version number as
apache2. New packages are available
for Slackware 12.0, 12.1, 12.2, 13.0, 13.1, 13.37, and -current.
Here are the details from the Slackware 13.37 ChangeLog:
+--------------------------+
patches/packages/httpd-2.2.20-i486-1_slack13.37.txz: Upgraded.
PR 51714. [Stefan Fritsch, Jim Jagielski, Ruediger Pluem, Eric Covener]
For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3192
(* Security fix *)
+--------------------------+
Where to find the new packages:
+-----------------------------+
Thanks to the friendly folks at the OSU Open Source Lab
(http://osuosl.org) for donating FTP and rsync hosting
to the Slackware project! :-)
Also see the "Get Slack" section on http://slackware.com for
additional mirror sites near you.
ftp://ftp.slackware.com/pub/slackware/slackware-12.0/patches/packages/httpd-2.2.20-i486-1_slack12.0.tgz
Updated package for Slackware 12.1:
ftp://ftp.slackware.com/pub/slackware/slackware-12.1/patches/packages/httpd-2.2.20-i486-1_slack12.1.tgz
Updated package for Slackware 12.2:
ftp://ftp.slackware.com/pub/slackware/slackware-12.2/patches/packages/httpd-2.2.20-i486-1_slack12.2.tgz
Updated package for Slackware 13.0:
ftp://ftp.slackware.com/pub/slackware/slackware-13.0/patches/packages/httpd-2.2.20-i486-1_slack13.0.txz
Updated package for Slackware x86_64 13.0:
ftp://ftp.slackware.com/pub/slackware/slackware64-13.0/patches/packages/httpd-2.2.20-x86_64-1_slack13.0.txz
Updated package for Slackware 13.1:
ftp://ftp.slackware.com/pub/slackware/slackware-13.1/patches/packages/httpd-2.2.20-i486-1_slack13.1.txz
Updated package for Slackware x86_64 13.1:
ftp://ftp.slackware.com/pub/slackware/slackware64-13.1/patches/packages/httpd-2.2.20-x86_64-1_slack13.1.txz
Updated package for Slackware 13.37:
ftp://ftp.slackware.com/pub/slackware/slackware-13.37/patches/packages/httpd-2.2.20-i486-1_slack13.37.txz
Updated package for Slackware x86_64 13.37:
ftp://ftp.slackware.com/pub/slackware/slackware64-13.37/patches/packages/httpd-2.2.20-x86_64-1_slack13.37.txz
Updated package for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/httpd-2.2.20-i486-1.txz
Updated package for Slackware x86_64 -current:
ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/n/httpd-2.2.20-x86_64-1.txz
MD5 signatures:
+-------------+
Slackware 12.0 package:
1c5d2923bf5ee56ea5b26a14f4bef750 httpd-2.2.20-i486-1_slack12.0.tgz
Slackware 12.1 package:
1afa27da8d2d897f871fb5fe91832f04 httpd-2.2.20-i486-1_slack12.1.tgz
Slackware 12.2 package:
883d978f2eb2fa09e0094096860995ef httpd-2.2.20-i486-1_slack12.2.tgz
Slackware 13.0 package:
db6935f7ce78acd0cf63bfed97497334 httpd-2.2.20-i486-1_slack13.0.txz
Slackware x86_64 13.0 package:
8c976a586a885b33c910c71a4cb655c9 httpd-2.2.20-x86_64-1_slack13.0.txz
Slackware 13.1 package:
eab2ada5def61d8734a80e887b10edc7 httpd-2.2.20-i486-1_slack13.1.txz
Slackware x86_64 13.1 package:
378da86cc706426c68cb3404bceb146c httpd-2.2.20-x86_64-1_slack13.1.txz
Slackware 13.37 package:
ac06dfbefebd419d7bebf3f18ddd1304 httpd-2.2.20-i486-1_slack13.37.txz
Slackware x86_64 13.37 package:
c650ee26fde72c7e6524784fa63ff8b8 httpd-2.2.20-x86_64-1_slack13.37.txz
Slackware -current package:
7afbbaae7ed7605620ad76dc9ae1146b n/httpd-2.2.20-i486-1.txz
Slackware x86_64 -current package:
5ef29bd575c49645496cbfc4fe657c84 n/httpd-2.2.20-x86_64-1.txz
Installation instructions:
+------------------------+
Upgrade the package as root:
# upgradepkg httpd-2.2.20-i486-1_slack13.37.txz
Then, restart the httpd daemon.
+-----+
Slackware Linux Security Team
http://slackware.com/gpg-key
security@slackware.com
+------------------------------------------------------------------------+
| To leave the slackware-security mailing list: |
+------------------------------------------------------------------------+
| Send an email to majordomo@slackware.com with this text in the body of |
| the email message: |
| |
| unsubscribe slackware-security |
| |
| You will get a confirmation message back containing instructions to |
| complete the process. Please do not reply to this email address. ----------------------------------------------------------------------
Ovum says ad hoc tools are out-dated. The best practice approach?
Fast vulnerability intelligence, threat handling, and setup in one tool.
Read the new report on the Secunia VIM:
http://secunia.com/products/corporate/vim/ovum_2011_request/
----------------------------------------------------------------------
TITLE:
Hitachi Products ByteRange Filter Denial of Service Vulnerability
SECUNIA ADVISORY ID:
SA46229
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/46229/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=46229
RELEASE DATE:
2011-10-30
DISCUSS ADVISORY:
http://secunia.com/advisories/46229/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/46229/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=46229
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Hitachi has acknowledged a vulnerability in multiple Hitachi
products, which can be exploited by malicious people to cause a DoS
(Denial of Service).
ORIGINAL ADVISORY:
Hitachi (Japanese):
http://www.hitachi.co.jp/Prod/comp/soft1/security/info/./vuls/HS11-020/index.html
http://www.hitachi.co.jp/Prod/comp/soft1/security/info/./vuls/HS11-021/index.html
http://www.hitachi.co.jp/Prod/comp/soft1/security/info/./vuls/HS11-022/index.html
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-201108-0311 | No CVE | Citrix Access Gateway login page cross-site scripting vulnerability |
CVSS V2: - CVSS V3: - Severity: - |
Citrix Access Gateway is a universal SSL VPN device. Part of the input on the relevant login page is missing filtering before returning to the user, and the attacker can exploit the vulnerability for cross-site scripting attacks, executing arbitrary HTML and script code on the target user's browser. Get sensitive information or hijack user sessions. The Citrix Access Gateway is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
Citrix Access Gateway Enterprise Edition versions 9.2-49.8 and prior are vulnerable. ----------------------------------------------------------------------
The Secunia CSI 5.0 Beta - now available for testing
Find out more, take a free test drive, and share your opinion with us:
http://secunia.com/blog/242
----------------------------------------------------------------------
TITLE:
Citrix Access Gateway Unspecified Cross-Site Scripting Vulnerability
SECUNIA ADVISORY ID:
SA45726
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/45726/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=45726
RELEASE DATE:
2011-08-25
DISCUSS ADVISORY:
http://secunia.com/advisories/45726/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/45726/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=45726
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
A vulnerability has been reported in Citrix Access Gateway, which can
be exploited by malicious people to conduct cross-site scripting
attacks.
Certain unspecified input related to the logon portal is not properly
sanitised before being returned to the user.
SOLUTION:
Apply update.
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
http://support.citrix.com/article/CTX129971
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-201108-0296 | No CVE | SAP Netweaver \"EPS_DELETE_FILE()\" Arbitrary File Removal Vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
SAP NetWeaver is a service-oriented application and integration platform. Provides a development and runtime environment for SAP applications, as well as custom development and integration with other applications and systems. SAP NetWeaver has any file deletion vulnerability in the implementation of EPS_DELETE_FILE(). This vulnerability can be exploited by remote attackers to delete any file on the affected computer or to steal the hash of the SAP server account in the Windows environment through SMBRelay attack. An attacker can use the default SAP account (such as TMSADM or SAPCPIC) to remotely execute the function EPS_DELETE_FILE to delete any file in the OS, or send a hash of the SAP account to the remote host or perform a smbrelay attack.
Attackers can exploit this issue with directory-traversal strings ('../') to delete arbitrary files; this may aid in launching further attacks
| VAR-201108-0291 | CVE-2011-2827 | Google Chrome Service disruption in (DoS) Vulnerabilities |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Use-after-free vulnerability in Google Chrome before 13.0.782.215 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to text searching. Google Chrome Has a deficiency in processing related to text search. (DoS) There are vulnerabilities that can be in a state or are otherwise unaffected.Service disruption by a third party (DoS) You may be put into a state or affected by other details. Google Chrome is prone to multiple vulnerabilities.
Attackers can exploit these issues to execute arbitrary code in the context of the browser, cause denial-of-service conditions, perform spoofing attacks, and bypass the same-origin policy; other attacks may also be possible.
Versions prior to Chrome 13.0.782.215 are vulnerable. Google Chrome is a web browser developed by Google (Google). -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
APPLE-SA-2011-10-12-4 Safari 5.1.1
Safari 5.1.1 is now available and addresses the following:
Safari
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7.2, OS X Lion Server v10.7.2, Windows 7, Vista,
XP SP2 or later
Impact: Visiting a malicious website may cause the execution of
arbitrary Javascript in the context of installed Safari Extensions
Description: A directory traversal issue existed in the handling of
safari-extension:// URLs. Visiting a malicious website may cause
execution of arbitrary Javascript in the context of installed Safari
Extensions, which may have context-dependent ramifications including
files from the user's system being sent to a remote server.
CVE-ID
CVE-2011-3229 : Aaron Sigel of vtty.com
Safari
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7.2, OS X Lion Server v10.7.2
Impact: Visiting a malicious website may lead to arbitrary code
execution
Description: A policy issue existed in the handling of file:// URLs.
This issue does not affect Windows systems.
CVE-ID
CVE-2011-3230 : Aaron Sigel of vtty.com
Safari
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8
Impact: Visiting a malicious website may lead to arbitrary code
execution
Description: An uninitialized memory access issue existed in the
handling of SSL certificates. This issue does not affect OS X Lion
systems or Windows systems.
CVE-ID
CVE-2011-3231 : Jason Broccardo of Fermi National Accelerator
Laboratory
WebKit
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7.2, OS X Lion Server v10.7.2, Windows 7, Vista,
XP SP2 or later
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in WebKit.
CVE-ID
CVE-2011-1440 : Jose A. Vazquez of spa-s3c.blogspot.com
CVE-2011-2338 : Abhishek Arya (Inferno) of Google Chrome Security
Team using AddressSanitizer
CVE-2011-2339 : Cris Neckar of the Google Chrome Security Team
CVE-2011-2341 : Apple
CVE-2011-2351 : miaubiz
CVE-2011-2352 : Apple
CVE-2011-2354 : Apple
CVE-2011-2356 : Adam Barth and Abhishek Arya of Google Chrome
Security Team using AddressSanitizer
CVE-2011-2359 : miaubiz
CVE-2011-2788 : Mikolaj Malecki of Samsung
CVE-2011-2790 : miaubiz
CVE-2011-2792 : miaubiz
CVE-2011-2797 : miaubiz
CVE-2011-2799 : miaubiz
CVE-2011-2809 : Abhishek Arya (Inferno) of Google Chrome Security
Team
CVE-2011-2811 : Apple
CVE-2011-2813 : Cris Neckar of Google Chrome Security Team using
AddressSanitizer
CVE-2011-2814 : Abhishek Arya (Inferno) of Google Chrome Security
Team using AddressSanitizer
CVE-2011-2815 : SkyLined of Google Chrome Security Team
CVE-2011-2816 : Apple
CVE-2011-2817 : Abhishek Arya (Inferno) of Google Chrome Security
Team using AddressSanitizer
CVE-2011-2818 : Martin Barbella
CVE-2011-2820 : Raman Tenneti and Philip Rogers of Google
CVE-2011-2823 : SkyLined of Google Chrome Security Team
CVE-2011-2827 : miaubiz
CVE-2011-2831 : Abhishek Arya (Inferno) of Google Chrome Security
Team using AddressSanitizer
CVE-2011-3232 : Aki Helin of OUSPG
CVE-2011-3233 : Sadrul Habib Chowdhury of the Chromium development
community, Cris Neckar and Abhishek Arya (Inferno) of Google Chrome
Security Team
CVE-2011-3234 : miaubiz
CVE-2011-3235 : Dimitri Glazkov, Kent Tamura, Dominic Cooney of the
Chromium development community, and Abhishek Arya (Inferno) of Google
Chrome Security Team
CVE-2011-3236 : Abhishek Arya (Inferno) of Google Chrome Security
Team using AddressSanitizer
CVE-2011-3237 : Dimitri Glazkov, Kent Tamura, Dominic Cooney of the
Chromium development community, and Abhishek Arya (Inferno) of Google
Chrome Security Team
CVE-2011-3238 : Martin Barbella
CVE-2011-3239 : Slawomir Blazek
CVE-2011-3241 : Apple
WebKit
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7.2, OS X Lion Server v10.7.2, Windows 7, Vista,
XP SP2 or later
Impact: A maliciously crafted website may be able to track the URLs
that a user visits within a frame
Description: A cross-origin issue existed in the handling of the
beforeload event.
CVE-ID
CVE-2011-2800 : Juho Nurminen
WebKit
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7.2, OS X Lion Server v10.7.2, Windows 7, Vista,
XP SP2 or later
Impact: Visiting a maliciously crafted website may lead to a cross-
site scripting attack
Description: A cross-origin issue existed in the handling of the
window.open method.
CVE-ID
CVE-2011-2805 : Sergey Glazunov
WebKit
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7.2, OS X Lion Server v10.7.2, Windows 7, Vista,
XP SP2 or later
Impact: Visiting a maliciously crafted website may lead to a cross-
site scripting attack
Description: A cross-origin issue existed in the handling of the
document.documentURI property.
CVE-ID
CVE-2011-2819 : Sergey Glazunov
WebKit
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7.2, OS X Lion Server v10.7.2, Windows 7, Vista,
XP SP2 or later
Impact: Visiting a maliciously crafted website may lead to a cross-
site scripting attack
Description: A cross-origin issue existed in the handling of
inactive DOM windows.
CVE-ID
CVE-2011-3243 : Sergey Glazunov
WebKit
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7.2, OS X Lion Server v10.7.2
Impact: In Private Browsing mode, cookies may be set even if "Block
cookies" is set to "Always"
Description: A logic issue existed in the handling of cookies in
Private Browsing mode. This issue does not affect Windows systems.
CVE-ID
CVE-2011-3242 : John Adamczyk
Safari 5.1.1 is available via the Apple Software Update
application, or Apple's Safari download site at:
http://www.apple.com/safari/download/
Safari for OS X Lion v10.7.2
The download file is named: Safari5.1.1Lion.dmg
Its SHA-1 digest is: 368113397d35475a0a4d0b0dbf3b31f543cfb4c5
Safari for Mac OS X v10.6.8
The download file is named: Safari5.1.1SnowLeopard.dmg
Its SHA-1 digest is: 4c588d86032ab24984b721354748f028b559fb37
Safari for Windows 7, Vista or XP
The download file is named: SafariSetup.exe
Its SHA-1 digest is: 5a2d3e0c0e601938f1d64d517e6a8199cd563d10
Safari for Windows 7, Vista or XP from the Microsoft Choice Screen
The download file is named: Safari_Setup.exe
Its SHA-1 digest is: f0094f19b7a6b0a96a4fe6407b0037223ae44b15
Safari+QuickTime for Windows 7, Vista or XP
The file is named: SafariQuickTimeSetup.exe
Its SHA-1 digest is: 3dbfe52e5be6409d0ad1fcb22e747963e10db218
Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.16 (Darwin)
iQEcBAEBAgAGBQJOlLv6AAoJEGnF2JsdZQeeqOUH/RWDBq5xXEegxI+N92+9lB42
J6ZBcO8rrigAhYz59ZJG0NF8VGZI0DSFI+dxC8XeoKfiamvkaZo1lYGLdqWiTkxz
6ODprWbfGVcwFd9rNeCbIc9E5FV0SRbS1xCv+JnrwR2i2raqgAEWc4CpAcH5mgqT
5G2cWhwS8EMUNXZz/C0IjkfNBAjQ2c9BHVHj0Wid5vyXutju3WOcBXwqcbTpNANI
NiVHf5ucaRep6110riIYazuCdFLCcwZDaySw2n2ZhelliTz1tpCa7uVoJfZjyeyw
xwY/QjLDBTSpUYDTPC//XG7ZswptKHFjrX4KtxD9XTltq5wNGJavJzKf2qa4jrM=
=ZXdu
-----END PGP SIGNATURE-----
| VAR-201108-0287 | CVE-2011-2823 | Google Chrome Denial of service in Japan (DoS) Vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Use-after-free vulnerability in Google Chrome before 13.0.782.215 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors involving a line box. Google Chrome is prone to multiple vulnerabilities.
Attackers can exploit these issues to execute arbitrary code in the context of the browser, cause denial-of-service conditions, perform spoofing attacks, and bypass the same-origin policy; other attacks may also be possible.
Versions prior to Chrome 13.0.782.215 are vulnerable. Google Chrome is a web browser developed by Google (Google). -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
APPLE-SA-2011-10-12-4 Safari 5.1.1
Safari 5.1.1 is now available and addresses the following:
Safari
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7.2, OS X Lion Server v10.7.2, Windows 7, Vista,
XP SP2 or later
Impact: Visiting a malicious website may cause the execution of
arbitrary Javascript in the context of installed Safari Extensions
Description: A directory traversal issue existed in the handling of
safari-extension:// URLs. Visiting a malicious website may cause
execution of arbitrary Javascript in the context of installed Safari
Extensions, which may have context-dependent ramifications including
files from the user's system being sent to a remote server.
CVE-ID
CVE-2011-3229 : Aaron Sigel of vtty.com
Safari
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7.2, OS X Lion Server v10.7.2
Impact: Visiting a malicious website may lead to arbitrary code
execution
Description: A policy issue existed in the handling of file:// URLs.
This issue does not affect Windows systems.
CVE-ID
CVE-2011-3230 : Aaron Sigel of vtty.com
Safari
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8
Impact: Visiting a malicious website may lead to arbitrary code
execution
Description: An uninitialized memory access issue existed in the
handling of SSL certificates. This issue does not affect OS X Lion
systems or Windows systems.
CVE-ID
CVE-2011-3231 : Jason Broccardo of Fermi National Accelerator
Laboratory
WebKit
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7.2, OS X Lion Server v10.7.2, Windows 7, Vista,
XP SP2 or later
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in WebKit.
CVE-ID
CVE-2011-1440 : Jose A. Vazquez of spa-s3c.blogspot.com
CVE-2011-2338 : Abhishek Arya (Inferno) of Google Chrome Security
Team using AddressSanitizer
CVE-2011-2339 : Cris Neckar of the Google Chrome Security Team
CVE-2011-2341 : Apple
CVE-2011-2351 : miaubiz
CVE-2011-2352 : Apple
CVE-2011-2354 : Apple
CVE-2011-2356 : Adam Barth and Abhishek Arya of Google Chrome
Security Team using AddressSanitizer
CVE-2011-2359 : miaubiz
CVE-2011-2788 : Mikolaj Malecki of Samsung
CVE-2011-2790 : miaubiz
CVE-2011-2792 : miaubiz
CVE-2011-2797 : miaubiz
CVE-2011-2799 : miaubiz
CVE-2011-2809 : Abhishek Arya (Inferno) of Google Chrome Security
Team
CVE-2011-2811 : Apple
CVE-2011-2813 : Cris Neckar of Google Chrome Security Team using
AddressSanitizer
CVE-2011-2814 : Abhishek Arya (Inferno) of Google Chrome Security
Team using AddressSanitizer
CVE-2011-2815 : SkyLined of Google Chrome Security Team
CVE-2011-2816 : Apple
CVE-2011-2817 : Abhishek Arya (Inferno) of Google Chrome Security
Team using AddressSanitizer
CVE-2011-2818 : Martin Barbella
CVE-2011-2820 : Raman Tenneti and Philip Rogers of Google
CVE-2011-2823 : SkyLined of Google Chrome Security Team
CVE-2011-2827 : miaubiz
CVE-2011-2831 : Abhishek Arya (Inferno) of Google Chrome Security
Team using AddressSanitizer
CVE-2011-3232 : Aki Helin of OUSPG
CVE-2011-3233 : Sadrul Habib Chowdhury of the Chromium development
community, Cris Neckar and Abhishek Arya (Inferno) of Google Chrome
Security Team
CVE-2011-3234 : miaubiz
CVE-2011-3235 : Dimitri Glazkov, Kent Tamura, Dominic Cooney of the
Chromium development community, and Abhishek Arya (Inferno) of Google
Chrome Security Team
CVE-2011-3236 : Abhishek Arya (Inferno) of Google Chrome Security
Team using AddressSanitizer
CVE-2011-3237 : Dimitri Glazkov, Kent Tamura, Dominic Cooney of the
Chromium development community, and Abhishek Arya (Inferno) of Google
Chrome Security Team
CVE-2011-3238 : Martin Barbella
CVE-2011-3239 : Slawomir Blazek
CVE-2011-3241 : Apple
WebKit
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7.2, OS X Lion Server v10.7.2, Windows 7, Vista,
XP SP2 or later
Impact: A maliciously crafted website may be able to track the URLs
that a user visits within a frame
Description: A cross-origin issue existed in the handling of the
beforeload event.
CVE-ID
CVE-2011-2800 : Juho Nurminen
WebKit
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7.2, OS X Lion Server v10.7.2, Windows 7, Vista,
XP SP2 or later
Impact: Visiting a maliciously crafted website may lead to a cross-
site scripting attack
Description: A cross-origin issue existed in the handling of the
window.open method.
CVE-ID
CVE-2011-2805 : Sergey Glazunov
WebKit
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7.2, OS X Lion Server v10.7.2, Windows 7, Vista,
XP SP2 or later
Impact: Visiting a maliciously crafted website may lead to a cross-
site scripting attack
Description: A cross-origin issue existed in the handling of the
document.documentURI property.
CVE-ID
CVE-2011-2819 : Sergey Glazunov
WebKit
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7.2, OS X Lion Server v10.7.2, Windows 7, Vista,
XP SP2 or later
Impact: Visiting a maliciously crafted website may lead to a cross-
site scripting attack
Description: A cross-origin issue existed in the handling of
inactive DOM windows.
CVE-ID
CVE-2011-3243 : Sergey Glazunov
WebKit
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7.2, OS X Lion Server v10.7.2
Impact: In Private Browsing mode, cookies may be set even if "Block
cookies" is set to "Always"
Description: A logic issue existed in the handling of cookies in
Private Browsing mode. This issue does not affect Windows systems.
CVE-ID
CVE-2011-3242 : John Adamczyk
Safari 5.1.1 is available via the Apple Software Update
application, or Apple's Safari download site at:
http://www.apple.com/safari/download/
Safari for OS X Lion v10.7.2
The download file is named: Safari5.1.1Lion.dmg
Its SHA-1 digest is: 368113397d35475a0a4d0b0dbf3b31f543cfb4c5
Safari for Mac OS X v10.6.8
The download file is named: Safari5.1.1SnowLeopard.dmg
Its SHA-1 digest is: 4c588d86032ab24984b721354748f028b559fb37
Safari for Windows 7, Vista or XP
The download file is named: SafariSetup.exe
Its SHA-1 digest is: 5a2d3e0c0e601938f1d64d517e6a8199cd563d10
Safari for Windows 7, Vista or XP from the Microsoft Choice Screen
The download file is named: Safari_Setup.exe
Its SHA-1 digest is: f0094f19b7a6b0a96a4fe6407b0037223ae44b15
Safari+QuickTime for Windows 7, Vista or XP
The file is named: SafariQuickTimeSetup.exe
Its SHA-1 digest is: 3dbfe52e5be6409d0ad1fcb22e747963e10db218
Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.16 (Darwin)
iQEcBAEBAgAGBQJOlLv6AAoJEGnF2JsdZQeeqOUH/RWDBq5xXEegxI+N92+9lB42
J6ZBcO8rrigAhYz59ZJG0NF8VGZI0DSFI+dxC8XeoKfiamvkaZo1lYGLdqWiTkxz
6ODprWbfGVcwFd9rNeCbIc9E5FV0SRbS1xCv+JnrwR2i2raqgAEWc4CpAcH5mgqT
5G2cWhwS8EMUNXZz/C0IjkfNBAjQ2c9BHVHj0Wid5vyXutju3WOcBXwqcbTpNANI
NiVHf5ucaRep6110riIYazuCdFLCcwZDaySw2n2ZhelliTz1tpCa7uVoJfZjyeyw
xwY/QjLDBTSpUYDTPC//XG7ZswptKHFjrX4KtxD9XTltq5wNGJavJzKf2qa4jrM=
=ZXdu
-----END PGP SIGNATURE-----
| VAR-201108-0289 | CVE-2011-2825 | Used in multiple products Webkit Service disruption in (DoS) Vulnerabilities |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Use-after-free vulnerability in Google Chrome before 13.0.782.215 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors involving custom fonts. Used in multiple products Webkit There is a service disruption (DoS) There are vulnerabilities that can be in a state or are otherwise unaffected.Service disruption by a third party (DoS) You may be put into a state or affected by other details. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Webkit. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within the parsing and utilization of font objects. When the code parses the @font-face CSS element it does not validate that the font-family is legitimate. Later, if the same font-family is applied within CSS the code will access an invalid element of its internal font object. This can be leveraged by a remote attacker to execute code under the context of the user running the browser. Google Chrome is prone to multiple vulnerabilities.
Attackers can exploit these issues to execute arbitrary code in the context of the browser, cause denial-of-service conditions, perform spoofing attacks, and bypass the same-origin policy; other attacks may also be possible.
Versions prior to Chrome 13.0.782.215 are vulnerable. Google Chrome is a web browser developed by Google (Google).
These could be used in a malicious web site to direct the user to a
spoofed site that visually appears to be a legitimate domain. This
issue is addressed through an improved domain name validity check.
This issue does not affect OS X systems.
CVE-ID
CVE-2012-0640 : nshah
WebKit
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7.3, OS X Lion Server v10.7.3, Windows 7, Vista,
XP SP2 or later
Impact: HTTP authentication credentials may be inadvertently
disclosed to another site
Description: If a site uses HTTP authentication and redirects to
another site, the authentication credentials may be sent to the other
site. ----------------------------------------------------------------------
Become a PSI 3.0 beta tester!
Test-drive the new beta version and tell us what you think about its extended automatic update function and significantly enhanced user-interface.
Download it here!
http://secunia.com/psi_30_beta_launch
----------------------------------------------------------------------
TITLE:
Apple iOS Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA48288
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/48288/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=48288
RELEASE DATE:
2012-03-09
DISCUSS ADVISORY:
http://secunia.com/advisories/48288/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/48288/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=48288
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
A weakness and multiple vulnerabilities have been reported in Apple
iOS, which can be exploited by malicious people with physical access
to bypass certain security restrictions and by malicious people to
disclose sensitive information, conduct cross-site scripting attacks,
bypass certain security restrictions, and compromise a user's device.
1) An error within the CFNetwork component when handling URLs can be
exploited to disclose sensitive information by tricking the user into
visiting a malicious website.
3) A logic error within the kernel does not properly handle debug
system calls and can be exploited to bypass the sandbox
restrictions.
4) An integer overflow error within the libresolv library when
handling DNS resource records can be exploited to corrupt heap
memory.
9) A cross-origin error in the WebKit component can be exploited to
bypass the same-origin policy and disclose a cookie by tricking the
user into visiting a malicious website.
10) An error within the WebKit component when handling drag-and-drop
actions can be exploited to conduct cross-site scripting attacks.
11) Multiple unspecified errors within the WebKit component can be
exploited to conduct cross-site scripting attacks.
12) Some vulnerabilities are caused due to a bundled vulnerable
version of WebKit.
SOLUTION:
Apply iOS 5.1 Software Update.
PROVIDED AND/OR DISCOVERED BY:
The vendor credits:
1) Erling Ellingsen, Facebook.
2, 8) pod2g.
3) 2012 iOS Jailbreak Dream Team.
5) Roland Kohler, the German Federal Ministry of Economics and
Technology.
6) Eric Melville, American Express.
9) Sergey Glazunov.
ORIGINAL ADVISORY:
Apple:
http://support.apple.com/kb/HT5192
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
APPLE-SA-2012-03-07-2 iOS 5.1 Software Update
iOS 5.1 Software Update is now available and addresses the following:
CFNetwork
Available for: iPhone 3GS, iPhone 4, iPhone 4S,
iPod touch (3rd generation) and later, iPad, iPad 2
Impact: Visiting a maliciously crafted website may lead to the
disclosure of sensitive information
Description: An issue existed in CFNetwork's handling of malformed
URLs. When accessing a maliciously crafted URL, CFNetwork could send
unexpected request headers.
CVE-ID
CVE-2012-0641 : Erling Ellingsen of Facebook
HFS
Available for: iPhone 3GS, iPhone 4, iPhone 4S,
iPod touch (3rd generation) and later, iPad, iPad 2
Impact: Mounting a maliciously crafted disk image may lead to a
device shutdown or arbitrary code execution
Description: An integer underflow existed with the handling of HFS
catalog files.
CVE-ID
CVE-2012-0642 : pod2g
Kernel
Available for: iPhone 3GS, iPhone 4, iPhone 4S,
iPod touch (3rd generation) and later, iPad, iPad 2
Impact: A malicious program could bypass sandbox restrictions
Description: A logic issue existed in the handling of debug system
calls. This may allow a malicious program to gain code execution in
other programs with the same user privileges.
CVE-ID
CVE-2012-0643 : 2012 iOS Jailbreak Dream Team
libresolv
Available for: iPhone 3GS, iPhone 4, iPhone 4S,
iPod touch (3rd generation) and later, iPad, iPad 2
Impact: Applications that use the libresolv library may be
vulnerable to an unexpected application termination or arbitrary code
execution
Description: An integer overflow existed in the handling of DNS
resource records, which may lead to heap memory corruption.
CVE-ID
CVE-2011-3453 : Ilja van Sprundel of IOActive
Passcode Lock
Available for: iPhone 3GS, iPhone 4, iPhone 4S,
iPod touch (3rd generation) and later, iPad, iPad 2
Impact: A person with physical access to the device may be able to
bypass the screen lock
Description: A race condition issue existed in the handling of slide
to dial gestures. This may allow a person with physical access to the
device to bypass the Passcode Lock screen.
CVE-ID
CVE-2012-0644 : Roland Kohler of the German Federal Ministry of
Economics and Technology
Safari
Available for: iPhone 3GS, iPhone 4, iPhone 4S,
iPod touch (3rd generation) and later, iPad, iPad 2
Impact: Web page visits may be recorded in browser history even when
Private Browsing is active
Description: Safari's Private Browsing is designed to prevent
recording of a browsing session. Pages visited as a result of a site
using the JavaScript methods pushState or replaceState were recorded
in the browser history even when Private Browsing mode was active.
This issue is addressed by not recording such visits when Private
Browsing is active.
CVE-ID
CVE-2012-0585 : Eric Melville of American Express
Siri
Available for: iPhone 3GS, iPhone 4, iPhone 4S,
iPod touch (3rd generation) and later, iPad, iPad 2
Impact: An attacker with physical access to a locked phone could get
access to frontmost email message
Description: A design issue existed in Siri's lock screen
restrictions. If Siri was enabled for use on the lock screen, and
Mail was open with a message selected behind the lock screen, a voice
command could be used to send that message to an arbitrary recipient.
This issue is addressed by disabling forwarding of active messages
from the lock screen.
CVE-ID
CVE-2012-0645
VPN
Available for: iPhone 3GS, iPhone 4, iPhone 4S,
iPod touch (3rd generation) and later, iPad, iPad 2
Impact: A maliciously crafted system configuration file may lead to
arbitrary code execution with system privileges
Description: A format string vulnerability existed in the handling
of racoon configuration files.
CVE-ID
CVE-2012-0646 : pod2g
WebKit
Available for: iPhone 3GS, iPhone 4, iPhone 4S,
iPod touch (3rd generation) and later, iPad, iPad 2
Impact: Visiting a maliciously crafted website may lead to the
disclosure of cookies
Description: A cross-origin issue existed in WebKit, which may allow
cookies to be disclosed across origins.
CVE-ID
CVE-2011-3887 : Sergey Glazunov
WebKit
Available for: iPhone 3GS, iPhone 4, iPhone 4S,
iPod touch (3rd generation) and later, iPad, iPad 2
Impact: Visiting a maliciously crafted website and dragging content
with the mouse may lead to a cross-site scripting attack
Description: A cross-origin issue existed in WebKit, which may allow
content to be dragged and dropped across origins.
CVE-ID
CVE-2012-0590 : Adam Barth of Google Chrome Security Team
WebKit
Available for: iPhone 3GS, iPhone 4, iPhone 4S,
iPod touch (3rd generation) and later, iPad, iPad 2
Impact: Visiting a maliciously crafted website may lead to a cross-
site scripting attack
Description: Multiple cross-origin issues existed in WebKit.
CVE-ID
CVE-2011-3881 : Sergey Glazunov
CVE-2012-0586 : Sergey Glazunov
CVE-2012-0587 : Sergey Glazunov
CVE-2012-0588 : Jochen Eisinger of Google Chrome Team
CVE-2012-0589 : Alan Austin of polyvore.com
WebKit
Available for: iPhone 3GS, iPhone 4, iPhone 4S,
iPod touch (3rd generation) and later, iPad, iPad 2
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in WebKit.
CVE-ID
CVE-2011-2825 : wushi of team509 working with TippingPoint's Zero Day
Initiative
CVE-2011-2833 : Apple
CVE-2011-2846 : Arthur Gerkis, miaubiz
CVE-2011-2847 : miaubiz, Abhishek Arya (Inferno) of Google Chrome
Security Team using AddressSanitizer
CVE-2011-2854 : Abhishek Arya (Inferno) of Google Chrome Security
Team using AddressSanitizer
CVE-2011-2855 : Arthur Gerkis, wushi of team509 working with iDefense
VCP
CVE-2011-2857 : miaubiz
CVE-2011-2860 : Abhishek Arya (Inferno) of Google Chrome Security
Team using AddressSanitizer
CVE-2011-2867 : Dirk Schulze
CVE-2011-2868 : Abhishek Arya (Inferno) of Google Chrome Security
Team using AddressSanitizer
CVE-2011-2869 : Cris Neckar of Google Chrome Security Team using
AddressSanitizer
CVE-2011-2870 : Abhishek Arya (Inferno) of Google Chrome Security
Team using AddressSanitizer
CVE-2011-2871 : Abhishek Arya (Inferno) of Google Chrome Security
Team using AddressSanitizer
CVE-2011-2872 : Abhishek Arya (Inferno) and Cris Neckar of Google
Chrome Security Team using AddressSanitizer
CVE-2011-2873 : Abhishek Arya (Inferno) of Google Chrome Security
Team using AddressSanitizer
CVE-2011-2877 : miaubiz
CVE-2011-3885 : miaubiz
CVE-2011-3888 : miaubiz
CVE-2011-3897 : pa_kt working with TippingPoint's Zero Day Initiative
CVE-2011-3908 : Aki Helin of OUSPG
CVE-2011-3909 : Google Chrome Security Team (scarybeasts) and Chu
CVE-2011-3928 : wushi of team509 working with TippingPoint's Zero Day
Initiative
CVE-2012-0591 : miaubiz, and Martin Barbella
CVE-2012-0592 : Alexander Gavrun working with TippingPoint's Zero Day
Initiative
CVE-2012-0593 : Lei Zhang of the Chromium development community
CVE-2012-0594 : Adam Klein of the Chromium development community
CVE-2012-0595 : Apple
CVE-2012-0596 : Abhishek Arya (Inferno) of Google Chrome Security
Team using AddressSanitizer
CVE-2012-0597 : miaubiz
CVE-2012-0598 : Sergey Glazunov
CVE-2012-0599 : Dmytro Gorbunov of SaveSources.com
CVE-2012-0600 : Marshall Greenblatt, Dharani Govindan of Google
Chrome, miaubiz, Aki Helin of OUSPG, Apple
CVE-2012-0601 : Apple
CVE-2012-0602 : Apple
CVE-2012-0603 : Apple
CVE-2012-0604 : Apple
CVE-2012-0605 : Apple
CVE-2012-0606 : Apple
CVE-2012-0607 : Apple
CVE-2012-0608 : Abhishek Arya (Inferno) of Google Chrome Security
Team using AddressSanitizer
CVE-2012-0609 : Abhishek Arya (Inferno) of Google Chrome Security
Team using AddressSanitizer
CVE-2012-0610 : miaubiz, Martin Barbella using AddressSanitizer
CVE-2012-0611 : Martin Barbella using AddressSanitizer
CVE-2012-0612 : Abhishek Arya (Inferno) of Google Chrome Security
Team using AddressSanitizer
CVE-2012-0613 : Abhishek Arya (Inferno) of Google Chrome Security
Team using AddressSanitizer
CVE-2012-0614 : miaubiz, Martin Barbella using AddressSanitizer
CVE-2012-0615 : Martin Barbella using AddressSanitizer
CVE-2012-0616 : miaubiz
CVE-2012-0617 : Martin Barbella using AddressSanitizer
CVE-2012-0618 : Abhishek Arya (Inferno) of Google Chrome Security
Team using AddressSanitizer
CVE-2012-0619 : Abhishek Arya (Inferno) of Google Chrome Security
Team using AddressSanitizer
CVE-2012-0620 : Abhishek Arya (Inferno) of Google Chrome Security
Team using AddressSanitizer
CVE-2012-0621 : Martin Barbella using AddressSanitizer
CVE-2012-0622 : Dave Levin and Abhishek Arya of the Google Chrome
Security Team
CVE-2012-0623 : Abhishek Arya (Inferno) of Google Chrome Security
Team using AddressSanitizer
CVE-2012-0624 : Martin Barbella using AddressSanitizer
CVE-2012-0625 : Martin Barbella
CVE-2012-0626 : Abhishek Arya (Inferno) of Google Chrome Security
Team using AddressSanitizer
CVE-2012-0627 : Apple
CVE-2012-0628 : Slawomir Blazek, miaubiz, Abhishek Arya (Inferno) of
Google Chrome Security Team using AddressSanitizer
CVE-2012-0629 : Abhishek Arya (Inferno) of Google Chrome Security
Team
CVE-2012-0630 : Sergio Villar Senin of Igalia
CVE-2012-0631 : Abhishek Arya (Inferno) of Google Chrome Security
Team
CVE-2012-0632 : Cris Neckar of the Google Chrome Security Team using
AddressSanitizer
CVE-2012-0633 : Apple
CVE-2012-0635 : Julien Chaffraix of the Chromium development
community, Martin Barbella using AddressSanitizer
Installation note:
This update is only available through iTunes, and will not appear
in your computer's Software Update application, or in the Apple
Downloads site. Make sure you have an Internet connection and have
installed the latest version of iTunes from www.apple.com/itunes/
iTunes will automatically check Apple's update server on its weekly
schedule. When an update is detected, it will download it. When
the iPhone, iPod touch or iPad is docked, iTunes will present the
user with the option to install the update. We recommend applying
the update immediately if possible. Selecting Don't Install will
present the option the next time you connect your iPhone, iPod touch,
or iPad.
The automatic update process may take up to a week depending on the
day that iTunes checks for updates. You may manually obtain the
update via the Check for Updates button within iTunes. After doing
this, the update can be applied when your iPhone, iPod touch, or iPad
is docked to your computer.
To check that the iPhone, iPod touch, or iPad has been updated:
* Navigate to Settings
* Select General
* Select About. The version after applying this update will be "5.1".
Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.16 (Darwin)
iQEcBAEBAgAGBQJPV6M3AAoJEGnF2JsdZQeef/cIAKBSn0czLzJO9fu6ZyjLRvxq
4pIZgfyEVGBzpn+9IeiGFTkkVf+bOsA+Q3RlcsG5g0RlbyFgnuWu59HHsnkrElbM
bCfnnTF5eYZX/3fnLzxpX7BUsEona3nf1gHfR24OeEn36C8rZ6rZJfMLqCJNNZGY
RDSga1oeMN/AbgZuR9sYKudkE0GOmkLZfR2G4WXmrU+JncR6XoROUwoJBPhg8z90
HAxgDEbduuLLOSe7CHLS3apbh0L2tmxPCWpiBmEMg6PTlFF0HhJQJ0wusrUc8nX6
7TDsAho73wCOpChzBGQeemc6+UEN2uDmUgwVkN6n4D/qN1u6E+d3coUXOlb8hIY=
=qPeE
-----END PGP SIGNATURE-----
| VAR-201108-0285 | CVE-2011-2821 | libxml2 Service disruption in (DoS) Vulnerabilities |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Double free vulnerability in libxml2, as used in Google Chrome before 13.0.782.215, allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted XPath expression. Google Chrome is prone to multiple vulnerabilities.
Attackers can exploit these issues to execute arbitrary code in the context of the browser, cause denial-of-service conditions, perform spoofing attacks, and bypass the same-origin policy; other attacks may also be possible.
Versions prior to Chrome 13.0.782.215 are vulnerable. Google Chrome is a web browser developed by Google (Google). -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
APPLE-SA-2012-05-09-1 OS X Lion v10.7.4 and Security Update 2012-002
OS X Lion v10.7.4 and Security Update 2012-002 is now available and
addresses the following:
Login Window
Available for: OS X Lion v10.7.3, OS X Lion Server v10.7.3
Impact: Remote admins and persons with physical access to the system
may obtain account information
Description: An issue existed in the handling of network account
logins. The login process recorded sensitive information in the
system log, where other users of the system could read it. The
sensitive information may persist in saved logs after installation of
this update. See http://support.apple.com/kb/TS4272 for more
information on how to securely remove any remaining records. This
issue only affects systems running OS X Lion v10.7.3 with users of
Legacy File Vault and/or networked home directories.
CVE-ID
CVE-2012-0652 : Terry Reeves and Tim Winningham of the Ohio State
University, Markus 'Jaroneko' Raty of the Finnish Academy of Fine
Arts, Jaakko Pero of Aalto University, Mark Cohen of Oregon State
University, Paul Nelson
Bluetooth
Available for: OS X Lion v10.7 to v10.7.3,
OS X Lion Server v10.7 to v10.7.3
Impact: A local user may be able to execute arbitrary code with
system privileges
Description: A temporary file race condition issue existed in
blued's initialization routine.
CVE-ID
CVE-2012-0649 : Aaron Sigel of vtty.com
curl
Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8,
OS X Lion v10.7 to v10.7.3, OS X Lion Server v10.7 to v10.7.3
Impact: An attacker may be able to decrypt data protected by SSL
Description: There are known attacks on the confidentiality of SSL
3.0 and TLS 1.0 when a cipher suite uses a block cipher in CBC mode.
curl disabled the 'empty fragment' countermeasure which prevented
these attacks. This issue is addressed by enabling empty fragments.
CVE-ID
CVE-2011-3389 : Apple
curl
Available for: OS X Lion v10.7 to v10.7.3,
OS X Lion Server v10.7 to v10.7.3
Impact: Using curl or libcurl with a maliciously crafted URL may
lead to protocol-specific data injection attacks
Description: A data injection issue existed in curl's handling of
URLs. This issue is addressed through improved validation of URLs.
This issue does not affect systems prior to OS X Lion.
CVE-ID
CVE-2012-0036
Directory Service
Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8
Impact: A remote attacker may obtain sensitive information
Description: Multiple issues existed in the directory server's
handling of messages from the network. By sending a maliciously
crafted message, a remote attacker could cause the directory server
to disclose memory from its address space, potentially revealing
account credentials or other sensitive information. This issue does
not affect OS X Lion systems. The Directory Server is disabled by
default in non-server installations of OS X.
CVE-ID
CVE-2012-0651 : Agustin Azubel
HFS
Available for: OS X Lion v10.7 to v10.7.3,
OS X Lion Server v10.7 to v10.7.3
Impact: Mounting a maliciously crafted disk image may lead to a
system shutdown or arbitrary code execution
Description: An integer underflow existed in the handling of HFS
catalog files.
CVE-ID
CVE-2012-0642 : pod2g
ImageIO
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8
Impact: Viewing a maliciously crafted TIFF file may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in ImageIO's handling of
CCITT Group 4 encoded TIFF files. This issue does not affect OS X
Lion systems.
CVE-ID
CVE-2011-0241 : Cyril CATTIAUX of Tessi Technologies
ImageIO
Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8
Impact: Multiple vulnerabilities in libpng
Description: libpng is updated to version 1.5.5 to address multiple
vulnerabilities, the most serious of which may lead to information
disclosure. Further information is available via the libpng website
at http://www.libpng.org/pub/png/libpng.html
CVE-ID
CVE-2011-2692
CVE-2011-3328
ImageIO
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8
Impact: Viewing a maliciously crafted TIFF file may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in libtiff's handling of
ThunderScan encoded TIFF images. This issue is addressed by updating
libtiff to version 3.9.5.
CVE-ID
CVE-2011-1167
Kernel
Available for: OS X Lion v10.7 to v10.7.3,
OS X Lion Server v10.7 to v10.7.3
Impact: When FileVault is used, the disk may contain unencrypted
user data
Description: An issue in the kernel's handling of the sleep image
used for hibernation left some data unencrypted on disk even when
FileVault was enabled. This issue is addressed through improved
handling of the sleep image, and by overwriting the existing sleep
image when updating to OS X v10.7.4. This issue does not affect
systems prior to OS X Lion.
CVE-ID
CVE-2011-3212 : Felix Groebert of Google Security Team
libarchive
Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8,
OS X Lion v10.7 to v10.7.3, OS X Lion Server v10.7 to v10.7.3
Impact: Extracting a maliciously crafted archive may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple buffer overflows existed in the handling of
tar archives and iso9660 files.
CVE-ID
CVE-2011-1777
CVE-2011-1778
libsecurity
Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8,
OS X Lion v10.7 to v10.7.3, OS X Lion Server v10.7 to v10.7.3
Impact: Verifying a maliciously crafted X.509 certificate, such as
when visiting a maliciously crafted website, may lead to an
unexpected application termination or arbitrary code execution
Description: An uninitialized memory access issue existed in the
handling of X.509 certificates.
CVE-ID
CVE-2012-0654 : Dirk-Willem van Gulik of WebWeaving.org, Guilherme
Prado of Conselho da Justica Federal, Ryan Sleevi of Google
libsecurity
Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8,
OS X Lion v10.7 to v10.7.3, OS X Lion Server v10.7 to v10.7.3
Impact: Support for X.509 certificates with insecure-length RSA keys
may expose users to spoofing and information disclosure
Description: Certificates signed using RSA keys with insecure key
lengths were accepted by libsecurity. This issue is addressed by
rejecting certificates containing RSA keys less than 1024 bits.
CVE-ID
CVE-2012-0655
libxml
Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8,
OS X Lion v10.7 to v10.7.3, OS X Lion Server v10.7 to v10.7.3
Impact: Viewing a maliciously crafted web page may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple vulnerabilities existed in libxml, the most
serious of which may lead to an unexpected application termination or
arbitrary code execution. These issues are addressed by applying the
relevant upstream patches.
CVE-ID
CVE-2011-1944 : Chris Evans of Google Chrome Security Team
CVE-2011-2821 : Yang Dingning of NCNIPC, Graduate University of
Chinese Academy of Sciences
CVE-2011-2834 : Yang Dingning of NCNIPC, Graduate University of
Chinese Academy of Sciences
CVE-2011-3919 : Juri Aedla
LoginUIFramework
Available for: OS X Lion v10.7 to v10.7.3,
OS X Lion Server v10.7 to v10.7.3
Impact: If the Guest user is enabled, a user with physical access to
the computer may be able to log in to a user other than the Guest
user without entering a password
Description: A race condition existed in the handling of Guest user
logins. This issue does not affect systems prior to OS X Lion.
CVE-ID
CVE-2012-0656 : Francisco Gomez (espectalll123)
PHP
Available for: OS X Lion v10.7 to v10.7.3,
OS X Lion Server v10.7 to v10.7.3
Impact: Multiple vulnerabilities in PHP
Description: PHP is updated to version 5.3.10 to address several
vulnerabilities, the most serious of which may lead to arbitrary code
execution. Further information is available via the PHP web site at
http://www.php.net
CVE-ID
CVE-2011-4566
CVE-2011-4885
CVE-2012-0830
Quartz Composer
Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8,
OS X Lion v10.7 to v10.7.3, OS X Lion Server v10.7 to v10.7.3
Impact: A user with physical access to the computer may be able to
cause Safari to launch if the screen is locked and the RSS Visualizer
screen saver is used
Description: An access control issue existed in Quartz Composer's
handling of screen savers. This issue is addressed through improved
checking for whether or not the screen is locked.
CVE-ID
CVE-2012-0657 : Aaron Sigel of vtty.com
QuickTime
Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8,
OS X Lion v10.7 to v10.7.3, OS X Lion Server v10.7 to v10.7.3
Impact: Viewing a maliciously crafted movie file during progressive
download may lead to an unexpected application termination or
arbitrary code execution
Description: A buffer overflow existed in the handling of audio
sample tables.
CVE-ID
CVE-2012-0658 : Luigi Auriemma working with HP's Zero Day Initiative
QuickTime
Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8,
OS X Lion v10.7 to v10.7.3, OS X Lion Server v10.7 to v10.7.3
Impact: Viewing a maliciously crafted MPEG file may lead to an
unexpected application termination or arbitrary code execution
Description: An integer overflow existed in the handling of MPEG
files.
CVE-ID
CVE-2012-0659 : An anonymous researcher working with HP's Zero Day
Initiative
QuickTime
Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8,
OS X Lion v10.7 to v10.7.3, OS X Lion Server v10.7 to v10.7.3
Impact: Viewing a maliciously crafted MPEG file may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer underflow existed in the handling of MPEG
files.
CVE-ID
CVE-2012-0660 : Justin Kim at Microsoft and Microsoft Vulnerability
Research
QuickTime
Available for: OS X Lion v10.7 to v10.7.3,
OS X Lion Server v10.7 to v10.7.3
Impact: Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: A use after free issue existed in the handling of
JPEG2000 encoded movie files. This issue does not affect systems
prior to OS X Lion.
CVE-ID
CVE-2012-0661 : Damian Put working with HP's Zero Day Initiative
Ruby
Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8,
OS X Lion v10.7 to v10.7.3, OS X Lion Server v10.7 to v10.7.3
Impact: Multiple vulnerabilities in Ruby
Description: Ruby is updated to 1.8.7-p357 to address multiple
vulnerabilities.
CVE-ID
CVE-2011-1004
CVE-2011-1005
CVE-2011-4815
Samba
Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8
Impact: If SMB file sharing is enabled, an unauthenticated remote
attacker may cause a denial of service or arbitrary code execution
with system privileges
Description: Multiple buffer overflows existed in Samba's handling
of remote procedure calls. These issues do not
affect OS X Lion systems.
CVE-ID
CVE-2012-0870 : Andy Davis of NGS Secure
CVE-2012-1182 : An anonymous researcher working with HP's Zero Day
Initiative
Security Framework
Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8,
OS X Lion v10.7 to v10.7.3, OS X Lion Server v10.7 to v10.7.3
Impact: A remote attacker may cause an unexpected application
termination or arbitrary code execution
Description: An integer overflow existed in the Security framework.
Processing untrusted input with the Security framework could result
in memory corruption. This issue does not affect 32-bit processes.
CVE-ID
CVE-2012-0662 : aazubel working with HP's Zero Day Initiative
Time Machine
Available for: OS X Lion v10.7 to v10.7.3,
OS X Lion Server v10.7 to v10.7.3
Impact: A remote attacker may access a user's Time Machine backup
credentials
Description: The user may designate a Time Capsule or remote AFP
volume attached to an AirPort Base Station to be used for Time
Machine backups. Beginning with AirPort Base Station and Time Capsule
Firmware Update 7.6, Time Capsules and Base Stations support a secure
SRP-based authentication mechanism over AFP. However, Time Machine
did not require that the SRP-based authentication mechanism was used
for subsequent backup operations, even if Time Machine was initially
configured or had ever contacted a Time Capsule or Base Station that
supported it. An attacker who is able to spoof the remote volume
could gain access to user's Time Capsule credentials, although not
backup data, sent by the user's system. This issue is addressed by
requiring use of the SRP-based authentication mechanism if the backup
destination has ever supported it.
CVE-ID
CVE-2012-0675 : Renaud Deraison of Tenable Network Security, Inc.
X11
Available for: OS X Lion v10.7 to v10.7.3,
OS X Lion Server v10.7 to v10.7.3
Impact: Applications that use libXfont to process LZW-compressed
data may be vulnerable to an unexpected application termination or
arbitrary code execution
Description: A buffer overflow existed in libXfont's handling of
LZW-compressed data. This issue is addressed by updating libXfont to
version 1.4.4.
CVE-ID
CVE-2011-2895 : Tomas Hoger of Red Hat
Note: Additionally, this update filters dynamic linker environment
variables from a customized environment property list in the user's
home directory, if present.
OS X Lion v10.7.4 and Security Update 2012-002 may be obtained from
the Software Update pane in System Preferences, or Apple's Software
Downloads web site:
http://www.apple.com/support/downloads/
The Software Update utility will present the update that applies
to your system configuration. Only one is needed, either
Security Update 2012-002 or OS X v10.7.4.
For OS X Lion v10.7.3
The download file is named: MacOSXUpd10.7.4.dmg
Its SHA-1 digest is: 04c53a6148ebd8c5733459620b7c1e2172352d36
For OS X Lion v10.7 and v10.7.2
The download file is named: MacOSXUpdCombo10.7.4.dmg
Its SHA-1 digest is: b11d511a50d9b728532688768fcdee9c1930037f
For OS X Lion Server v10.7.3
The download file is named: MacOSXServerUpd10.7.4.dmg
Its SHA-1 digest is: 3cb5699c8ecf7d70145f3692555557f7206618b2
For OS X Lion Server v10.7 and v10.7.2
The download file is named: MacOSXServerUpdCombo10.7.4.dmg
Its SHA-1 digest is: 917207e922056718b9924ef73caa5fcac06b7240
For Mac OS X v10.6.8
The download file is named: SecUpd2012-002Snow.dmg
Its SHA-1 digest is: 9669fbd9952419e70ac20109cf4db37f9932e9f8
For Mac OS X Server v10.6.8
The download file is named: SecUpdSrvr2012-002.dmg
Its SHA-1 digest is: 34da2dcbc8d45362f1d5e3b1b218112a729ae1c3
Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.16 (Darwin)
iQEcBAEBAgAGBQJPqtkzAAoJEGnF2JsdZQeee2MIAKAcBIY6k0LU2fDLThFoAgKh
WkYpGmCwa7L6n02geHzWrUCK/P/0yGWzDDqLfKlKuKbXdEIRP2wZTlvrqZHLzNO/
nXgz3HN1Xbll8yVXrGMEsoTD23Q+2/ZKLGMlSDw3vgBTVi/g4Rcer4Eew5mTkaoA
j4WkrzgVUIxCMrsWMMwu1SVaizBuTYbNVzCzV3JPF1H0zVtVKgwWjhTdOJ/RDksD
sjZG1XIEqVyv1rNk5BtjxVPFaJGpf9mcHiH8XyKQ0bC6ToM2r3B++Layoc5k1K0V
OxKGSfWOEbWi/KR6vlXyVbe7JnU7a/V0C25HXhnoMEtoTCleZACEByLVtBC87LU=
=6Eiz
-----END PGP SIGNATURE-----
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Note: the current version of the following document is available here:
https://h20566.www2.hp.com/portal/site/hpsc/public/kb/
docDisplay?docId=emr_na-c03360041
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c03360041
Version: 1
HPSBMU02786 SSRT100877 rev.1 - HP System Management Homepage (SMH) Running on
Linux and Windows, Remote Unauthorized Access, Disclosure of Information,
Data Modification, Denial of Service (DoS), Execution of Arbitrary Code
NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.
Release Date: 2012-06-26
Last Updated: 2012-06-26
Potential Security Impact: Remote unauthorized access, disclosure of
information, data modification, Denial of Service (DoS), execution of
arbitrary code
Source: Hewlett-Packard Company, HP Software Security Response Team
VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified with HP System
Management Homepage (SMH) running on Linux and Windows.
References: CVE-2011-1944, CVE-2011-2821, CVE-2011-2834, CVE-2011-3379,
CVE-2011-3607, CVE-2011-4078, CVE-2011-4108, CVE-2011-4153, CVE-2011-4317,
CVE-2011-4415, CVE-2011-4576, CVE-2011-4577, CVE-2011-4619, CVE-2011-4885,
CVE-2012-0021, CVE-2012-0027, CVE-2012-0031, CVE-2012-0036, CVE-2012-0053,
CVE-2012-0057, CVE-2012-0830, CVE-2012-1165, CVE-2012-1823,
CVE-2012-2012 (AUTOCOMPLETE enabled), CVE-2012-2013 (DoS),
CVE-2012-2014 (Improper input validation), CVE-2012-2015 (Privilege
Elevation),
CVE-2012-2016 (Information disclosure),
SSRT100336, SSRT100753, SSRT100669, SSRT100676,
SSRT100695, SSRT100714, SSRT100760, SSRT100786,
SSRT100787, SSRT100815, SSRT100840, SSRT100843, SSRT100869
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP System Management Homepage (SMH) before v7.1.1 running on Linux and
Windows.
BACKGROUND
CVSS 2.0 Base Metrics
===========================================================
Reference Base Vector Base Score
CVE-2012-2012 (AV:N/AC:L/Au:N/C:C/I:C/A:P) 9.7
CVE-2012-2013 (AV:N/AC:M/Au:N/C:P/I:P/A:P) 6.8
CVE-2012-2014 (AV:N/AC:M/Au:S/C:N/I:N/A:N) 6.8
CVE-2012-2015 (AV:N/AC:M/Au:S/C:P/I:N/A:N) 6.5
CVE-2012-2016 (AV:L/AC:M/Au:S/C:C/I:N/A:N) 4.4
CVE-2011-1944 (AV:N/AC:M/Au:N/C:C/I:C/A:C) 9.3
CVE-2011-2821 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5
CVE-2011-2834 (AV:N/AC:M/Au:N/C:P/I:P/A:P) 6.8
CVE-2011-3379 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5
CVE-2011-3607 (AV:L/AC:M/Au:N/C:P/I:P/A:P) 4.4
CVE-2011-4078 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0
CVE-2011-4108 (AV:N/AC:M/Au:N/C:P/I:N/A:N) 4.3
CVE-2011-4153 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0
CVE-2011-4317 (AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3
CVE-2011-4415 (AV:L/AC:H/Au:N/C:N/I:N/A:P) 1.2
CVE-2011-4576 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0
CVE-2011-4577 (AV:N/AC:M/Au:N/C:N/I:N/A:P) 4.3
CVE-2011-4619 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0
CVE-2011-4885 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0
CVE-2012-0021 (AV:N/AC:H/Au:N/C:N/I:N/A:P) 2.6
CVE-2012-0027 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0
CVE-2012-0031 (AV:L/AC:L/Au:N/C:P/I:P/A:P) 4.6
CVE-2012-0036 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5
CVE-2012-0053 (AV:N/AC:M/Au:N/C:P/I:N/A:N) 4.3
CVE-2012-0057 (AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4
CVE-2012-0830 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5
CVE-2012-1165 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0
CVE-2012-1823 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5
===========================================================
Information on CVSS is documented
in HP Customer Notice: HPSN-2008-002
RESOLUTION
HP has provided HP System Management Homepage v7.1.1 or subsequent to resolve
the vulnerabilities. HP System Management Homepage v7.1.1 is available here:
HP System Management Homepage for Windows x64
[Download here] or enter the following URL into the browser address window.
http://h20566.www2.hp.com/portal/site/hpsc/template.PAGE/public/psi/swdDetail
s/?sp4ts.oid=4091409&spf_p.tpst=psiSwdMain&spf_p.prp_psiSwdMain=wsrp-navigati
onalState%3Dlang%253Den%257Ccc%253DUS%257CprodSeriesId%253D4091408%257CprodNa
meId%253D4091409%257CswEnvOID%253D4064%257CswLang%253D8%257CswItem%253DMTX-ab
0d4e9bb4654a8da503eccfd9%257Cmode%253D3%257Caction%253DdriverDocument&javax.p
ortlet.begCacheTok=com.vignette.cachetoken&javax.portlet.endCacheTok=com.vign
ette.cachetoken
HP System Management Homepage for Windows x86
[Download here] or enter the following URL into the browser address window.
http://h20566.www2.hp.com/portal/site/hpsc/template.PAGE/public/psi/swdDetail
s/?sp4ts.oid=4091409&spf_p.tpst=psiSwdMain&spf_p.prp_psiSwdMain=wsrp-navigati
onalState%3Dlang%253Den%257Ccc%253DUS%257CprodSeriesId%253D4091408%257CprodNa
meId%253D4091409%257CswEnvOID%253D4022%257CswLang%253D8%257CswItem%253DMTX-f7
c0d15d28474255bd0ec23136%257Cmode%253D3%257Caction%253DdriverDocument&javax.p
ortlet.begCacheTok=com.vignette.cachetoken&javax.portlet.endCacheTok=com.vign
ette.cachetoken
HP System Management Homepage for Linux (AMD64/EM64T)
[Download here] or enter the following URL into the browser address window.
http://h20566.www2.hp.com/portal/site/hpsc/template.PAGE/public/psi/swdDetail
s/?sp4ts.oid=4091409&spf_p.tpst=psiSwdMain&spf_p.prp_psiSwdMain=wsrp-navigati
onalState%3Dlang%253Den%257Ccc%253DUS%257CprodSeriesId%253D4091408%257CprodNa
meId%253D4091409%257CswEnvOID%253D4035%257CswLang%253D8%257CswItem%253DMTX-18
d373dd1361400fbaca892942%257Cmode%253D3%257Caction%253DdriverDocument&javax.p
ortlet.begCacheTok=com.vignette.cachetoken&javax.portlet.endCacheTok=com.vign
ette.cachetoken
HP System Management Homepage for Linux (x86)
[Download here] or enter the following URL into the browser address window.
http://h20566.www2.hp.com/portal/site/hpsc/template.PAGE/public/psi/swdDetail
s/?sp4ts.oid=4091409&spf_p.tpst=psiSwdMain&spf_p.prp_psiSwdMain=wsrp-navigati
onalState%3Dlang%253Den%257Ccc%253DUS%257CprodSeriesId%253D4091408%257CprodNa
meId%253D4091409%257CswEnvOID%253D4006%257CswLang%253D8%257CswItem%253DMTX-9e
8a0188f97d48139dcb466509%257Cmode%253D3%257Caction%253DdriverDocument&javax.p
ortlet.begCacheTok=com.vignette.cachetoken&javax.portlet.endCacheTok=com.vign
ette.cachetoken
HISTORY
Version:1 (rev.1) 26 June 2012 Initial release
Third Party Security Patches: Third party security patches that are to be
installed on systems running HP software products should be applied in
accordance with the customer's patch management policy.
Support: For issues about implementing the recommendations of this Security
Bulletin, contact normal HP Services support channel. For other issues about
the content of this Security Bulletin, send e-mail to security-alert@hp.com.
Report: To report a potential security vulnerability with any HP supported
product, send Email to: security-alert@hp.com
Subscribe: To initiate a subscription to receive future HP Security Bulletin
alerts via Email:
http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins
Security Bulletin List: A list of HP Security Bulletins, updated
periodically, is contained in HP Security Notice HPSN-2011-001:
https://h20566.www2.hp.com/portal/site/hpsc/public/kb/
docDisplay?docId=emr_na-c02964430
Security Bulletin Archive: A list of recently released Security Bulletins is
available here:
http://h20566.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/
Software Product Category: The Software Product Category is represented in
the title by the two characters following HPSB.
3C = 3COM
3P = 3rd Party Software
GN = HP General Software
HF = HP Hardware and Firmware
MP = MPE/iX
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PI = Printing and Imaging
PV = ProCurve
ST = Storage Software
TU = Tru64 UNIX
UX = HP-UX
Copyright 2012 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or editorial errors
or omissions contained herein. The information provided is provided "as is"
without warranty of any kind. To the extent permitted by law, neither HP or
its affiliates, subcontractors or suppliers will be liable for
incidental,special or consequential damages including downtime cost; lost
profits;damages relating to the procurement of substitute products or
services; or damages for loss of data, or software restoration. The
information in this document is subject to change without notice.
Hewlett-Packard Company and the names of Hewlett-Packard products referenced
herein are trademarks of Hewlett-Packard Company in the United States and
other countries. Other product and company names mentioned herein may be
trademarks of their respective owners. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Low: libxml2 security and bug fix update
Advisory ID: RHSA-2011:1749-03
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2011-1749.html
Issue date: 2011-12-06
CVE Names: CVE-2010-4008 CVE-2010-4494 CVE-2011-0216
CVE-2011-1944 CVE-2011-2821 CVE-2011-2834
=====================================================================
1. Summary:
Updated libxml2 packages that fix several security issues and various bugs
are now available for Red Hat Enterprise Linux 6.
The Red Hat Security Response Team has rated this update as having low
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64
Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, x86_64
Red Hat Enterprise Linux HPC Node (v. 6) - x86_64
Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64
Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Optional (v. 6) - i386, x86_64
3. Description:
The libxml2 library is a development toolbox providing the implementation
of various XML standards. One of those standards is the XML Path Language
(XPath), which is a language for addressing parts of an XML document.
An off-by-one error, leading to a heap-based buffer overflow, was found in
the way libxml2 parsed certain XML files. A remote attacker could provide
a specially-crafted XML file that, when opened in an application linked
against libxml2, would cause the application to crash or, potentially,
execute arbitrary code with the privileges of the user running the
application. (CVE-2011-0216)
An integer overflow flaw, leading to a heap-based buffer overflow, was
found in the way libxml2 parsed certain XPath expressions. (CVE-2011-1944)
Multiple flaws were found in the way libxml2 parsed certain XPath
expressions. (CVE-2010-4008, CVE-2010-4494, CVE-2011-2821,
CVE-2011-2834)
Note: Red Hat does not ship any applications that use libxml2 in a way that
would allow the CVE-2011-1944, CVE-2010-4008, CVE-2010-4494, CVE-2011-2821,
and CVE-2011-2834 flaws to be exploited; however, third-party applications
may allow XPath expressions to be passed which could trigger these flaws.
Red Hat would like to thank the Google Security Team for reporting the
CVE-2010-4008 issue. Upstream acknowledges Bui Quang Minh from Bkis as the
original reporter of CVE-2010-4008.
This update also fixes the following bugs:
* A number of patches have been applied to harden the XPath processing code
in libxml2, such as fixing memory leaks, rounding errors, XPath numbers
evaluations, and a potential error in encoding conversion. (BZ#732335)
All users of libxml2 are advised to upgrade to these updated packages,
which contain backported patches to correct these issues. The desktop must
be restarted (log out, then log back in) for this update to take effect.
4. Solution:
Before applying this update, make sure all previously-released errata
relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/kb/docs/DOC-11259
5. Bugs fixed (http://bugzilla.redhat.com/):
645341 - CVE-2010-4008 libxml2: Crash (stack frame overflow or NULL pointer dereference) by traversal of XPath axis
665963 - CVE-2010-4494 libxml2: double-free in XPath processing code
709747 - CVE-2011-1944 libxml, libxml2: Heap-based buffer overflow by adding new namespace node to an existing nodeset or merging nodesets
724906 - CVE-2011-0216 libxml2: Off-by-one error leading to heap-based buffer overflow in encoding
732335 - Fix various problems and harden the XPath evaluation engine
735712 - CVE-2011-2821 libxml2: double free caused by malformed XPath expression in XSLT
735751 - CVE-2011-2834 libxml2: double-free caused by malformed XPath expression in XSLT
6. Package List:
Red Hat Enterprise Linux Desktop (v. 6):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/libxml2-2.7.6-4.el6.src.rpm
i386:
libxml2-2.7.6-4.el6.i686.rpm
libxml2-debuginfo-2.7.6-4.el6.i686.rpm
libxml2-python-2.7.6-4.el6.i686.rpm
x86_64:
libxml2-2.7.6-4.el6.i686.rpm
libxml2-2.7.6-4.el6.x86_64.rpm
libxml2-debuginfo-2.7.6-4.el6.i686.rpm
libxml2-debuginfo-2.7.6-4.el6.x86_64.rpm
libxml2-python-2.7.6-4.el6.x86_64.rpm
Red Hat Enterprise Linux Desktop Optional (v. 6):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/libxml2-2.7.6-4.el6.src.rpm
i386:
libxml2-debuginfo-2.7.6-4.el6.i686.rpm
libxml2-devel-2.7.6-4.el6.i686.rpm
libxml2-static-2.7.6-4.el6.i686.rpm
x86_64:
libxml2-debuginfo-2.7.6-4.el6.i686.rpm
libxml2-debuginfo-2.7.6-4.el6.x86_64.rpm
libxml2-devel-2.7.6-4.el6.i686.rpm
libxml2-devel-2.7.6-4.el6.x86_64.rpm
libxml2-static-2.7.6-4.el6.x86_64.rpm
Red Hat Enterprise Linux HPC Node (v. 6):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/libxml2-2.7.6-4.el6.src.rpm
x86_64:
libxml2-2.7.6-4.el6.i686.rpm
libxml2-2.7.6-4.el6.x86_64.rpm
libxml2-debuginfo-2.7.6-4.el6.i686.rpm
libxml2-debuginfo-2.7.6-4.el6.x86_64.rpm
libxml2-python-2.7.6-4.el6.x86_64.rpm
Red Hat Enterprise Linux HPC Node Optional (v. 6):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/libxml2-2.7.6-4.el6.src.rpm
x86_64:
libxml2-debuginfo-2.7.6-4.el6.i686.rpm
libxml2-debuginfo-2.7.6-4.el6.x86_64.rpm
libxml2-devel-2.7.6-4.el6.i686.rpm
libxml2-devel-2.7.6-4.el6.x86_64.rpm
libxml2-static-2.7.6-4.el6.x86_64.rpm
Red Hat Enterprise Linux Server (v. 6):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/libxml2-2.7.6-4.el6.src.rpm
i386:
libxml2-2.7.6-4.el6.i686.rpm
libxml2-debuginfo-2.7.6-4.el6.i686.rpm
libxml2-devel-2.7.6-4.el6.i686.rpm
libxml2-python-2.7.6-4.el6.i686.rpm
ppc64:
libxml2-2.7.6-4.el6.ppc.rpm
libxml2-2.7.6-4.el6.ppc64.rpm
libxml2-debuginfo-2.7.6-4.el6.ppc.rpm
libxml2-debuginfo-2.7.6-4.el6.ppc64.rpm
libxml2-devel-2.7.6-4.el6.ppc.rpm
libxml2-devel-2.7.6-4.el6.ppc64.rpm
libxml2-python-2.7.6-4.el6.ppc64.rpm
s390x:
libxml2-2.7.6-4.el6.s390.rpm
libxml2-2.7.6-4.el6.s390x.rpm
libxml2-debuginfo-2.7.6-4.el6.s390.rpm
libxml2-debuginfo-2.7.6-4.el6.s390x.rpm
libxml2-devel-2.7.6-4.el6.s390.rpm
libxml2-devel-2.7.6-4.el6.s390x.rpm
libxml2-python-2.7.6-4.el6.s390x.rpm
x86_64:
libxml2-2.7.6-4.el6.i686.rpm
libxml2-2.7.6-4.el6.x86_64.rpm
libxml2-debuginfo-2.7.6-4.el6.i686.rpm
libxml2-debuginfo-2.7.6-4.el6.x86_64.rpm
libxml2-devel-2.7.6-4.el6.i686.rpm
libxml2-devel-2.7.6-4.el6.x86_64.rpm
libxml2-python-2.7.6-4.el6.x86_64.rpm
Red Hat Enterprise Linux Server Optional (v. 6):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/libxml2-2.7.6-4.el6.src.rpm
i386:
libxml2-debuginfo-2.7.6-4.el6.i686.rpm
libxml2-static-2.7.6-4.el6.i686.rpm
ppc64:
libxml2-debuginfo-2.7.6-4.el6.ppc64.rpm
libxml2-static-2.7.6-4.el6.ppc64.rpm
s390x:
libxml2-debuginfo-2.7.6-4.el6.s390x.rpm
libxml2-static-2.7.6-4.el6.s390x.rpm
x86_64:
libxml2-debuginfo-2.7.6-4.el6.x86_64.rpm
libxml2-static-2.7.6-4.el6.x86_64.rpm
Red Hat Enterprise Linux Workstation (v. 6):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/libxml2-2.7.6-4.el6.src.rpm
i386:
libxml2-2.7.6-4.el6.i686.rpm
libxml2-debuginfo-2.7.6-4.el6.i686.rpm
libxml2-devel-2.7.6-4.el6.i686.rpm
libxml2-python-2.7.6-4.el6.i686.rpm
x86_64:
libxml2-2.7.6-4.el6.i686.rpm
libxml2-2.7.6-4.el6.x86_64.rpm
libxml2-debuginfo-2.7.6-4.el6.i686.rpm
libxml2-debuginfo-2.7.6-4.el6.x86_64.rpm
libxml2-devel-2.7.6-4.el6.i686.rpm
libxml2-devel-2.7.6-4.el6.x86_64.rpm
libxml2-python-2.7.6-4.el6.x86_64.rpm
Red Hat Enterprise Linux Workstation Optional (v. 6):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/libxml2-2.7.6-4.el6.src.rpm
i386:
libxml2-debuginfo-2.7.6-4.el6.i686.rpm
libxml2-static-2.7.6-4.el6.i686.rpm
x86_64:
libxml2-debuginfo-2.7.6-4.el6.x86_64.rpm
libxml2-static-2.7.6-4.el6.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package
7. References:
https://www.redhat.com/security/data/cve/CVE-2010-4008.html
https://www.redhat.com/security/data/cve/CVE-2010-4494.html
https://www.redhat.com/security/data/cve/CVE-2011-0216.html
https://www.redhat.com/security/data/cve/CVE-2011-1944.html
https://www.redhat.com/security/data/cve/CVE-2011-2821.html
https://www.redhat.com/security/data/cve/CVE-2011-2834.html
https://access.redhat.com/security/updates/classification/#low
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2011 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)
iD8DBQFO3jihXlSAg2UNWIIRAij5AJ9pwIiLcpRzdp4Kiwz3qP8xWNCoJQCdG3YK
IwJxCxcGs/EbkeMAWwbL/tg=
=idwN
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
.
CVE-ID
CVE-2012-3722 : Will Dormann of the CERT/CC
Apple TV
Available for: Apple TV 2nd generation and later
Impact: A malicious Wi-Fi network may be able to determine networks
a device has previously accessed
Description: Upon connecting to a Wi-Fi network, iOS may broadcast
MAC addresses of previously accessed networks per the DNAv4
protocol. This issue was addressed by disabling DNAv4 on unencrypted
Wi-Fi networks
CVE-ID
CVE-2012-3725 : Mark Wuergler of Immunity, Inc.
CVE-ID
CVE-2012-0682 : Apple Product Security
CVE-2012-0683 : Dave Mandelin of Mozilla
CVE-2012-3589 : Dave Mandelin of Mozilla
CVE-2012-3590 : Apple Product Security
CVE-2012-3591 : Apple Product Security
CVE-2012-3592 : Apple Product Security
CVE-2012-3678 : Apple Product Security
CVE-2012-3679 : Chris Leary of Mozilla
Installation note:
Apple TV will periodically check for software updates. Alternatively,
you may manually check for software updates by selecting
"Settings -> General -> Update Software".
To check the current version of software, select
"Settings -> General -> About". - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201110-26
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: High
Title: libxml2: Multiple vulnerabilities
Date: October 26, 2011
Bugs: #345555, #370715, #386985
ID: 201110-26
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities were found in libxml2 which could lead to
execution of arbitrary code or a Denial of Service.
Background
==========
libxml2 is the XML C parser and toolkit developed for the Gnome
project.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 dev-libs/libxml2 < 2.7.8-r3 >= 2.7.8-r3
Description
===========
Multiple vulnerabilities have been discovered in libxml2. Please review
the CVE identifiers referenced below for details.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All libxml2 users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-libs/libxml2-2.7.8-r3"
References
==========
[ 1 ] CVE-2010-4008
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4008
[ 2 ] CVE-2010-4494
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4494
[ 3 ] CVE-2011-1944
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1944
[ 4 ] CVE-2011-2821
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2821
[ 5 ] CVE-2011-2834
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2834
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201110-26.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2011 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
| VAR-201108-0358 | No CVE | Inductive Automation Ignition Remote Information Disclosure Vulnerability |
CVSS V2: - CVSS V3: - Severity: - |
Ignition is prone to an information-disclosure vulnerability.
Exploiting this issue could allow an attacker to gain access to potentially sensitive information. Information obtained may aid in further attacks.
Versions prior to Ignition 7.2.8.178 are vulnerable. ----------------------------------------------------------------------
The Secunia CSI 5.0 Beta - now available for testing
Find out more, take a free test drive, and share your opinion with us:
http://secunia.com/blog/242
----------------------------------------------------------------------
TITLE:
Inductive Automation Ignition File Disclosure Vulnerability
SECUNIA ADVISORY ID:
SA45896
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/45896/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=45896
RELEASE DATE:
2011-09-06
DISCUSS ADVISORY:
http://secunia.com/advisories/45896/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/45896/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=45896
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
A vulnerability has been reported in Inductive Automation Ignition,
which can be exploited by malicious people to disclose potentially
sensitive information.
Certain unspecified input passed via the URL is not properly verified
before being used to display files. This can be exploited to disclose
the contents of files.
SOLUTION:
Update to version 7.2.8.178.
PROVIDED AND/OR DISCOVERED BY:
Rub\xe9n Santamarta via ICS-CERT.
ORIGINAL ADVISORY:
http://www.us-cert.gov/control_systems/pdf/ICSA-11-231-01.pdf
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------