VARIoT IoT vulnerabilities database

VAR-200902-0455 | CVE-2009-0018 | Apple Mac OS of Remote Apple Event Server memory leak vulnerability |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
The Remote Apple Events server in Apple Mac OS X 10.4.11 and 10.5.6 does not properly initialize a buffer, which allows remote attackers to read portions of memory. Apple Mac OS X is prone to multiple security vulnerabilities that have been addressed in Security Update 2009-001.
The security update addresses new vulnerabilities that affect the AFP server, movie playing, Resource Manager, Certificate Assistant, CoreText, 'dscl', Folder Manager, FSEvents, csregprinter, Remote Apple Event Viewer, Safari, Xterm, and SMB components of Mac OS X. The advisory also contains security updates for 32 previously reported issues.
A remote attacker may exploit this issue to gain access to memory contents, which may aid in further attacks.
The issue affects Mac OS X v10.4.11 and v10.5.6 (client and server).
1) A race condition error in the AFP Server can be exploited to
trigger the execution of an infinite loop by sending a specially
crafted file enumeration request.
2) An error in the handling of movie files using the Pixlet codec can
be exploited to trigger a memory corruption.
3) An error in the Resource Manager related to CarbonCore can be
exploited to trigger a memory corruption via a file containing a
specially crafted resource fork.
Successful exploitation of vulnerabilities #2 and #3 may allow
execution of arbitrary code.
4) Certificate Assistant handles temporary files in an insecure
manner. This can be exploited to overwrite arbitrary files with the
privileges of the user running the application.
5) Two errors in ClamAV can be exploited to cause a crash or
potentially execute arbitrary code.
For more information:
SA32663
SA32926
6) An error in CoreText when processing specially crafted Unicode
strings can be exploited to cause a heap-based buffer overflow via
e.g. a specially crafted web page.
Successful exploitation of this vulnerability may allow execution of
arbitrary code.
7) The dscl program accepts passwords passed via command line
arguments. This can be exploited by local users to obtain the
received passwords via the process list.
8) Multiple errors in fetchmail can be exploited by malicious people
to cause a crash via overly large e-mail headers.
For more information:
SA30742
9) Folder Manager creates the "Downloads" folder with global read
permissions after a user deletes it. This can be exploited by
unprivileged local users to gain access to the "Downloads" folder.
10) An error in the fseventsd program can be exploited to disclose
normally restricted filesystem activity via the FSEvents framework.
11) An error in perl when processing Unicode characters can be
exploited to trigger a memory corruption and potentially execute
arbitrary code.
This is related to:
SA27546
12) An error handling problem in csregprinter can be exploited to
cause a heap-based buffer overflow and potentially gain system
privileges.
13) Multiple errors in python have an unknown impact or can be
exploited to cause a crash or potentially compromise a vulnerable
system.
15) An error in Server Manager while validating authentication
credentials can be exploited to alter the system configuration.
16) An integer overflow in the SMB implementation can be exploited to
cause a heap-based buffer overflow by tricking a user into connecting
to a malicious SMB server.
Successful exploitation of this vulnerability may allow execution of
arbitrary code.
17) An error in the SMB implementation can be exploited to exhaust
available memory resources and cause a system shutdown by tricking a
user into connecting to a malicious SMB server.
18) An error in SquirrelMail can be exploited to inject and execute
arbitrary HTML and script code via a specially crafted email.
For more information:
SA32143
19) Multiple errors in the X11 server can be exploited by malicious,
local users to cause a DoS, disclose potentially sensitive
information, or gain escalated privileges.
For more information:
SA30627
20) Multiple errors in FreeType can be exploited to cause a DoS or
compromise an application using the library.
For more information:
SA20100
SA24768
SA30600
21) Multiple errors in LibX11 can be exploited by malicious, local
users to disclose sensitive information, cause a DoS, and gain
escalated privileges.
For more information:
SA24741
22) Xterm creates TTY devices accessible to all users, when used with
"luit". This can be exploited to e.g. write data to another user's
Xterm.
SOLUTION:
Apply Apple Security Update 2009-001.
http://www.apple.com/support/downloads/
PROVIDED AND/OR DISCOVERED BY:
The vendor credits:
6) Rosyna of Unsanity
9) Graham Perrin of CENTRIM, University of Brighton
10) Mark Dalrymple
12) Lars Haulin
ORIGINAL ADVISORY:
http://support.apple.com/kb/HT3438
OTHER REFERENCES:
SA20100:
http://secunia.com/advisories/20100/
SA24741:
http://secunia.com/advisories/24741/
SA24768:
http://secunia.com/advisories/24768/
SA26837:
http://secunia.com/advisories/26837/
SA27546:
http://secunia.com/advisories/27546/
SA30600:
http://secunia.com/advisories/30600/
SA30627:
http://secunia.com/advisories/30627/
SA30742:
http://secunia.com/advisories/30742/
SA31305:
http://secunia.com/advisories/31305/
SA32143:
http://secunia.com/advisories/32143/
SA32663:
http://secunia.com/advisories/32663/
SA32926:
http://secunia.com/advisories/32926/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keep their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
VAR-200902-0692 | No CVE | 3Com OfficeConnect Wireless Cable/DSL Router SaveCfgFile bypasses authentication vulnerability |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
3Com OfficeConnect Wireless Cable/DSL is a small wireless router. The OfficeConnect Wireless Cable/DSL Router has a web console enabled by default for device management. Although the HTTP daemon does not allow access to HTML pages and the web console without authentication, existing CGI programs can still be called and executed. System Tools --> Configuration --> Backup Configuration saves the running configuration to a plain-text file called config.bin. Unauthenticated users can directly call the SaveCfgFile CGI program and download the configuration, which contains sensitive user and system configuration data such as passwords and Wi-Fi keys. This vulnerability can also be exploited remotely from the Internet if the Remote Administration option is enabled. The following is an example of the sensitive content in the config.bin file:
[...]
pppoe_username=xxxxxxxxxxxxxxx
pppoe_password=xxxxxxxxx
pppoe_service_name=xxxxxxxxx
[...]
mradius_username=xxxxxx
mradius_password=xxxxxx
mradius_secret=xxxxxxx
[...]
http_username=xxxxx
login_password=xxxxx
http_passwd=xxxxx
[...]
AuthName=xxxxxxx
AuthPassword=xxxx
snmpStatus=xxxxxxx
snmpRoCommunity=xxxxxxxx
snmpRwCommunity=xxxxxxxx
[...]
multi_dmz_wan_ip1=xxxxxxxxxx
[...]
lan_macaddr=xxxxxxxxxxxxx
[...]
The 3Com OfficeConnect Wireless Cable/DSL Gateway is prone to an access-validation vulnerability because of a lack of authentication when users access specific administration applications.
Attackers can exploit this issue to obtain sensitive information that may aid in further attacks.
The 3Com OfficeConnect Wireless Cable/DSL Gateway firmware 1.2.0 is vulnerable; other versions may also be affected.
VAR-200902-0885 | CVE-2009-0601 | Wireshark Format string vulnerability |
CVSS V2: 2.1 CVSS V3: - Severity: LOW |
Format string vulnerability in Wireshark 0.99.8 through 1.0.5 on non-Windows platforms allows local users to cause a denial of service (application crash) via format string specifiers in the HOME environment variable. Wireshark is prone to multiple denial-of-service vulnerabilities.
Exploiting these issues may allow attackers to crash the application, denying service to legitimate users. Attackers may be able to leverage some of these vulnerabilities to execute arbitrary code, but this has not been confirmed.
These issues affect Wireshark 0.99.6 through 1.0.5. If a user is tricked into capturing malicious packets from the network or opening a malicious packet capture file, Wireshark may crash. This fixes some
vulnerabilities, which can be exploited by malicious people to
potentially compromise a user's system.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200906-05
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: High
Title: Wireshark: Multiple vulnerabilities
Date: June 30, 2009
Bugs: #242996, #248425, #258013, #264571, #271062
ID: 200906-05
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities have been discovered in Wireshark which allow
for Denial of Service (application crash) or remote code execution.
Background
==========
Wireshark is a versatile network protocol analyzer.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 net-analyzer/wireshark < 1.0.8 >= 1.0.8
Description
===========
Multiple vulnerabilities have been discovered in Wireshark:
* David Maciejak discovered a vulnerability in packet-usb.c in the
USB dissector via a malformed USB Request Block (URB)
(CVE-2008-4680).
* Florent Drouin and David Maciejak reported an unspecified
vulnerability in the Bluetooth RFCOMM dissector (CVE-2008-4681).
* A malformed Tamos CommView capture file (aka .ncf file) with an
"unknown/unexpected packet type" triggers a failed assertion in
wtap.c (CVE-2008-4682).
* An unchecked packet length parameter in the dissect_btacl()
function in packet-bthci_acl.c in the Bluetooth ACL dissector causes
an erroneous tvb_memcpy() call (CVE-2008-4683).
* A vulnerability where packet-frame does not properly handle
exceptions thrown by post dissectors caused by a certain series of
packets (CVE-2008-4684).
* Mike Davies reported a use-after-free vulnerability in the
dissect_q931_cause_ie() function in packet-q931.c in the Q.931
dissector via certain packets that trigger an exception
(CVE-2008-4685).
* The Security Vulnerability Research Team of Bkis reported that the
SMTP dissector could consume excessive amounts of CPU and memory
(CVE-2008-5285).
* The vendor reported that the WLCCP dissector could go into an
infinite loop (CVE-2008-6472).
* babi discovered a buffer overflow in wiretap/netscreen.c via a
malformed NetScreen snoop file (CVE-2009-0599).
* A specially crafted Tektronix K12 text capture file can cause an
application crash (CVE-2009-0600).
* An unspecified vulnerability with unknown impact and attack vectors
(CVE-2009-1266).
* Marty Adkins and Chris Maynard discovered a parsing error in the
dissector for the Check Point High-Availability Protocol (CPHAP)
(CVE-2009-1268).
* Magnus Homann discovered a parsing error when loading a Tektronix
.rf5 file (CVE-2009-1269).
* The vendor reported that the PCNFSD dissector could crash
(CVE-2009-1829).
Impact
======
A remote attacker could exploit these vulnerabilities by sending
specially crafted packets on a network being monitored by Wireshark or
by enticing a user to read a malformed packet trace file which can
trigger a Denial of Service (application crash or excessive CPU and
memory usage) and possibly allow for the execution of arbitrary code
with the privileges of the user running Wireshark.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Wireshark users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-analyzer/wireshark-1.0.8"
References
==========
[ 1 ] CVE-2008-4680
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4680
[ 2 ] CVE-2008-4681
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4681
[ 3 ] CVE-2008-4682
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4682
[ 4 ] CVE-2008-4683
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4683
[ 5 ] CVE-2008-4684
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4684
[ 6 ] CVE-2008-4685
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4685
[ 7 ] CVE-2008-5285
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5285
[ 8 ] CVE-2008-6472
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-6472
[ 9 ] CVE-2009-0599
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0599
[ 10 ] CVE-2009-0600
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0600
[ 11 ] CVE-2009-0601
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0601
[ 12 ] CVE-2009-1210
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1210
[ 13 ] CVE-2009-1266
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1266
[ 14 ] CVE-2009-1268
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1268
[ 15 ] CVE-2009-1269
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1269
[ 16 ] CVE-2009-1829
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1829
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-200906-05.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.
License
=======
Copyright 2009 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0599
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0600
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0601
http://www.wireshark.org/security/wnpa-sec-2009-01.html
_______________________________________________________________________
Updated Packages:
Mandriva Linux 2008.1:
2d591a5772317d3587434424b8dc4a1d 2008.1/i586/dumpcap-1.0.6-0.1mdv2008.1.i586.rpm
bf65e163112b4dc5db4041c552823bcb 2008.1/i586/libwireshark0-1.0.6-0.1mdv2008.1.i586.rpm
80056b13d9146428645d6e67cb2ed8ea 2008.1/i586/libwireshark-devel-1.0.6-0.1mdv2008.1.i586.rpm
7923294ad925674ef116b6273835d8ef 2008.1/i586/rawshark-1.0.6-0.1mdv2008.1.i586.rpm
bd5a15d402a367058d61fd8dd6a2dcf9 2008.1/i586/tshark-1.0.6-0.1mdv2008.1.i586.rpm
5c7b0422b12d2eade1ce997de3766c6c 2008.1/i586/wireshark-1.0.6-0.1mdv2008.1.i586.rpm
d116f95d212119516dbca4bf1d353cf5 2008.1/i586/wireshark-tools-1.0.6-0.1mdv2008.1.i586.rpm
2a31aab490fe670da93830f464154a48 2008.1/SRPMS/wireshark-1.0.6-0.1mdv2008.1.src.rpm
Mandriva Linux 2008.1/X86_64:
b7213fd4bf53ad0cb41b5cc5ab1057df 2008.1/x86_64/dumpcap-1.0.6-0.1mdv2008.1.x86_64.rpm
4e3f14a549d66f199171d6f91aa28c68 2008.1/x86_64/lib64wireshark0-1.0.6-0.1mdv2008.1.x86_64.rpm
aa39e29909ed34d5df2f0c85ac560c8f 2008.1/x86_64/lib64wireshark-devel-1.0.6-0.1mdv2008.1.x86_64.rpm
ef92c97f74a2811daf7d874755dd7777 2008.1/x86_64/rawshark-1.0.6-0.1mdv2008.1.x86_64.rpm
ea555917cd20aba1f0b4114730ad9924 2008.1/x86_64/tshark-1.0.6-0.1mdv2008.1.x86_64.rpm
c74402d6323f6a72188f214d2d002ef2 2008.1/x86_64/wireshark-1.0.6-0.1mdv2008.1.x86_64.rpm
fa5e55f0a5934c2bae263e9151a40b16 2008.1/x86_64/wireshark-tools-1.0.6-0.1mdv2008.1.x86_64.rpm
2a31aab490fe670da93830f464154a48 2008.1/SRPMS/wireshark-1.0.6-0.1mdv2008.1.src.rpm
Mandriva Linux 2009.0:
c661639631224e605d41a2985af43c93 2009.0/i586/dumpcap-1.0.6-0.1mdv2009.0.i586.rpm
bb633c409ddb95d2e6f6826b6fd2be3d 2009.0/i586/libwireshark0-1.0.6-0.1mdv2009.0.i586.rpm
5d2f7434a1dd322259907d14caf90e11 2009.0/i586/libwireshark-devel-1.0.6-0.1mdv2009.0.i586.rpm
d32a3de9e13b83d991a2d6c8577f50c2 2009.0/i586/rawshark-1.0.6-0.1mdv2009.0.i586.rpm
bcdf64d0e05d0bb964c946c83bdd5353 2009.0/i586/tshark-1.0.6-0.1mdv2009.0.i586.rpm
3537cea11294e8d1dff87c15b933c622 2009.0/i586/wireshark-1.0.6-0.1mdv2009.0.i586.rpm
c5ef95f5eb5255e10ccc12bcb0c6d77a 2009.0/i586/wireshark-tools-1.0.6-0.1mdv2009.0.i586.rpm
3efca295d42d9e1686b46ca1c020f8a2 2009.0/SRPMS/wireshark-1.0.6-0.1mdv2009.0.src.rpm
Mandriva Linux 2009.0/X86_64:
90cffab44fe29d55f527ab4b76b0a0d6 2009.0/x86_64/dumpcap-1.0.6-0.1mdv2009.0.x86_64.rpm
838159ecdc95655df014d17d04434297 2009.0/x86_64/lib64wireshark0-1.0.6-0.1mdv2009.0.x86_64.rpm
d3dba0b501696a634627540517693b62 2009.0/x86_64/lib64wireshark-devel-1.0.6-0.1mdv2009.0.x86_64.rpm
bf51f59064d3ce3dd2dafd6aaaa889df 2009.0/x86_64/rawshark-1.0.6-0.1mdv2009.0.x86_64.rpm
3e33480b37b90293e1fd77c33934b9d2 2009.0/x86_64/tshark-1.0.6-0.1mdv2009.0.x86_64.rpm
6a22be605ea9e2357c8c5f38a1d6cc78 2009.0/x86_64/wireshark-1.0.6-0.1mdv2009.0.x86_64.rpm
a73dd1ee57fee0b886beb0542bdd3baa 2009.0/x86_64/wireshark-tools-1.0.6-0.1mdv2009.0.x86_64.rpm
3efca295d42d9e1686b46ca1c020f8a2 2009.0/SRPMS/wireshark-1.0.6-0.1mdv2009.0.src.rpm
Corporate 4.0:
cd40c4762bd0c4b5ffafc5023809ac04 corporate/4.0/i586/dumpcap-1.0.6-0.1.20060mlcs4.i586.rpm
629aa56a60730449858656e1ea062b84 corporate/4.0/i586/libwireshark0-1.0.6-0.1.20060mlcs4.i586.rpm
e7674da06cff0db774a65d40c8407ce1 corporate/4.0/i586/libwireshark-devel-1.0.6-0.1.20060mlcs4.i586.rpm
76530bd71bb120b5325f9a09c39a2929 corporate/4.0/i586/rawshark-1.0.6-0.1.20060mlcs4.i586.rpm
baa49a07548d639f2cb19a73c5e0df2f corporate/4.0/i586/tshark-1.0.6-0.1.20060mlcs4.i586.rpm
c08beac1b46a39cbc0a46f0d360ccc40 corporate/4.0/i586/wireshark-1.0.6-0.1.20060mlcs4.i586.rpm
9e1170ca14c27d0a9b9279eb317743ad corporate/4.0/i586/wireshark-tools-1.0.6-0.1.20060mlcs4.i586.rpm
dccd63a7f0c24d1ccbf5adac0374a460 corporate/4.0/SRPMS/wireshark-1.0.6-0.1.20060mlcs4.src.rpm
Corporate 4.0/X86_64:
7d416c1d4b061a7af12eb8ddff174685 corporate/4.0/x86_64/dumpcap-1.0.6-0.1.20060mlcs4.x86_64.rpm
2c08582bff18197181d7021f471235cc corporate/4.0/x86_64/lib64wireshark0-1.0.6-0.1.20060mlcs4.x86_64.rpm
7128168a02a6dd0065d051a23992cdbe corporate/4.0/x86_64/lib64wireshark-devel-1.0.6-0.1.20060mlcs4.x86_64.rpm
fee1072986b3bbbcacbe84a5def3513d corporate/4.0/x86_64/rawshark-1.0.6-0.1.20060mlcs4.x86_64.rpm
c5a1394098d7c20613c51948b613ea2c corporate/4.0/x86_64/tshark-1.0.6-0.1.20060mlcs4.x86_64.rpm
279ada1e7a929b5df0a2e0813ee37d38 corporate/4.0/x86_64/wireshark-1.0.6-0.1.20060mlcs4.x86_64.rpm
f28beac01c20e5d108d3390c07583918 corporate/4.0/x86_64/wireshark-tools-1.0.6-0.1.20060mlcs4.x86_64.rpm
dccd63a7f0c24d1ccbf5adac0374a460 corporate/4.0/SRPMS/wireshark-1.0.6-0.1.20060mlcs4.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iD8DBQFJpxmTmqjQ0CJFipgRAvn+AKDefbliY7WKwLriDdVzrbgoh3FkFQCfUqov
/+8NwA5cFnOJqNNg+MVuADw=
=fAWE
-----END PGP SIGNATURE-----
----------------------------------------------------------------------
Did you know that a change in our assessment rating, exploit code
availability, or if an updated patch is released by the vendor, is
not part of this mailing-list?
Click here to learn more:
http://secunia.com/advisories/business_solutions/
----------------------------------------------------------------------
TITLE:
Wireshark NetScreen Snoop Capture File Buffer Overflow Vulnerability
SECUNIA ADVISORY ID:
SA33872
VERIFY ADVISORY:
http://secunia.com/advisories/33872/
CRITICAL:
Moderately critical
IMPACT:
DoS, System access
WHERE:
From remote
SOFTWARE:
Wireshark 1.x
http://secunia.com/advisories/product/18083/
Wireshark (formerly Ethereal) 0.x
http://secunia.com/advisories/product/1228/
DESCRIPTION:
A vulnerability has been reported in Wireshark, which can be
exploited by malicious people to potentially compromise a user's
system.
The vulnerability is caused due to a boundary error in the processing
of NetScreen Snoop capture files and can be exploited to cause a
stack-based buffer overflow.
Successful exploitation may allow execution of arbitrary code
depending on the allocation of stack variables.
The vulnerability is reported in versions 0.99.7 through 1.0.5.
SOLUTION:
Update to version 1.0.6.
PROVIDED AND/OR DISCOVERED BY:
Reported by babi in a Wireshark bug report.
ORIGINAL ADVISORY:
http://www.wireshark.org/security/wnpa-sec-2009-01.html
----------------------------------------------------------------------
VAR-200902-0626 | CVE-2009-0680 | Netgear SSL312 of cgi-bin/welcome/VPN_only Service disruption in (DoS) Vulnerabilities |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
cgi-bin/welcome/VPN_only in the web interface in Netgear SSL312 allows remote attackers to cause a denial of service (device crash) via a crafted query string, as demonstrated using directory traversal sequences. NetGear SSL312 is prone to a remote denial-of-service vulnerability.
Successfully exploiting this issue allows remote attackers to cause denial-of-service conditions. NetGear SSL312 is an SSL VPN product manufactured by Netgear that meets the remote access needs of small and medium-sized enterprises.
VAR-200902-0193 | CVE-2008-6087 | Camera Life of topic.php Vulnerable to cross-site scripting |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Cross-site scripting (XSS) vulnerability in topic.php in Camera Life 2.6.2b4 allows remote attackers to inject arbitrary web script or HTML via the name parameter. Camera Life is an open source PHP-based photo management and organization plugin.
VAR-200902-0035 | CVE-2009-0471 | Cisco IOS of HTTP Server cross-site request forgery vulnerability |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Cross-site request forgery (CSRF) vulnerability in the HTTP server in Cisco IOS 12.4(23) allows remote attackers to execute arbitrary commands, as demonstrated by executing the hostname command with a level/15/configure/-/hostname request. IOS is prone to a cross-site request forgery vulnerability. Cisco IOS is an operating system developed by Cisco in the United States for its network equipment.
----------------------------------------------------------------------
TITLE:
Cisco IOS Cross-Site Scripting and Cross-Site Request Forgery
SECUNIA ADVISORY ID:
SA33844
VERIFY ADVISORY:
http://secunia.com/advisories/33844/
CRITICAL:
Less critical
IMPACT:
Cross Site Scripting
WHERE:
From remote
OPERATING SYSTEM:
Cisco IOS 12.x
http://secunia.com/advisories/product/182/
Cisco IOS R12.x
http://secunia.com/advisories/product/50/
DESCRIPTION:
Zloss has reported some vulnerabilities in Cisco IOS, which can be
exploited by malicious people to conduct cross-site scripting and
cross-site request forgery attacks.
1) Input passed via the URL when executing commands is not properly
sanitised before being returned to the user. This can be exploited to
execute arbitrary HTML and script code in a user's browser session in
context of an affected site.
2) The device allows users to perform certain actions via HTTP
requests without performing any validity checks to verify the
requests. This can be exploited to potentially alter the
configuration of the device by tricking the user into visiting a
malicious web site.
The vulnerabilities are reported in Cisco IOS firmware version
12.4(23). Other versions may also be affected.
SOLUTION:
Filter malicious characters and character sequences in a proxy.
Do not visit untrusted websites while being logged in to the device.
PROVIDED AND/OR DISCOVERED BY:
Zloss
ORIGINAL ADVISORY:
http://packetstormsecurity.org/0902-exploits/cisco12423-xss.txt
----------------------------------------------------------------------
VAR-200902-0690 | No CVE | ControlLogix 1756-ENBT / A EtherNet / IP Bridge Multiple Cross-Site Scripting and URL Redirection Vulnerabilities |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
ControlLogix is industrial automation control software developed by Rockwell Automation, USA. The ControlLogix 1756-ENBT / A EtherNet / IP Bridge uses a web interface to display log files and status information. This interface has URL redirection and cross-site scripting vulnerabilities. If a user is tricked into following a specially crafted URL, the user's browser is redirected to another site, or arbitrary script code is executed in the browser session.
VAR-200902-0037 | CVE-2009-0473 | Rockwell Automation ControlLogix 1756-ENBT/A EtherNet/IP Bridge URL redirection vulnerability |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Open redirect vulnerability in the web interface in the Rockwell Automation ControlLogix 1756-ENBT/A EtherNet/IP Bridge Module allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors. The Rockwell Automation ControlLogix 1756-ENBT/A EtherNet/IP Bridge uses a web interface to display log files and status information. This web interface contains a URL redirection vulnerability: a user could be redirected to a page other than the one they tried to access with a web browser. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
An attacker can exploit this issue to cause a victim's browser to redirect to a malicious site. Successfully exploiting this issue may aid in phishing attacks. ControlLogix is an industrial automation control system developed by Rockwell Automation.
----------------------------------------------------------------------
TITLE:
ControlLogix 1756-ENTB/A Ethernet/IP Bridge Vulnerabilities
SECUNIA ADVISORY ID:
SA33783
VERIFY ADVISORY:
http://secunia.com/advisories/33783/
CRITICAL:
Less critical
IMPACT:
Cross Site Scripting, Exposure of sensitive information
WHERE:
From remote
OPERATING SYSTEM:
ControlLogix 1756-ENTB/A Ethernet/IP Bridge
http://secunia.com/advisories/product/21337/
DESCRIPTION:
Some vulnerabilities and a weakness have been reported in
ControlLogix 1756-ENTB/A Ethernet/IP Bridge, which can be exploited
by malicious people to conduct cross-site scripting attacks or to
disclose potentially sensitive information.
2) An unspecified error in the web interface can be exploited to
disclose potentially sensitive internal web page information.
SOLUTION:
A fixed firmware version is scheduled for release July, 2009.
Filter malicious characters and character sequences in a proxy.
PROVIDED AND/OR DISCOVERED BY:
1) US-CERT credits Daniel Peck of Digital Bond, Inc.
2) Reported by the vendor.
ORIGINAL ADVISORY:
US-CERT VU#882619:
http://www.kb.cert.org/vuls/id/882619
Rockwell Automation:
http://rockwellautomation.custhelp.com/cgi-bin/rockwellautomation.cfg/php/enduser/std_adp.php?p_faqid=57729
----------------------------------------------------------------------
VAR-200902-0036 | CVE-2009-0472 | Rockwell Automation ControlLogix 1756-ENBT/A EtherNet/IP Bridge cross-site scripting vulnerability |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Multiple cross-site scripting (XSS) vulnerabilities in the web interface in the Rockwell Automation ControlLogix 1756-ENBT/A EtherNet/IP Bridge Module allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. The Rockwell Automation ControlLogix 1756-ENBT/A EtherNet/IP Bridge contains a cross-site scripting vulnerability. The Rockwell Automation ControlLogix 1756-ENBT/A EtherNet/IP Bridge uses a web interface to display log files and status information. As a result, there is a possibility that data is forged or a user is directed to an unintended site.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks. ControlLogix is an industrial automation control system developed by Rockwell Automation.
----------------------------------------------------------------------
TITLE:
ControlLogix 1756-ENBT/A EtherNet/IP Bridge Vulnerabilities
SECUNIA ADVISORY ID:
SA33783
VERIFY ADVISORY:
http://secunia.com/advisories/33783/
CRITICAL:
Less critical
IMPACT:
Cross Site Scripting, Exposure of sensitive information
WHERE:
From remote
OPERATING SYSTEM:
ControlLogix 1756-ENBT/A EtherNet/IP Bridge
http://secunia.com/advisories/product/21337/
DESCRIPTION:
Some vulnerabilities and a weakness have been reported in
ControlLogix 1756-ENBT/A EtherNet/IP Bridge, which can be exploited
by malicious people to conduct cross-site scripting attacks or to
disclose potentially sensitive information.
1) Certain unspecified input passed to the web interface is not
properly sanitised before being returned to the user.
2) An unspecified error in the web interface can be exploited to
disclose potentially sensitive internal web page information.
SOLUTION:
A fixed firmware version is scheduled for release in July 2009.
Filter malicious characters and character sequences in a proxy.
PROVIDED AND/OR DISCOVERED BY:
1) US-CERT credits Daniel Peck of Digital Bond, Inc.
2) Reported by the vendor.
ORIGINAL ADVISORY:
US-CERT VU#882619:
http://www.kb.cert.org/vuls/id/882619
Rockwell Automation:
http://rockwellautomation.custhelp.com/cgi-bin/rockwellautomation.cfg/php/enduser/std_adp.php?p_faqid=57729
----------------------------------------------------------------------
VAR-200902-0479 | CVE-2009-0059 |
Multiple Cisco Wireless LAN products: denial of service (DoS) vulnerabilities
Related entries in the VARIoT exploits database: VAR-E-200902-0516 |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
The Cisco Wireless LAN Controller (WLC), Cisco Catalyst 6500 Wireless Services Module (WiSM), and Cisco Catalyst 3750 Integrated Wireless LAN Controller with software 4.x before 4.2.176.0 and 5.2.x before 5.2.157.0 allow remote attackers to cause a denial of service (device reload) via a web authentication (aka WebAuth) session that includes a malformed POST request to login.html. Multiple Cisco Wireless LAN Controllers are prone to these remote vulnerabilities:
- Multiple denial-of-service vulnerabilities
- A remote privilege-escalation vulnerability
Remote attackers can exploit these issues to gain administrative rights on an affected device or crash the device, denying service to legitimate users.
SOLUTION:
Update to a fixed version. Please see vendor advisory for a patch
matrix.
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
http://www.cisco.com/warp/public/707/cisco-sa-20090204-wlc.shtml
----------------------------------------------------------------------
This security advisory outlines details of the following vulnerabilities:
* Denial of Service Vulnerabilities (total of three)
* Privilege Escalation Vulnerability
These vulnerabilities are independent of each other.
Cisco has released free software updates that address these
vulnerabilities.
There are no workarounds available for these vulnerabilities.
This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20090204-wlc.shtml.
Affected Products
=================
Vulnerable Products
+------------------
The following products and software versions are affected for each
vulnerability.
Denial of Service Vulnerabilities
+--------------------------------
Two denial of service (DoS) vulnerabilities affect software versions
4.2 and later.
A third DoS vulnerability affects software versions 4.1 and later.
Privilege Escalation Vulnerability
+---------------------------------
Only WLC software version 4.2.173.0 is affected by this vulnerability.
Determination of Software Versions
+---------------------------------
To determine the WLC version that is running in a given environment, use
one of the following methods:
* In the web interface, choose the Monitor tab, click Summary in
the left pane, and note the Software Version.
* From the command-line interface, type "show sysinfo" and note the
Product Version, as shown in the following example:
(Cisco Controller) >show sysinfo
Manufacturer's Name.. Cisco Systems Inc.
Product Name......... Cisco Controller
Product Version...... 5.1.151.0
RTOS Version......... Linux-2.6.10_mvl401
Bootloader Version... 4.0.207.0
Build Type........... DATA + WPS
<output suppressed>
Use the "show wism module <module number> controller 1 status" command
on a Cisco Catalyst 6500 Series/7600 Series switch if using a WiSM, and
note the Software Version, as demonstrated in the following example:
Router#show wism mod 3 controller 1 status
WiSM Controller 1 in Slot 3
Operational Status of the Controller : Oper-Up
Service VLAN : 192
Service Port : 10
Service Port Mac Address : 0011.92ff.8742
Service IP Address : 192.168.10.1
Management IP Address : 192.168.1.123
Software Version : 5.1.151.0
Port Channel Number : 288
Allowed vlan list : 30,40
Native VLAN ID : 40
WCP Keep Alive Missed : 0
Products Confirmed Not Vulnerable
+--------------------------------
No other Cisco products are currently known to be affected by these
vulnerabilities.
These devices communicate with Controller-based Access Points over any
Layer 2 (Ethernet) or Layer 3 (IP) infrastructure using the Lightweight
Access Point Protocol (LWAPP).
This Security Advisory describes multiple distinct vulnerabilities in
the WLCs, WiSMs, and the Cisco Catalyst 3750 Integrated WLCs. These
vulnerabilities are independent of each other.
Denial of Service Vulnerabilities
+--------------------------------
These vulnerabilities are documented in the following Cisco Bug IDs and
have been assigned the following Common Vulnerabilities and Exposures
(CVE) identifiers:
* CSCsq44516 - CVE-2009-0058
Web authentication is a Layer 3 security feature that causes the
controller to drop IP traffic (except DHCP and DNS related packets)
from a particular client until that client has correctly supplied
a valid username and password. An attacker may use a vulnerability
scanner to cause the device to stop servicing web authentication
or cause a reload of the device. The following error messages may
appear on the console during an active attack:
SshPmStMain/pm_st_main.c:1954/
ssh_pm_st_main_batch_addition_result:
Failed to add rule to the engine:
restoring old state
SshEnginePmApiPm/engine_pm_api_pm.c:1896/
ssh_pme_enable_policy_lookup:
Could not allocate message
* CSCsm82364 - CVE-2009-0059
An attacker may cause a device reload when sending a malformed post
to the web authentication "login.html" page. The following error
messages may appear on the WLC console during this attack:
Cisco Crash Handler
Signal generated during a signal 11,
count 193
Memory 0x14ef1e44 has been freed!
Note: A crash file is not generated during this attack.
* CSCso60979 - CVE-2009-0061
The WLC TSEC driver may hang or crash the device when it receives
certain IP packets. Upon receiving these IP packets, the affected
device may become unresponsive and require a reboot to recover.
Privilege Escalation Vulnerability
+---------------------------------
A privilege escalation vulnerability exists only in WLC software version
4.2.173.0, and could allow a restricted user (i.e., Lobby Admin) to gain
full administrative rights on the affected system.
Note: Wireless network users are not affected by this vulnerability.
This vulnerability is documented in Cisco Bug ID CSCsv62283 and has
been assigned the Common Vulnerabilities and Exposures (CVE) identifier
CVE-2009-0062.
Vulnerability Scoring Details
+----------------------------
Cisco has provided scores for the vulnerabilities in this advisory based
on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in
this Security Advisory is done in accordance with CVSS version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of the
vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at
http://intellishield.cisco.com/security/alertmanager/cvss
* Certain packets may cause WebAuth services to hang or reload the
device (CSCsq44516)
CVSS Base Score - 6.1
Access Vector - Adjacent Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 5.0
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* Crash handling invalid post for webauth (CSCsq44516)
CVSS Base Score - 6.1
Access Vector - Adjacent Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 5.0
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* WLC TSEC driver may hang or crash the device (CSCso60979)
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* Local Management Users may obtain full admin rights (CSCsv62283)
CVSS Base Score - 9.0
Access Vector - Network
Access Complexity - Low
Authentication - Single
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 7.8
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of the denial of service vulnerabilities may
cause the affected device to hang or reload. Repeated exploitation
could result in a sustained DoS condition. The privilege escalation
vulnerability may allow an authenticated user to obtain full
administrative rights on the affected system.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to determine
exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
+-----------------------------------------------------+
| Vulnerability | Affected | First | Recommended |
| / Bug ID | Release | Fixed | Release |
| | | Version | |
|---------------+----------+------------+-------------|
| | 4.1 | Migrate to | 4.2.176.0 |
| | | 4.2 | |
| |----------+------------+-------------|
| | 4.2 | 4.2.173.0 | 4.2.176.0 |
| |----------+------------+-------------|
| | 5.0 | Migrate to | 5.2.157.0 |
| CSCsq44516 | | 5.2 | |
| |----------+------------+-------------|
| | 5.1 | Contact | Contact TAC |
| | | TAC | |
| |----------+------------+-------------|
| | 5.2 | Not | Not |
| | | vulnerable | Vulnerable |
|---------------+----------+------------+-------------|
| | 4.1 | Migrate to | 4.2.176.0 |
| | | 4.2 | |
| |----------+------------+-------------|
| | 4.2 | 4.2.112.0 | 4.2.176.0 |
| |----------+------------+-------------|
| CSCsm82364 | 5.0 | Not | Not |
| | | vulnerable | vulnerable |
| |----------+------------+-------------|
| | 5.1 | Not | Not |
| | | vulnerable | vulnerable |
| |----------+------------+-------------|
| | 5.2 | 5.2.157.0 | 5.2.157.0 |
|---------------+----------+------------+-------------|
| | 4.1 | Migrate to | 4.2.176.0 |
| | | 4.2 | |
| |----------+------------+-------------|
| | 4.2 | 4.2.117.0 | 4.2.176.0 |
| |----------+------------+-------------|
| | 5.0 | Migrate to | 5.2.157.0 |
| CSCso60979 | | 5.2 | |
| |----------+------------+-------------|
| | 5.1 | Not | Not |
| | | vulnerable | vulnerable |
| |----------+------------+-------------|
| | 5.2 | Not | Not |
| | | vulnerable | vulnerable |
|---------------+----------+------------+-------------|
| | 4.1 | Not | Not |
| | | vulnerable | vulnerable |
| |----------+------------+-------------|
| | 4.2 | 4.2.174.0 | 4.2.176.0 |
| |----------+------------+-------------|
| | 5.0 | Not | Not |
| CSCsv62283 | | Vulnerable | Vulnerable |
| |----------+------------+-------------|
| | 5.1 | Not | Not |
| | | Vulnerable | vulnerable |
| |----------+------------+-------------|
| | 5.2 | Not | Not |
| | | Vulnerable | vulnerable |
+-----------------------------------------------------+
Note: Customers running 4.1M WLC mesh code, using Cisco Wireless 1510
Access Points (APs) are recommended to migrate to release 4.2.176.0.
Customers running 4.1 mesh code, using Cisco Wireless 1520 APs are
recommended to migrate to 5.2 or later.
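The version lookup described under Determination of Software Versions and the fix matrix above can be combined into one check. The following is an added example (not Cisco's code): the matrix is transcribed from the table above, the narrowing of CSCsv62283 to 4.2.173.0 follows the advisory text, and the show sysinfo sample is constructed after the advisory's own excerpt.

```python
"""Added example (not Cisco's code): read the Product Version from WLC
'show sysinfo' output and check it against the fix matrix transcribed from
the Software Versions and Fixes table in cisco-sa-20090204-wlc."""
import re

NOT_VULNERABLE = "not vulnerable"
MIGRATE = "migrate"          # table cell reads "Migrate to <train>"
CONTACT_TAC = "contact TAC"  # table cell reads "Contact TAC"

# Per bug ID, per release train: first fixed version or one of the markers.
FIX_MATRIX = {
    "CSCsq44516": {"4.1": MIGRATE, "4.2": "4.2.173.0", "5.0": MIGRATE,
                   "5.1": CONTACT_TAC, "5.2": NOT_VULNERABLE},
    "CSCsm82364": {"4.1": MIGRATE, "4.2": "4.2.112.0", "5.0": NOT_VULNERABLE,
                   "5.1": NOT_VULNERABLE, "5.2": "5.2.157.0"},
    "CSCso60979": {"4.1": MIGRATE, "4.2": "4.2.117.0", "5.0": MIGRATE,
                   "5.1": NOT_VULNERABLE, "5.2": NOT_VULNERABLE},
    "CSCsv62283": {"4.1": NOT_VULNERABLE, "4.2": "4.2.174.0", "5.0": NOT_VULNERABLE,
                   "5.1": NOT_VULNERABLE, "5.2": NOT_VULNERABLE},
}
# The advisory text limits the privilege-escalation bug to a single build, so
# that row is checked by exact match rather than by "older than first fixed".
ONLY_AFFECTED = {"CSCsv62283": {"4.2.173.0"}}
# Recommended release per train (last column of the table).
RECOMMENDED = {"4.1": "4.2.176.0", "4.2": "4.2.176.0", "5.0": "5.2.157.0",
               "5.1": CONTACT_TAC, "5.2": "5.2.157.0"}

# Constructed sample, following the advisory's own 'show sysinfo' excerpt.
SAMPLE_SHOW_SYSINFO = "\n".join([
    "(Cisco Controller) >show sysinfo",
    "Manufacturer's Name.. Cisco Systems Inc.",
    "Product Name......... Cisco Controller",
    "Product Version...... 5.1.151.0",
    "RTOS Version......... Linux-2.6.10_mvl401",
])


def parse_product_version(show_sysinfo: str) -> str:
    """Extract the dotted version after the dot-padded 'Product Version' label."""
    match = re.search(r"^Product Version\.*\s*(\d+(?:\.\d+)+)", show_sysinfo, re.MULTILINE)
    if not match:
        raise ValueError("Product Version not found in show sysinfo output")
    return match.group(1)


def version_tuple(version: str) -> tuple:
    """'4.2.173.0' -> (4, 2, 173, 0), so comparisons are numeric, not lexical."""
    return tuple(int(part) for part in version.split("."))


def assess(version: str) -> dict:
    """Map each bug ID to a verdict string starting with 'affected', 'fixed',
    'not vulnerable' or 'unknown'."""
    train = ".".join(version.split(".")[:2])
    verdicts = {}
    for bug, row in FIX_MATRIX.items():
        if train not in row:
            verdicts[bug] = "unknown: release train not in the fix matrix"
        elif bug in ONLY_AFFECTED:
            verdicts[bug] = (f"affected: upgrade to {RECOMMENDED[train]}"
                             if version in ONLY_AFFECTED[bug] else NOT_VULNERABLE)
        elif row[train] == NOT_VULNERABLE:
            verdicts[bug] = NOT_VULNERABLE
        elif row[train] == MIGRATE:
            verdicts[bug] = f"affected: migrate to {RECOMMENDED[train]}"
        elif row[train] == CONTACT_TAC:
            verdicts[bug] = "affected: contact TAC for a fixed release"
        elif version_tuple(version) < version_tuple(row[train]):
            verdicts[bug] = f"affected: first fixed in {row[train]}, recommended {RECOMMENDED[train]}"
        else:
            verdicts[bug] = f"fixed: {version} is at or above {row[train]}"
    return verdicts


if __name__ == "__main__":
    running = parse_product_version(SAMPLE_SHOW_SYSINFO)
    for bug, verdict in assess(running).items():
        print(f"{running} {bug}: {verdict}")
```

For the sample's 5.1.151.0 only CSCsq44516 remains open (Contact TAC), while 4.2.173.0 is clear of the three DoS bugs but is the one build exposed to CSCsv62283.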
Workarounds
===========
There are no workarounds for any of these vulnerabilities.
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should consult
their maintenance provider or check the software for feature set
compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature
sets they have purchased. By installing, downloading, accessing
or otherwise using such software upgrades, customers agree to be
bound by the terms of Cisco's software license terms found at
http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html,
or as otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml.
Do not contact psirt@cisco.com or security-alert@cisco.com for software
upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through their
regular update channels. For most customers, this means that upgrades
should be obtained through the Software Center on Cisco's worldwide
website at http://www.cisco.com.
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through prior
or existing agreements with third-party support organizations, such
as Cisco Partners, authorized resellers, or service providers should
contact that support organization for guidance and assistance with the
appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or fix
is the most appropriate for use in the intended network before it is
deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco service
contract, and customers who purchase through third-party vendors but are
unsuccessful in obtaining fixed software through their point of sale
should acquire upgrades by contacting the Cisco Technical Assistance
Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to a
free upgrade. Free upgrades for non-contract customers must be requested
through the TAC.
Refer to http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
for additional TAC contact information, including localized telephone
numbers, and instructions and e-mail addresses for use in various
languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerabilities described in this advisory. These
vulnerabilities were found during internal testing and during the
resolution of customer support cases.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY
ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits
the distribution URL in the following section is an uncontrolled copy
and may lack important information or contain factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at :
http://www.cisco.com/warp/public/707/cisco-sa-20090204-wlc.shtml
In addition to worldwide web posting, a text version of this notice is
clear-signed with the Cisco PSIRT PGP key and is posted to the following
e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on mailing
lists or newsgroups. Users concerned about this problem are encouraged
to check the above URL for any updates.
Revision History
================
+------------------------------------------------------------+
| Revision 1.0 | 2009-February-04 | Initial public release. |
+------------------------------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html.
This includes instructions for press inquiries regarding Cisco security
notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt.
+--------------------------------------------------------------------
Copyright 2008 - 2009 Cisco Systems, Inc. All rights reserved.
+--------------------------------------------------------------------
Updated: Feb 04, 2009 Document ID: 108336
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
VAR-200902-0673 | CVE-2008-4419 | Directory traversal vulnerability in the HP JetDirect web management interface of the HP-ChaiSOE 1.0 web server embedded in multiple HP products |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Directory traversal vulnerability in the HP JetDirect web administration interface in the HP-ChaiSOE 1.0 embedded web server on the LaserJet 9040mfp, LaserJet 9050mfp, and Color LaserJet 9500mfp before firmware 08.110.9; LaserJet 4345mfp and 9200C Digital Sender before firmware 09.120.9; Color LaserJet 4730mfp before firmware 46.200.9; LaserJet 2410, LaserJet 2420, and LaserJet 2430 before firmware 20080819 SPCL112A; LaserJet 4250 and LaserJet 4350 before firmware 20080819 SPCL015A; and LaserJet 9040 and LaserJet 9050 before firmware 20080819 SPCL110A allows remote attackers to read arbitrary files via directory traversal sequences in the URI. Multiple HP printers are prone to an unspecified directory-traversal vulnerability because the device's webserver fails to sufficiently sanitize user-supplied input.
Exploiting this issue will allow an attacker to view arbitrary local files within the context of the webserver. Information harvested may aid in launching further attacks.
The vulnerability is caused by an input validation error within
the embedded web server, which can be exploited to gain access to
files outside the web root via directory traversal attacks.
PROVIDED AND/OR DISCOVERED BY:
Digital Defense, Inc. (DDI) Vulnerability Research Team
ORIGINAL ADVISORY:
HPSBPI02398 SSRT080166:
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01623905
----------------------------------------------------------------------
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c01623905
Version: 1
HPSBPI02398 SSRT080166 rev.1 - Certain HP LaserJet Printers, HP Color LaserJet Printers, and HP Digital Senders, Remote Unauthorized Access to Files
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible. The vulnerability could be exploited remotely to gain unauthorized access to files.
References: CVE-2008-4419
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
The Hewlett-Packard Company thanks the Digital Defense, Inc. (DDI) Vulnerability Research Team (VRT) for reporting this vulnerability to security-alert@hp.com.
RESOLUTION
HP has provided firmware updates and preliminary firmware updates to resolve this vulnerability. The firmware updates and preliminary firmware updates are available as described below.
Note: Each firmware update has instructions for finding the firmware version installed on the product.
File - lj24x0fw_08_112_spcl112A.rfu
MD5 Sum - b3dbcc8d6d465b0a264b662b13a19685
File - lj4x50fw_08_015_spcl015A.rfu
MD5 Sum - 1acfd981cad26e002f655332b1ba5954
File - lj9050-50fw_08_110_spcl110A.rfu
MD5 Sum - ed2ded960ba70e563b58e506fbe1faae
File - InstallationInstructions.rtf
MD5 Sum - 1feb8410771d698ea9599d2fcc462a2d
Install the preliminary firmware update as described in the InstallationInstructions.rtf file.
PRODUCT SPECIFIC INFORMATION
None
HISTORY
Version:1 (rev.1) - 4 February 2009 Initial release
Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy.
Support: For further information, contact normal HP Services support channel.
Report: To report a potential security vulnerability with any HP supported product, send Email to: security-alert@hp.com
It is strongly recommended that security related information being communicated to HP be encrypted using PGP, especially exploit information.
To get the security-alert PGP key, please send an e-mail message as follows:
To: security-alert@hp.com
Subject: get key
Subscribe: To initiate a subscription to receive future HP Security Bulletins via Email:
http://h30046.www3.hp.com/driverAlertProfile.php?regioncode=NA&langcode=USENG&jumpid=in_SC-GEN__driverITRC&topiccode=ITRC
On the web page: ITRC security bulletins and patch sign-up
Under Step1: your ITRC security bulletins and patches
- check ALL categories for which alerts are required and continue.
Under Step2: your ITRC operating systems
- verify your operating system selections are checked and save.
To update an existing subscription: http://h30046.www3.hp.com/subSignIn.php
Log in on the web page: Subscriber's choice for Business: sign-in.
On the web page: Subscriber's Choice: your profile summary - use Edit Profile to update appropriate sections.
To review previously published Security Bulletins visit: http://www.itrc.hp.com/service/cki/secBullArchive.do
* The Software Product Category that this Security Bulletin relates to is represented by the 5th and 6th characters of the Bulletin number in the title:
GN = HP General SW
MA = HP Management Agents
MI = Misc. 3rd Party SW
MP = HP MPE/iX
NS = HP NonStop Servers
OV = HP OpenVMS
PI = HP Printing & Imaging
ST = HP Storage SW
TL = HP Trusted Linux
TU = HP Tru64 UNIX
UX = HP-UX
VV = HP VirtualVault
System management and security procedures must be reviewed frequently to maintain system integrity. HP is continually reviewing and enhancing the security features of software products to provide customers with current secure solutions.
"HP is broadly distributing this Security Bulletin in order to bring to the attention of users of the affected HP products the important security information contained in this Bulletin. HP recommends that all users determine the applicability of this information to their individual situations and take appropriate action. HP does not warrant that this information is necessarily accurate or complete for all user situations and, consequently, HP will not be responsible for any damages resulting from user's use or disregard of the information provided in this Bulletin. To the extent permitted by law, HP disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose, title and non-infringement."
© Copyright 2009 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental, special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett-Packard Company and the names of Hewlett-Packard products referenced herein are trademarks of Hewlett-Packard Company in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners.
VAR-200902-0481 | CVE-2009-0062 |
Multiple Cisco Wireless LAN products: privilege escalation vulnerability
Related entries in the VARIoT exploits database: VAR-E-200902-0516 |
CVSS V2: 9.0 CVSS V3: - Severity: HIGH |
Unspecified vulnerability in the Cisco Wireless LAN Controller (WLC), Cisco Catalyst 6500 Wireless Services Module (WiSM), and Cisco Catalyst 3750 Integrated Wireless LAN Controller with software 4.2.173.0 allows remote authenticated users to gain privileges via unknown vectors, as demonstrated by escalation from the (1) Lobby Admin and (2) Local Management User privilege levels. Multiple Cisco Wireless LAN Controllers are prone to these remote vulnerabilities:
- Multiple denial-of-service vulnerabilities
- A remote privilege-escalation vulnerability
Remote attackers can exploit these issues to gain administrative rights on an affected device or crash the device, denying service to legitimate users.
1) An unspecified error can be exploited to reload the device or to
render the web authentication functionality unusable.
2) An error when processing POST requests sent to the web
authentication login.html page can be exploited to trigger a device
reload.
The vulnerabilities affect Wireless LAN Controller software versions
4.1 and later on all platforms.
3) An error related to the TSEC driver can be exploited to render a
device unresponsive via specially crafted IP packets.
4) An unspecified error can be exploited by unprivileged users to
gain full administrative rights to an affected system.
This vulnerability affects Wireless LAN Controller software version
4.2.173.0.
SOLUTION:
Update to a fixed version. Please see vendor advisory for a patch
matrix.
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
http://www.cisco.com/warp/public/707/cisco-sa-20090204-wlc.shtml
----------------------------------------------------------------------
VAR-200902-0480 | CVE-2009-0061 |
Multiple Cisco Wireless LAN products: denial of service (DoS) vulnerabilities
Related entries in the VARIoT exploits database: VAR-E-200902-0516 |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Unspecified vulnerability in the Wireless LAN Controller (WLC) TSEC driver in the Cisco 4400 WLC, Cisco Catalyst 6500 and 7600 Wireless Services Module (WiSM), and Cisco Catalyst 3750 Integrated Wireless LAN Controller with software 4.x before 4.2.176.0 and 5.x before 5.1 allows remote attackers to cause a denial of service (device crash or hang) via unknown IP packets. Multiple Cisco Wireless LAN Controllers are prone to these remote vulnerabilities:
- Multiple denial-of-service vulnerabilities
- A remote privilege-escalation vulnerability
Remote attackers can exploit these issues to gain administrative rights on an affected device or crash the device, denying service to legitimate users.
SOLUTION:
Update to a fixed version. Please see vendor advisory for a patch
matrix.
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
http://www.cisco.com/warp/public/707/cisco-sa-20090204-wlc.shtml
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keep their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
This security advisory outlines details of the following vulnerabilities:
* Denial of Service Vulnerabilities (total of three)
* Privilege Escalation Vulnerability
These vulnerabilities are independent of each other.
Cisco has released free software updates that address these
vulnerabilities.
There are no workarounds available for these vulnerabilities.
This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20090204-wlc.shtml.
Affected Products
=================
Vulnerable Products
+------------------
The following products and software versions are affected for each
vulnerability.
Denial of Service Vulnerabilities
+--------------------------------
Two denial of service (DoS) vulnerabilities affect software versions
4.2 and later.
A third DoS vulnerability affects software versions 4.1 and later.
Privilege Escalation Vulnerability
+---------------------------------
Only WLC software version 4.2.173.0 is affected by this vulnerability.
Determination of Software Versions
+---------------------------------
To determine the WLC version that is running in a given environment, use
one of the following methods:
* In the web interface, choose the Monitor tab, click Summary in
the left pane, and note the Software Version.
* From the command-line interface, type "show sysinfo" and note the
Product Version, as shown in the following example:
(Cisco Controller) >show sysinfo
Manufacturer's Name.. Cisco Systems Inc.
Product Name......... Cisco Controller
Product Version...... 5.1.151.0
RTOS Version......... Linux-2.6.10_mvl401
Bootloader Version... 4.0.207.0
Build Type........... DATA + WPS
<output suppressed>
Use the "show wism module <module number> controller 1 status" command
on a Cisco Catalyst 6500 Series/7600 Series switch if using a WiSM, and
note the Software Version, as demonstrated in the following example:
Router#show wism mod 3 controller 1 status
WiSM Controller 1 in Slot 3
Operational Status of the Controller : Oper-Up
Service VLAN : 192
Service Port : 10
Service Port Mac Address : 0011.92ff.8742
Service IP Address : 192.168.10.1
Management IP Address : 192.168.1.123
Software Version : 5.1.151.0
Port Channel Number : 288
Allowed vlan list : 30,40
Native VLAN ID : 40
WCP Keep Alive Missed : 0
Products Confirmed Not Vulnerable
+--------------------------------
No other Cisco products are currently known to be affected by these
vulnerabilities.
These devices communicate with Controller-based Access Points over any
Layer 2 (Ethernet) or Layer 3 (IP) infrastructure using the Lightweight
Access Point Protocol (LWAPP).
This Security Advisory describes multiple distinct vulnerabilities in
the WLCs, WiSMs, and the Cisco Catalyst 3750 Integrated WLCs. These
vulnerabilities are independent of each other.
Denial of Service Vulnerabilities
+--------------------------------
These vulnerabilities are documented in the following Cisco Bug IDs and
have been assigned the following Common Vulnerabilities and Exposures
(CVE) identifiers:
* CSCsq44516 - CVE-2009-0058
Web authentication is a Layer 3 security feature that causes the
controller to drop IP traffic (except DHCP and DNS related packets)
from a particular client until that client has correctly supplied
a valid username and password. An attacker may use a vulnerability
scanner to cause the device to stop servicing web authentication
or cause a reload of the device. The following error messages may
appear on the console during an active attack:
SshPmStMain/pm_st_main.c:1954/
ssh_pm_st_main_batch_addition_result:
Failed to add rule to the engine:
restoring old state
SshEnginePmApiPm/engine_pm_api_pm.c:1896/
ssh_pme_enable_policy_lookup:
Could not allocate message
* CSCsm82364 - CVE-2009-0059
An attacker may cause a device reload when sending a malformed post
to the web authentication "login.html" page. The following error
messages may appear on the WLC console during this attack:
Cisco Crash Handler
Signal generated during a signal 11,
count 193
Memory 0x14ef1e44 has been freed!
Note: A crash file is not generated during this attack.
Upon receiving these IP packets, the affected device may become
unresponsive and require a reboot to recover.
Privilege Escalation Vulnerability
+---------------------------------
A privilege escalation vulnerability exists only in WLC software version
4.2.173.0, and could allow a restricted user (i.e., Lobby Admin) to gain
full administrative rights on the affected system.
Note: Wireless network users are not affected by this vulnerability.
This vulnerability is documented in Cisco Bug ID CSCsv62283 and has
been assigned the Common Vulnerabilities and Exposures (CVE) identifier
CVE-2009-0062.
Vulnerability Scoring Details
+----------------------------
Cisco has provided scores for the vulnerabilities in this advisory based
on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in
this Security Advisory is done in accordance with CVSS version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of the
vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at
http://intellishield.cisco.com/security/alertmanager/cvss
* Certain packets may cause WebAuth services to hang or reload the
device (CSCsq44516)
CVSS Base Score - 6.1
Access Vector - Adjacent Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 5.0
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* Crash handling invalid post for webauth (CSCsq44516)
CVSS Base Score - 6.1
Access Vector - Adjacent Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 5.0
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* WLC TSEC driver may hang or crash the device (CSCso60979)
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* Local Management Users may obtain full admin rights (CSCsv62283)
CVSS Base Score - 9.0
Access Vector - Network
Access Complexity - Low
Authentication - Single
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 7.8
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
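The metric values listed above can be checked against the CVSS v2 formulas. The following Python calculator is an added example, not Cisco's code: it reproduces the base and temporal scores from the listed metrics and computes the environmental score the advisory leaves to customers; the environmental metric values used in the demo are constructed.

```python
"""CVSS v2 base, temporal and environmental scoring, applied to the four
entries of the Cisco WLC advisory (added example, not Cisco's code).

Vectors use CVSS v2 notation, e.g. "AV:A/AC:L/Au:N/C:N/I:N/A:C".
"""
import math

# Metric weights from the CVSS v2 specification.
BASE_WEIGHTS = {
    "AV": {"L": 0.395, "A": 0.646, "N": 1.0},
    "AC": {"H": 0.35, "M": 0.61, "L": 0.71},
    "Au": {"M": 0.45, "S": 0.56, "N": 0.704},
    "C": {"N": 0.0, "P": 0.275, "C": 0.660},
    "I": {"N": 0.0, "P": 0.275, "C": 0.660},
    "A": {"N": 0.0, "P": 0.275, "C": 0.660},
}
TEMPORAL_WEIGHTS = {
    "E": {"U": 0.85, "POC": 0.9, "F": 0.95, "H": 1.0, "ND": 1.0},
    "RL": {"OF": 0.87, "TF": 0.90, "W": 0.95, "U": 1.0, "ND": 1.0},
    "RC": {"UC": 0.90, "UR": 0.95, "C": 1.0, "ND": 1.0},
}
ENV_WEIGHTS = {
    "CDP": {"N": 0.0, "L": 0.1, "LM": 0.3, "MH": 0.4, "H": 0.5, "ND": 0.0},
    "TD": {"N": 0.0, "L": 0.25, "M": 0.75, "H": 1.0, "ND": 1.0},
    "CR": {"L": 0.5, "M": 1.0, "H": 1.51, "ND": 1.0},
    "IR": {"L": 0.5, "M": 1.0, "H": 1.51, "ND": 1.0},
    "AR": {"L": 0.5, "M": 1.0, "H": 1.51, "ND": 1.0},
}


def parse_vector(vector):
    """Split 'AV:A/AC:L/...' into {'AV': 'A', 'AC': 'L', ...}."""
    return dict(part.split(":") for part in vector.split("/"))


def round1(x):
    """CVSS v2 rounds half up to one decimal; the epsilon guards against
    binary floating-point products that land just under a .x5 boundary."""
    return math.floor(x * 10 + 0.5 + 1e-9) / 10


def _temporal_factor(t):
    return (TEMPORAL_WEIGHTS["E"][t["E"]] * TEMPORAL_WEIGHTS["RL"][t["RL"]]
            * TEMPORAL_WEIGHTS["RC"][t["RC"]])


def _base(m, impact):
    """Base formula given already-computed (possibly adjusted) impact."""
    exploitability = (20 * BASE_WEIGHTS["AV"][m["AV"]] * BASE_WEIGHTS["AC"][m["AC"]]
                      * BASE_WEIGHTS["Au"][m["Au"]])
    f_impact = 0 if impact == 0 else 1.176
    return round1((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact)


def base_score(vector):
    m = parse_vector(vector)
    c, i, a = (BASE_WEIGHTS[k][m[k]] for k in ("C", "I", "A"))
    impact = 10.41 * (1 - (1 - c) * (1 - i) * (1 - a))
    return _base(m, impact)


def temporal_score(vector, temporal):
    """Temporal = Base * E * RL * RC, rounded to one decimal."""
    return round1(base_score(vector) * _temporal_factor(parse_vector(temporal)))


def environmental_score(vector, temporal, env):
    """Impact is re-weighted by the C/I/A requirement metrics and capped at
    10; collateral damage and target distribution are then applied to the
    adjusted temporal score."""
    m, t, e = parse_vector(vector), parse_vector(temporal), parse_vector(env)
    c, i, a = (BASE_WEIGHTS[k][m[k]] * ENV_WEIGHTS[k + "R"][e[k + "R"]]
               for k in ("C", "I", "A"))
    adj_impact = min(10.0, 10.41 * (1 - (1 - c) * (1 - i) * (1 - a)))
    adj_temporal = round1(_base(m, adj_impact) * _temporal_factor(t))
    cdp, td = ENV_WEIGHTS["CDP"][e["CDP"]], ENV_WEIGHTS["TD"][e["TD"]]
    return round1((adj_temporal + (10 - adj_temporal) * cdp) * td)


# The advisory's four scoring entries, transcribed as vectors.
ADVISORY_VECTORS = {
    "CSCsq44516": "AV:A/AC:L/Au:N/C:N/I:N/A:C",  # WebAuth hang or reload
    "CSCsm82364": "AV:A/AC:L/Au:N/C:N/I:N/A:C",  # malformed POST to login.html
    "CSCso60979": "AV:N/AC:L/Au:N/C:N/I:N/A:C",  # TSEC driver hang or crash
    "CSCsv62283": "AV:N/AC:L/Au:S/C:C/I:C/A:C",  # Lobby Admin to full admin
}
# All four entries list Functional / Official-Fix / Confirmed.
ADVISORY_TEMPORAL = "E:F/RL:OF/RC:C"


def advisory_scores():
    """Return {bug_id: (base, temporal)} for the advisory's four entries."""
    return {bug: (base_score(v), temporal_score(v, ADVISORY_TEMPORAL))
            for bug, v in ADVISORY_VECTORS.items()}


if __name__ == "__main__":
    for bug, (b, t) in advisory_scores().items():
        print(f"{bug}: base {b}, temporal {t}")
    # Constructed environment: availability-critical controller (AR:H),
    # low-medium collateral damage, medium target distribution.
    print(environmental_score(ADVISORY_VECTORS["CSCso60979"], ADVISORY_TEMPORAL,
                              "CDP:LM/TD:M/CR:ND/IR:ND/AR:H"))
```

With Exploitability Functional the standard formula yields a temporal score of 7.4 for the CSCsv62283 entry rather than the 7.8 listed above, so recompute temporal scores from the metrics instead of copying them.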
Impact
======
Successful exploitation of the denial of service vulnerabilities may
cause the affected device to hang or reload. Repeated exploitation
could result in a sustained DoS condition. The privilege escalation
vulnerability may allow an authenticated user to obtain full
administrative rights on the affected system.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to determine
exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
+-----------------------------------------------------+
| Vulnerability | Affected | First | Recommended |
| / Bug ID | Release | Fixed | Release |
| | | Version | |
|---------------+----------+------------+-------------|
| | 4.1 | Migrate to | 4.2.176.0 |
| | | 4.2 | |
| |----------+------------+-------------|
| | 4.2 | 4.2.173.0 | 4.2.176.0 |
| |----------+------------+-------------|
| | 5.0 | Migrate to | 5.2.157.0 |
| CSCsq44516 | | 5.2 | |
| |----------+------------+-------------|
| | 5.1 | Contact | Contact TAC |
| | | TAC | |
| |----------+------------+-------------|
| | 5.2 | Not | Not |
| | | vulnerable | Vulnerable |
|---------------+----------+------------+-------------|
| | 4.1 | Migrate to | 4.2.176.0 |
| | | 4.2 | |
| |----------+------------+-------------|
| | 4.2 | 4.2.112.0 | 4.2.176.0 |
| |----------+------------+-------------|
| CSCsm82364 | 5.0 | Not | Not |
| | | vulnerable | vulnerable |
| |----------+------------+-------------|
| | 5.1 | Not | Not |
| | | vulnerable | vulnerable |
| |----------+------------+-------------|
| | 5.2 | 5.2.157.0 | 5.2.157.0 |
|---------------+----------+------------+-------------|
| | 4.1 | Migrate to | 4.2.176.0 |
| | | 4.2 | |
| |----------+------------+-------------|
| | 4.2 | 4.2.117.0 | 4.2.176.0 |
| |----------+------------+-------------|
| | 5.0 | Migrate to | 5.2.157.0 |
| CSCso60979 | | 5.2 | |
| |----------+------------+-------------|
| | 5.1 | Not | Not |
| | | vulnerable | vulnerable |
| |----------+------------+-------------|
| | 5.2 | Not | Not |
| | | vulnerable | vulnerable |
|---------------+----------+------------+-------------|
| | 4.1 | Not | Not |
| | | vulnerable | vulnerable |
| |----------+------------+-------------|
| | 4.2 | 4.2.174.0 | 4.2.176.0 |
| |----------+------------+-------------|
| | 5.0 | Not | Not |
| CSCsv62283 | | Vulnerable | Vulnerable |
| |----------+------------+-------------|
| | 5.1 | Not | Not |
| | | Vulnerable | vulnerable |
| |----------+------------+-------------|
| | 5.2 | Not | Not |
| | | Vulnerable | vulnerable |
+-----------------------------------------------------+
Note: Customers running 4.1M WLC mesh code, using Cisco Wireless 1510
Access Points (APs) are recommended to migrate to release 4.2.176.0.
Customers running 4.1 mesh code, using Cisco Wireless 1520 APs are
recommended to migrate to 5.2 or later.
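As an added example (not a Cisco tool), this Python script transcribes the fix matrix above and checks a controller's Product Version, as read from the show sysinfo output shown earlier, against it; the additional sample versions are constructed.

```python
"""Check a WLC 'show sysinfo' Product Version against the fix matrix of the
Cisco WLC advisory (added example, not Cisco tooling). The matrix below is
transcribed from the advisory table; the sample console output is the one
the advisory shows under Determination of Software Versions."""
import re

# Per Bug ID and release train:
#   ("fixed", v)   first fixed version in the train is v
#   ("only", v)    only version v in the train is affected
#   ("migrate", v) no fix in the train; recommended release is v
#   ("clean", None) train not vulnerable
#   ("tac", None)  advisory says Contact TAC
FIX_MATRIX = {
    "CSCsq44516": {"4.1": ("migrate", "4.2.176.0"), "4.2": ("fixed", "4.2.173.0"),
                   "5.0": ("migrate", "5.2.157.0"), "5.1": ("tac", None),
                   "5.2": ("clean", None)},
    "CSCsm82364": {"4.1": ("migrate", "4.2.176.0"), "4.2": ("fixed", "4.2.112.0"),
                   "5.0": ("clean", None), "5.1": ("clean", None),
                   "5.2": ("fixed", "5.2.157.0")},
    "CSCso60979": {"4.1": ("migrate", "4.2.176.0"), "4.2": ("fixed", "4.2.117.0"),
                   "5.0": ("migrate", "5.2.157.0"), "5.1": ("clean", None),
                   "5.2": ("clean", None)},
    # Privilege escalation: only 4.2.173.0 is affected (first fixed 4.2.174.0).
    "CSCsv62283": {"4.1": ("clean", None), "4.2": ("only", "4.2.173.0"),
                   "5.0": ("clean", None), "5.1": ("clean", None),
                   "5.2": ("clean", None)},
}
RECOMMENDED = {"4.1": "4.2.176.0", "4.2": "4.2.176.0", "5.0": "5.2.157.0",
               "5.1": "Contact TAC", "5.2": "5.2.157.0"}


def parse_version(text):
    """'5.1.151.0' -> (5, 1, 151, 0); tuples compare numerically."""
    return tuple(int(p) for p in text.strip().split("."))


def version_from_sysinfo(output):
    """Extract the Product Version field from 'show sysinfo' console output."""
    m = re.search(r"^Product Version\.*\s*(\d+(?:\.\d+)+)", output, re.MULTILINE)
    if not m:
        raise ValueError("Product Version not found in output")
    return parse_version(m.group(1))


def assess(version):
    """Map each Bug ID to 'vulnerable', 'fixed', 'not vulnerable',
    'contact TAC' or 'unknown train' for the given version tuple."""
    train = f"{version[0]}.{version[1]}"
    result = {}
    for bug, rows in FIX_MATRIX.items():
        if train not in rows:
            result[bug] = "unknown train"
            continue
        status, ref = rows[train]
        if status == "clean":
            result[bug] = "not vulnerable"
        elif status == "tac":
            result[bug] = "contact TAC"
        elif status == "migrate":
            result[bug] = "vulnerable"
        elif status == "only":
            result[bug] = "vulnerable" if version == parse_version(ref) else "not vulnerable"
        else:  # "fixed": everything below the first fixed version is exposed
            result[bug] = "vulnerable" if version < parse_version(ref) else "fixed"
    return result


def recommended_release(version):
    return RECOMMENDED.get(f"{version[0]}.{version[1]}", "see advisory")


# Console output as shown in the advisory.
SAMPLE_SYSINFO = """(Cisco Controller) >show sysinfo
Manufacturer's Name.. Cisco Systems Inc.
Product Name......... Cisco Controller
Product Version...... 5.1.151.0
RTOS Version......... Linux-2.6.10_mvl401
Bootloader Version... 4.0.207.0
Build Type........... DATA + WPS
"""

if __name__ == "__main__":
    v = version_from_sysinfo(SAMPLE_SYSINFO)
    print(".".join(map(str, v)), assess(v), recommended_release(v))
    # Constructed sample versions to show the other matrix outcomes.
    for sample in ("4.2.173.0", "4.2.111.0", "4.1.185.0"):
        sv = parse_version(sample)
        print(sample, assess(sv), recommended_release(sv))
```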
Workarounds
===========
There are no workarounds for any of these vulnerabilities.
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should consult
their maintenance provider or check the software for feature set
compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature
sets they have purchased. By installing, downloading, accessing
or otherwise using such software upgrades, customers agree to be
bound by the terms of Cisco's software license terms found at
http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html,
or as otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml.
Do not contact psirt@cisco.com or security-alert@cisco.com for software
upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through their
regular update channels. For most customers, this means that upgrades
should be obtained through the Software Center on Cisco's worldwide
website at http://www.cisco.com.
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through prior
or existing agreements with third-party support organizations, such
as Cisco Partners, authorized resellers, or service providers should
contact that support organization for guidance and assistance with the
appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or fix
is the most appropriate for use in the intended network before it is
deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco service
contract, and customers who purchase through third-party vendors but are
unsuccessful in obtaining fixed software through their point of sale
should acquire upgrades by contacting the Cisco Technical Assistance
Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to a
free upgrade. Free upgrades for non-contract customers must be requested
through the TAC.
Refer to http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
for additional TAC contact information, including localized telephone
numbers, and instructions and e-mail addresses for use in various
languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerabilities described in this advisory. These
vulnerabilities were found during internal testing and during the
resolution of customer support cases.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY
ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that omits
the distribution URL in the following section is an uncontrolled copy,
and may lack important information or contain factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at :
http://www.cisco.com/warp/public/707/cisco-sa-20090204-wlc.shtml
In addition to worldwide web posting, a text version of this notice is
clear-signed with the Cisco PSIRT PGP key and is posted to the following
e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on mailing
lists or newsgroups. Users concerned about this problem are encouraged
to check the above URL for any updates.
Revision History
================
+------------------------------------------------------------+
| Revision 1.0 | 2009-February-04 | Initial public release. |
+------------------------------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html.
This includes instructions for press inquiries regarding Cisco security
notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt.
+--------------------------------------------------------------------
Copyright 2008 - 2009 Cisco Systems, Inc. All rights reserved.
+--------------------------------------------------------------------
Updated: Feb 04, 2009 Document ID: 108336
VAR-200902-0478 | CVE-2009-0058 |
Denial of service (DoS) vulnerabilities in multiple Cisco Wireless LAN products
Related entries in the VARIoT exploits database: VAR-E-200902-0516 |
CVSS V2: 6.1 CVSS V3: - Severity: MEDIUM |
The Cisco Wireless LAN Controller (WLC), Cisco Catalyst 6500 Wireless Services Module (WiSM), and Cisco Catalyst 3750 Integrated Wireless LAN Controller with software 4.x before 4.2.176.0 and 5.x before 5.2 allow remote attackers to cause a denial of service (web authentication outage or device reload) via unspecified network traffic, as demonstrated by a vulnerability scanner. Multiple Cisco Wireless LAN Controllers are prone to these remote vulnerabilities:
- Multiple denial-of-service vulnerabilities
- A remote privilege-escalation vulnerability
Remote attackers can exploit these issues to gain administrative rights on an affected device or crash the device, denying service to legitimate users.
SOLUTION:
Update to a fixed version. Please see vendor advisory for a patch
matrix.
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
http://www.cisco.com/warp/public/707/cisco-sa-20090204-wlc.shtml
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keep their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
This security advisory outlines details of the following vulnerabilities:
* Denial of Service Vulnerabilities (total of three)
* Privilege Escalation Vulnerability
These vulnerabilities are independent of each other.
Cisco has released free software updates that address these
vulnerabilities.
There are no workarounds available for these vulnerabilities.
This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20090204-wlc.shtml.
Affected Products
=================
Vulnerable Products
+------------------
The following products and software versions are affected for each
vulnerability.
Denial of Service Vulnerabilities
+--------------------------------
Two denial of service (DoS) vulnerabilities affect software versions
4.2 and later.
A third DoS vulnerability affects software versions 4.1 and later.
Privilege Escalation Vulnerability
+---------------------------------
Only WLC software version 4.2.173.0 is affected by this vulnerability.
Determination of Software Versions
+---------------------------------
To determine the WLC version that is running in a given environment, use
one of the following methods:
* In the web interface, choose the Monitor tab, click Summary in
the left pane, and note the Software Version.
* From the command-line interface, type "show sysinfo" and note the
Product Version, as shown in the following example:
(Cisco Controller) >show sysinfo
Manufacturer's Name.. Cisco Systems Inc.
Product Name......... Cisco Controller
Product Version...... 5.1.151.0
RTOS Version......... Linux-2.6.10_mvl401
Bootloader Version... 4.0.207.0
Build Type........... DATA + WPS
<output suppressed>
Use the "show wism module <module number> controller 1 status" command
on a Cisco Catalyst 6500 Series/7600 Series switch if using a WiSM, and
note the Software Version, as demonstrated in the following example:
Router#show wism mod 3 controller 1 status
WiSM Controller 1 in Slot 3
Operational Status of the Controller : Oper-Up
Service VLAN : 192
Service Port : 10
Service Port Mac Address : 0011.92ff.8742
Service IP Address : 192.168.10.1
Management IP Address : 192.168.1.123
Software Version : 5.1.151.0
Port Channel Number : 288
Allowed vlan list : 30,40
Native VLAN ID : 40
WCP Keep Alive Missed : 0
Products Confirmed Not Vulnerable
+--------------------------------
No other Cisco products are currently known to be affected by these
vulnerabilities.
These devices communicate with Controller-based Access Points over any
Layer 2 (Ethernet) or Layer 3 (IP) infrastructure using the Lightweight
Access Point Protocol (LWAPP).
This Security Advisory describes multiple distinct vulnerabilities in
the WLCs, WiSMs, and the Cisco Catalyst 3750 Integrated WLCs. These
vulnerabilities are independent of each other.
Denial of Service Vulnerabilities
+--------------------------------
These vulnerabilities are documented in the following Cisco Bug IDs and
have been assigned the following Common Vulnerabilities and Exposures
(CVE) identifiers:
* CSCsq44516 - CVE-2009-0058
Web authentication is a Layer 3 security feature that causes the
controller to drop IP traffic (except DHCP and DNS related packets)
from a particular client until that client has correctly supplied
a valid username and password. An attacker may use a vulnerability
scanner to cause the device to stop servicing web authentication
or cause a reload of the device. The following error messages may
appear on the console during an active attack:
SshPmStMain/pm_st_main.c:1954/
ssh_pm_st_main_batch_addition_result:
Failed to add rule to the engine:
restoring old state
SshEnginePmApiPm/engine_pm_api_pm.c:1896/
ssh_pme_enable_policy_lookup:
Could not allocate message
* CSCsm82364 - CVE-2009-0059
An attacker may cause a device reload when sending a malformed post
to the web authentication "login.html" page. The following error
messages may appear on the WLC console during this attack:
Cisco Crash Handler
Signal generated during a signal 11,
count 193
Memory 0x14ef1e44 has been freed!
Note: A crash file is not generated during this attack.
Upon receiving these IP packets, the affected device may become
unresponsive and require a reboot to recover.
Privilege Escalation Vulnerability
+---------------------------------
A privilege escalation vulnerability exists only in WLC software version
4.2.173.0, and could allow a restricted user (i.e., Lobby Admin) to gain
full administrative rights on the affected system.
Note: Wireless network users are not affected by this vulnerability.
This vulnerability is documented in Cisco Bug ID CSCsv62283 and has
been assigned the Common Vulnerabilities and Exposures (CVE) identifier
CVE-2009-0062.
Vulnerability Scoring Details
+----------------------------
Cisco has provided scores for the vulnerabilities in this advisory based
on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in
this Security Advisory is done in accordance with CVSS version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of the
vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at
http://intellishield.cisco.com/security/alertmanager/cvss
* Certain packets may cause WebAuth services to hang or reload the
device (CSCsq44516)
CVSS Base Score - 6.1
Access Vector - Adjacent Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 5.0
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* Crash handling invalid post for webauth (CSCsq44516)
CVSS Base Score - 6.1
Access Vector - Adjacent Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 5.0
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* WLC TSEC driver may hang or crash the device (CSCso60979)
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* Local Management Users may obtain full admin rights (CSCsv62283)
CVSS Base Score - 9.0
Access Vector - Network
Access Complexity - Low
Authentication - Single
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 7.8
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of the denial of service vulnerabilities may
cause the affected device to hang or reload. Repeated exploitation
could result in a sustained DoS condition. The privilege escalation
vulnerability may allow an authenticated user to obtain full
administrative rights on the affected system.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to determine
exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
+-----------------------------------------------------+
| Vulnerability | Affected | First | Recommended |
| / Bug ID | Release | Fixed | Release |
| | | Version | |
|---------------+----------+------------+-------------|
| | 4.1 | Migrate to | 4.2.176.0 |
| | | 4.2 | |
| |----------+------------+-------------|
| | 4.2 | 4.2.173.0 | 4.2.176.0 |
| |----------+------------+-------------|
| | 5.0 | Migrate to | 5.2.157.0 |
| CSCsq44516 | | 5.2 | |
| |----------+------------+-------------|
| | 5.1 | Contact | Contact TAC |
| | | TAC | |
| |----------+------------+-------------|
| | 5.2 | Not | Not |
| | | vulnerable | Vulnerable |
|---------------+----------+------------+-------------|
| | 4.1 | Migrate to | 4.2.176.0 |
| | | 4.2 | |
| |----------+------------+-------------|
| | 4.2 | 4.2.112.0 | 4.2.176.0 |
| |----------+------------+-------------|
| CSCsm82364 | 5.0 | Not | Not |
| | | vulnerable | vulnerable |
| |----------+------------+-------------|
| | 5.1 | Not | Not |
| | | vulnerable | vulnerable |
| |----------+------------+-------------|
| | 5.2 | 5.2.157.0 | 5.2.157.0 |
|---------------+----------+------------+-------------|
| | 4.1 | Migrate to | 4.2.176.0 |
| | | 4.2 | |
| |----------+------------+-------------|
| | 4.2 | 4.2.117.0 | 4.2.176.0 |
| |----------+------------+-------------|
| | 5.0 | Migrate to | 5.2.157.0 |
| CSCso60979 | | 5.2 | |
| |----------+------------+-------------|
| | 5.1 | Not | Not |
| | | vulnerable | vulnerable |
| |----------+------------+-------------|
| | 5.2 | Not | Not |
| | | vulnerable | vulnerable |
|---------------+----------+------------+-------------|
| | 4.1 | Not | Not |
| | | vulnerable | vulnerable |
| |----------+------------+-------------|
| | 4.2 | 4.2.174.0 | 4.2.176.0 |
| |----------+------------+-------------|
| | 5.0 | Not | Not |
| CSCsv62283 | | Vulnerable | Vulnerable |
| |----------+------------+-------------|
| | 5.1 | Not | Not |
| | | Vulnerable | vulnerable |
| |----------+------------+-------------|
| | 5.2 | Not | Not |
| | | Vulnerable | vulnerable |
+-----------------------------------------------------+
Note: Customers running 4.1M WLC mesh code, using Cisco Wireless 1510
Access Points (APs) are recommended to migrate to release 4.2.176.0.
Customers running 4.1 mesh code, using Cisco Wireless 1520 APs are
recommended to migrate to 5.2 or later.
Workarounds
===========
There are no workarounds for any of these vulnerabilities.
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should consult
their maintenance provider or check the software for feature set
compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature
sets they have purchased. By installing, downloading, accessing
or otherwise using such software upgrades, customers agree to be
bound by the terms of Cisco's software license terms found at
http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html,
or as otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml.
Do not contact psirt@cisco.com or security-alert@cisco.com for software
upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through their
regular update channels. For most customers, this means that upgrades
should be obtained through the Software Center on Cisco's worldwide
website at http://www.cisco.com.
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through prior
or existing agreements with third-party support organizations, such
as Cisco Partners, authorized resellers, or service providers should
contact that support organization for guidance and assistance with the
appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or fix
is the most appropriate for use in the intended network before it is
deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco service
contract, and customers who purchase through third-party vendors but are
unsuccessful in obtaining fixed software through their point of sale
should acquire upgrades by contacting the Cisco Technical Assistance
Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to a
free upgrade. Free upgrades for non-contract customers must be requested
through the TAC.
Refer to http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
for additional TAC contact information, including localized telephone
numbers, and instructions and e-mail addresses for use in various
languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerabilities described in this advisory. These
vulnerabilities were found during internal testing and during the
resolution of customer support cases.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY
ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits
the distribution URL in the following section is an uncontrolled copy,
and may lack important information or contain factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at:
http://www.cisco.com/warp/public/707/cisco-sa-20090204-wlc.shtml
In addition to worldwide web posting, a text version of this notice is
clear-signed with the Cisco PSIRT PGP key and is posted to the following
e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on mailing
lists or newsgroups. Users concerned about this problem are encouraged
to check the above URL for any updates.
Revision History
================
+------------------------------------------------------------+
| Revision 1.0 | 2009-February-04 | Initial public release. |
+------------------------------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html.
This includes instructions for press inquiries regarding Cisco security
notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt.
+--------------------------------------------------------------------
Copyright 2008 - 2009 Cisco Systems, Inc. All rights reserved.
+--------------------------------------------------------------------
Updated: Feb 04, 2009 Document ID: 108336
VAR-200910-0132 | CVE-2009-3647 | YABSoft Mega File Hosting Script of emaullinks.php Vulnerable to cross-site scripting |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Cross-site scripting (XSS) vulnerability in emaullinks.php in YABSoft Mega File Hosting Script (aka MFH or MFHS) 1.2 allows remote attackers to inject arbitrary web script or HTML via the moudi parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. NaviCOPA Web Server is a web server installed on a Windows system that automatically configures HTTP access. If a remote attacker submits a long HTTP GET request to the NaviCOPA Web Server, it can trigger a heap overflow, causing arbitrary code execution; in addition, submitting a specially crafted HTTP request containing a dot character to the server can also reveal the source code of the PHP script. NaviCOPA Web Server is prone to a remote buffer-overflow vulnerability and an information-disclosure vulnerability because the application fails to properly bounds-check or validate user-supplied input.
Successful exploits of the buffer-overflow issue may lead to the execution of arbitrary code in the context of the application or to denial-of-service conditions. Also, attackers can exploit the information-disclosure issue to retrieve arbitrary source code in the context of the webserver process. Information harvested may aid in further attacks. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
----------------------------------------------------------------------
Did you know that a change in our assessment rating, exploit code
availability, or if an updated patch is released by the vendor, is
not part of this mailing-list?
Click here to learn more:
http://secunia.com/advisories/business_solutions/
----------------------------------------------------------------------
TITLE:
NaviCOPA Script Source Disclosure and Buffer Overflow Vulnerabilities
SECUNIA ADVISORY ID:
SA33766
VERIFY ADVISORY:
http://secunia.com/advisories/33766/
CRITICAL:
Highly critical
IMPACT:
Exposure of sensitive information, DoS, System access
WHERE:
From remote
SOFTWARE:
NaviCOPA 3.x
http://secunia.com/advisories/product/21322/
DESCRIPTION:
e.wiZz! has discovered two vulnerabilities in NaviCOPA, which can be
exploited by malicious people to disclose potentially sensitive
information, cause a DoS (Denial of Service), or potentially
compromise a vulnerable system.
1) A boundary error in the processing of HTTP requests can be
exploited to cause a heap-based buffer overflow via an overly long
HTTP GET request.
2) The server can be exploited to disclose the source code of PHP
scripts via specially crafted requests containing e.g. dot characters.
The vulnerabilities are confirmed in version 3.01.
SOLUTION:
Restrict access to trusted users only.
PROVIDED AND/OR DISCOVERED BY:
e.wiZz!
ORIGINAL ADVISORY:
http://milw0rm.com/exploits/7966
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keep their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
VAR-200910-0131 | CVE-2009-3646 | InterVations NaviCOPA Web Server In Web Vulnerability to get page source code |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
InterVations NaviCOPA Web Server 3.01 allows remote attackers to obtain the source code for a web page via an HTTP request with the addition of ::$DATA after the HTML file name. NaviCOPA Web Server is a web server installed on a Windows system that automatically configures HTTP access. NaviCOPA Web Server is prone to a remote buffer-overflow vulnerability and an information-disclosure vulnerability because the application fails to properly bounds-check or validate user-supplied input.
Successful exploits of the buffer-overflow issue may lead to the execution of arbitrary code in the context of the application or to denial-of-service conditions. Also, attackers can exploit the information-disclosure issue to retrieve arbitrary source code in the context of the webserver process. Information harvested may aid in further attacks. The CB Resume Builder ('com_cbresumebuilder') component for Joomla! is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
----------------------------------------------------------------------
Input passed via the "group_id" parameter to index.php (if "option"
is set to "com_cbresumebuilder" and "task" is set to "group_member")
is not properly sanitised before being used in an SQL query. This can
be exploited to manipulate SQL queries by injecting arbitrary SQL
code.
SOLUTION:
Edit the source code to ensure that input is properly sanitised.
VAR-200902-0719 | No CVE | D-Link DIR-300 Cross Site Scripting and Security Bypass Vulnerabilities |
CVSS V2: - CVSS V3: - Severity: - |
D-Link DIR-300 is prone to a cross-site scripting vulnerability and a security-bypass vulnerability.
An attacker may exploit these issues to bypass authentication or execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
The issues affect D-Link DIR-300 with firmware 1.04-tomi-1.1.2.
VAR-200902-0032 | CVE-2009-0468 | Profense Web Application Firewall of ajax.html Vulnerable to cross-site request forgery |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Multiple cross-site request forgery (CSRF) vulnerabilities in ajax.html in Profense Web Application Firewall 2.6.2 and 2.6.3 allow remote attackers to hijack the authentication of administrators for requests that (1) shutdown the server, (2) send ping packets, (3) enable network services, (4) configure a proxy server, and (5) modify other settings via parameters in the query string. Profense is prone to a cross-site scripting vulnerability and a cross-site request-forgery vulnerability.
An attacker can exploit the cross-site request forgery issue to alter the settings on affected devices. This may lead to further network-based attacks.
The attacker can exploit the cross-site scripting issue to execute arbitrary script code in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials. Other attacks are also possible.
Profense 2.6.2 is vulnerable; other versions may also be affected.
----------------------------------------------------------------------
TITLE:
Profense Web Application Firewall Cross-Site Scripting and Cross-Site
Request Forgery
SECUNIA ADVISORY ID:
SA33739
VERIFY ADVISORY:
http://secunia.com/advisories/33739/
CRITICAL:
Less critical
IMPACT:
Cross Site Scripting
WHERE:
From remote
SOFTWARE:
Profense Web Application Firewall 2.x
http://secunia.com/advisories/product/21280/
DESCRIPTION:
Michael Brooks has discovered some vulnerabilities in Profense Web
Application Firewall, which can be exploited by malicious people to
conduct cross-site scripting and cross-site request forgery attacks.
1) Input passed via the "proxy" parameter in proxy.html is not
properly sanitised before being returned to the user.
2) The application allows users to perform certain actions via HTTP
requests without performing any validity check to verify the request.
This can be exploited to perform certain actions, e.g. to shut down the
system, by enticing a logged-in administrator to visit a malicious web
site.
The vulnerability is reported in version 2.6.2 and confirmed in
version 2.6.3.
SOLUTION:
Do not follow untrusted links and do not visit untrusted web sites
while logged in to the web-based management interface.
PROVIDED AND/OR DISCOVERED BY:
Michael Brooks
ORIGINAL ADVISORY:
http://milw0rm.com/exploits/7919
----------------------------------------------------------------------
VAR-200902-0031 | CVE-2009-0467 | Profense Web Application Firewall of proxy.html Vulnerable to cross-site scripting |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Cross-site scripting (XSS) vulnerability in proxy.html in Profense Web Application Firewall 2.6.2 and 2.6.3 allows remote attackers to inject arbitrary web script or HTML via the proxy parameter in a deny_log manage action. Profense is prone to a cross-site scripting vulnerability and a cross-site request-forgery vulnerability.
An attacker can exploit the cross-site request forgery issue to alter the settings on affected devices. This may lead to further network-based attacks. Other attacks are also possible.
Profense 2.6.2 is vulnerable; other versions may also be affected. Profense Web Application Firewall is a website firewall.
VAR-200901-0282 | CVE-2009-0042 | plural CA Product Arclib library Vulnerabilities that can bypass virus detection |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Multiple unspecified vulnerabilities in the Arclib library (arclib.dll) before 7.3.0.15 in the CA Anti-Virus engine for CA Anti-Virus for the Enterprise 7.1, r8, and r8.1; Anti-Virus 2007 v8 and 2008; Internet Security Suite 2007 v3 and 2008; and other CA products allow remote attackers to bypass virus detection via a malformed archive file. Computer Associates Anti-Virus engine is prone to multiple vulnerabilities that may allow certain compressed archives to bypass the scan engine.
Successful exploits will allow attackers to distribute files containing malicious code that the antivirus engine will fail to detect.
Products with 'arclib.dll' prior to version 7.3.0.15 are vulnerable.
Title: CA20090126-01: CA Anti-Virus Engine Detection Evasion
Multiple Vulnerabilities
CA Advisory Reference: CA20090126-01
CA Advisory Date: 2009-01-26
Reported By:
Thierry Zoller and Sergio Alvarez of n.runs AG
Impact: A remote attacker can evade detection. CA has
released a new Anti-Virus engine to address the vulnerabilities.
Consequently, detection evasion can be a concern for gateway
anti-virus software if archives are not scanned, but the risk is
effectively mitigated by the desktop anti-virus engine.
Mitigating Factors: See note above.
Severity: CA has given these vulnerabilities a Low risk rating.
If your product is configured for automatic updates, you should already
be protected, and you need to take no action. If your product is not
configured for automatic updates, then you simply need to run the
update utility included with your product.
How to determine if you are affected:
For products on Windows:
1. Using Windows Explorer, locate the file "arclib.dll". By
default, the file is located in the
"C:\Program Files\CA\SharedComponents\ScanEngine" directory (*).
2. Right click on the file and select Properties.
3. Select the Version tab.
4.
File Name File Version
arclib.dll 7.3.0.15
*For eTrust Intrusion Detection 2.0 the file is located in
"Program Files\eTrust\Intrusion Detection\Common", and for eTrust
Intrusion Detection 3.0 and 3.0 sp1, the file is located in
"Program Files\CA\Intrusion Detection\Common".
For CA Anti-Virus r8.1 on non-Windows platforms:
Use the compver utility provided on the CD to determine the
version of Arclib.
Example compver utility output:
------------------------------------------------
COMPONENT NAME VERSION
------------------------------------------------
eTrust Antivirus Arclib Archive Library 7.3.0.15
... (followed by other components)
For reference, the following are file names for arclib on
non-Windows operating systems:
Operating System File name
Solaris libarclib.so
Linux libarclib.so
Mac OS X arclib.bundle
Workaround:
Do not open email attachments or download files from untrusted
sources.
For technical questions or comments related to this advisory,
please send email to vuln AT ca DOT com.
If you discover a vulnerability in CA products, please report your
findings to the CA Product Vulnerability Response Team.
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=177782
Regards,
Ken Williams, Director ; 0xE2941985
CA Product Vulnerability Response Team
CA, 1 CA Plaza, Islandia, NY 11749
Contact http://www.ca.com/us/contact/
Legal Notice http://www.ca.com/us/legal/
Privacy Policy http://www.ca.com/us/privacy/
Copyright (c) 2009 CA. All rights reserved.