VARIoT IoT vulnerabilities database
| VAR-201106-0304 | No CVE | Siemens SIMATIC PLC Memory read and write vulnerabilities |
CVSS V2: 9.3 CVSS V3: - Severity: critical |
Siemens SIMATIC S7 series PLC Used in various industrial fields, including energy, water conservancy, oil, natural gas, chemical, building automation, and manufacturing. Read and write users PLC Memory capacity is based on Siemens ISO-TSAP An integral part of the open architecture of the protocol allows Siemens and non-Siemens products to access programmable controller memory, input and output constants and variables. As a result, devices implementing the protocol have proven to be vulnerable.
| VAR-201106-0303 | No CVE | Siemens S7-1200 Communication Protocol Replay Vulnerability |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Siemens SIMATIC S7 series PLC Used in various industrial fields, including energy, water conservancy, oil, natural gas, chemical, building automation, and manufacturing. S7-1200 Trigger CPU functions During firmware update to V2.0.3 It is possible to replay the communication process between the engineering software and the controller through an open source tool later. This results in that the engineering software can issue commands to the controller at a later time (for example, setting the control) regardless of whether the controller has a password configuration. Device stopped working)
| VAR-201106-0295 | No CVE | Siemens S7-1200 WEB Service Remote Denial of Service Vulnerability |
CVSS V2: 7.1 CVSS V3: - Severity: MEDIUM |
Siemens SIMATIC S7 series PLC Used in various industrial fields, including energy, water conservancy, oil, natural gas, chemical, building automation, and manufacturing. S7-1200 During firmware update to V2.0.3 It is possible to set the controller to Stop/Detect Status, causing communication errors (for example, by running a network scan to send malformed HTTP flow). Therefore, communication errors occur at S7-1200 Web Server interface that allows the controller to enter Stop/Detect status. In automation applications, Stop/Detect A state is a state defined when an external process is stopped.
| VAR-201106-0229 | CVE-2011-2395 | Cisco IOS In Router Advertisement Guarding Vulnerabilities that bypass functions |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The Neighbor Discovery (ND) protocol implementation in Cisco IOS on unspecified switches allows remote attackers to bypass the Router Advertisement Guarding functionality via a fragmented IPv6 packet in which the Router Advertisement (RA) message is contained in the second fragment, as demonstrated by (1) a packet in which the first fragment contains a long Destination Options extension header or (2) a packet in which the first fragment contains an ICMPv6 Echo Request message. IOS is prone to a security bypass vulnerability. Cisco IOS is an operating system developed by Cisco in the United States for its network equipment
| VAR-201106-0325 | No CVE | Veri-NAC URI Processing Directory Traversal Vulnerability |
CVSS V2: - CVSS V3: - Severity: - |
Veri-NAC is a network control access device. The input passed to the WEB interface via the URL lacks filtering before use, and the attacker submits a request containing a directory traversal sequence to obtain arbitrary file content. In addition, its Active Directory authentication information is stored in clear text. Veri-NAC is prone to a directory-traversal vulnerability.
Exploiting the issues can allow an attacker to obtain sensitive information that could aid in further attacks.
Veri-NAC firmware version prior to 8.0.10 are vulnerable. ----------------------------------------------------------------------
Join Secunia @ FIRST Conference, 12-17 June, Hilton Vienna, Austria
See to the presentation "The Dynamics and Threats of End-Point Software Portfolios" by Secunia's Research Analyst Director, Stefan Frei.
Read more:
http://conference.first.org/
----------------------------------------------------------------------
TITLE:
Black Box Veri-NAC Directory Traversal Vulnerability
SECUNIA ADVISORY ID:
SA44757
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/44757/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=44757
RELEASE DATE:
2011-06-08
DISCUSS ADVISORY:
http://secunia.com/advisories/44757/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/44757/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=44757
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
A vulnerability has been reported in Black Box Veri-NAC, which can be
exploited by malicious people to disclose sensitive information.
Certain input passed to the web interface via the URL is not properly
verified before being used. This can be exploited to disclose the
contents of arbitrary files via directory traversal sequences.
SOLUTION:
Update to version 8.0.10. Please contact the vendor for more
information.
PROVIDED AND/OR DISCOVERED BY:
Mikael Simovits, Techworld.
ORIGINAL ADVISORY:
http://techworld.idg.se/2.2524/1.387616/blackbox-veri-nac---produkten-som-forstor-din-it-sakerhet/
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-201106-0323 | No CVE | Tele Data's Contact Management Server Directory Traversal Vulnerability |
CVSS V2: - CVSS V3: - Severity: - |
Tele Data's Contact Management Server is a specially crafted HTTP server that provides contact management services. Tele Data's Contact Management Server does not properly handle directory traversal character sequences, and remote attackers can exploit the vulnerability to view system file content with WEB permissions.
Exploiting this issue will allow an attacker to view arbitrary local files within the context of the webserver. Information harvested may aid in launching further attacks
| VAR-201106-0026 | CVE-2011-2107 |
Adobe Flash Player Vulnerable to cross-site scripting
Related entries in the VARIoT exploits database: VAR-E-201106-0678 |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Cross-site scripting (XSS) vulnerability in Adobe Flash Player before 10.3.181.22 on Windows, Mac OS X, Linux, and Solaris, and 10.3.185.22 and earlier on Android, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, related to a "universal cross-site scripting vulnerability.".
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
The following versions are vulnerable:
Adobe Flash Player 10.3.181.16 and prior versions for Windows, Macintosh, Linux and Solaris operating systems
Adobe Flash Player 10.3.185.22 and prior versions for Android
UPDATE (June 7, 2011): The vendor indicates there may be an impact related to the 'Authplay.dll' component of Adobe Reader and Acrobat X 10.0.3, Reader 9.x and 10.x, and Acrobat 9.x and 10.x. We will update this BID when additional details emerge. The product enables viewing of applications, content and video across screens and browsers. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Important: flash-plugin security update
Advisory ID: RHSA-2011:0850-01
Product: Red Hat Enterprise Linux Extras
Advisory URL: https://rhn.redhat.com/errata/RHSA-2011-0850.html
Issue date: 2011-06-06
CVE Names: CVE-2011-2107
=====================================================================
1. Summary:
An updated Adobe Flash Player package that fixes one security issue is now
available for Red Hat Enterprise Linux 5 and 6 Supplementary.
The Red Hat Security Response Team has rated this update as having
important security impact. Common Vulnerability Scoring System (CVSS)
base scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64
3. This
vulnerability is detailed on the Adobe security page APSB11-13, listed in
the References section. (CVE-2011-2107)
All users of Adobe Flash Player should install this updated package, which
upgrades Flash Player to version 10.3.181.22
4. Solution:
Before applying this update, make sure all previously-released errata
relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259
5. Package List:
Red Hat Enterprise Linux Desktop Supplementary (v. 5):
i386:
flash-plugin-10.3.181.22-1.el5.i386.rpm
x86_64:
flash-plugin-10.3.181.22-1.el5.i386.rpm
Red Hat Enterprise Linux Server Supplementary (v. 5):
i386:
flash-plugin-10.3.181.22-1.el5.i386.rpm
x86_64:
flash-plugin-10.3.181.22-1.el5.i386.rpm
Red Hat Enterprise Linux Desktop Supplementary (v. 6):
i386:
flash-plugin-10.3.181.22-1.el6.i686.rpm
x86_64:
flash-plugin-10.3.181.22-1.el6.i686.rpm
Red Hat Enterprise Linux Server Supplementary (v. 6):
i386:
flash-plugin-10.3.181.22-1.el6.i686.rpm
x86_64:
flash-plugin-10.3.181.22-1.el6.i686.rpm
Red Hat Enterprise Linux Workstation Supplementary (v. 6):
i386:
flash-plugin-10.3.181.22-1.el6.i686.rpm
x86_64:
flash-plugin-10.3.181.22-1.el6.i686.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package
7. References:
https://www.redhat.com/security/data/cve/CVE-2011-2107.html
https://access.redhat.com/security/updates/classification/#important
http://www.adobe.com/support/security/bulletins/apsb11-13.html
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2011 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)
iD8DBQFN7OqAXlSAg2UNWIIRApgjAKCldmXlUbDzD/uUwi8XnweoaBZ00gCeIzcZ
1XCuXnfYCW/M6oYmVu+sw+U=
=AUfZ
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201110-11
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: Adobe Flash Player: Multiple vulnerabilities
Date: October 13, 2011
Bugs: #354207, #359019, #363179, #367031, #370215, #372899,
#378637, #384017
ID: 201110-11
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities in Adobe Flash Player might allow remote
attackers to execute arbitrary code or cause a Denial of Service.
Background
==========
The Adobe Flash Player is a renderer for the SWF file format, which is
commonly used to provide interactive websites.
Impact
======
By enticing a user to open a specially crafted SWF file a remote
attacker could cause a Denial of Service or the execution of arbitrary
code with the privileges of the user running the application.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Adobe Flash Player users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v ">=www-plugins/adobe-flash-10.3.183.10"
References
==========
[ 1 ] APSA11-01
http://www.adobe.com/support/security/advisories/apsa11-01.html
[ 2 ] APSA11-02
http://www.adobe.com/support/security/advisories/apsa11-02.html
[ 3 ] APSB11-02
http://www.adobe.com/support/security/bulletins/apsb11-02.html
[ 4 ] APSB11-12
http://www.adobe.com/support/security/bulletins/apsb11-12.html
[ 5 ] APSB11-13
http://www.adobe.com/support/security/bulletins/apsb11-13.html
[ 6 ] APSB11-21
https://www.adobe.com/support/security/bulletins/apsb11-21.html
[ 7 ] APSB11-26
https://www.adobe.com/support/security/bulletins/apsb11-26.html
[ 8 ] CVE-2011-0558
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0558
[ 9 ] CVE-2011-0559
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0559
[ 10 ] CVE-2011-0560
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0560
[ 11 ] CVE-2011-0561
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0561
[ 12 ] CVE-2011-0571
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0571
[ 13 ] CVE-2011-0572
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0572
[ 14 ] CVE-2011-0573
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0573
[ 15 ] CVE-2011-0574
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0574
[ 16 ] CVE-2011-0575
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0575
[ 17 ] CVE-2011-0577
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0577
[ 18 ] CVE-2011-0578
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0578
[ 19 ] CVE-2011-0579
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0579
[ 20 ] CVE-2011-0589
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0589
[ 21 ] CVE-2011-0607
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0607
[ 22 ] CVE-2011-0608
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0608
[ 23 ] CVE-2011-0609
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0609
[ 24 ] CVE-2011-0611
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0611
[ 25 ] CVE-2011-0618
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0618
[ 26 ] CVE-2011-0619
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0619
[ 27 ] CVE-2011-0620
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0620
[ 28 ] CVE-2011-0621
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0621
[ 29 ] CVE-2011-0622
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0622
[ 30 ] CVE-2011-0623
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0623
[ 31 ] CVE-2011-0624
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0624
[ 32 ] CVE-2011-0625
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0625
[ 33 ] CVE-2011-0626
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0626
[ 34 ] CVE-2011-0627
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0627
[ 35 ] CVE-2011-0628
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0628
[ 36 ] CVE-2011-2107
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2107
[ 37 ] CVE-2011-2110
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2110
[ 38 ] CVE-2011-2125
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2135
[ 39 ] CVE-2011-2130
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2130
[ 40 ] CVE-2011-2134
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2134
[ 41 ] CVE-2011-2136
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2136
[ 42 ] CVE-2011-2137
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2137
[ 43 ] CVE-2011-2138
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2138
[ 44 ] CVE-2011-2139
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2139
[ 45 ] CVE-2011-2140
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2140
[ 46 ] CVE-2011-2414
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2414
[ 47 ] CVE-2011-2415
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2415
[ 48 ] CVE-2011-2416
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2416
[ 49 ] CVE-2011-2417
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2417
[ 50 ] CVE-2011-2424
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2424
[ 51 ] CVE-2011-2425
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2425
[ 52 ] CVE-2011-2426
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2426
[ 53 ] CVE-2011-2427
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2427
[ 54 ] CVE-2011-2428
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2428
[ 55 ] CVE-2011-2429
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2429
[ 56 ] CVE-2011-2430
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2430
[ 57 ] CVE-2011-2444
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2444
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201110-11.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2011 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
| VAR-201106-0322 | No CVE | Golden FTP PASS Command Stack Buffer Overflow Vulnerability |
CVSS V2: - CVSS V3: - Severity: - |
Golden FTP Server is a Windows platform FTP server. A stack buffer overflow vulnerability exists in the GoldenFTP PASS command because of a security vulnerability in the Golden FTP service that allows a malicious user to trigger a buffer overflow using the PASS command. This vulnerability can be exploited by remote attackers to cause sensitive information to leak.
| VAR-201106-0233 | CVE-2011-2530 | RSLinx Classic EDS Hardware Installation Tool Remote Buffer Overflow Vulnerability |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Buffer overflow in RSEds.dll in RSHWare.exe in the EDS Hardware Installation Tool 1.0.5.1 and earlier in Rockwell Automation RSLinx Classic before 2.58 allows user-assisted remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a malformed .eds file. RSLinx Classic connects RSLogix and RSNetWorx products to Rockwell Automation networks and devices, and is also an OPC server. Execute arbitrary code. RSLinx Classic is prone to a remote buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied input. Failed exploit attempts will likely cause denial-of-service conditions.
RSLinx Classic 1.0.5.1 is vulnerable; other versions may also be affected
| VAR-201106-0317 | No CVE | MODACOM URoad-5000 Security Bypass Vulnerability |
CVSS V2: - CVSS V3: - Severity: - |
The MODACOM URoad-5000 is a portable WiMAX/WiFi router. The MODACOM URoad-5000 device uses the modified RaLink SDK version to access standard web interfaces via HTTP. The WEB management interface can be accessed by admin:admin via a standard username/password, which can be changed later. But there is another engineer:engineer pair can also be changed by the WEB interface. MODACOM URoad-5000 is prone to a security-bypass vulnerability and a remote command-execution vulnerability.
An attacker can exploit these issues to bypass certain security restrictions and execute arbitrary commands on the affected device.
MODACOM URoad-5000 firmware version 1450 is vulnerable; other versions may also be affected
| VAR-201106-0132 | CVE-2011-1753 | Ejabberd XML Parsing Denial of Service Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
expat_erl.c in ejabberd before 2.1.7 and 3.x before 3.0.0-alpha-3, and exmpp before 0.9.7, does not properly detect recursion during entity expansion, which allows remote attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document containing a large number of nested entity references, a similar issue to CVE-2003-1564. Ejabberd is an instant messaging server for the Jabber/XMPP protocol. There is an error in processing part of the XML input. ----------------------------------------------------------------------
Alerts when vulnerabilities pose a threat to your infrastructure
The enhanced reporting module of the Secunia Vulnerability Intelligence Manager (VIM) enables you to combine advisory and ticket information, and generate policy compliance statistics. Using your asset list preferences, customised notifications are issued as soon as a new vulnerability is discovered - a valuable tool for documenting mitigation strategies.
Watch our quick solution overview:
http://www.youtube.com/user/Secunia#p/a/u/0/M1Y9sJqR2SY
----------------------------------------------------------------------
TITLE:
ejabberd Nested XML Entities Denial of Service Vulnerability
SECUNIA ADVISORY ID:
SA44807
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/44807/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=44807
RELEASE DATE:
2011-06-01
DISCUSS ADVISORY:
http://secunia.com/advisories/44807/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/44807/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=44807
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
A vulnerability has been reported in ejabberd, which can be exploited
by malicious people to cause a DoS (Denial of Service).
The vulnerability is reported in version 2.1.6. Other versions may
also be affected.
SOLUTION:
Fixed in the GIT repository.
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
PROVIDED AND/OR DISCOVERED BY:
Debian credits Wouter Coekaerts.
ORIGINAL ADVISORY:
https://git.process-one.net/ejabberd/mainline/commit/bd1df027c622e1f96f9eeaac612a6a956c1ff0b6
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
. This fixes a vulnerability,
which can be exploited by malicious people to cause a DoS (Denial of
Service).
For more information:
SA44807
SOLUTION:
Apply updated packages via the apt-get package manager. ----------------------------------------------------------------------
Frost & Sullivan 2011 Report: Secunia Vulnerability Research
\"Frost & Sullivan believes that Secunia continues to be a major player in the vulnerability research market due to its diversity of products that provide best-in-class coverage, quality, and usability.\" This is just one of the key factors that influenced Frost & Sullivan to select Secunia over other companies. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201206-10
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: ejabberd: Multiple Denial of Service vulnerabilities
Date: June 21, 2012
Bugs: #308047, #370201, #386075
ID: 201206-10
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities have been found in ejabberd, the worst of
which allowing for remote Denial of Service.
Background
==========
ejabberd is the Erlang jabber daemon.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 net-im/ejabberd < 2.1.9 >= 2.1.9
Description
===========
Multiple vulnerabilities have been discovered in ejabberd. Please
review the CVE identifiers referenced below for details.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All ejabberd users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-im/ejabberd-2.1.9"
References
==========
[ 1 ] CVE-2010-0305
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0305
[ 2 ] CVE-2011-1753
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1753
[ 3 ] CVE-2011-4320
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4320
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201206-10.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2012 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- -------------------------------------------------------------------------
Debian Security Advisory DSA-2248-1 security@debian.org
http://www.debian.org/security/ Nico Golde
March 31, 2011 http://www.debian.org/security/faq
- -------------------------------------------------------------------------
Package : ejabberd
Vulnerability : denial of service
Problem type : remote
Debian-specific: no
CVE ID : CVE-2011-1753
Wouter Coekaerts discovered that ejabberd, a distributed XMPP/Jabber server
written in Erlang, is vulnerable to the so-called "billion laughs" attack
because it does not prevent entity expansion on received data.
This allows an attacker to perform denial of service attacks against the
service by sending specially crafted XML data to it.
For the oldstable distribution (lenny), this problem has been fixed in
version 2.0.1-6+lenny3.
For the stable distribution (squeeze), this problem has been fixed in
version 2.1.5-3+squeeze1.
For the testing distribution (wheezy), this problem will be fixed soon.
For the unstable distribution (sid), this problem has been fixed in
version 2.1.6-2.1.
We recommend that you upgrade your ejabberd packages.
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/
Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iEYEARECAAYFAk3lVy8ACgkQHYflSXNkfP9+XwCZASQIxH5wedS/Sv5RVbLq72TX
BCQAmwa5smfQdADSxcAw9vRXuTPmuck4
=s7fb
-----END PGP SIGNATURE-----
| VAR-201106-0024 | CVE-2011-1623 | Cisco Media Processing Software Vulnerabilities that gain access |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Cisco Media Processing Software before 1.2 on Media Experience Engine (MXE) 5600 devices has a default root password, which makes it easier for context-dependent attackers to obtain access via (1) the local console, (2) an SSH session, or (3) a TELNET session, aka Bug ID CSCto77737. The Cisco MXE 5600 includes a root account for advanced debugging, but is not required for normal operations. The root account is different from the admin and user accounts. If Telnet is enabled, it can also be accessed via Telnet.
An attacker can exploit this issue to gain unauthorized administrative access to the affected device. Successful exploits will result in the complete compromise of the affected device.
This issue is being tracked by Cisco bug ID CSCto77737. A software upgrade is not
required to resolve this vulnerability. Customers can change the root
account password by issuing a configuration command on affected
engines. The workarounds detailed in this document provide
instructions for changing the root account password. To determine
the software release that is running on a Cisco MXE unit, log in to
the device and issue the show version command-line interface (CLI)
command to display the system banner. The following example shows a
Cisco MXE 5600 device running software version 1.2.0-34.
No other Cisco products are currently known to be affected by this
vulnerability. For instructions on how
to set or change the root password, see the Workarounds section of this
advisory.
Vulnerability Scoring Details
=============================
Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at:
http://intellishield.cisco.com/security/alertmanager/cvss
* CSCto77737 ("Default Credentials for root Account on MXE 5600")
CVSS Base Score - 10.0
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 8.3
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of the vulnerability may allow an
unauthorized user to modify the software configuration and the
operating system settings or gain complete administrative control of
the device.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to determine
exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance. The passwd command will accept a null or weak password, but
Cisco highly recommends using a long, complex password. To change the
password, users will need the default password. To obtain the default
password, customers must contact the Cisco TAC. Because entitlement
will be verified, please have the product serial number available and
refer to this advisory.
Additional mitigations that can be deployed on Cisco devices within
the network are available in the Cisco Applied Intelligence companion
document for this advisory:
http://www.cisco.com/warp/public/707/cisco-amb-20110601-mxe.shtml
Obtaining Fixed Software
========================
Prior to deploying software, customers should consult their
maintenance provider or check the software for feature set
compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature
sets they have purchased. By installing, downloading, accessing
or otherwise using such software upgrades, customers agree to be
bound by the terms of Cisco's software license terms found at
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html,
or as otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml.
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, this means that
upgrades should be obtained through the Software Center on Cisco's
worldwide website at http://www.cisco.com.
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.
Customers without Service Contracts
+----------------------------------
Cisco will not make free upgrade software available for affected
customers to address this vulnerability. The workaround provided in
this document describes how to change the passwords in current
releases of the software.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerability described in this advisory.
This vulnerability was discovered during internal testing.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at:
http://www.cisco.com/warp/public/707/cisco-sa-20110601-mxe.shtml
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+-----------------------------------------------------------+
| Revision 1.0 | 2011-June-01 | Initial public release |
+-----------------------------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities
in Cisco products, obtaining assistance with security
incidents, and registering to receive security information
from Cisco, is available on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html.
This includes instructions for press inquiries regarding
Cisco security notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt.
+--------------------------------------------------------------------
Copyright 2010-2011 Cisco Systems, Inc. All rights reserved.
+--------------------------------------------------------------------
Updated: Jun 01, 2011 Document ID: 112959
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iF4EAREIAAYFAk3mYakACgkQQXnnBKKRMNDuBwD+J7cpkJXFQe5C/IHvYzNejxCB
UKzuwdqr8OD+DczVMcgA/2M/3DlTswtrsh8jTgT8ChkE0TwnNf1uSOcW4g/blNlR
=VGLK
-----END PGP SIGNATURE-----
| VAR-201106-0319 | No CVE | NetGear WNDAP350 Wireless Access Point Information Disclosure Vulnerability |
CVSS V2: - CVSS V3: - Severity: - |
The NetGear WNDAP350 is a wireless access device. The NetGear WNDAP350 wireless access point lacks the correct restrictions on access. An attacker can exploit the vulnerability to obtain sensitive information, including plain text management passwords or WPA ciphertext, through the download.php or BackupConfig.php script.
WNDAP350 with firmware 2.0.1 and 2.0.9 are vulnerable; other firmware versions may also be affected
| VAR-201106-0112 | CVE-2011-2040 |
Cisco AnyConnect SSL VPN arbitrary code execution
Related entries in the VARIoT exploits database: VAR-E-201106-0065 |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
The helper application in Cisco AnyConnect Secure Mobility Client (formerly AnyConnect VPN Client) before 2.5.3041, and 3.0.x before 3.0.629, on Linux and Mac OS X downloads a client executable file (vpndownloader.exe) without verifying its authenticity, which allows remote attackers to execute arbitrary code via the url property to a Java applet, aka Bug ID CSCsy05934. The Cisco AnyConnect SSL VPN ActiveX and Java clients contain a vulnerability that can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system. Cisco AnyConnect Secure Mobility Client is a remote access solution from Cisco that is Cisco's next-generation VPN client. WEB pages that use social engineering spoofing or other vulnerabilities to entice users to access, allowing an attacker to provide arbitrary executable programs for the helper application to download and execute.
This issue is tracked by Cisco Bug IDs CSCsy00904 and CSCsy05934. There are no workarounds for the vulnerabilities
described in this advisory.
This advisory is posted at:
http://www.cisco.com/warp/public/707/cisco-sa-20110601-ac.shtml
Affected Products
=================
Vulnerable Products
+------------------
The vulnerabilities described in this document apply to the Cisco
AnyConnect Secure Mobility Client. The affected versions are included
in the following table:
+------------------------------------------------------------+
| Vulnerability | Platform | Affected Versions |
|-------------------+-----------+----------------------------|
| | Microsoft | All versions prior to |
| | Windows | 2.3.185 |
| |-----------+----------------------------|
| Arbitrary Program | | * All versions in major |
| Execution | | releases other than |
| Vulnerability | Linux, | 2.5.x and 3.0.x. |
| | Apple | * 2.5.x releases prior |
| | MacOS X | to 2.5.3041 |
| | | * 3.0.x releases prior |
| | | to 3.0.629 |
|-------------------+-----------+----------------------------|
| | Microsoft | All versions prior to |
| Local Privilege | Windows | 2.3.254 |
|Escalation |-----------+----------------------------|
| Vulnerability | Linux, | |
| | Apple | Not affected |
| | MacOS X | |
+------------------------------------------------------------+
Note: Microsoft Windows Mobile versions are affected by the Arbitrary
Program Execution Vulnerability.
No other Cisco products are currently known to be affected by these
vulnerabilities. After the user logs in, the browser displays a portal
window and when the user clicks the "Start AnyConnect" link, the
process of downloading the Cisco AnyConnect Secure Mobility Client
begins. The helper application is a Java
applet on the Linux and MacOS X platforms, and either a Java applet
on the Windows platform or an ActiveX control if the browser is
capable of utilizing ActiveX controls. The downloaded helper
application is executed in the context of the originating site in the
user's web browser. This
arbitrary executable would be executed with the same operating system
privileges under which the web browser was run. Common
Vulnerabilities and Exposures (CVE) IDs CVE-2011-2039 (for
CSCsy00904) and CVE-2011-2040 (for CSCsy05934) have been assigned for
these vulnerabilities. An attacker may
engineer a web page to supply an affected version of the ActiveX
control or Java applet and still accomplish arbitrary program
execution because of the lack of authenticity validation. When this occurs, an
old version of the ActiveX control will not be instantiated if
one is presented for download. This
action accomplishes the same result as the previous
recommendation -- it deploys new, fixed versions of the ActiveX
control so that old, vulnerable versions of the control are not
instantiated if one is presented for download. This action prevents the
ActiveX control from being instantiated under any scenario.
Instructions for setting the kill bit are beyond the scope of
this document; refer to the Microsoft Support article "How to
stop an ActiveX control from running in Internet Explorer" at
http://support.microsoft.com/kb/240797 and the Microsoft Security
Vulnerability Research & Defense's "Kill-Bit FAQ" blog posts
referenced in the Microsoft Support article for more information. Note that this CLSID
did not change with new versions of the ActiveX control that
implement code signing validation.
Mitigating the risk of old versions of the Java applet can be
accomplished by blacklisting old, vulnerable versions using the Jar
blacklist feature introduced with Java SE 6 Update 14. For
information on the Jar blacklist feature refer to the Java SE 6
Update 14 release notes, available at:
http://www.oracle.com/technetwork/java/javase/6u14-137039.html
The jar files to be blacklisted are identified by the following SHA-1
message digests:
# 2.3.0254, 2.3.1003, 2.3.2016, 2.4.0202, 2.4.1012,
# 2.5.0217, 2.5.1025, 2.5.2001, 2.5.2006, 2.5.2010,
# 2.5.2011, 2.5.2014, 2.5.2017, 2.5.2018, 2.5.2019
SHA1-Digest-Manifest : xmarT5s8kwnKRLxnCOoLUnxnveE=
# 2.2.0133, 2.2.0136, 2.2.0140
SHA1-Digest-Manifest : 2wXAWNws4uNdCioU1eoCOS4+J3o=
# 2.0.0343, 2.1.0148
SHA1-Digest-Manifest : OlNnvozFCxbJZbRfGiLckOE8uFQ=
Local Privilege Escalation Vulnerability
+---------------------------------------
Unprivileged users can elevate their privileges to those of the
LocalSystem account by enabling the Start Before Logon (SBL) feature
and interacting with the Cisco AnyConnect Secure Mobility Client
graphical user interface in the Windows logon screen.
To prevent this issue, fixed versions of the Cisco AnyConnect Secure
Mobility Client limit the amount of interaction that is possible in
the client's graphical user interface when it is displayed on the
Windows logon screen.
Vulnerability Scoring Details
+----------------------------
Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at:
http://intellishield.cisco.com/security/alertmanager/cvss
* CSCsy00904 & CSCsy05934 - Arbitrary Program Execution Vulnerability
CVSS Base Score - 7.6
Access Vector - Network
Access Complexity - High
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 6.3
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCta40556 -- AnyConnect: Security issue with SBL on versions
prior to 2.3
CVSS Base Score - 7.2
Access Vector - Local
Access Complexity - Low
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 6.0
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Arbitrary Program Execution Vulnerability
+----------------------------------------
Exploitation of this vulnerability may allow an attacker to execute
arbitrary programs on the computer of a Cisco AnyConnect Secure
Mobility Client user with the privileges of the user who is
establishing the VPN connection.
Software Versions and Fixes
===========================
When considering software upgrades, also consult:
http://www.cisco.com/go/psirt
and any subsequent advisories to determine exposure and a complete
upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
+------------------------------------------------------------+
| Vulnerability | Platform | First Fixed |
| | | Release |
|----------------------------+---------------+---------------|
| | Microsoft | 2.3.185 |
| Arbitrary Program | Windows | |
|Execution Vulnerability |---------------+---------------|
| | Linux, Apple | 2.5.3041 and |
| | Mac OS X | 3.0.629 |
|----------------------------+---------------+---------------|
| | Microsoft | 2.3.254 |
| Local Privilege Escalation | Windows | |
|Vulnerability |---------------+---------------|
| | Linux, Apple | Not affected |
| | Mac OS X | |
+------------------------------------------------------------+
Recommended Releases
The following table lists all recommended releases. These recommended
releases contain the fixes for all vulnerabilities in this advisory.
Cisco recommends upgrading to a release that is equal to or later
than these recommended releases.
Workarounds
===========
There are no workarounds for the vulnerabilities that are described
in this advisory.
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should
consult their maintenance provider or check the software for feature
set compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound
by the terms of Cisco's software license terms found at:
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html
or as otherwise set forth at Cisco.com Downloads at:
http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, this means that
upgrades should be obtained through the Software Center on Cisco's
worldwide website at http://www.cisco.com.
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco
service contract, and customers who purchase through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should acquire upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to
a free upgrade. Free upgrades for non-contract customers must be
requested through the TAC.
Refer to:
http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
for additional TAC contact information, including localized telephone
numbers, and instructions and e-mail addresses for use in various
languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerability described in this advisory. Cisco would like to
thank iDefense for reporting this vulnerability and for working with
us towards a coordinated disclosure of the vulnerability.
The Local Privilege Escalation Vulnerability was reported to Cisco by
a customer.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at:
http://www.cisco.com/warp/public/707/cisco-sa-20110601-ac.shtml
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+---------------------------------------+
| Revision | | Initial |
| 1.0 | 2011-June-01 | public |
| | | release. |
+---------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This includes instructions for press inquiries regarding Cisco security notices.
All Cisco security advisories are available at:
http://www.cisco.com/go/psirt
+--------------------------------------------------------------------
Copyright 2010-2011 Cisco Systems, Inc. All rights reserved.
+--------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Darwin)
iF4EAREIAAYFAk3mbJUACgkQQXnnBKKRMNBBxAD+Oh7XQCOtCDOFCY8K1hWFAV/K
iwgK2hG+GNV39PPndfQA/0Sked3glEypuwev05ULO4ukTAPoDI5CJLnb4W4TKjL8
=pAlh
-----END PGP SIGNATURE-----
. ----------------------------------------------------------------------
Join Secunia @ FIRST Conference, 12-17 June, Hilton Vienna, Austria
See to the presentation "The Dynamics and Threats of End-Point Software Portfolios" by Secunia's Research Analyst Director, Stefan Frei.
Read more:
http://conference.first.org/
----------------------------------------------------------------------
TITLE:
Cisco AnyConnect VPN Client Two Vulnerabilities
SECUNIA ADVISORY ID:
SA44812
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/44812/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=44812
RELEASE DATE:
2011-06-03
DISCUSS ADVISORY:
http://secunia.com/advisories/44812/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/44812/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=44812
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Two vulnerabilities have been reported in Cisco AnyConnect VPN
Client, which can be exploited by malicious people with physical
access to bypass certain security restrictions and by malicious
people to compromise a user's system.
Successful exploitation of this vulnerability requires the Start
Before Logon (SBL) feature to be enabled.
2) An error in the helper application used for remote deployment of
the client (e.g.
SOLUTION:
Update to a fixed version (please see the vendor's advisory for
details).
PROVIDED AND/OR DISCOVERED BY:
1) Reported to the vendor by a customer.
2) The vendor credits Elazar Broad via iDefense.
ORIGINAL ADVISORY:
Cisco (cisco-sa-20110601-ac):
http://www.cisco.com/warp/public/707/cisco-sa-20110601-ac.shtml
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-201106-0025 | CVE-2011-1602 | Cisco Unified IP Phone 7900 of su Vulnerability gained by utility |
CVSS V2: 6.6 CVSS V3: - Severity: MEDIUM |
The su utility on Cisco Unified IP Phones 7900 devices (aka TNP phones) with software before 9.0.3 allows local users to gain privileges via unspecified vectors, aka Bug ID CSCtf07426. The problem is Bug ID CSCtf07426 It is a problem.Authority may be obtained by local users. The Cisco Unified IP Phone is Cisco's unified IP telephony solution. These three
vulnerabilities are classified as two privilege escalation
vulnerabilities and one signature bypass vulnerability.
Cisco has released free software updates that address these
vulnerabilities. There are no workarounds available to mitigate these
vulnerabilities.
This advisory is posted at:
http://www.cisco.com/warp/public/707/cisco-sa-20110601-phone.shtml. The following sections provide the details of each
vulnerability addressed in this security advisory.
These vulnerabilities are documented in Cisco bug IDs CSCtf07426
and CSCtn65815 and have been assigned Common Vulnerabilities and
Exposures (CVE) identifiers CVE-2011-1602 and CVE-2011-1603
respectively.
Vulnerability Scoring Details
+----------------------------
Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at:
http://intellishield.cisco.com/security/alertmanager/cvss
* CSCtf07426 - Privilege Escalation with "su" utility
CVSS Base Score - 6.6
Access Vector - Local
Access Complexity - Medium
Authentication - Single
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 5.5
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCtn65815 - Privilege Escalation in IP Phones
CVSS Base Score - 6.6
Access Vector - Local
Access Complexity - Medium
Authentication - Single
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 5.5
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCtn65962 - Phones Permits the Installation of Unsigned Code
CVSS Base Score - 1.5
Access Vector - Local
Access Complexity - Medium
Authentication - Single
Confidentiality Impact - Partial
Integrity Impact - None
Availability Impact - None
CVSS Temporal Score - 1.2
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of the two privilege escalation
vulnerabilities could allow an authenticated attacker to change phone
configuration and obtain system information.
Successful exploitation of the signature verification bypass
vulnerability that could allow an authenticated attacker to load and
execute a software image without verification of its signature.
Software Versions and Fixes
===========================
When considering software upgrades, also consult:
http://www.cisco.com/go/psirt and any subsequent advisories to
determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
+---------------------------------------+
| | First |
| Vulnerability | Fixed |
| | Release |
|----------------------------+----------|
| CSCtf07426 - Privilege | |
| Escalation with "su" | 9.0.3 |
| utility | |
|----------------------------+----------|
| CSCtn65815 - Privilege | 9.2.1 |
| Escalation in IP Phones | |
|----------------------------+----------|
| CSCtn65962 - Phones | |
| Permits the Installation | 9.2.1 |
| of Unsigned Code | |
+---------------------------------------+
Workarounds
===========
There are no workarounds available to mitigate any of these
vulnerabilities. Note: All of these vulnerabilities require the
attacker to be authenticated.
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should
consult their maintenance provider or check the software for feature
set compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound
by the terms of Cisco's software license terms found at:
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html
or as otherwise set forth at Cisco.com Downloads at:
http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, this means that
upgrades should be obtained through the Software Center on Cisco's
worldwide website at http://www.cisco.com
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco
service contract, and customers who purchase through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should acquire upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to
a free upgrade. Free upgrades for non-contract customers must be
requested through the TAC.
Refer to:
http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
for additional TAC contact information, including localized telephone
numbers, and instructions and e-mail addresses for use in various languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerability described in this advisory.
These vulnerabilities were discovered and reported to Cisco by Matt
Duggan of Qualcomm.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at:
http://www.cisco.com/warp/public/707/cisco-sa-20110601-phone.shtml
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+---------------------------------------+
| Revision | | Initial |
| 1.0 | 2011-June-01 | public |
| | | release. |
+---------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This includes instructions for press inquiries regarding Cisco security notices.
All Cisco security advisories are available at:
http://www.cisco.com/go/psirt
+--------------------------------------------------------------------
Copyright 2010-2011 Cisco Systems, Inc. All rights reserved.
+--------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (SunOS)
iFcDBQFN5k0FQXnnBKKRMNARCCF9AP0ar3AfiP9uA0nW3t6SFYx6XIdGytUG2S/K
1SMd+3y7wgEAhzzCUzc85QKeV/jicP5lXboEspr5eU7MftNMqM1oUNw=
=ZBzs
-----END PGP SIGNATURE-----
. ----------------------------------------------------------------------
Join Secunia @ FIRST Conference, 12-17 June, Hilton Vienna, Austria
See to the presentation "The Dynamics and Threats of End-Point Software Portfolios" by Secunia's Research Analyst Director, Stefan Frei.
Read more:
http://conference.first.org/
----------------------------------------------------------------------
TITLE:
Cisco Unified IP Phone Privilege Escalation and Security Bypass
SECUNIA ADVISORY ID:
SA44814
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/44814/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=44814
RELEASE DATE:
2011-06-03
DISCUSS ADVISORY:
http://secunia.com/advisories/44814/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/44814/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=44814
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Some security issues have been reported in Cisco Unified IP Phone
models, which can be exploited by malicious, local users to bypass
certain security restrictions and perform certain actions with
escalated privileges.
3) An error in the device does not properly verify the signature of
the software image before loading the image and can be exploited to
upload an arbitrary software image.
ORIGINAL ADVISORY:
http://www.cisco.com/warp/public/707/cisco-sa-20110601-phone.shtml
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-201106-0021 | CVE-2011-1637 | Cisco Unified IP Phones 7900 Vulnerabilities that can gain privileges on devices |
CVSS V2: 1.5 CVSS V3: - Severity: LOW |
Cisco Unified IP Phones 7900 devices (aka TNP phones) with software before 9.2.1 do not properly verify signatures for software images, which allows local users to gain privileges via a crafted image, aka Bug ID CSCtn65962. The Cisco Unified IP Phone is Cisco's unified IP telephony solution.
An attacker can exploit this issue to bypass the signature-verification mechanism.
This issue is tracked by Cisco Bug ID CSCtn65962. These three
vulnerabilities are classified as two privilege escalation
vulnerabilities and one signature bypass vulnerability.
Cisco has released free software updates that address these
vulnerabilities. There are no workarounds available to mitigate these
vulnerabilities.
This advisory is posted at:
http://www.cisco.com/warp/public/707/cisco-sa-20110601-phone.shtml. The following sections provide the details of each
vulnerability addressed in this security advisory.
These vulnerabilities are documented in Cisco bug IDs CSCtf07426
and CSCtn65815 and have been assigned Common Vulnerabilities and
Exposures (CVE) identifiers CVE-2011-1602 and CVE-2011-1603
respectively.
Vulnerability Scoring Details
+----------------------------
Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at:
http://intellishield.cisco.com/security/alertmanager/cvss
* CSCtf07426 - Privilege Escalation with "su" utility
CVSS Base Score - 6.6
Access Vector - Local
Access Complexity - Medium
Authentication - Single
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 5.5
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCtn65815 - Privilege Escalation in IP Phones
CVSS Base Score - 6.6
Access Vector - Local
Access Complexity - Medium
Authentication - Single
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 5.5
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCtn65962 - Phones Permits the Installation of Unsigned Code
CVSS Base Score - 1.5
Access Vector - Local
Access Complexity - Medium
Authentication - Single
Confidentiality Impact - Partial
Integrity Impact - None
Availability Impact - None
CVSS Temporal Score - 1.2
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of the two privilege escalation
vulnerabilities could allow an authenticated attacker to change phone
configuration and obtain system information.
Software Versions and Fixes
===========================
When considering software upgrades, also consult:
http://www.cisco.com/go/psirt and any subsequent advisories to
determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
+---------------------------------------+
| | First |
| Vulnerability | Fixed |
| | Release |
|----------------------------+----------|
| CSCtf07426 - Privilege | |
| Escalation with "su" | 9.0.3 |
| utility | |
|----------------------------+----------|
| CSCtn65815 - Privilege | 9.2.1 |
| Escalation in IP Phones | |
|----------------------------+----------|
| CSCtn65962 - Phones | |
| Permits the Installation | 9.2.1 |
| of Unsigned Code | |
+---------------------------------------+
Workarounds
===========
There are no workarounds available to mitigate any of these
vulnerabilities. Note: All of these vulnerabilities require the
attacker to be authenticated.
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should
consult their maintenance provider or check the software for feature
set compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound
by the terms of Cisco's software license terms found at:
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html
or as otherwise set forth at Cisco.com Downloads at:
http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, this means that
upgrades should be obtained through the Software Center on Cisco's
worldwide website at http://www.cisco.com
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco
service contract, and customers who purchase through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should acquire upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to
a free upgrade. Free upgrades for non-contract customers must be
requested through the TAC.
Refer to:
http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
for additional TAC contact information, including localized telephone
numbers, and instructions and e-mail addresses for use in various languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerability described in this advisory.
These vulnerabilities were discovered and reported to Cisco by Matt
Duggan of Qualcomm.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at:
http://www.cisco.com/warp/public/707/cisco-sa-20110601-phone.shtml
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+---------------------------------------+
| Revision | | Initial |
| 1.0 | 2011-June-01 | public |
| | | release. |
+---------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This includes instructions for press inquiries regarding Cisco security notices.
All Cisco security advisories are available at:
http://www.cisco.com/go/psirt
+--------------------------------------------------------------------
Copyright 2010-2011 Cisco Systems, Inc. All rights reserved.
+--------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (SunOS)
iFcDBQFN5k0FQXnnBKKRMNARCCF9AP0ar3AfiP9uA0nW3t6SFYx6XIdGytUG2S/K
1SMd+3y7wgEAhzzCUzc85QKeV/jicP5lXboEspr5eU7MftNMqM1oUNw=
=ZBzs
-----END PGP SIGNATURE-----
. ----------------------------------------------------------------------
Join Secunia @ FIRST Conference, 12-17 June, Hilton Vienna, Austria
See to the presentation "The Dynamics and Threats of End-Point Software Portfolios" by Secunia's Research Analyst Director, Stefan Frei.
Read more:
http://conference.first.org/
----------------------------------------------------------------------
TITLE:
Cisco Unified IP Phone Privilege Escalation and Security Bypass
SECUNIA ADVISORY ID:
SA44814
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/44814/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=44814
RELEASE DATE:
2011-06-03
DISCUSS ADVISORY:
http://secunia.com/advisories/44814/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/44814/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=44814
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Some security issues have been reported in Cisco Unified IP Phone
models, which can be exploited by malicious, local users to bypass
certain security restrictions and perform certain actions with
escalated privileges.
1) An error within the "su" utility can be exploited to change the
phone configuration or gain potentially sensitive information.
2) An unspecified error can be exploited to change the phone
configuration or gain potentially sensitive information.
ORIGINAL ADVISORY:
http://www.cisco.com/warp/public/707/cisco-sa-20110601-phone.shtml
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-201106-0110 | CVE-2011-2024 | Cisco Network Registrar Vulnerabilities to gain access to |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Cisco Network Registrar before 7.2 has a default administrative password, which makes it easier for remote attackers to obtain access via a TCP session, aka Bug ID CSCsm50627. The problem is Bug ID CSCsm50627 Problem.By a third party, TCP You may gain access through a session. Cisco CNS Network Registrar provides highly scalable and reliable DNS, DHCP and TFTP services.
An attacker can exploit this issue to gain unauthorized administrative access to the affected device. Successful exploits will result in the complete compromise of the affected device.
This issue is being tracked by Cisco bug ID CSCsm50627. During the initial
installation, users are not forced to change this password, allowing
it to persist after the installation.
The upgrade to Software Release 7.2 is not free; however, a
workaround is provided in this document that will prevent
exploitation of the vulnerability.
When performing an upgrade to Software Release 7.2, you must use the
workaround to change the password of the administrative account.
The workaround for this vulnerability is to change the password
associated with the administrative account using the method described
in the "Workarounds" section.
This advisory is posted at:
http://www.cisco.com/warp/public/707/cisco-sa-20110601-cnr.shtml
Affected Products
=================
Vulnerable Products
+------------------
This vulnerability affects all releases of Cisco Network Registrar
prior to Software Release 7.2. The vulnerability is present in the
affected releases on all platforms. Alternatively, if using the
command-line interface, execute the following command:
nrcmd> session get version
Products Confirmed Not Vulnerable
+--------------------------------
No other Cisco products are currently known to be affected by this
vulnerability. This vulnerability is
documented in Cisco bug ID CSCsm50627 ( registered customers only)
and has been assigned the Common Vulnerabilities and Exposures (CVE)
identifier CVE-2011-2024.
Additionally, it is a good practice to change passwords periodically.
The interval should comply with an organization's security policy
but, as a guideline, passwords should be changed two to three times a
year. This practice applies equally to all products regardless of
when they are installed and to all users, administrators and
non-administrators.
Vulnerability Scoring Details
+----------------------------
Cisco has provided scores for the vulnerability in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at the following link:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at:
http://intellishield.cisco.com/security/alertmanager/cvss
* CSCsm50627 - Initially supplied admin password not changed during the installation
CVSS Base Score - 10
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 8.3
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of the vulnerability may allow an attacker to
make arbitrary changes to the configuration of Cisco Network
Registrar.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to
determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
This vulnerability is fixed in Software Release 7.2.
Workarounds
===========
The provided workaround changes the password that is associated with
the administrator's account. To change the password using the web
interface, select Advanced -> Administrators -> Admin from the menu.
Execute the following command to change the administrator's password
using the command-line interface:
admin <admin-name> enterPassword
Additionally, access to Cisco Network Registrar (TCP ports 8080,
8090, 8443, and 8453) and the host on which it is running should be
limited to legitimate IP addresses. Consult the documentation of the
host operating system for further details how to accomplish this
task.
The use of IP addresses as a form of authentication is a
well-established network security practice. For more guidance on the
use of access control lists (ACLs) or the explicit identification of
network management stations in devices and applications, reference
the white paper A Security-Oriented Approach to IP Addressing at the
following link:
http://www.cisco.com/web/about/security/intelligence/security-for-ip-addr.html
Obtaining Fixed Software
========================
Cisco will not make free upgrade software available for affected
customers to address this vulnerability. The workaround provided in
this document describes how to change the passwords in current
releases of the software.
Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound
by the terms of Cisco's software license terms found at:
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html
or as otherwise set forth at Cisco.com Downloads at:
http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, this means that
upgrades should be obtained through the Software Center on Cisco's
worldwide website at http://www.cisco.com.
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco
service contract, and customers who purchase through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should acquire upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice.
Refer to:
http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html for
additional TAC contact information, including localized telephone numbers,
and instructions and e-mail addresses for use in various languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerability described in this advisory.
This vulnerability was discovered during an internal review.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at :
http://www.cisco.com/warp/public/707/cisco-sa-20110601-cnr.shtml
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+---------------------------------------+
| Revision | | Initial |
| 1.0 | 2001-06-01 | public |
| | | release |
+---------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This includes instructions for press inquiries regarding Cisco security notices.
All Cisco security advisories are available at:
http://www.cisco.com/go/psirt
+--------------------------------------------------------------------
Copyright 2010-2011 Cisco Systems, Inc. All rights reserved.
+--------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (SunOS)
iFcDBQFN5XmlQXnnBKKRMNARCJ/mAP0VFqUaxecmVxktLg4c8opYzEEj3VL8+PMl
KcRmg+hRDwD/bQYE8gud6mml4vjqdXuSPfS+p36+PLcQv159dlPxUv8=
=wSxT
-----END PGP SIGNATURE-----
| VAR-201106-0113 | CVE-2011-2041 | Cisco AnyConnect Secure Mobility Client Vulnerability gained in |
CVSS V2: 7.2 CVSS V3: - Severity: HIGH |
The Start Before Logon (SBL) functionality in Cisco AnyConnect Secure Mobility Client (formerly AnyConnect VPN Client) before 2.3.254 on Windows, and on Windows Mobile, allows local users to gain privileges via unspecified user-interface interaction, aka Bug ID CSCta40556. The problem is Bug ID CSCta40556 It is a problem.Authority may be obtained by local users. Cisco AnyConnect Secure Mobility Client is a remote access solution from Cisco that is Cisco's next-generation VPN client. A local elevation of privilege vulnerability exists in the Cisco AnyConnect Secure Mobility Vulnerability. This vulnerability only affects the Windows platform because SBL does not support Linux and MacOS X clients.
Local attackers can exploit this issue to gain elevated privileges. Successful exploits will result in the complete compromise of affected computers.
Versions prior to AnyConnect Secure Mobility Client 2.3.254 are vulnerable. There are no workarounds for the vulnerabilities
described in this advisory. The affected versions are included
in the following table:
+------------------------------------------------------------+
| Vulnerability | Platform | Affected Versions |
|-------------------+-----------+----------------------------|
| | Microsoft | All versions prior to |
| | Windows | 2.3.185 |
| |-----------+----------------------------|
| Arbitrary Program | | * All versions in major |
| Execution | | releases other than |
| Vulnerability | Linux, | 2.5.x and 3.0.x. |
| | Apple | * 2.5.x releases prior |
| | MacOS X | to 2.5.3041 |
| | | * 3.0.x releases prior |
| | | to 3.0.629 |
|-------------------+-----------+----------------------------|
| | Microsoft | All versions prior to |
| Local Privilege | Windows | 2.3.254 |
|Escalation |-----------+----------------------------|
| Vulnerability | Linux, | |
| | Apple | Not affected |
| | MacOS X | |
+------------------------------------------------------------+
Note: Microsoft Windows Mobile versions are affected by the Arbitrary
Program Execution Vulnerability.
No other Cisco products are currently known to be affected by these
vulnerabilities. This action causes the browser to first download a "helper"
application that aids in downloading and executing the actual Cisco
AnyConnect Secure Mobility Client. The helper application is a Java
applet on the Linux and MacOS X platforms, and either a Java applet
on the Windows platform or an ActiveX control if the browser is
capable of utilizing ActiveX controls. The downloaded helper
application is executed in the context of the originating site in the
user's web browser. An attacker could
create a malicious web page that looks like the normal VPN web login
page and entice a user, through social engineering or exploitation of
other vulnerabilities, to visit it. This would allow the attacker to
supply an arbitrary executable that the helper application would
download and execute on the machine of the affected user. This
arbitrary executable would be executed with the same operating system
privileges under which the web browser was run. Common
Vulnerabilities and Exposures (CVE) IDs CVE-2011-2039 (for
CSCsy00904) and CVE-2011-2040 (for CSCsy05934) have been assigned for
these vulnerabilities.
Additional Considerations for the Arbitrary Program Execution
Vulnerability
+------------------------------------------------------------
Note that while new versions of the ActiveX control and Java applet
that are shipped with the Cisco AnyConnect Secure Mobility Client
make use of code signing to validate the authenticity of components
downloaded from the VPN headend, there is still the issue of old
versions that do not validate downloaded components. An attacker may
engineer a web page to supply an affected version of the ActiveX
control or Java applet and still accomplish arbitrary program
execution because of the lack of authenticity validation.
Mitigating the risk of old versions of the ActiveX control can be
accomplished in the following ways:
* Load fixed Cisco AnyConnect Secure Mobility Client versions on
the VPN headend and establish a VPN connection (via web browser
or standalone client). This action will cause the new version of
the Cisco AnyConnect Secure Mobility Client, including a new
version of the ActiveX control to install. When this occurs, an
old version of the ActiveX control will not be instantiated if
one is presented for download. This
action accomplishes the same result as the previous
recommendation -- it deploys new, fixed versions of the ActiveX
control so that old, vulnerable versions of the control are not
instantiated if one is presented for download. This action prevents the
ActiveX control from being instantiated under any scenario.
Instructions for setting the kill bit are beyond the scope of
this document; refer to the Microsoft Support article "How to
stop an ActiveX control from running in Internet Explorer" at
http://support.microsoft.com/kb/240797 and the Microsoft Security
Vulnerability Research & Defense's "Kill-Bit FAQ" blog posts
referenced in the Microsoft Support article for more information. Note that this CLSID
did not change with new versions of the ActiveX control that
implement code signing validation.
Mitigating the risk of old versions of the Java applet can be
accomplished by blacklisting old, vulnerable versions using the Jar
blacklist feature introduced with Java SE 6 Update 14.
Vulnerability Scoring Details
+----------------------------
Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at:
http://intellishield.cisco.com/security/alertmanager/cvss
* CSCsy00904 & CSCsy05934 - Arbitrary Program Execution Vulnerability
CVSS Base Score - 7.6
Access Vector - Network
Access Complexity - High
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 6.3
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCta40556 -- AnyConnect: Security issue with SBL on versions
prior to 2.3
CVSS Base Score - 7.2
Access Vector - Local
Access Complexity - Low
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 6.0
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Arbitrary Program Execution Vulnerability
+----------------------------------------
Exploitation of this vulnerability may allow an attacker to execute
arbitrary programs on the computer of a Cisco AnyConnect Secure
Mobility Client user with the privileges of the user who is
establishing the VPN connection.
Software Versions and Fixes
===========================
When considering software upgrades, also consult:
http://www.cisco.com/go/psirt
and any subsequent advisories to determine exposure and a complete
upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
+------------------------------------------------------------+
| Vulnerability | Platform | First Fixed |
| | | Release |
|----------------------------+---------------+---------------|
| | Microsoft | 2.3.185 |
| Arbitrary Program | Windows | |
|Execution Vulnerability |---------------+---------------|
| | Linux, Apple | 2.5.3041 and |
| | Mac OS X | 3.0.629 |
|----------------------------+---------------+---------------|
| | Microsoft | 2.3.254 |
| Local Privilege Escalation | Windows | |
|Vulnerability |---------------+---------------|
| | Linux, Apple | Not affected |
| | Mac OS X | |
+------------------------------------------------------------+
Recommended Releases
The following table lists all recommended releases. These recommended
releases contain the fixes for all vulnerabilities in this advisory.
Cisco recommends upgrading to a release that is equal to or later
than these recommended releases.
Workarounds
===========
There are no workarounds for the vulnerabilities that are described
in this advisory.
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should
consult their maintenance provider or check the software for feature
set compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound
by the terms of Cisco's software license terms found at:
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html
or as otherwise set forth at Cisco.com Downloads at:
http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, this means that
upgrades should be obtained through the Software Center on Cisco's
worldwide website at http://www.cisco.com.
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco
service contract, and customers who purchase through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should acquire upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to
a free upgrade. Free upgrades for non-contract customers must be
requested through the TAC.
Refer to:
http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
for additional TAC contact information, including localized telephone
numbers, and instructions and e-mail addresses for use in various
languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerability described in this advisory.
The Arbitrary Program Execution Vulnerability was discovered by
Elazar Broad and reported to Cisco by iDefense.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at:
http://www.cisco.com/warp/public/707/cisco-sa-20110601-ac.shtml
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+---------------------------------------+
| Revision | | Initial |
| 1.0 | 2011-June-01 | public |
| | | release. |
+---------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This includes instructions for press inquiries regarding Cisco security notices.
All Cisco security advisories are available at:
http://www.cisco.com/go/psirt
+--------------------------------------------------------------------
Copyright 2010-2011 Cisco Systems, Inc. All rights reserved.
+--------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Darwin)
iF4EAREIAAYFAk3mbJUACgkQQXnnBKKRMNBBxAD+Oh7XQCOtCDOFCY8K1hWFAV/K
iwgK2hG+GNV39PPndfQA/0Sked3glEypuwev05ULO4ukTAPoDI5CJLnb4W4TKjL8
=pAlh
-----END PGP SIGNATURE-----
. ----------------------------------------------------------------------
Join Secunia @ FIRST Conference, 12-17 June, Hilton Vienna, Austria
See to the presentation "The Dynamics and Threats of End-Point Software Portfolios" by Secunia's Research Analyst Director, Stefan Frei.
Read more:
http://conference.first.org/
----------------------------------------------------------------------
TITLE:
Cisco AnyConnect VPN Client Two Vulnerabilities
SECUNIA ADVISORY ID:
SA44812
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/44812/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=44812
RELEASE DATE:
2011-06-03
DISCUSS ADVISORY:
http://secunia.com/advisories/44812/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/44812/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=44812
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Two vulnerabilities have been reported in Cisco AnyConnect VPN
Client, which can be exploited by malicious people with physical
access to bypass certain security restrictions and by malicious
people to compromise a user's system.
Successful exploitation of this vulnerability requires the Start
Before Logon (SBL) feature to be enabled.
2) An error in the helper application used for remote deployment of
the client (e.g.
SOLUTION:
Update to a fixed version (please see the vendor's advisory for
details).
PROVIDED AND/OR DISCOVERED BY:
1) Reported to the vendor by a customer.
2) The vendor credits Elazar Broad via iDefense.
ORIGINAL ADVISORY:
Cisco (cisco-sa-20110601-ac):
http://www.cisco.com/warp/public/707/cisco-sa-20110601-ac.shtml
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-201106-0111 | CVE-2011-2039 |
Cisco AnyConnect SSL VPN arbitrary code execution
Related entries in the VARIoT exploits database: VAR-E-201106-0065 |
CVSS V2: 7.6 CVSS V3: - Severity: HIGH |
The helper application in Cisco AnyConnect Secure Mobility Client (formerly AnyConnect VPN Client) before 2.3.185 on Windows, and on Windows Mobile, downloads a client executable file (vpndownloader.exe) without verifying its authenticity, which allows remote attackers to execute arbitrary code via the url property to a certain ActiveX control in vpnweb.ocx, aka Bug ID CSCsy00904. The Cisco AnyConnect SSL VPN ActiveX and Java clients contain a vulnerability that can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system. Cisco AnyConnect Secure Mobility Client is a remote access solution from Cisco that is Cisco's next-generation VPN client. When the Cisco AnyConnect Secure Mobility Client is deployed from the VPN front end, a WEB browser is used to initialize an SSL connection to the VPN front end. After the user logs in, the browser displays the portal window. When the user clicks \"Start AnyConnect\", the process will start downloading the Cisco AnyConnect Secure Mobility Client. The helper application is a Java Applet on Linux and MacOS X platforms or a Java Applet on a Windows platform or an ActiveX plugin on a browser. The downloaded Helper program is in a web browser. The initial site context is executed. The helper program then downloads the program from the VPN front end and executes it.
An attacker can exploit this issue by using social engineering techniques to coerce unsuspecting users to download and execute arbitrary applications.
This issue is tracked by Cisco Bug IDs CSCsy00904 and CSCsy05934. The control itself is provided by the server upon connecting. For more information, visit the following URL.
http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect23/release/notes/anyconnect23rn.html
II.
The vulnerability exists within the ActiveX control with the following
identifiers:
CLSID: 55963676-2F5E-4BAF-AC28-CF26AA587566
ProgId: Cisco.AnyConnect.VPNWeb.1
File: %WINDIR%\system32\vpnweb.ocx
This ActiveX control is not marked as safe for initialization or
scripting within the registry, but it does implement IObjectSafety. When
queried, this control's IObjectSafety interface reports that it is safe
for both scripting and initialization. Once it is
instantiated, it will attempt to download two files from the site
supported in the "url" property. As such, an attacker can craft a page
such that the control will download an executable of their choosing.
One of the files will be executed upon the successful completion of the
download.
III. An
attacker typically accomplishes this via social engineering or injecting
content into compromised, trusted sites.
Additionally, in a default configuration, a targeted user must have this
control already installed or must accept several warning prompts at the
time that the attack is taking place. This control is not on the white
list included with Internet Explorer 7.0. More information can be found
at the following URL.
http://msdn.microsoft.com/en-us/library/bb250471.aspx
IV.
V. WORKAROUND
Setting the kill-bit for this control will prevent it from being loaded
within Internet Explorer. However, doing so will prevent legitimate use
of the control.
VI. For more information, consult their
advisory at the following URL.
http://www.cisco.com/en/US/products/products_security_advisory09186a0080b80123.shtml
VII. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for
security problems.
VIII. DISCLOSURE TIMELINE
02/24/2009 Initial Vendor Notification
02/25/2009 Initial Vendor Reply
06/01/2011 Coordinated Public Disclosure
IX.
Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php
Free tools, research and upcoming events
http://labs.idefense.com/
X. LEGAL NOTICES
Copyright © 2011 Verisign
Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
e-mail customerservice@idefense.com for permission.
Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information. There are no workarounds for the vulnerabilities
described in this advisory.
This advisory is posted at:
http://www.cisco.com/warp/public/707/cisco-sa-20110601-ac.shtml
Affected Products
=================
Vulnerable Products
+------------------
The vulnerabilities described in this document apply to the Cisco
AnyConnect Secure Mobility Client. The affected versions are included
in the following table:
+------------------------------------------------------------+
| Vulnerability | Platform | Affected Versions |
|-------------------+-----------+----------------------------|
| | Microsoft | All versions prior to |
| | Windows | 2.3.185 |
| |-----------+----------------------------|
| Arbitrary Program | | * All versions in major |
| Execution | | releases other than |
| Vulnerability | Linux, | 2.5.x and 3.0.x. |
| | Apple | * 2.5.x releases prior |
| | MacOS X | to 2.5.3041 |
| | | * 3.0.x releases prior |
| | | to 3.0.629 |
|-------------------+-----------+----------------------------|
| | Microsoft | All versions prior to |
| Local Privilege | Windows | 2.3.254 |
|Escalation |-----------+----------------------------|
| Vulnerability | Linux, | |
| | Apple | Not affected |
| | MacOS X | |
+------------------------------------------------------------+
Note: Microsoft Windows Mobile versions are affected by the Arbitrary
Program Execution Vulnerability.
No other Cisco products are currently known to be affected by these
vulnerabilities. An attacker could
create a malicious web page that looks like the normal VPN web login
page and entice a user, through social engineering or exploitation of
other vulnerabilities, to visit it. This
arbitrary executable would be executed with the same operating system
privileges under which the web browser was run. Common
Vulnerabilities and Exposures (CVE) IDs CVE-2011-2039 (for
CSCsy00904) and CVE-2011-2040 (for CSCsy05934) have been assigned for
these vulnerabilities. An attacker may
engineer a web page to supply an affected version of the ActiveX
control or Java applet and still accomplish arbitrary program
execution because of the lack of authenticity validation. When this occurs, an
old version of the ActiveX control will not be instantiated if
one is presented for download. This
action accomplishes the same result as the previous
recommendation -- it deploys new, fixed versions of the ActiveX
control so that old, vulnerable versions of the control are not
instantiated if one is presented for download. This action prevents the
ActiveX control from being instantiated under any scenario.
Instructions for setting the kill bit are beyond the scope of
this document; refer to the Microsoft Support article "How to
stop an ActiveX control from running in Internet Explorer" at
http://support.microsoft.com/kb/240797 and the Microsoft Security
Vulnerability Research & Defense's "Kill-Bit FAQ" blog posts
referenced in the Microsoft Support article for more information. Note that this CLSID
did not change with new versions of the ActiveX control that
implement code signing validation.
Mitigating the risk of old versions of the Java applet can be
accomplished by blacklisting old, vulnerable versions using the Jar
blacklist feature introduced with Java SE 6 Update 14. For
information on the Jar blacklist feature refer to the Java SE 6
Update 14 release notes, available at:
http://www.oracle.com/technetwork/java/javase/6u14-137039.html
The jar files to be blacklisted are identified by the following SHA-1
message digests:
# 2.3.0254, 2.3.1003, 2.3.2016, 2.4.0202, 2.4.1012,
# 2.5.0217, 2.5.1025, 2.5.2001, 2.5.2006, 2.5.2010,
# 2.5.2011, 2.5.2014, 2.5.2017, 2.5.2018, 2.5.2019
SHA1-Digest-Manifest : xmarT5s8kwnKRLxnCOoLUnxnveE=
# 2.2.0133, 2.2.0136, 2.2.0140
SHA1-Digest-Manifest : 2wXAWNws4uNdCioU1eoCOS4+J3o=
# 2.0.0343, 2.1.0148
SHA1-Digest-Manifest : OlNnvozFCxbJZbRfGiLckOE8uFQ=
Local Privilege Escalation Vulnerability
+---------------------------------------
Unprivileged users can elevate their privileges to those of the
LocalSystem account by enabling the Start Before Logon (SBL) feature
and interacting with the Cisco AnyConnect Secure Mobility Client
graphical user interface in the Windows logon screen.
To prevent this issue, fixed versions of the Cisco AnyConnect Secure
Mobility Client limit the amount of interaction that is possible in
the client's graphical user interface when it is displayed on the
Windows logon screen.
Vulnerability Scoring Details
+----------------------------
Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at:
http://intellishield.cisco.com/security/alertmanager/cvss
* CSCsy00904 & CSCsy05934 - Arbitrary Program Execution Vulnerability
CVSS Base Score - 7.6
Access Vector - Network
Access Complexity - High
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 6.3
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCta40556 -- AnyConnect: Security issue with SBL on versions
prior to 2.3
CVSS Base Score - 7.2
Access Vector - Local
Access Complexity - Low
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 6.0
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Arbitrary Program Execution Vulnerability
+----------------------------------------
Exploitation of this vulnerability may allow an attacker to execute
arbitrary programs on the computer of a Cisco AnyConnect Secure
Mobility Client user with the privileges of the user who is
establishing the VPN connection.
Software Versions and Fixes
===========================
When considering software upgrades, also consult:
http://www.cisco.com/go/psirt
and any subsequent advisories to determine exposure and a complete
upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
+------------------------------------------------------------+
| Vulnerability | Platform | First Fixed |
| | | Release |
|----------------------------+---------------+---------------|
| | Microsoft | 2.3.185 |
| Arbitrary Program | Windows | |
|Execution Vulnerability |---------------+---------------|
| | Linux, Apple | 2.5.3041 and |
| | Mac OS X | 3.0.629 |
|----------------------------+---------------+---------------|
| | Microsoft | 2.3.254 |
| Local Privilege Escalation | Windows | |
|Vulnerability |---------------+---------------|
| | Linux, Apple | Not affected |
| | Mac OS X | |
+------------------------------------------------------------+
Recommended Releases
The following table lists all recommended releases. These recommended
releases contain the fixes for all vulnerabilities in this advisory.
Cisco recommends upgrading to a release that is equal to or later
than these recommended releases.
Workarounds
===========
There are no workarounds for the vulnerabilities that are described
in this advisory.
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should
consult their maintenance provider or check the software for feature
set compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound
by the terms of Cisco's software license terms found at:
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html
or as otherwise set forth at Cisco.com Downloads at:
http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, this means that
upgrades should be obtained through the Software Center on Cisco's
worldwide website at http://www.cisco.com.
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco
service contract, and customers who purchase through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should acquire upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to
a free upgrade. Free upgrades for non-contract customers must be
requested through the TAC.
Refer to:
http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
for additional TAC contact information, including localized telephone
numbers, and instructions and e-mail addresses for use in various
languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerability described in this advisory. Cisco would like to
thank iDefense for reporting this vulnerability and for working with
us towards a coordinated disclosure of the vulnerability.
The Local Privilege Escalation Vulnerability was reported to Cisco by
a customer.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at:
http://www.cisco.com/warp/public/707/cisco-sa-20110601-ac.shtml
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+---------------------------------------+
| Revision | | Initial |
| 1.0 | 2011-June-01 | public |
| | | release. |
+---------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This includes instructions for press inquiries regarding Cisco security notices.
All Cisco security advisories are available at:
http://www.cisco.com/go/psirt
+--------------------------------------------------------------------
Copyright 2010-2011 Cisco Systems, Inc. All rights reserved.
+--------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Darwin)
iF4EAREIAAYFAk3mbJUACgkQQXnnBKKRMNBBxAD+Oh7XQCOtCDOFCY8K1hWFAV/K
iwgK2hG+GNV39PPndfQA/0Sked3glEypuwev05ULO4ukTAPoDI5CJLnb4W4TKjL8
=pAlh
-----END PGP SIGNATURE-----
. ----------------------------------------------------------------------
Join Secunia @ FIRST Conference, 12-17 June, Hilton Vienna, Austria
See to the presentation "The Dynamics and Threats of End-Point Software Portfolios" by Secunia's Research Analyst Director, Stefan Frei.
Read more:
http://conference.first.org/
----------------------------------------------------------------------
TITLE:
Cisco AnyConnect VPN Client Two Vulnerabilities
SECUNIA ADVISORY ID:
SA44812
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/44812/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=44812
RELEASE DATE:
2011-06-03
DISCUSS ADVISORY:
http://secunia.com/advisories/44812/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/44812/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=44812
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Two vulnerabilities have been reported in Cisco AnyConnect VPN
Client, which can be exploited by malicious people with physical
access to bypass certain security restrictions and by malicious
people to compromise a user's system.
Successful exploitation of this vulnerability requires the Start
Before Logon (SBL) feature to be enabled.
2) An error in the helper application used for remote deployment of
the client (e.g.
SOLUTION:
Update to a fixed version (please see the vendor's advisory for
details).
PROVIDED AND/OR DISCOVERED BY:
1) Reported to the vendor by a customer.
2) The vendor credits Elazar Broad via iDefense.
ORIGINAL ADVISORY:
Cisco (cisco-sa-20110601-ac):
http://www.cisco.com/warp/public/707/cisco-sa-20110601-ac.shtml
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor
| VAR-201106-0316 | No CVE | Belkin F5D7234-4V5 Wireless G Router 'login.stm'Manage Password Disclosure Vulnerability |
CVSS V2: - CVSS V3: - Severity: - |
The Belkin F5D7234-4V5 Wireless G Router is a wireless router device. There is a design error in the Belkin F5D7234-4V5 Wireless G Router. The attacker submits a specially crafted request for administrator password information.
Attackers can exploit this issue to gain access to the administrator's password. Successfully exploiting this issue may lead to other attacks