VARIoT IoT vulnerabilities database

Cisco Unity Connection before 7.1.3b(Su2) allows remote authenticated users to change the administrative password by leveraging the Help Desk Administrator role, aka Bug ID CSCtd45141. Cisco Unity Connection Contains a vulnerability where the administrator password can be changed. This issue is tracked by Cisco Bug ID CSCtd45141. An authenticated attacker can exploit this issue to gain administrative access to the affected application. This may lead to a full compromise of the affected computer or aid in further attacks. Exploitation of the Cisco Unity Connection Denial of Service Vulnerability may allow an unauthenticated, remote attacker to cause system services to terminate unexpectedly, which may result in a denial of service condition. Cisco has released free software updates that address these vulnerabilities. There are no workarounds that mitigate these vulnerabilities. This advisory is available at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120229-cuc Affected Products ================= Vulnerable Products +------------------ Cisco Unity Connection Privilege Escalation Vulnerability The following versions of Cisco Unity Connection are vulnerable: +---------------------------------------+ | Version | Affected | |----------------------+----------------| | Prior to 7.1 | Yes | |----------------------+----------------| | 7.1 | Yes | |----------------------+----------------| | 8.0 | No | |----------------------+----------------| | 8.5 | No | |----------------------+----------------| | 8.6 | No | +---------------------------------------+ Note: Cisco Unity Connection versions prior to 7.1 reached end of software maintenance. Customers running versions prior to 7.1 should contact their Cisco support team for assistance in upgrading to a supported version of Cisco Unity Connection. Customers running versions prior to 7.1 should contact their Cisco support team for assistance in upgrading to a supported version of Cisco Unity Connection. Information About Cisco Business Edition Cisco Business Edition, Cisco Business Edition 5000, and Cisco Business Edition 6000 are affected by these vulnerabilities if the Cisco Unity Connection version that is used is among the affected versions in the tables reported in the "Vulnerable Products" section of the security advisory. Cisco Business Edition 3000 is not affected by the vulnerabilities included in this security advisory. Determine the Software Version +----------------------------- To determine the Cisco Unity Connection software version that an appliance is running, administrators can access the Cisco Unity Connection web interface and click the "About" link at the top right. Optionally administrators can log in to the command-line interface, and access the main menu. The software version can be identified by using the show version active command. The following example shows Cisco Unity Connection running version 8.6.2: Welcome to the Platform Command Line Interface admin:show version active Active Master Version: 8.6.2.10000-30 Products Confirmed Not Vulnerable +-------------------------------- No other Cisco products are currently known to be affected by these vulnerabilities. Cisco Unified Communication Manager and Cisco Business Edition 3000 are not vulnerable to these vulnerabilities. Details ======= Cisco Unity Connection is a feature-rich voice messaging platform that runs on the same Linux-based Cisco Unified Communications Operating System that is used by Cisco Unified Communications Manager. The vulnerability is due to improper handling of TCP segments. An attacker could exploit this vulnerability by sending a sequence of TCP segments to the affected system. Vulnerability Scoring Details +---------------------------- Cisco has scored the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this security advisory is in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps organizations determine the urgency and priority of a response. Cisco has provided a base and temporal score. Customers can also compute environmental scores that help determine the impact of the vulnerability in their own networks. Cisco has provided additional information regarding CVSS at the following link: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to compute the environmental impact for individual networks at the following link: http://intellishield.cisco.com/security/alertmanager/cvss * CSCtd45141 - Cisco Unity Privilege Escalation Vulnerability CVSS Base Score - 9.0 Access Vector - Network Access Complexity - Low Authentication - Single Confidentiality Impact - Complete Integrity Impact - Complete Availability Impact - Complete CVSS Temporal Score - 7.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCtq67899 - Cisco Unity Denial Of Service Vulnerability CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed Impact ====== Cisco Unity Connection Privilege Escalation Vulnerability +-------------------------------------------------------- Successful exploitation of the privilege escalation vulnerability may allow an authenticated, remote attacker to elevate privileges and obtain full access to the affected system. Cisco Unity Connection Denial of Service Vulnerability +----------------------------------------------------- Successful exploitation of the DoS vulnerability may allow an unauthenticated, remote attacker to cause system services to terminate unexpectedly, which may result in a denial of service condition. Software Versions and Fixes =========================== Cisco has released free software updates that address these vulnerabilities. In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers. Workarounds =========== There are no workarounds that mitigate these vulnerabilities. Obtaining Fixed Software ======================== Cisco has released free software updates that address the vulnerabilities described in this advisory. Prior to deploying software, customers are advised to consult their maintenance providers or check the software for feature set compatibility and known issues that are specific to their environments. Customers may only install and expect support for feature sets they have purchased. By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to follow the terms of the Cisco software license at: http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html or as set forth at http://www.cisco.com/public/sw-center/sw-usingswc.shtml Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Customers with Service Contracts +------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, upgrades should be obtained through the Software Center on Cisco.com at: http://www.cisco.com Customers Using Third-Party Support Organizations +------------------------------------------------ Customers with Cisco products that are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers, should contact that organization for assistance with the appropriate course of action. The effectiveness of any workaround or fix depends on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Because of the variety of affected products and releases, customers should consult their service providers or support organizations to ensure that any applied workaround or fix is the most appropriate in the intended network before it is deployed. Customers Without Service Contracts +---------------------------------- Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco Technical Assistance Center (TAC): * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac@cisco.com Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade. Customers without service contracts should request free upgrades through the TAC. Refer to Cisco Worldwide Contacts at: http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html for additional TAC contact information, including localized telephone numbers, instructions, and e-mail addresses for support in various languages. Exploitation and Public Announcements ===================================== The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory. The vulnerabilities described in this advisory were found during internal testing or discovered during the resolution of customer support cases. Status of This Notice: Final +--------------------------- THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco Security Intelligence Operations at the following link http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120229-cuc Additionally, a text version of this advisory is clear signed with the Cisco PSIRT PGP key and circulated among the following e-mail addresses: * cust-security-announce@cisco.com * first-bulletins@lists.first.org * bugtraq@securityfocus.com * vulnwatch@vulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.grok.org.uk Future updates of this advisory, if any, will reside on Cisco.com but may not be announced on mailing lists. Users can monitor this advisory's URL for any updates. Revision History ================ +----------------------------------------+ | Revision | | Initial | | 1.0 | 2012-February-29 | public | | | | release. | +----------------------------------------+ Cisco Security Procedures ========================= Complete information about reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco is available on Cisco.com at: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html This web page includes instructions for press inquiries regarding Cisco Security Advisories. All Cisco Security Advisories are available at: http://www.cisco.com/go/psirt +-------------------------------------------------------------------- Copyright 2010-2012 Cisco Systems, Inc. All rights reserved. +-------------------------------------------------------------------- -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (SunOS) iFcDBQFPTZscQXnnBKKRMNARCFZnAP9cYfs9Aj8NtYgM+dLJjq6HPE5CBT/DXrIA oajBxN2sqgD/SdLpRzBACGUh9MKqqtxv9uyIINNPD8wv7k17M39/2Uo= =KbMY -----END PGP SIGNATURE-----

Cisco TelePresence Video Communication Server with software before X7.0.1 allows remote attackers to cause a denial of service (device crash) via a malformed SIP message, aka Bug ID CSCtr20426. The issues are documented by Cisco Bug IDs CSCtr20426 and CSCtq73319. Cisco has released free software updates that address these vulnerabilities. There are no workarounds that mitigate these vulnerabilities. Products Confirmed Not Vulnerable +-------------------------------- No other Cisco products are currently known to be affected by these vulnerabilities. These vulnerabilities are triggered by a crafted Session Initiation Protocol (SIP) packet that is sent to an affected device on either TCP and UDP ports 5060 or 5061. These vulnerabilities are documented in Cisco bug ID CSCtr20426 ( registered customers only) and CSCtq73319 (registered customers only), and have been assigned Common Vulnerability and Exposure (CVE) IDs CVE-2012-0330 and CVE-2012-0331, respectively. Vulnerability Scoring Details +---------------------------- Cisco has scored the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this security advisory is in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps organizations determine the urgency and priority of a response. Cisco has provided a base and temporal score. Customers can also compute environmental scores that help determine the impact of the vulnerability in their own networks. Cisco has provided additional information regarding CVSS at the following link: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to compute the environmental impact for individual networks at the following link: http://intellishield.cisco.com/security/alertmanager/cvss * CSCtr20426 - Error while processing malformed SIP message CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCtq73319 - Tandberg SIP INVITE vulnerability CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed Impact ====== Successful exploitation of these vulnerabilities could result in a system crash that may lead to a DoS condition. Software Versions and Fixes =========================== When considering software upgrades, customers are advised to consult the Cisco Security Advisories and Responses archive at: http://www.cisco.com/go/psirt and review subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers. These vulnerabilities have been fixed in the X7.0.1 version of the software. Workarounds =========== There are no workarounds available that mitigate these vulnerabilities. Additional mitigations that can be deployed on Cisco devices within the network are available in the Cisco Applied Intelligence companion document for this advisory: http://tools.cisco.com/security/center/content/CiscoAppliedMitigationBulletin/cisco-amb-20120229-vcs In order to improve the security posture of their installations, users are recommended to consult the Cisco TelePresence Hardening Guide, which is available at: http://www.cisco.com/web/about/security/intelligence/TP_Harden_Guide_wp.html Obtaining Fixed Software ======================== Cisco has released free software updates that address vulnerabilities described in this advisory. Prior to deploying software, customers are advised to consult their maintenance providers or check the software for feature set compatibility and known issues that are specific to their environments. Customers may only install and expect support for feature sets they have purchased. By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to follow the terms of the Cisco software license at: http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html or as set forth at http://www.cisco.com/public/sw-center/sw-usingswc.shtml Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Customers with Service Contracts +------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, upgrades should be obtained through the Software Center on Cisco.com at: http://www.cisco.com Customers Using Third-Party Support Organizations +------------------------------------------------ Customers with Cisco products that are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers, should contact that organization for assistance with the appropriate course of action. The effectiveness of any workaround or fix depends on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Because of the variety of affected products and releases, customers should consult their service providers or support organizations to ensure that any applied workaround or fix is the most appropriate in the intended network before it is deployed. Customers Without Service Contracts +---------------------------------- Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco Technical Assistance Center (TAC): * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac@cisco.com Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade. Customers without service contracts should request free upgrades through the TAC. Refer to Cisco Worldwide Contacts at: http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html for additional TAC contact information, including localized telephone numbers, instructions, and e-mail addresses for support in various languages. Exploitation and Public Announcements ===================================== The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerabilities that are described in this advisory. These vulnerabilities were found during internal testing. Status of This Notice: Final +--------------------------- THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco Security Intelligence Operations at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120229-vcs Additionally, a text version of this advisory is clear signed with the Cisco PSIRT PGP key and circulated among the following e-mail addresses: * cust-security-announce@cisco.com * first-bulletins@lists.first.org * bugtraq@securityfocus.com * vulnwatch@vulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.grok.org.uk Future updates of this advisory, if any, will reside on Cisco.com but may not be announced on mailing lists. Users can monitor this advisory's URL for any updates. Revision History ================ +---------------------------------------+ | Revision | | Initial | | 1.0 | 2012-February-29 | public | | | | release | +---------------------------------------+ Cisco Security Procedures ========================= Complete information about reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco is available on Cisco.com at: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html This web page includes instructions for press inquiries regarding Cisco Security Advisories. All Cisco Security Advisories are available at http://www.cisco.com/go/psirt +-------------------------------------------------------------------- Copyright 2010-2012 Cisco Systems, Inc. All rights reserved. +-------------------------------------------------------------------- -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (SunOS) iFcDBQFPTli6QXnnBKKRMNARCFtaAP0UFJN+xj8Fh/q8wqP3YjlK06bYXdQyp+me 6EWUQbIjtAD/ci+VvBfObulEF0DjT040PuddY7/L6zfdeBVT2XYdMMw= =ibGU -----END PGP SIGNATURE-----

Cisco TelePresence Video Communication Server with software before X7.0.1 allows remote attackers to cause a denial of service (device crash) via a crafted SIP packet, as demonstrated by a SIP INVITE message from a Tandberg device, aka Bug ID CSCtq73319. An attacker can exploit these issues to cause the device to crash, denying service to legitimate users. The issues are documented by Cisco Bug IDs CSCtr20426 and CSCtq73319. Cisco has released free software updates that address these vulnerabilities. There are no workarounds that mitigate these vulnerabilities. Products Confirmed Not Vulnerable +-------------------------------- No other Cisco products are currently known to be affected by these vulnerabilities. Software versions prior to X7.0.1 contain vulnerabilities that could cause a crash of the affected device and result in a DoS condition. These vulnerabilities are triggered by a crafted Session Initiation Protocol (SIP) packet that is sent to an affected device on either TCP and UDP ports 5060 or 5061. These vulnerabilities are documented in Cisco bug ID CSCtr20426 ( registered customers only) and CSCtq73319 (registered customers only), and have been assigned Common Vulnerability and Exposure (CVE) IDs CVE-2012-0330 and CVE-2012-0331, respectively. Vulnerability Scoring Details +---------------------------- Cisco has scored the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this security advisory is in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps organizations determine the urgency and priority of a response. Cisco has provided a base and temporal score. Customers can also compute environmental scores that help determine the impact of the vulnerability in their own networks. Cisco has provided additional information regarding CVSS at the following link: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to compute the environmental impact for individual networks at the following link: http://intellishield.cisco.com/security/alertmanager/cvss * CSCtr20426 - Error while processing malformed SIP message CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCtq73319 - Tandberg SIP INVITE vulnerability CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed Impact ====== Successful exploitation of these vulnerabilities could result in a system crash that may lead to a DoS condition. Software Versions and Fixes =========================== When considering software upgrades, customers are advised to consult the Cisco Security Advisories and Responses archive at: http://www.cisco.com/go/psirt and review subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers. These vulnerabilities have been fixed in the X7.0.1 version of the software. Workarounds =========== There are no workarounds available that mitigate these vulnerabilities. Additional mitigations that can be deployed on Cisco devices within the network are available in the Cisco Applied Intelligence companion document for this advisory: http://tools.cisco.com/security/center/content/CiscoAppliedMitigationBulletin/cisco-amb-20120229-vcs In order to improve the security posture of their installations, users are recommended to consult the Cisco TelePresence Hardening Guide, which is available at: http://www.cisco.com/web/about/security/intelligence/TP_Harden_Guide_wp.html Obtaining Fixed Software ======================== Cisco has released free software updates that address vulnerabilities described in this advisory. Prior to deploying software, customers are advised to consult their maintenance providers or check the software for feature set compatibility and known issues that are specific to their environments. Customers may only install and expect support for feature sets they have purchased. By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to follow the terms of the Cisco software license at: http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html or as set forth at http://www.cisco.com/public/sw-center/sw-usingswc.shtml Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Customers with Service Contracts +------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, upgrades should be obtained through the Software Center on Cisco.com at: http://www.cisco.com Customers Using Third-Party Support Organizations +------------------------------------------------ Customers with Cisco products that are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers, should contact that organization for assistance with the appropriate course of action. The effectiveness of any workaround or fix depends on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Because of the variety of affected products and releases, customers should consult their service providers or support organizations to ensure that any applied workaround or fix is the most appropriate in the intended network before it is deployed. Customers Without Service Contracts +---------------------------------- Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco Technical Assistance Center (TAC): * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac@cisco.com Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade. Customers without service contracts should request free upgrades through the TAC. Refer to Cisco Worldwide Contacts at: http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html for additional TAC contact information, including localized telephone numbers, instructions, and e-mail addresses for support in various languages. Exploitation and Public Announcements ===================================== The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerabilities that are described in this advisory. These vulnerabilities were found during internal testing. Status of This Notice: Final +--------------------------- THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco Security Intelligence Operations at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120229-vcs Additionally, a text version of this advisory is clear signed with the Cisco PSIRT PGP key and circulated among the following e-mail addresses: * cust-security-announce@cisco.com * first-bulletins@lists.first.org * bugtraq@securityfocus.com * vulnwatch@vulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.grok.org.uk Future updates of this advisory, if any, will reside on Cisco.com but may not be announced on mailing lists. Users can monitor this advisory's URL for any updates. Revision History ================ +---------------------------------------+ | Revision | | Initial | | 1.0 | 2012-February-29 | public | | | | release | +---------------------------------------+ Cisco Security Procedures ========================= Complete information about reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco is available on Cisco.com at: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html This web page includes instructions for press inquiries regarding Cisco Security Advisories. All Cisco Security Advisories are available at http://www.cisco.com/go/psirt +-------------------------------------------------------------------- Copyright 2010-2012 Cisco Systems, Inc. All rights reserved. +-------------------------------------------------------------------- -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (SunOS) iFcDBQFPTli6QXnnBKKRMNARCFtaAP0UFJN+xj8Fh/q8wqP3YjlK06bYXdQyp+me 6EWUQbIjtAD/ci+VvBfObulEF0DjT040PuddY7/L6zfdeBVT2XYdMMw= =ibGU -----END PGP SIGNATURE-----

The administrative management interface on Cisco Wireless LAN Controller (WLC) devices with software 4.x, 5.x, 6.0, and 7.0 before 7.0.220.0, 7.1 before 7.1.91.0, and 7.2 before 7.2.103.0 allows remote attackers to cause a denial of service (device crash) via a malformed URL in an HTTP request, aka Bug ID CSCts81997. Allows an unauthenticated attacker to send a specially crafted URL to the management interface to crash the device. An unauthenticated attacker can exploit this issue to cause an affected device to reload, denying service to legitimate users. This issue is tracked by Cisco Bug ID CSCts81997. http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCsq24002. Workarounds are available that mitigate some of these vulnerabilities. This advisory is available at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120229-wlc Affected Products ================= The Cisco WLC product family is affected by multiple vulnerabilities. Affected versions of Cisco ASA Software vary depending on the specific vulnerability. Vulnerable Products +------------------ For specific version information, refer to the Software Versions and Fixes section of this advisory. Each of the following products is affected by at least one of the vulnerabilities covered in this Security Advisory: * Cisco 2000 Series WLC * Cisco 2100 Series WLC * Cisco 2500 Series WLC * Cisco 4100 Series WLC * Cisco 4400 Series WLC * Cisco 5500 Series WLC * Cisco 500 Series Wireless Express Mobility Controllers * Cisco Wireless Services Modules (WiSM) * Cisco Wireless Services Modules version 2 (WiSM version 2) * Cisco NME-AIR-WLC Modules for Integrated Services Routers (ISRs) * Cisco NM-AIR-WLC Modules for Integrated Services Routers (ISRs) * Cisco Catalyst 3750G Integrated WLCs * Cisco Flex 7500 Series Cloud Controllers Note: The Cisco 2000 Series WLCs, Cisco 4100 Series WLCs, Cisco NM-AIR-WLC, and Cisco 500 Series Wireless Express Mobility Controllers, have reached end-of-software maintenance. The following table includes the end-of-life document URL for each model: +-------------------------------------------------------------------+ |Model |End of Life Document URL | |----------------------+--------------------------------------------| |Cisco 2000 Series WLC |http://www.cisco.com/en/US/prod/collateral/ | | |wireless/ps6302/ps8322/ps6308/ | | |prod_end-of-life_notice0900aecd805d22b0.html| |----------------------+--------------------------------------------| |Cisco 4100 Series WLC |http://www.cisco.com/en/US/prod/collateral/ | | |wireless/ps6302/ps8322/ps6307/ | | |prod_end-of-life_notice0900aecd803387a9.html| |----------------------+--------------------------------------------| |Cisco NM-AIR-WLC |http://www.cisco.com/en/US/prod/collateral/ | |Modules for ISR |modules/ps2797/ | | |prod_end-of-life_notice0900aecd806aeb34.html| |----------------------+--------------------------------------------| |Cisco 500 Series |http://www.cisco.com/en/US/prod/collateral/ | |Wireless Express |wireless/ps7306/ps7320/ps7339/ | |Mobility Controllers |end_of_life_c51-568040.html | +-------------------------------------------------------------------+ Determination of Software Versions +--------------------------------- To determine the WLC version that is running in a given environment, use one of the following methods: * In the web interface, choose the Monitor tab, click Summary in the left pane, and note the Software Version field. * In the command-line interface, issue the show sysinfo command as shown in the following example: (Cisco Controller)> show sysinfo Manufacturer's Name.. Cisco Systems Inc. Product Name......... Cisco Controller Product Version...... 5.1.151.0 RTOS Version......... Linux-2.6.10_mvl401 Bootloader Version... 4.0.207.0 Build Type........... DATA + WPS <output suppressed> Products Confirmed Not Vulnerable +-------------------------------- No other Cisco products are currently known to be affected by these vulnerabilities. These devices communicate with controller-based access points over any Layer 2 (Ethernet) or Layer 3 (IP) infrastructure using the Lightweight Access Point Protocol (LWAPP) and the Control and Provisioning of Wireless Access Points (CAPWAP) protocol. This vulnerability can be exploited from both wired and wireless segments. A TCP three-way handshake is needed in order to exploit this vulnerability. An attacker can exploit this vulnerability by connecting to the controller over TCP port 1023. Only the Cisco 4400 Series WLCs, WiSM version 1, and Cisco Catalyst 3750G Integrated WLCs are affected by this vulnerability. Vulnerability Scoring Details ============================= Cisco has scored the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this security advisory is in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps organizations determine the urgency and priority of a response. Cisco has provided a base and temporal score. Customers can also compute environmental scores that help determine the impact of the vulnerability in their own networks. Cisco has provided additional information regarding CVSS at the following link: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to compute the environmental impact for individual networks at the following link: http://intellishield.cisco.com/security/alertmanager/cvss * CSCts81997 - Cisco Wireless LAN Controllers HTTP Denial of Service Vulnerability CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCtt07949 - Cisco Wireless LAN Controllers IPv6 Denial of Service Vulnerability CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCtt47435 - Cisco Wireless LAN Controllers WebAuth Denial of Service Vulnerability CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCtu56709 - Cisco Wireless LAN Controllers Unauthorized Access Vulnerability CVSS Base Score - 9.3 Access Vector - Network Access Complexity - Medium Authentication - None Confidentiality Impact - Complete Integrity Impact - Complete Availability Impact - Complete CVSS Temporal Score - 7.7 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed Impact ====== Successful exploitation of the DoS vulnerabilities could allow an unauthenticated attacker to cause an affected device to reload. Repeated exploitation could result in a sustained DoS condition. Software Versions and Fixes =========================== When considering software upgrades, customers are advised to consult the Cisco Security Advisories and Responses archive at: http://www.cisco.com/go/psirt Review subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers. If a given release train is vulnerable, then the earliest possible releases that contain the fix (along with the anticipated date of availability for each, if applicable) are listed in the "First Fixed Release" column of the table. A device running a release in the given train that is earlier than the release in a specific column (less than the First Fixed Release) is known to be vulnerable. +-------------------------------------------------------------------+ | Vulnerability/Bug ID | Affected | First Fixed Release | | | Release | | |------------------------------+------------+-----------------------| | | 4.0 | Vulnerable; Migrate | | | | to 7.0 or later | | |------------+-----------------------| | | 4.1 | Vulnerable; Migrate | | | | to 7.0 or later | | |------------+-----------------------| | | 4.1M | Vulnerable; Migrate | | | | to 7.0 or later | | |------------+-----------------------| | | 4.2 | Vulnerable; Migrate | | | | to 7.0 or later | | |------------+-----------------------| | | 4.2M | Vulnerable; Migrate | | | | to 7.0 or later | | |------------+-----------------------| | HTTP DoS Vulnerability | 5.0 | Vulnerable; Migrate | | (CSCts81997) | | to 7.0 or later | | |------------+-----------------------| | | 5.1 | Vulnerable; Migrate | | | | to 7.0 or later | | |------------+-----------------------| | | 5.2 | Vulnerable; Migrate | | | | to 7.0 or later | | |------------+-----------------------| | | 6.0 | Vulnerable; Migrate | | | | to 7.0 or later | | |------------+-----------------------| | | 7.0 | 7.0.220.0 | | |------------+-----------------------| | | 7.1 | 7.1.91.0 | | |------------+-----------------------| | | 7.2 | 7.2.103.0 | |------------------------------+------------+-----------------------| | | 4.0 | Not Vulnerable | | |------------+-----------------------| | | 4.1 | Not Vulnerable | | |------------+-----------------------| | | 4.1M | Not Vulnerable | | |------------+-----------------------| | | 4.2 | Not Vulnerable | | |------------+-----------------------| | | 4.2M | Not Vulnerable | | |------------+-----------------------| | | 5.0 | Not Vulnerable | | |------------+-----------------------| | IPv6DoS Vulnerability | 5.1 | Not Vulnerable | |(CSCtt07949) |------------+-----------------------| | | 5.2 | Not Vulnerable | | |------------+-----------------------| | | 6.0 | Vulnerable; Migrate | | | | to 7.0 or later | | |------------+-----------------------| | | 7.0 | 7.0.220.0 | | |------------+-----------------------| | | 7.1 | 7.1.91.0 | | |------------+-----------------------| | | 7.2 | 7.2.103.0 | |------------------------------+------------+-----------------------| | | 4.0 | Vulnerable; Migrate | | | | to 7.0 or later | | |------------+-----------------------| | | 4.1 | Vulnerable; Migrate | | | | to 7.0 or later | | |------------+-----------------------| | | 4.1M | Vulnerable; Migrate | | | | to 7.0 or later | | |------------+-----------------------| | | 4.2 | Vulnerable; Migrate | | | | to 7.0 or later | | |------------+-----------------------| | | 4.2M | Vulnerable; Migrate | | | | to 7.0 or later | | |------------+-----------------------| | WebAuth DoS Vulnerability | 5.0 | Vulnerable; Migrate | | (CSCtt47435) | | to 7.0 or later | | |------------+-----------------------| | | 5.1 | Vulnerable; Migrate | | | | to 7.0 or later | | |------------+-----------------------| | | 5.2 | Vulnerable; Migrate | | | | to 7.0 or later | | |------------+-----------------------| | | 6.0 | Vulnerable; Migrate | | | | to 7.0 or later | | |------------+-----------------------| | | 7.0 | 7.0.220.0 | | |------------+-----------------------| | | 7.1 | 7.1.91.0 | | |------------+-----------------------| | | 7.2 | Not Vulnerable | |------------------------------+------------+-----------------------| | | 4.0 | Vulnerable; Migrate | | | | to 7.0 or later | | |------------+-----------------------| | | 4.1 | Vulnerable; Migrate | | | | to 7.0 or later | | |------------+-----------------------| | | 4.1M | Vulnerable; Migrate | | | | to 7.0 or later | | |------------+-----------------------| | | 4.2 | Vulnerable; Migrate | | | | to 7.0 or later | | |------------+-----------------------| | | 4.2M | Vulnerable; Migrate | | | | to 7.0 or later | | |------------+-----------------------| | Unauthorized Access | 5.0 | Vulnerable; Migrate | | Vulnerability (CSCtu56709) | | to 7.0 or later | | |------------+-----------------------| | | 5.1 | Vulnerable; Migrate | | | | to 7.0 or later | | |------------+-----------------------| | | 5.2 | Vulnerable; Migrate | | | | to 7.0 or later | | |------------+-----------------------| | | 6.0 | Vulnerable; Migrate | | | | to 7.0 or later | | |------------+-----------------------| | | 7.0 | 7.0.220.4 | | |------------+-----------------------| | | 7.1 | Not Vulnerable | | |------------+-----------------------| | | 7.2 | Not Vulnerable | +-------------------------------------------------------------------+ Recommended Releases +------------------- The "Recommended Release" table lists the releases which have fixes for all the published vulnerabilities at the time of this Advisory. Cisco recommends upgrading to a release equal to or later than the release in the "Recommended Releases" table. +-------------------------------------------------------------------+ | Affected Release | Recommended Release | |------------------------------+------------------------------------| | 7.0 | 7.0.230.0 | |------------------------------+------------------------------------| | 7.1 | 7.1.91.0 | |------------------------------+------------------------------------| | 7.2 | 7.2.103.0 | +-------------------------------------------------------------------+ Workarounds =========== This Cisco Security Advisory describes multiple distinct vulnerabilities. These vulnerabilities and their respective workarounds are independent of each other. Cisco Wireless LAN Controllers Unauthorized Access Vulnerability CPU based ACLs can be configured to block access to the affected WLC on TCP port 1023. After ACLs are defined, they can be applied to the management interface, the access point manager (AP-manager) interface, or any of the dynamic interfaces for client data traffic or to the Network Processing Unit (NPU) interface for traffic to the controller CPU. Additional mitigations that can be deployed on Cisco devices in the network are available in the Cisco Applied Mitigation Bulletin companion document for this advisory, which is available at the following link: http://tools.cisco.com/security/center/content/CiscoAppliedMitigationBulletin/cisco-amb-20120229-wlc Obtaining Fixed Software ======================== Cisco has released free software updates that address the vulnerabilities described in this advisory. Prior to deploying software, customers are advised to consult their maintenance providers or check the software for feature set compatibility and known issues that are specific to their environments. Customers may only install and expect support for feature sets they have purchased. By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to follow the terms of the Cisco software license at: http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html Or as set forth at http://www.cisco.com/public/sw-center/sw-usingswc.shtml Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Customers with Service Contracts +------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, upgrades should be obtained through the Software Center on Cisco.com at: http://www.cisco.com Customers Using Third-Party Support Organizations +------------------------------------------------ Customers with Cisco products that are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers, should contact that organization for assistance with the appropriate course of action. The effectiveness of any workaround or fix depends on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Because of the variety of affected products and releases, customers should consult their service providers or support organizations to ensure that any applied workaround or fix is the most appropriate in the intended network before it is deployed. Customers Without Service Contracts +---------------------------------- Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco Technical Assistance Center (TAC): * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac@cisco.com Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade. Customers without service contracts should request free upgrades through the TAC. Refer to Cisco Worldwide Contacts at: http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html For additional TAC contact information, including localized telephone numbers, instructions, and e-mail addresses for support in various languages. Exploitation and Public Announcements ===================================== The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerabilities that are described in this advisory. These vulnerabilities were found during internal testing and during the troubleshooting of customer service requests. Status of This Notice: Final ============================ THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco Security Intelligence Operations at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120229-wlc Additionally, a text version of this advisory is clear signed with the Cisco PSIRT PGP key and circulated among the following e-mail addresses: * cust-security-announce@cisco.com * first-bulletins@lists.first.org * bugtraq@securityfocus.com * vulnwatch@vulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.grok.org.uk Future updates of this advisory, if any, will reside on Cisco.com but may not be announced on mailing lists. Users can monitor this advisory's URL for any updates. Revision History ================ +-------------------------------------------------------------------+ | Revision 1.0 | 2012-February-29 | Initial public release. | +-------------------------------------------------------------------+ Cisco Security Procedures ========================= Complete information about reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco is available on Cisco.com at: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html This web page includes instructions for press inquiries regarding Cisco Security Advisories. All Cisco Security Advisories are available at: http://www.cisco.com/go/psirt +-------------------------------------------------------------------- Copyright 2010-2012 Cisco Systems, Inc. All rights reserved. +-------------------------------------------------------------------- -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.17 (Darwin) Comment: GPGTools - http://gpgtools.org iF4EAREIAAYFAk9NNsMACgkQQXnnBKKRMNAT9QD/eiMEVJB+F+vzCBMq6lCKbhxM fvIvDvBx2ZAMARO9pK8A/Rg0q1bR1eL4gblRgg8swazzbV/Pz0A3G4UtSx+gfXBz =lRis -----END PGP SIGNATURE-----

Cisco Unity Connection before 7.1.5b(Su5), 8.0 and 8.5 before 8.5.1(Su3), and 8.6 before 8.6.2 allows remote attackers to cause a denial of service (services crash) via a series of crafted TCP segments, aka Bug ID CSCtq67899. Cisco Unity Connection There is a service disruption ( Service crash ) There is a vulnerability that becomes a condition. An attacker can exploit this issue to cause an affected device to restart, denying service to legitimate users. This issue is tracked by Cisco Bug ID CSCtq67899. Cisco has released free software updates that address these vulnerabilities. There are no workarounds that mitigate these vulnerabilities. Customers running versions prior to 7.1 should contact their Cisco support team for assistance in upgrading to a supported version of Cisco Unity Connection. Customers running versions prior to 7.1 should contact their Cisco support team for assistance in upgrading to a supported version of Cisco Unity Connection. Information About Cisco Business Edition Cisco Business Edition, Cisco Business Edition 5000, and Cisco Business Edition 6000 are affected by these vulnerabilities if the Cisco Unity Connection version that is used is among the affected versions in the tables reported in the "Vulnerable Products" section of the security advisory. Cisco Business Edition 3000 is not affected by the vulnerabilities included in this security advisory. Determine the Software Version +----------------------------- To determine the Cisco Unity Connection software version that an appliance is running, administrators can access the Cisco Unity Connection web interface and click the "About" link at the top right. Optionally administrators can log in to the command-line interface, and access the main menu. The software version can be identified by using the show version active command. The following example shows Cisco Unity Connection running version 8.6.2: Welcome to the Platform Command Line Interface admin:show version active Active Master Version: 8.6.2.10000-30 Products Confirmed Not Vulnerable +-------------------------------- No other Cisco products are currently known to be affected by these vulnerabilities. Cisco Unified Communication Manager and Cisco Business Edition 3000 are not vulnerable to these vulnerabilities. Details ======= Cisco Unity Connection is a feature-rich voice messaging platform that runs on the same Linux-based Cisco Unified Communications Operating System that is used by Cisco Unified Communications Manager. The vulnerability is due to improper privilege assignment and validation of the "Help Desk Administrator" role. An attacker could exploit this vulnerability by logging in to the system as the Help Desk Administrator user and changing the password for the administrative user. The vulnerability is due to improper handling of TCP segments. An attacker could exploit this vulnerability by sending a sequence of TCP segments to the affected system. Vulnerability Scoring Details +---------------------------- Cisco has scored the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this security advisory is in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps organizations determine the urgency and priority of a response. Cisco has provided a base and temporal score. Customers can also compute environmental scores that help determine the impact of the vulnerability in their own networks. Cisco has provided additional information regarding CVSS at the following link: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to compute the environmental impact for individual networks at the following link: http://intellishield.cisco.com/security/alertmanager/cvss * CSCtd45141 - Cisco Unity Privilege Escalation Vulnerability CVSS Base Score - 9.0 Access Vector - Network Access Complexity - Low Authentication - Single Confidentiality Impact - Complete Integrity Impact - Complete Availability Impact - Complete CVSS Temporal Score - 7.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCtq67899 - Cisco Unity Denial Of Service Vulnerability CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed Impact ====== Cisco Unity Connection Privilege Escalation Vulnerability +-------------------------------------------------------- Successful exploitation of the privilege escalation vulnerability may allow an authenticated, remote attacker to elevate privileges and obtain full access to the affected system. Software Versions and Fixes =========================== Cisco has released free software updates that address these vulnerabilities. Cisco Unity Connection Privilege Escalation Vulnerability - CSCtd45141 +--------------------------------------------------------------------- The following table contains the first fixed releases of software for Cisco Unity Connection, Cisco Business Edition, Cisco Business Edition 5000, and Cisco Business Edition 6000 that address the Cisco Unity Connection Privilege Escalation Vulnerability: +---------------------------------------+ | Version | First Fix In | |------------+--------------------------| | 7.1 | 7.1.3b(Su2), 7.1.5 | |------------+--------------------------| | 8.0 | Not Affected | |------------+--------------------------| | 8.5 | Not Affected | |------------+--------------------------| | 8.6 | Not Affected | +---------------------------------------+ Cisco Unity Connection Denial of Service Vulnerability - CSCtq67899 +------------------------------------------------------------------ The following table contains the first fixed releases of software for Cisco Unity Connection, Cisco Business Edition, Cisco Business Edition 5000, and Cisco Business Edition 6000 that address the Cisco Unity Connection Denial of Service Vulnerability: +---------------------------------------+ | Version | Remediation | |---------+-----------------------------| | 7.1 | 7.1.5b(Su5) - Available in | | | March 2012 | |---------+-----------------------------| | 8.0 | Upgrade to 8.5.1(Su3) | |---------+-----------------------------| | 8.5 | 8.5.1(Su3) | |---------+-----------------------------| | 8.6 | 8.6.2 | +---------------------------------------+ Remediation table +---------------- The following table contains the recommended releases, which include the fixes for all the vulnerabilities described in this advisory: +---------------------------------------+ | Version | Remediation | |---------+-----------------------------| | 7.1 | 7.1.5b(Su5) - Available in | | | March 2012 | |---------+-----------------------------| | 8.0 | Upgrade to 8.5.1(Su3) | |---------+-----------------------------| | 8.5 | 8.5.1(Su3) | |---------+-----------------------------| | 8.6 | 8.6.2 | +---------------------------------------+ When considering software upgrades, customers are advised to consult the Cisco Security Advisories and Responses archive at: http://www.cisco.com/go/psirt and review subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers. Workarounds =========== There are no workarounds that mitigate these vulnerabilities. Obtaining Fixed Software ======================== Cisco has released free software updates that address the vulnerabilities described in this advisory. Prior to deploying software, customers are advised to consult their maintenance providers or check the software for feature set compatibility and known issues that are specific to their environments. Customers may only install and expect support for feature sets they have purchased. By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to follow the terms of the Cisco software license at: http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html or as set forth at http://www.cisco.com/public/sw-center/sw-usingswc.shtml Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Customers with Service Contracts +------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, upgrades should be obtained through the Software Center on Cisco.com at: http://www.cisco.com Customers Using Third-Party Support Organizations +------------------------------------------------ Customers with Cisco products that are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers, should contact that organization for assistance with the appropriate course of action. The effectiveness of any workaround or fix depends on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Because of the variety of affected products and releases, customers should consult their service providers or support organizations to ensure that any applied workaround or fix is the most appropriate in the intended network before it is deployed. Customers Without Service Contracts +---------------------------------- Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco Technical Assistance Center (TAC): * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac@cisco.com Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade. Customers without service contracts should request free upgrades through the TAC. Refer to Cisco Worldwide Contacts at: http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html for additional TAC contact information, including localized telephone numbers, instructions, and e-mail addresses for support in various languages. Exploitation and Public Announcements ===================================== The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory. The vulnerabilities described in this advisory were found during internal testing or discovered during the resolution of customer support cases. Status of This Notice: Final +--------------------------- THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco Security Intelligence Operations at the following link http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120229-cuc Additionally, a text version of this advisory is clear signed with the Cisco PSIRT PGP key and circulated among the following e-mail addresses: * cust-security-announce@cisco.com * first-bulletins@lists.first.org * bugtraq@securityfocus.com * vulnwatch@vulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.grok.org.uk Future updates of this advisory, if any, will reside on Cisco.com but may not be announced on mailing lists. Users can monitor this advisory's URL for any updates. Revision History ================ +----------------------------------------+ | Revision | | Initial | | 1.0 | 2012-February-29 | public | | | | release. | +----------------------------------------+ Cisco Security Procedures ========================= Complete information about reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco is available on Cisco.com at: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html This web page includes instructions for press inquiries regarding Cisco Security Advisories. All Cisco Security Advisories are available at: http://www.cisco.com/go/psirt +-------------------------------------------------------------------- Copyright 2010-2012 Cisco Systems, Inc. All rights reserved. +-------------------------------------------------------------------- -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (SunOS) iFcDBQFPTZscQXnnBKKRMNARCFZnAP9cYfs9Aj8NtYgM+dLJjq6HPE5CBT/DXrIA oajBxN2sqgD/SdLpRzBACGUh9MKqqtxv9uyIINNPD8wv7k17M39/2Uo= =KbMY -----END PGP SIGNATURE-----

Multiple unspecified vulnerabilities in Hitachi JP1/Cm2/Network Node Manager i before 09-50-03 allow remote attackers to cause a denial of service and possibly execute arbitrary code via unspecified vectors. Hitachi JP1 / Cm2 / Hierarchical is a middleware platform software. A remote attacker can leverage this issue to execute arbitrary code within the context of the application. Successful exploits will compromise the application and possibly the underlying computer. ---------------------------------------------------------------------- Become a PSI 3.0 beta tester! Test-drive the new beta version and tell us what you think about its extended automatic update function and significantly enhanced user-interface. Download it here! http://secunia.com/psi_30_beta_launch ---------------------------------------------------------------------- TITLE: Hitachi JP1/Cm2/Network Node Manager Multiple Unspecified Vulnerabilities SECUNIA ADVISORY ID: SA48201 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/48201/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=48201 RELEASE DATE: 2012-02-29 DISCUSS ADVISORY: http://secunia.com/advisories/48201/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/48201/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=48201 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Multiple vulnerabilities have been reported in Hitachi JP1/Cm2/Network Node Manager, where some have an unknown impact and others can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerabilities are caused due to unspecified errors. No further information is currently available. Please see the vendor's advisory for a list of affected versions. SOLUTION: Apply updates (please see the vendor's advisory for details). PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: Hitachi (English): http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/./vuls/HS12-009/index.html Hitachi (Japanese): http://www.hitachi.co.jp/Prod/comp/soft1/security/info/./vuls/HS12-009/index.html OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

iproute2 before 3.3.0 allows local users to overwrite arbitrary files via a symlink attack on a temporary file used by (1) configure or (2) examples/dhcp-client-script. Linux Kernel is prone to multiple insecure temporary file-creation vulnerabilities in the 'iproute' package. An attacker with local access could potentially exploit these issues to perform symbolic-link attacks. Successfully mounting a symbolic attack may allow the attacker to delete or modify sensitive files. Other attacks may also be possible. iproute2 is a series of toolkits for traffic control on TCP/IP networks in Linux systems maintained by American software developer Stephen Hemminger. The toolkit includes the following components, ifconfig, route, tc, ip. A security vulnerability exists in iproute2 3.2.0 and earlier versions. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Note: the current version of the following document is available here: https://h20564.www2.hp.com/portal/site/hpsc/public/kb/ docDisplay?docId=emr_na-c04135307 SUPPORT COMMUNICATION - SECURITY BULLETIN Document ID: c04135307 Version: 1 HPSBGN02970 rev.1 - HP Rapid Deployment Pack (RDP) or HP Insight Control Server Deployment, Multiple Remote Vulnerabilities affecting Confidentiality, Integrity and Availability NOTICE: The information in this Security Bulletin should be acted upon as soon as possible. Release Date: 2014-03-10 Last Updated: 2014-03-10 Potential Security Impact: Multiple remote vulnerabilities affecting confidentiality, integrity and availability Source: Hewlett-Packard Company, HP Software Security Response Team VULNERABILITY SUMMARY Potential vulnerabilities have been identified with HP Rapid Deployment Pack (RDP) or HP Insight Control Server Deployment. The vulnerabilities could be exploited remotely affecting confidentiality, integrity and availability. References: CVE-2010-4008 CVE-2010-4494 CVE-2011-2182 CVE-2011-2213 CVE-2011-2492 CVE-2011-2518 CVE-2011-2689 CVE-2011-2723 CVE-2011-3188 CVE-2011-4077 CVE-2011-4110 CVE-2012-0058 CVE-2012-0879 CVE-2012-1088 CVE-2012-1179 CVE-2012-2137 CVE-2012-2313 CVE-2012-2372 CVE-2012-2373 CVE-2012-2375 CVE-2012-2383 CVE-2012-2384 CVE-2013-6205 CVE-2013-6206 SSRT101443 SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed. HP Rapid Deployment Pack (RDP) -- All versions HP Insight Control Server Deployment -- All versions BACKGROUND CVSS 2.0 Base Metrics =========================================================== Reference Base Vector Base Score CVE-2013-6205 (AV:L/AC:M/Au:S/C:P/I:P/A:P) 4.1 CVE-2013-6206 (AV:N/AC:L/Au:N/C:C/I:P/A:P) 9.0 CVE-2010-4008 (AV:N/AC:M/Au:N/C:N/I:N/A:P) 4.3 CVE-2010-4494 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0 CVE-2011-2182 (AV:L/AC:L/Au:N/C:C/I:C/A:C) 7.2 CVE-2011-2213 (AV:L/AC:L/Au:N/C:N/I:N/A:C) 4.9 CVE-2011-2492 (AV:L/AC:M/Au:N/C:P/I:N/A:N) 1.9 CVE-2011-2518 (AV:L/AC:L/Au:N/C:N/I:N/A:C) 4.9 CVE-2011-2689 (AV:L/AC:L/Au:N/C:N/I:N/A:C) 4.9 CVE-2011-2723 (AV:A/AC:M/Au:N/C:N/I:N/A:C) 5.7 CVE-2011-3188 (AV:N/AC:M/Au:N/C:P/I:P/A:P) 6.8 CVE-2011-4077 (AV:L/AC:M/Au:N/C:C/I:C/A:C) 6.9 CVE-2011-4110 (AV:L/AC:L/Au:N/C:N/I:N/A:P) 2.1 CVE-2012-0058 (AV:L/AC:L/Au:N/C:N/I:N/A:C) 4.9 CVE-2012-0879 (AV:L/AC:L/Au:N/C:N/I:N/A:C) 4.9 CVE-2012-1088 (AV:L/AC:M/Au:N/C:N/I:P/A:P) 3.3 CVE-2012-1179 (AV:A/AC:M/Au:S/C:N/I:N/A:C) 5.2 CVE-2012-2137 (AV:L/AC:M/Au:N/C:C/I:C/A:C) 6.9 CVE-2012-2313 (AV:L/AC:H/Au:N/C:N/I:N/A:P) 1.2 CVE-2012-2372 (AV:L/AC:M/Au:S/C:N/I:N/A:C) 4.4 CVE-2012-2373 (AV:L/AC:H/Au:N/C:N/I:N/A:C) 4.0 CVE-2012-2375 (AV:A/AC:H/Au:N/C:N/I:N/A:C) 4.6 CVE-2012-2383 (AV:L/AC:L/Au:N/C:N/I:N/A:C) 4.9 CVE-2012-2384 (AV:L/AC:L/Au:N/C:N/I:N/A:C) 4.9 =========================================================== Information on CVSS is documented in HP Customer Notice: HPSN-2008-002 RESOLUTION HP recommends that HP Rapid Deployment Pack (RDP) or HP Insight Control Server Deployment should only be run on private secure networks to prevent the risk of security compromise. HISTORY Version:1 (rev.1) - 10 March 2014 Initial release Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy. Support: For issues about implementing the recommendations of this Security Bulletin, contact normal HP Services support channel. For other issues about the content of this Security Bulletin, send e-mail to security-alert@hp.com. Report: To report a potential security vulnerability with any HP supported product, send Email to: security-alert@hp.com Subscribe: To initiate a subscription to receive future HP Security Bulletin alerts via Email: http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins Security Bulletin Archive: A list of recently released Security Bulletins is available here: https://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/ Software Product Category: The Software Product Category is represented in the title by the two characters following HPSB. 3C = 3COM 3P = 3rd Party Software GN = HP General Software HF = HP Hardware and Firmware MP = MPE/iX MU = Multi-Platform Software NS = NonStop Servers OV = OpenVMS PI = Printing and Imaging PV = ProCurve ST = Storage Software TU = Tru64 UNIX UX = HP-UX Copyright 2014 Hewlett-Packard Development Company, L.P. Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental,special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett-Packard Company and the names of Hewlett-Packard products referenced herein are trademarks of Hewlett-Packard Company in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners. -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.19 (GNU/Linux) iEYEARECAAYFAlMd70EACgkQ4B86/C0qfVnXowCgnnw+HySvDNjCV7VPwZHplLwc Gw4An38h3204bsbLQN/gJQVEqFTo5IfX =sWmR -----END PGP SIGNATURE-----

Use-after-free vulnerability in Dropbear SSH Server 0.52 through 2012.54, when command restriction and public key authentication are enabled, allows remote authenticated users to execute arbitrary code and bypass command restrictions via multiple crafted command requests, related to "channels concurrency.". Dropbear SSH Server is a small Secure Shell server for embedded environments. A remote code execution vulnerability exists in Dropbear SSH Server that was caused by a post-release error. An attacker could exploit the vulnerability to execute arbitrary code with root-level privileges, which could allow an attacker to fully manipulate the affected system. Note: To exploit the issue an attacker must be authenticated using a public key and a command restriction is enforced. Solution: Upgrade to version 2012.55 or higher. 2012-02-24 - Coordinated public release of advisory. Credit: This vulnerability was discovered by Danny Fullerton from Mantor Organization. Special thanks to Matt. This fixes a vulnerability, which can be exploited by malicious users to gain escalated privileges. For more information: SA48147 SOLUTION: Apply updated packages via the apt-get package manager. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - ------------------------------------------------------------------------- Debian Security Advisory DSA-2456-1 security@debian.org http://www.debian.org/security/ Moritz Muehlenhoff April 23, 2012 http://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : dropbear Vulnerability : use after free Problem type : remote Debian-specific: no CVE ID : CVE-2012-0920 Danny Fullerton discovered a use-after-free in the Dropbear SSH daemon, resulting in potential execution of arbitrary code. For the stable distribution (squeeze), this problem has been fixed in version 0.52-5+squeeze1. For the testing distribution (wheezy), this problem has been fixed in version 2012.55-1. For the unstable distribution (sid), this problem has been fixed in version 2012.55-1. We recommend that you upgrade your dropbear packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iEYEARECAAYFAk+XCosACgkQXm3vHE4uylrKpQCfZpU4eKxztqi8zGzsAKdxzhLV kOcAoIshssbewzstn+sNTIJyNP7MJ10i =uWaI -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ . ---------------------------------------------------------------------- Become a PSI 3.0 beta tester! Test-drive the new beta version and tell us what you think about its extended automatic update function and significantly enhanced user-interface. Download it here! http://secunia.com/psi_30_beta_launch ---------------------------------------------------------------------- TITLE: Dropbear SSH Server Use-After-Free Vulnerability SECUNIA ADVISORY ID: SA48147 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/48147/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=48147 RELEASE DATE: 2012-02-27 DISCUSS ADVISORY: http://secunia.com/advisories/48147/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/48147/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=48147 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Danny Fullerton has reported a vulnerability in Dropbear SSH Server, which can be exploited by malicious users to gain escalated privileges. The vulnerability is reported in version 0.52 through 2011.54. SOLUTION: Update to version 2012.55 PROVIDED AND/OR DISCOVERED BY: Danny Fullerton, Mantor Organization ORIGINAL ADVISORY: Dropbear: http://matt.ucc.asn.au/dropbear/CHANGES Danny Fullerton: http://archives.neohapsis.com/archives/fulldisclosure/2012-02/0404.html OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 201309-20 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - http://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal Title: Dropbear: Multiple vulnerabilities Date: September 26, 2013 Bugs: #328409, #405607 ID: 201309-20 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== Multiple vulnerabilities have been found in Dropbear, the worst of which could lead to arbitrary code execution. Affected packages ================= ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 net-misc/dropbear < 2012.55 >= 2012.55 Description =========== Multiple vulnerabilities have been discovered in Dropbear. Please review the CVE identifier and Gentoo bug referenced below for details. Impact ====== A remote attacker could send a specially crafted request to trigger a use-after-free condition, possibly resulting in arbitrary code execution or a Denial of Service condition. Additionally, the bundled version of libtommath has an error in its prime number generation, which could result in the generation of weak keys. Workaround ========== There is no known workaround at this time. Resolution ========== All Dropbear users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=net-misc/dropbear-2012.55" References ========== [ 1 ] CVE-2012-0920 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0920 [ 2 ] libtommath Gentoo bug https://bugs.gentoo.org/show_bug.cgi?id=328383 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-201309-20.xml Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License ======= Copyright 2013 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5

D-Link DCS is a camera device product. There is a vulnerability in D-Link DCS. Because the 'security.cgi' provided by the D-Link DCS product fails to properly filter the user-submitted input, it can trigger a cross-site request forgery attack. The attacker constructs a malicious URI, entice the user to access, and can perform malicious operations with administrator privileges. The D-Link DCS-900, DCS-2000, and DCS-5300 are prone to a cross-site request-forgery vulnerability. Successful exploits may allow attackers to run privileged commands on the affected device, change configuration, cause denial-of-service conditions, or inject arbitrary script code. Other attacks are also possible. This issue affects D-Link DCS-900, DCS-2000, and DCS-5300

Directory traversal vulnerability in the Local TFTP file-upload application on Cisco SRP 520 series devices with firmware before 1.1.26 and SRP 520W-U and 540 series devices with firmware before 1.2.4 allows remote authenticated users to upload software to arbitrary directories via unspecified vectors, aka Bug ID CSCtw56009. plural Cisco Product Local TFTP file-upload The application contains a directory traversal vulnerability. The problem is Bug ID CSCtw56009 It is a problem.Remotely authenticated users can upload software to any directory. Cisco Small Business SRP500 series appliances are prone to a directory-traversal vulnerability. Exploiting this issue will allow an attacker to access sensitive information, including password files and system logs, and and allow installation of malicious software on the Cisco SRP 500 series device. This could help the attacker launch further attacks. This issue is tracked by Cisco BugID CSCtw56009. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Cisco Small Business SRP 500 Series Multiple Vulnerabilities Advisory ID: cisco-sa-20120223-srp500 Revision 1.0 For Public Release 2012 February 23 16:00 UTC (GMT) Summary ======= Cisco Small Business (SRP 500) Series Services Ready Platforms contain the following three vulnerabilities: * Cisco SRP 500 Series Web Interface Command Injection Vulnerability * Cisco SRP 500 Series Unauthenticated Configuration Upload Vulnerability * Cisco SRP 500 Series Directory Traversal Vulnerability These vulnerabilities can be exploited using sessions to the Services Ready Platform Configuration Utility web interface. These vulnerabilities could be exploited from the local LAN side of the SRP device by default configuration and the WAN side of the SRP device if remote management is enabled. Remote management is disabled by default. Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate these vulnerabilities are available. This advisory is available at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120223-srp500 Affected Products ================= Vulnerable Products +------------------ The following Cisco SRP 520 Series models are affected if running firmware prior to version 1.1.26: * Cisco SRP 521W * Cisco SRP 526W * Cisco SRP 527W The following Cisco SRP 520W-U Series models are affected if running firmware prior to version 1.2.4: * Cisco SRP 521W-U * Cisco SRP 526W-U * Cisco SRP 527W-U The following Cisco SRP 540 Series models are affected if running firmware prior to version 1.2.4: * Cisco SRP 541W * Cisco SRP 546W * Cisco SRP 547W To view the firmware version on a device, log in to the Services Ready Platform Configuration Utility and navigate to the Status > Router page to view information about the Cisco SRP Series device and its firmware status. The Firmware Version field indicates the current running version of firmware on the Cisco SRP 500 Series device. Products Confirmed Not Vulnerable +-------------------------------- No other Cisco products are currently known to be affected by these vulnerabilities. Details ======= Cisco SRP 500 Series devices are a flexible, cost-effective, fixed-configuration customer premises equipment (CPE) with embedded intelligence to enable service providers to create, provision, and deploy premium revenue-generating services to small businesses on an as-needed basis. These vulnerabilities could be exploited from the local LAN side of the SRP device by default configuration and the WAN side of the SRP device if remote management is enabled. Remote management is disabled by default. Cisco SRP 500 Series Web Interface Command Injection Vulnerability +----------------------------------------------------------------- Cisco SRP 500 Series devices contain a command injection vulnerability that could allow an authenticated session to inject commands to be executed by the operating system. An attacker could exploit this vulnerability by either enticing an administrator to access a crafted link or by performing a man-in-the-middle attack to intercept an authenticated session. An exploit could allow the attacker to execute operating system commands on the device that are run in the context of the root user. This vulnerability has been documented in Cisco bug ID CSCtt46871 and has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2012-0363. An attacker could exploit this vulnerability by first creating a desired configuration file and then uploading it using the unauthenticated URL. This vulnerability has been documented in Cisco bug ID CSCtw55495 and has been assigned CVE ID CVE-2012-0364. An attacker could exploit this vulnerability by enticing an authenticated user to click on a crafted link or by installing malicious files on the FTP or HTTP server that the administrators of the device may use. This vulnerability has been documented in Cisco bug ID CSCtw56009 and has been assigned CVE ID CVE-2012-0365. Vulnerability Scoring Details ============================= Cisco has scored the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this security advisory is in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps organizations determine the urgency and priority of a response. Cisco has provided a base and temporal score. Customers can also compute environmental scores that help determine the impact of the vulnerability in their own networks. Cisco has provided additional information regarding CVSS at the following link: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to compute the environmental impact for individual networks at the following link: http://intellishield.cisco.com/security/alertmanager/cvss * CSCtt46871 - Cisco SRP 500 Series Web Interface Command Injection Vulnerability CVSS Base Score - 9.0 Access Vector - Network Access Complexity - Low Authentication - Single Confidentiality Impact - Complete Integrity Impact - Complete Availability Impact - Complete CVSS Temporal Score - 7.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCtw55495 - Cisco SRP 500 Series Unauthenticated Configuration Upload Vulnerability CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - Complete Availability Impact - None CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCtw56009 - Cisco SRP 500 Series Directory Traversal Vulnerability CVSS Base Score - 9.0 Access Vector - Network Access Complexity - Low Authentication - Single Confidentiality Impact - Complete Integrity Impact - Complete Availability Impact - Complete CVSS Temporal Score - 7.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed Impact ====== Successful exploitation of these vulnerabilities may result in the execution of arbitrary commands on the device or the uploading of files that may be malicious, which may allow the attacker to alter the device configuration. Software Versions and Fixes =========================== When considering software upgrades, also consult: http://www.cisco.com/go/psirt As well as any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance. +---------------------------------------------------------------+ | Affected Product | First Fixed Release | |-----------------------------+---------------------------------| | Cisco SRP 521W | 1.1.26 | |-----------------------------+---------------------------------| | Cisco SRP 526W | 1.1.26 | |-----------------------------+---------------------------------| | Cisco SRP 527W | 1.1.26 | |-----------------------------+---------------------------------| | Cisco SRP 521W-U | 1.2.4 | |-----------------------------+---------------------------------| | Cisco SRP 526W-U | 1.2.4 | |-----------------------------+---------------------------------| | Cisco SRP 527W-U | 1.2.4 | |-----------------------------+---------------------------------| | Cisco SRP 541W | 1.2.4 | |-----------------------------+---------------------------------| | Cisco SRP 546W | 1.2.4 | |-----------------------------+---------------------------------| | Cisco SRP 547W | 1.2.4 | +---------------------------------------------------------------+ The latest Cisco SRP 500 Series Services Ready Platforms firmware can be downloaded at: http://www.cisco.com/cisco/software/navigator.html?mdfid=282736194&i=rm Workarounds =========== The Cisco SRP 500 Series devices are designed as CPE devices, and only disabling access from the outside network will prevent exploitation, from remote networks. The following mitigations help limit exposure to this vulnerability: * Disable Remote Management Caution: Do not disable remote management if administrators manage devices using the WAN connection. This action will result in a loss of management connectivity to the device. Remote Management is disabled by default. If it is enabled, administrators can disable this feature by choosing Administration > Web Access Management. Change the setting for the Remote Management field to Disabled. Disabling remote management limits exposure because the vulnerability can then be exploited from the inter-LAN network only. * Limit Remote Management Access to Specific IP Addresses If remote management is required, secure the device so that it can be accessed by certain IP addresses only, rather than the default setting of All IP Addresses. After choosing Administration > Web Access Management, an administrator can change the Allowed Remote IP Address setting to ensure that only devices with specified IP addresses can access the device. Obtaining Fixed Software ======================== Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at: http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html Or as otherwise set forth at Cisco.com Downloads at: http://www.cisco.com/public/sw-center/sw-usingswc.shtml Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Customers should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at: http://www.cisco.com If the information is not clear, please contact the Cisco Small Business Support Center or your contracted maintenance provider for assistance. Small Business Support Center contacts are as follows. +1 866 606 1866 (toll free from within North America) +1 408 418 1866 (toll call from anywhere in the world) Customers should have their product serial number available. For additional support contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages refer to: http://www.cisco.com/en/US/support/tsd_cisco_small_business_support_center_contacts.html Customers with Service Contracts +------------------------------- See the Obtaining Fixed Software section of this advisory. Customers Using Third-Party Support Organizations +------------------------------------------------ See the Obtaining Fixed Software section of this advisory. Customers Without Service Contracts +---------------------------------- See the Obtaining Fixed Software section of this advisory. Exploitation and Public Announcements ===================================== The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerabilities that are described in this advisory. These vulnerabilities were reported to Cisco by Michal Sajdak of Securitum, Poland. Status of This Notice: Final ============================ THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco Security Intelligence Operations at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120223-srp500 Additionally, a text version of this advisory is clear signed with the Cisco PSIRT PGP key and circulated among the following e-mail addresses: * cust-security-announce@cisco.com * first-bulletins@lists.first.org * bugtraq@securityfocus.com * vulnwatch@vulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.grok.org.uk Future updates of this advisory, if any, will reside on Cisco.com but may not be announced on mailing lists. Users can monitor this advisory's URL for any updates. Revision History ================ +-------------------------------------------------------------------+ | Revision 1.0 | 2012-02-23 | Initial Public Release | +-------------------------------------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at: http://www.cisco.com/go/psirt +-------------------------------------------------------------------- Copyright 2010-2012 Cisco Systems, Inc. All rights reserved. +-------------------------------------------------------------------- -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.17 (Darwin) Comment: GPGTools - http://gpgtools.org iF4EAREIAAYFAk9FbNgACgkQQXnnBKKRMNAfIAD/WMs9GOrkuwOl4hChGWKdtysj zrvZf97YvaI0rShqp0gA/33sBJSMX3KcSYgYZS5RgYG5ZLFV0Cc2zXURzQRzxY85 =WMsW -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/

Cisco SRP 520 series devices with firmware before 1.1.26 and SRP 520W-U and 540 series devices with firmware before 1.2.4 allow remote attackers to replace the configuration file via an upload request to an unspecified URL, aka Bug ID CSCtw55495. plural Cisco The product contains a vulnerability that can replace configuration files. Cisco Small Business SRP500 series appliances are prone to a security-bypass vulnerability because they allow attackers to gain unauthorized access to the device. This issue is being tracked by Cisco Bug ID CSCtw55495. An unauthenticated attacker can exploit this issue to upload a specially crafted configuration file to the affected device, thereby aiding in further attacks. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Cisco Small Business SRP 500 Series Multiple Vulnerabilities Advisory ID: cisco-sa-20120223-srp500 Revision 1.0 For Public Release 2012 February 23 16:00 UTC (GMT) Summary ======= Cisco Small Business (SRP 500) Series Services Ready Platforms contain the following three vulnerabilities: * Cisco SRP 500 Series Web Interface Command Injection Vulnerability * Cisco SRP 500 Series Unauthenticated Configuration Upload Vulnerability * Cisco SRP 500 Series Directory Traversal Vulnerability These vulnerabilities can be exploited using sessions to the Services Ready Platform Configuration Utility web interface. These vulnerabilities could be exploited from the local LAN side of the SRP device by default configuration and the WAN side of the SRP device if remote management is enabled. Remote management is disabled by default. Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate these vulnerabilities are available. This advisory is available at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120223-srp500 Affected Products ================= Vulnerable Products +------------------ The following Cisco SRP 520 Series models are affected if running firmware prior to version 1.1.26: * Cisco SRP 521W * Cisco SRP 526W * Cisco SRP 527W The following Cisco SRP 520W-U Series models are affected if running firmware prior to version 1.2.4: * Cisco SRP 521W-U * Cisco SRP 526W-U * Cisco SRP 527W-U The following Cisco SRP 540 Series models are affected if running firmware prior to version 1.2.4: * Cisco SRP 541W * Cisco SRP 546W * Cisco SRP 547W To view the firmware version on a device, log in to the Services Ready Platform Configuration Utility and navigate to the Status > Router page to view information about the Cisco SRP Series device and its firmware status. Products Confirmed Not Vulnerable +-------------------------------- No other Cisco products are currently known to be affected by these vulnerabilities. Details ======= Cisco SRP 500 Series devices are a flexible, cost-effective, fixed-configuration customer premises equipment (CPE) with embedded intelligence to enable service providers to create, provision, and deploy premium revenue-generating services to small businesses on an as-needed basis. These vulnerabilities could be exploited from the local LAN side of the SRP device by default configuration and the WAN side of the SRP device if remote management is enabled. Remote management is disabled by default. An attacker could exploit this vulnerability by either enticing an administrator to access a crafted link or by performing a man-in-the-middle attack to intercept an authenticated session. An exploit could allow the attacker to execute operating system commands on the device that are run in the context of the root user. An attacker could exploit this vulnerability by enticing an authenticated user to click on a crafted link or by installing malicious files on the FTP or HTTP server that the administrators of the device may use. Vulnerability Scoring Details ============================= Cisco has scored the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this security advisory is in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps organizations determine the urgency and priority of a response. Cisco has provided a base and temporal score. Customers can also compute environmental scores that help determine the impact of the vulnerability in their own networks. Cisco has provided additional information regarding CVSS at the following link: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to compute the environmental impact for individual networks at the following link: http://intellishield.cisco.com/security/alertmanager/cvss * CSCtt46871 - Cisco SRP 500 Series Web Interface Command Injection Vulnerability CVSS Base Score - 9.0 Access Vector - Network Access Complexity - Low Authentication - Single Confidentiality Impact - Complete Integrity Impact - Complete Availability Impact - Complete CVSS Temporal Score - 7.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCtw55495 - Cisco SRP 500 Series Unauthenticated Configuration Upload Vulnerability CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - Complete Availability Impact - None CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCtw56009 - Cisco SRP 500 Series Directory Traversal Vulnerability CVSS Base Score - 9.0 Access Vector - Network Access Complexity - Low Authentication - Single Confidentiality Impact - Complete Integrity Impact - Complete Availability Impact - Complete CVSS Temporal Score - 7.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed Impact ====== Successful exploitation of these vulnerabilities may result in the execution of arbitrary commands on the device or the uploading of files that may be malicious, which may allow the attacker to alter the device configuration. Software Versions and Fixes =========================== When considering software upgrades, also consult: http://www.cisco.com/go/psirt As well as any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance. +---------------------------------------------------------------+ | Affected Product | First Fixed Release | |-----------------------------+---------------------------------| | Cisco SRP 521W | 1.1.26 | |-----------------------------+---------------------------------| | Cisco SRP 526W | 1.1.26 | |-----------------------------+---------------------------------| | Cisco SRP 527W | 1.1.26 | |-----------------------------+---------------------------------| | Cisco SRP 521W-U | 1.2.4 | |-----------------------------+---------------------------------| | Cisco SRP 526W-U | 1.2.4 | |-----------------------------+---------------------------------| | Cisco SRP 527W-U | 1.2.4 | |-----------------------------+---------------------------------| | Cisco SRP 541W | 1.2.4 | |-----------------------------+---------------------------------| | Cisco SRP 546W | 1.2.4 | |-----------------------------+---------------------------------| | Cisco SRP 547W | 1.2.4 | +---------------------------------------------------------------+ The latest Cisco SRP 500 Series Services Ready Platforms firmware can be downloaded at: http://www.cisco.com/cisco/software/navigator.html?mdfid=282736194&i=rm Workarounds =========== The Cisco SRP 500 Series devices are designed as CPE devices, and only disabling access from the outside network will prevent exploitation, from remote networks. The following mitigations help limit exposure to this vulnerability: * Disable Remote Management Caution: Do not disable remote management if administrators manage devices using the WAN connection. This action will result in a loss of management connectivity to the device. Remote Management is disabled by default. If it is enabled, administrators can disable this feature by choosing Administration > Web Access Management. Change the setting for the Remote Management field to Disabled. Disabling remote management limits exposure because the vulnerability can then be exploited from the inter-LAN network only. * Limit Remote Management Access to Specific IP Addresses If remote management is required, secure the device so that it can be accessed by certain IP addresses only, rather than the default setting of All IP Addresses. After choosing Administration > Web Access Management, an administrator can change the Allowed Remote IP Address setting to ensure that only devices with specified IP addresses can access the device. Obtaining Fixed Software ======================== Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at: http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html Or as otherwise set forth at Cisco.com Downloads at: http://www.cisco.com/public/sw-center/sw-usingswc.shtml Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Customers should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at: http://www.cisco.com If the information is not clear, please contact the Cisco Small Business Support Center or your contracted maintenance provider for assistance. Small Business Support Center contacts are as follows. +1 866 606 1866 (toll free from within North America) +1 408 418 1866 (toll call from anywhere in the world) Customers should have their product serial number available. For additional support contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages refer to: http://www.cisco.com/en/US/support/tsd_cisco_small_business_support_center_contacts.html Customers with Service Contracts +------------------------------- See the Obtaining Fixed Software section of this advisory. Customers Using Third-Party Support Organizations +------------------------------------------------ See the Obtaining Fixed Software section of this advisory. Customers Without Service Contracts +---------------------------------- See the Obtaining Fixed Software section of this advisory. Exploitation and Public Announcements ===================================== The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerabilities that are described in this advisory. These vulnerabilities were reported to Cisco by Michal Sajdak of Securitum, Poland. Status of This Notice: Final ============================ THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco Security Intelligence Operations at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120223-srp500 Additionally, a text version of this advisory is clear signed with the Cisco PSIRT PGP key and circulated among the following e-mail addresses: * cust-security-announce@cisco.com * first-bulletins@lists.first.org * bugtraq@securityfocus.com * vulnwatch@vulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.grok.org.uk Future updates of this advisory, if any, will reside on Cisco.com but may not be announced on mailing lists. Users can monitor this advisory's URL for any updates. Revision History ================ +-------------------------------------------------------------------+ | Revision 1.0 | 2012-02-23 | Initial Public Release | +-------------------------------------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at: http://www.cisco.com/go/psirt +-------------------------------------------------------------------- Copyright 2010-2012 Cisco Systems, Inc. All rights reserved. +-------------------------------------------------------------------- -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.17 (Darwin) Comment: GPGTools - http://gpgtools.org iF4EAREIAAYFAk9FbNgACgkQQXnnBKKRMNAfIAD/WMs9GOrkuwOl4hChGWKdtysj zrvZf97YvaI0rShqp0gA/33sBJSMX3KcSYgYZS5RgYG5ZLFV0Cc2zXURzQRzxY85 =WMsW -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/

The web interface on Cisco SRP 520 series devices with firmware before 1.1.26 and SRP 520W-U and 540 series devices with firmware before 1.2.4 allows remote authenticated users to execute arbitrary commands via unspecified vectors, related to a "command injection vulnerability," aka Bug ID CSCtt46871. plural Cisco Product Web The interface contains a vulnerability that allows arbitrary commands to be executed. The problem is Bug ID CSCtt46871 It is a problem.An arbitrary command may be executed by a remotely authenticated user. Cisco Small Business SRP500 series appliances are prone to a remote command-injection vulnerability. Successful exploits will result in the execution of operating system commands in the context of the root user. This may facilitate a complete compromise of an affected computer. This issue is being tracked by Cisco bug ID CSCtt46871. These vulnerabilities could be exploited from the local LAN side of the SRP device by default configuration and the WAN side of the SRP device if remote management is enabled. Remote management is disabled by default. Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate these vulnerabilities are available. This advisory is available at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120223-srp500 Affected Products ================= Vulnerable Products +------------------ The following Cisco SRP 520 Series models are affected if running firmware prior to version 1.1.26: * Cisco SRP 521W * Cisco SRP 526W * Cisco SRP 527W The following Cisco SRP 520W-U Series models are affected if running firmware prior to version 1.2.4: * Cisco SRP 521W-U * Cisco SRP 526W-U * Cisco SRP 527W-U The following Cisco SRP 540 Series models are affected if running firmware prior to version 1.2.4: * Cisco SRP 541W * Cisco SRP 546W * Cisco SRP 547W To view the firmware version on a device, log in to the Services Ready Platform Configuration Utility and navigate to the Status > Router page to view information about the Cisco SRP Series device and its firmware status. The Firmware Version field indicates the current running version of firmware on the Cisco SRP 500 Series device. Products Confirmed Not Vulnerable +-------------------------------- No other Cisco products are currently known to be affected by these vulnerabilities. Details ======= Cisco SRP 500 Series devices are a flexible, cost-effective, fixed-configuration customer premises equipment (CPE) with embedded intelligence to enable service providers to create, provision, and deploy premium revenue-generating services to small businesses on an as-needed basis. These vulnerabilities could be exploited from the local LAN side of the SRP device by default configuration and the WAN side of the SRP device if remote management is enabled. Remote management is disabled by default. An attacker could exploit this vulnerability by either enticing an administrator to access a crafted link or by performing a man-in-the-middle attack to intercept an authenticated session. An attacker could exploit this vulnerability by first creating a desired configuration file and then uploading it using the unauthenticated URL. An exploit could allow the attacker to alter the configuration of the Cisco SRP 500 Series device. An attacker could exploit this vulnerability by enticing an authenticated user to click on a crafted link or by installing malicious files on the FTP or HTTP server that the administrators of the device may use. An exploit could allow the attacker to install malicious software on the Cisco SRP 500 Series device to launch future attacks. Vulnerability Scoring Details ============================= Cisco has scored the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this security advisory is in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps organizations determine the urgency and priority of a response. Cisco has provided a base and temporal score. Customers can also compute environmental scores that help determine the impact of the vulnerability in their own networks. Cisco has provided additional information regarding CVSS at the following link: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to compute the environmental impact for individual networks at the following link: http://intellishield.cisco.com/security/alertmanager/cvss * CSCtt46871 - Cisco SRP 500 Series Web Interface Command Injection Vulnerability CVSS Base Score - 9.0 Access Vector - Network Access Complexity - Low Authentication - Single Confidentiality Impact - Complete Integrity Impact - Complete Availability Impact - Complete CVSS Temporal Score - 7.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCtw55495 - Cisco SRP 500 Series Unauthenticated Configuration Upload Vulnerability CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - Complete Availability Impact - None CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCtw56009 - Cisco SRP 500 Series Directory Traversal Vulnerability CVSS Base Score - 9.0 Access Vector - Network Access Complexity - Low Authentication - Single Confidentiality Impact - Complete Integrity Impact - Complete Availability Impact - Complete CVSS Temporal Score - 7.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed Impact ====== Successful exploitation of these vulnerabilities may result in the execution of arbitrary commands on the device or the uploading of files that may be malicious, which may allow the attacker to alter the device configuration. Software Versions and Fixes =========================== When considering software upgrades, also consult: http://www.cisco.com/go/psirt As well as any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance. +---------------------------------------------------------------+ | Affected Product | First Fixed Release | |-----------------------------+---------------------------------| | Cisco SRP 521W | 1.1.26 | |-----------------------------+---------------------------------| | Cisco SRP 526W | 1.1.26 | |-----------------------------+---------------------------------| | Cisco SRP 527W | 1.1.26 | |-----------------------------+---------------------------------| | Cisco SRP 521W-U | 1.2.4 | |-----------------------------+---------------------------------| | Cisco SRP 526W-U | 1.2.4 | |-----------------------------+---------------------------------| | Cisco SRP 527W-U | 1.2.4 | |-----------------------------+---------------------------------| | Cisco SRP 541W | 1.2.4 | |-----------------------------+---------------------------------| | Cisco SRP 546W | 1.2.4 | |-----------------------------+---------------------------------| | Cisco SRP 547W | 1.2.4 | +---------------------------------------------------------------+ The latest Cisco SRP 500 Series Services Ready Platforms firmware can be downloaded at: http://www.cisco.com/cisco/software/navigator.html?mdfid=282736194&i=rm Workarounds =========== The Cisco SRP 500 Series devices are designed as CPE devices, and only disabling access from the outside network will prevent exploitation, from remote networks. The following mitigations help limit exposure to this vulnerability: * Disable Remote Management Caution: Do not disable remote management if administrators manage devices using the WAN connection. This action will result in a loss of management connectivity to the device. Remote Management is disabled by default. If it is enabled, administrators can disable this feature by choosing Administration > Web Access Management. Change the setting for the Remote Management field to Disabled. Disabling remote management limits exposure because the vulnerability can then be exploited from the inter-LAN network only. * Limit Remote Management Access to Specific IP Addresses If remote management is required, secure the device so that it can be accessed by certain IP addresses only, rather than the default setting of All IP Addresses. After choosing Administration > Web Access Management, an administrator can change the Allowed Remote IP Address setting to ensure that only devices with specified IP addresses can access the device. Obtaining Fixed Software ======================== Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at: http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html Or as otherwise set forth at Cisco.com Downloads at: http://www.cisco.com/public/sw-center/sw-usingswc.shtml Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Customers should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at: http://www.cisco.com If the information is not clear, please contact the Cisco Small Business Support Center or your contracted maintenance provider for assistance. Small Business Support Center contacts are as follows. +1 866 606 1866 (toll free from within North America) +1 408 418 1866 (toll call from anywhere in the world) Customers should have their product serial number available. For additional support contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages refer to: http://www.cisco.com/en/US/support/tsd_cisco_small_business_support_center_contacts.html Customers with Service Contracts +------------------------------- See the Obtaining Fixed Software section of this advisory. Customers Using Third-Party Support Organizations +------------------------------------------------ See the Obtaining Fixed Software section of this advisory. Customers Without Service Contracts +---------------------------------- See the Obtaining Fixed Software section of this advisory. Exploitation and Public Announcements ===================================== The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerabilities that are described in this advisory. These vulnerabilities were reported to Cisco by Michal Sajdak of Securitum, Poland. Status of This Notice: Final ============================ THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco Security Intelligence Operations at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120223-srp500 Additionally, a text version of this advisory is clear signed with the Cisco PSIRT PGP key and circulated among the following e-mail addresses: * cust-security-announce@cisco.com * first-bulletins@lists.first.org * bugtraq@securityfocus.com * vulnwatch@vulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.grok.org.uk Future updates of this advisory, if any, will reside on Cisco.com but may not be announced on mailing lists. Users can monitor this advisory's URL for any updates. Revision History ================ +-------------------------------------------------------------------+ | Revision 1.0 | 2012-02-23 | Initial Public Release | +-------------------------------------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at: http://www.cisco.com/go/psirt +-------------------------------------------------------------------- Copyright 2010-2012 Cisco Systems, Inc. All rights reserved. +-------------------------------------------------------------------- -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.17 (Darwin) Comment: GPGTools - http://gpgtools.org iF4EAREIAAYFAk9FbNgACgkQQXnnBKKRMNAfIAD/WMs9GOrkuwOl4hChGWKdtysj zrvZf97YvaI0rShqp0gA/33sBJSMX3KcSYgYZS5RgYG5ZLFV0Cc2zXURzQRzxY85 =WMsW -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/

Cross-site request forgery (CSRF) vulnerability in webconfig/admin_passwd/passwd.html/admin_passwd in Xavi X7968 allows remote attackers to hijack the authentication of administrators for requests that change the administrator password via the sysUserName, sysPassword, and sysCfmPwd parameters. The Xavi 7968 ADSL Router is an ADSL router device. There is a vulnerability in the Xavi 7968 ADSL Router. Because the program fails to properly validate user-submitted requests, an attacker can build a malicious URI, trick the user into parsing, and run privileged commands on the device, such as changing the configuration, performing a denial of service attack, or injecting arbitrary script code. Xavi 7968 ADSL Router is prone to cross-site scripting, HTML-injection and cross-site request forgery vulnerabilities. The attacker can exploit the issues to execute arbitrary script code in the context of the vulnerable site, potentially allowing the attacker to steal cookie-based authentication credentials, or perform certain administrative functions on victim's behalf. Other attacks are also possible. ---------------------------------------------------------------------- Become a PSI 3.0 beta tester! Test-drive the new beta version and tell us what you think about its extended automatic update function and significantly enhanced user-interface. Download it here! http://secunia.com/psi_30_beta_launch ---------------------------------------------------------------------- TITLE: XAVi X7968 Cross-Site Scripting and Request Forgery Vulnerabilities SECUNIA ADVISORY ID: SA48050 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/48050/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=48050 RELEASE DATE: 2012-03-06 DISCUSS ADVISORY: http://secunia.com/advisories/48050/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/48050/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=48050 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Two vulnerabilities have been reported in XAVi X7968, which can be exploited by malicious people to conduct cross-site scripting and request forgery attacks. 1) Input passed via the "pvcName" parameter to webconfig/wan/confirm.html/confirm is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected device. 2) The device's web interface allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to e.g. change an administrator's password or conduct script insertion attacks by tricking a logged in administrator into visiting a malicious web site. SOLUTION: Filter malicious characters and character sequences using a proxy. Do not browse untrusted sites or follow untrusted links while being logged-in to the device. PROVIDED AND/OR DISCOVERED BY: Busindre OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . (Admin privileges) ** XSS example: (Alert with Cookie) http://192.168.1.1/webconfig/wan/confirm.html/confirm?context=pageAction%3Dadd%26pvcName%3D%2522%253e%253c%252ftd%253e%253cscript%253ealert%28document.cookie%29%253c%252fscript%253e%26vpi%3D0%26vci%3D38%26scat%3DUBR%26accessmode%3Dpppoe%26encap%3Dvcmux%26encapmode%3Dbridged%26iptype%3Ddhcp%26nat_enable%3Dfalse%26def_route_enable%3Dfalse%26qos_enable%3Dfalse%26chkPPPOEAC%3Dfalse%26tBoxPPPOEAC%3DNot%2520Configured%26sessiontype%3Dalways_on%26username%3Da%26password%3Dss&confirm=+Apply+ ** Persistent XSS example: (Alert with Cookie) Add code: http://192.168.1.1/webconfig/lan/lan_config.html/local_lan_config?ip_add_txtbox=192.168.1.1&sub_mask_txtbox=255.255.255.0&host_name_txtbox=Hack<SCRIPT>alert(document.cookie)</script>&domain_name_txtbox=local.lan&mtu_txtbox=1500&next=Apply Exploit URL: http://192.168.1.1/webconfig/upgrade_image/image_upgrade.html ** Cross site request forgery example: (Change admin Password 1234 -> 12345): http://192.168.1.2/webconfig/admin_passwd/passwd.html/admin_passwd?sysUserName=1234&sysPassword=12345&sysCfmPwd=12345&cmdSubmit=Apply This is just an example, all forms in the router interface are vulnerable to CSRF and if they accept text input, to XSS. Author: Busindre busilezas[@]gmail.com

BroadWin SCADA WebAccess is a web browser-based HMI and SCADA software for industrial control systems and automation. A vulnerability exists in the implementation of Advantech/Broadwin HMI/SCADA WebAccess 6.x.x/7.x.x that could be exploited by a remote attacker to execute arbitrary code on the system

SQL injection vulnerability in Advantech/BroadWin WebAccess 7.0 allows remote authenticated users to execute arbitrary SQL commands via a malformed URL. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-0234. BroadWin SCADA WebAccess is a web browser-based HMI and SCADA software for industrial control systems and automation

Cross-site request forgery (CSRF) vulnerability in Advantech/BroadWin WebAccess 7.0 allows remote authenticated users to hijack the authentication of unspecified victims via unknown vectors. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-0235. Advantech/BroadWin WebAccess Contains a cross-site request forgery vulnerability. BroadWin SCADA WebAccess is a web browser-based HMI and SCADA software for industrial control systems and automation

Heap-based buffer overflow in process.c in smbd in Samba 3.0, as used in the file-sharing service on the BlackBerry PlayBook tablet before 2.0.0.7971 and other products, allows remote attackers to cause a denial of service (daemon crash) or possibly execute arbitrary code via a Batched (aka AndX) request that triggers infinite recursion. It highlights game, media publishing and collaboration features. The BlackBerry PlayBook Tablet is a tablet from BlackBerry. The Samba service is used for file sharing between the platform computer and the computer, and remote attackers can exploit the vulnerability to gain control over the Wi-Fi file sharing system through the Wi-Fi network. This vulnerability is also affected when the tablet is connected to the computer using USB and if the attacker can physically access the computer. Samba is prone to a heap-based buffer-overflow vulnerability. Failed exploit attempts will result in a denial-of-service condition. Samba versions prior to 3.4.0 are affected. ---------------------------------------------------------------------- Secunia presentations @ RSA Conference 2012, San Francisco, USA, 27 Feb-02 March Listen to our Chief Security Specialist, Research Analyst Director, and Director Product Management & Quality Assurance discuss the industry's key topics. Also, visit the Secunia stand #817. Find out more: http://www.rsaconference.com/events/2012/usa/index.htm ---------------------------------------------------------------------- TITLE: Samba Any Batched Request Handling Buffer Overflow Vulnerability SECUNIA ADVISORY ID: SA48152 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/48152/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=48152 RELEASE DATE: 2012-02-24 DISCUSS ADVISORY: http://secunia.com/advisories/48152/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/48152/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=48152 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: A vulnerability has been reported in Samba, which can be exploited by malicious people to compromise a vulnerable system. Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ PROVIDED AND/OR DISCOVERED BY: Originally reported in BlackBerry Tablet OS by Andy Davis, NGS Secure. ORIGINAL ADVISORY: http://www.samba.org/samba/security/CVE-2012-0870 OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0870 _______________________________________________________________________ Updated Packages: Mandriva Enterprise Server 5: f1c5c40a39960bf0be8b4f7b0eb07f1c mes5/i586/libnetapi0-3.3.12-0.8mdvmes5.2.i586.rpm c09851ea48666122ce67fb3bb5d863b7 mes5/i586/libnetapi-devel-3.3.12-0.8mdvmes5.2.i586.rpm 574874125ee63e520110e73158fa1c53 mes5/i586/libsmbclient0-3.3.12-0.8mdvmes5.2.i586.rpm ed39a5badbcb3dff984d099d995e4654 mes5/i586/libsmbclient0-devel-3.3.12-0.8mdvmes5.2.i586.rpm 37f6c8edc6af9e4439fe1cfa74162fd4 mes5/i586/libsmbclient0-static-devel-3.3.12-0.8mdvmes5.2.i586.rpm e06527be75deb64802f8bfa4c266f9bc mes5/i586/libsmbsharemodes0-3.3.12-0.8mdvmes5.2.i586.rpm 9926b5aa94649fe5e4563d7d30eea094 mes5/i586/libsmbsharemodes-devel-3.3.12-0.8mdvmes5.2.i586.rpm 13ed1d18924705829149f27c89cff483 mes5/i586/libtalloc1-3.3.12-0.8mdvmes5.2.i586.rpm 0dcc0cadaff5d3e9e9b26a4aa76320b9 mes5/i586/libtalloc-devel-3.3.12-0.8mdvmes5.2.i586.rpm f66dc353d8f7cc28d9e9922bc731bd06 mes5/i586/libtdb1-3.3.12-0.8mdvmes5.2.i586.rpm 87689dca4f04ccc56c8b7e2958f870a5 mes5/i586/libtdb-devel-3.3.12-0.8mdvmes5.2.i586.rpm eac4493389bdd505786b2a813800ec21 mes5/i586/libwbclient0-3.3.12-0.8mdvmes5.2.i586.rpm 0a4d9665399a405ec33352bac8b085d7 mes5/i586/libwbclient-devel-3.3.12-0.8mdvmes5.2.i586.rpm 31d01f8f5ac236bdeb5da6c0b1103c26 mes5/i586/mount-cifs-3.3.12-0.8mdvmes5.2.i586.rpm 4d65a41c7adf287f33146cb51976c12f mes5/i586/nss_wins-3.3.12-0.8mdvmes5.2.i586.rpm 95851e4895bebace6a800c21411c2c98 mes5/i586/samba-client-3.3.12-0.8mdvmes5.2.i586.rpm 615ae2342634aa724e233fe7c38e1021 mes5/i586/samba-common-3.3.12-0.8mdvmes5.2.i586.rpm 593f4559e2e7927c3d2be07c75f69fc2 mes5/i586/samba-doc-3.3.12-0.8mdvmes5.2.i586.rpm 082b8b10f48f87102f5f4e5734192274 mes5/i586/samba-server-3.3.12-0.8mdvmes5.2.i586.rpm 671a8293f5c9970eff7f41a382ce1de8 mes5/i586/samba-swat-3.3.12-0.8mdvmes5.2.i586.rpm d0826b2d50dd03a8a2def0ab8217a10b mes5/i586/samba-winbind-3.3.12-0.8mdvmes5.2.i586.rpm e63162eb725a3c786a9d6ce6e3ffa834 mes5/SRPMS/samba-3.3.12-0.8mdvmes5.2.src.rpm Mandriva Enterprise Server 5/X86_64: 08052ae7f504d3afebc2592c4563cb26 mes5/x86_64/lib64netapi0-3.3.12-0.8mdvmes5.2.x86_64.rpm 959b440b7a52de85774c7826c23e5a0d mes5/x86_64/lib64netapi-devel-3.3.12-0.8mdvmes5.2.x86_64.rpm 4fbf3c6550bbd781101b19a5f59db31f mes5/x86_64/lib64smbclient0-3.3.12-0.8mdvmes5.2.x86_64.rpm fa0e52cf4f492cb5d991ca5305f4eca7 mes5/x86_64/lib64smbclient0-devel-3.3.12-0.8mdvmes5.2.x86_64.rpm 3aab55b5470b2dd3fe21bc22aac57881 mes5/x86_64/lib64smbclient0-static-devel-3.3.12-0.8mdvmes5.2.x86_64.rpm 62faaa06906b9b03f73d130c30841e24 mes5/x86_64/lib64smbsharemodes0-3.3.12-0.8mdvmes5.2.x86_64.rpm 2989b58fbd3b45bc9f59c252c694970f mes5/x86_64/lib64smbsharemodes-devel-3.3.12-0.8mdvmes5.2.x86_64.rpm 7b02247f56fbae2c39148fbbdb2a9753 mes5/x86_64/lib64talloc1-3.3.12-0.8mdvmes5.2.x86_64.rpm c06c34fbdf4472157ce75f438c8975fe mes5/x86_64/lib64talloc-devel-3.3.12-0.8mdvmes5.2.x86_64.rpm 05412945bb2a1b2be22aab619395366e mes5/x86_64/lib64tdb1-3.3.12-0.8mdvmes5.2.x86_64.rpm a5d3e798398970a92129d182766049ab mes5/x86_64/lib64tdb-devel-3.3.12-0.8mdvmes5.2.x86_64.rpm fa4659a2d3591b354ed48fe4780e318a mes5/x86_64/lib64wbclient0-3.3.12-0.8mdvmes5.2.x86_64.rpm a647ebd6ed3d00f8e0cf32db8deddd89 mes5/x86_64/lib64wbclient-devel-3.3.12-0.8mdvmes5.2.x86_64.rpm 5075846b37b482eee78d1390284d221f mes5/x86_64/mount-cifs-3.3.12-0.8mdvmes5.2.x86_64.rpm 08968a5c3682f2af4dab4433d3c4906c mes5/x86_64/nss_wins-3.3.12-0.8mdvmes5.2.x86_64.rpm 1f391d0c654c0efa93a4a9b90ff8abad mes5/x86_64/samba-client-3.3.12-0.8mdvmes5.2.x86_64.rpm 9d374a84dab147dd3a7e20f38032740f mes5/x86_64/samba-common-3.3.12-0.8mdvmes5.2.x86_64.rpm fbc801397a2f7b94b06397aed9e037a8 mes5/x86_64/samba-doc-3.3.12-0.8mdvmes5.2.x86_64.rpm 39fde58a25e8180b574cf6e5a8f7e432 mes5/x86_64/samba-server-3.3.12-0.8mdvmes5.2.x86_64.rpm d9f108c12ade5b0f8905cb453cdb99dc mes5/x86_64/samba-swat-3.3.12-0.8mdvmes5.2.x86_64.rpm 78f300cd217228b7e44d0845f2b29c53 mes5/x86_64/samba-winbind-3.3.12-0.8mdvmes5.2.x86_64.rpm e63162eb725a3c786a9d6ce6e3ffa834 mes5/SRPMS/samba-3.3.12-0.8mdvmes5.2.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/security/advisories If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team <security*mandriva.com> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) iD8DBQFPTQdAmqjQ0CJFipgRAjl5AKCHFXTjEFCIjESHT9QE+lzC/znTUQCeKcKO gBbgJhbdLqBQlAb9QBUHTIM= =j351 -----END PGP SIGNATURE----- . High Risk Vulnerability in Samba 25 February 2012 Andy Davis of NGS Secure has discovered a high risk vulnerability in the Samba service Impact: Remote Code Execution Versions affected: Samba versions up to 3.4.0 More details about this vulnerability and how to obtain software updates can be found here: http://www.samba.org/samba/security/CVE-2012-0870 NGS Secure is going to withhold details of this flaw for three months. This three month window will allow users the time needed to apply the patch before the details are released to the general public. This reflects the NGS Secure approach to responsible disclosure. NGS Secure Research http://www.ngssecure.com . This fixes multiple vulnerabilities, which can be exploited by malicious people to conduct cross-site scripting attacks. ============================================================================ Ubuntu Security Notice USN-1374-1 February 24, 2012 samba vulnerability ============================================================================ A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 8.04 LTS Summary: Samba could be made to crash or run programs if it received specially crafted network traffic. Software Description: - samba: SMB/CIFS file, print, and login server for Unix Details: Andy Davis discovered that Samba incorrectly handled certain AndX offsets. Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 8.04 LTS: samba 3.0.28a-1ubuntu4.17 In general, a standard system update will make all the necessary changes. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Critical: samba security update Advisory ID: RHSA-2012:0332-01 Product: Red Hat Enterprise Linux Advisory URL: https://rhn.redhat.com/errata/RHSA-2012-0332.html Issue date: 2012-02-23 CVE Names: CVE-2012-0870 ===================================================================== 1. Summary: Updated samba packages that fix one security issue are now available for Red Hat Enterprise Linux 4 and 5, and Red Hat Enterprise Linux 5.3 Long Life, and 5.6 Extended Update Support. The Red Hat Security Response Team has rated this update as having critical security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. 2. Relevant releases/architectures: RHEL Desktop Workstation (v. 5 client) - i386, x86_64 Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64 Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390, s390x, x86_64 Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64 Red Hat Enterprise Linux Desktop version 4 - i386, x86_64 Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64 Red Hat Enterprise Linux EUS (v. 5.6 server) - i386, ia64, ppc, s390x, x86_64 Red Hat Enterprise Linux Long Life (v. 5.3 server) - i386, ia64, x86_64 Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64 3. Description: Samba is a suite of programs used by machines to share files, printers, and other information. An input validation flaw was found in the way Samba handled Any Batched (AndX) requests. A remote, unauthenticated attacker could send a specially-crafted SMB packet to the Samba server, possibly resulting in arbitrary code execution with the privileges of the Samba server (root). (CVE-2012-0870) Red Hat would like to thank the Samba team for reporting this issue. Upstream acknowledges Andy Davis of NGS Secure as the original reporter. Users of Samba are advised to upgrade to these updated packages, which contain a backported patch to resolve this issue. After installing this update, the smb service will be restarted automatically. 4. Solution: Before applying this update, make sure all previously-released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/knowledge/articles/11258 5. Bugs fixed (http://bugzilla.redhat.com/): 795509 - CVE-2012-0870 samba: Any Batched ("AndX") request processing infinite recursion and heap-based buffer overflow 6. Package List: Red Hat Enterprise Linux AS version 4: Source: ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/samba-3.0.33-0.35.el4.src.rpm i386: samba-3.0.33-0.35.el4.i386.rpm samba-client-3.0.33-0.35.el4.i386.rpm samba-common-3.0.33-0.35.el4.i386.rpm samba-debuginfo-3.0.33-0.35.el4.i386.rpm samba-swat-3.0.33-0.35.el4.i386.rpm ia64: samba-3.0.33-0.35.el4.ia64.rpm samba-client-3.0.33-0.35.el4.ia64.rpm samba-common-3.0.33-0.35.el4.i386.rpm samba-common-3.0.33-0.35.el4.ia64.rpm samba-debuginfo-3.0.33-0.35.el4.i386.rpm samba-debuginfo-3.0.33-0.35.el4.ia64.rpm samba-swat-3.0.33-0.35.el4.ia64.rpm ppc: samba-3.0.33-0.35.el4.ppc.rpm samba-client-3.0.33-0.35.el4.ppc.rpm samba-common-3.0.33-0.35.el4.ppc.rpm samba-common-3.0.33-0.35.el4.ppc64.rpm samba-debuginfo-3.0.33-0.35.el4.ppc.rpm samba-debuginfo-3.0.33-0.35.el4.ppc64.rpm samba-swat-3.0.33-0.35.el4.ppc.rpm s390: samba-3.0.33-0.35.el4.s390.rpm samba-client-3.0.33-0.35.el4.s390.rpm samba-common-3.0.33-0.35.el4.s390.rpm samba-debuginfo-3.0.33-0.35.el4.s390.rpm samba-swat-3.0.33-0.35.el4.s390.rpm s390x: samba-3.0.33-0.35.el4.s390x.rpm samba-client-3.0.33-0.35.el4.s390x.rpm samba-common-3.0.33-0.35.el4.s390.rpm samba-common-3.0.33-0.35.el4.s390x.rpm samba-debuginfo-3.0.33-0.35.el4.s390.rpm samba-debuginfo-3.0.33-0.35.el4.s390x.rpm samba-swat-3.0.33-0.35.el4.s390x.rpm x86_64: samba-3.0.33-0.35.el4.x86_64.rpm samba-client-3.0.33-0.35.el4.x86_64.rpm samba-common-3.0.33-0.35.el4.i386.rpm samba-common-3.0.33-0.35.el4.x86_64.rpm samba-debuginfo-3.0.33-0.35.el4.i386.rpm samba-debuginfo-3.0.33-0.35.el4.x86_64.rpm samba-swat-3.0.33-0.35.el4.x86_64.rpm Red Hat Enterprise Linux Desktop version 4: Source: ftp://updates.redhat.com/enterprise/4Desktop/en/os/SRPMS/samba-3.0.33-0.35.el4.src.rpm i386: samba-3.0.33-0.35.el4.i386.rpm samba-client-3.0.33-0.35.el4.i386.rpm samba-common-3.0.33-0.35.el4.i386.rpm samba-debuginfo-3.0.33-0.35.el4.i386.rpm samba-swat-3.0.33-0.35.el4.i386.rpm x86_64: samba-3.0.33-0.35.el4.x86_64.rpm samba-client-3.0.33-0.35.el4.x86_64.rpm samba-common-3.0.33-0.35.el4.i386.rpm samba-common-3.0.33-0.35.el4.x86_64.rpm samba-debuginfo-3.0.33-0.35.el4.i386.rpm samba-debuginfo-3.0.33-0.35.el4.x86_64.rpm samba-swat-3.0.33-0.35.el4.x86_64.rpm Red Hat Enterprise Linux ES version 4: Source: ftp://updates.redhat.com/enterprise/4ES/en/os/SRPMS/samba-3.0.33-0.35.el4.src.rpm i386: samba-3.0.33-0.35.el4.i386.rpm samba-client-3.0.33-0.35.el4.i386.rpm samba-common-3.0.33-0.35.el4.i386.rpm samba-debuginfo-3.0.33-0.35.el4.i386.rpm samba-swat-3.0.33-0.35.el4.i386.rpm ia64: samba-3.0.33-0.35.el4.ia64.rpm samba-client-3.0.33-0.35.el4.ia64.rpm samba-common-3.0.33-0.35.el4.i386.rpm samba-common-3.0.33-0.35.el4.ia64.rpm samba-debuginfo-3.0.33-0.35.el4.i386.rpm samba-debuginfo-3.0.33-0.35.el4.ia64.rpm samba-swat-3.0.33-0.35.el4.ia64.rpm x86_64: samba-3.0.33-0.35.el4.x86_64.rpm samba-client-3.0.33-0.35.el4.x86_64.rpm samba-common-3.0.33-0.35.el4.i386.rpm samba-common-3.0.33-0.35.el4.x86_64.rpm samba-debuginfo-3.0.33-0.35.el4.i386.rpm samba-debuginfo-3.0.33-0.35.el4.x86_64.rpm samba-swat-3.0.33-0.35.el4.x86_64.rpm Red Hat Enterprise Linux WS version 4: Source: ftp://updates.redhat.com/enterprise/4WS/en/os/SRPMS/samba-3.0.33-0.35.el4.src.rpm i386: samba-3.0.33-0.35.el4.i386.rpm samba-client-3.0.33-0.35.el4.i386.rpm samba-common-3.0.33-0.35.el4.i386.rpm samba-debuginfo-3.0.33-0.35.el4.i386.rpm samba-swat-3.0.33-0.35.el4.i386.rpm ia64: samba-3.0.33-0.35.el4.ia64.rpm samba-client-3.0.33-0.35.el4.ia64.rpm samba-common-3.0.33-0.35.el4.i386.rpm samba-common-3.0.33-0.35.el4.ia64.rpm samba-debuginfo-3.0.33-0.35.el4.i386.rpm samba-debuginfo-3.0.33-0.35.el4.ia64.rpm samba-swat-3.0.33-0.35.el4.ia64.rpm x86_64: samba-3.0.33-0.35.el4.x86_64.rpm samba-client-3.0.33-0.35.el4.x86_64.rpm samba-common-3.0.33-0.35.el4.i386.rpm samba-common-3.0.33-0.35.el4.x86_64.rpm samba-debuginfo-3.0.33-0.35.el4.i386.rpm samba-debuginfo-3.0.33-0.35.el4.x86_64.rpm samba-swat-3.0.33-0.35.el4.x86_64.rpm Red Hat Enterprise Linux Desktop (v. 5 client): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/samba-3.0.33-3.38.el5_8.src.rpm i386: libsmbclient-3.0.33-3.38.el5_8.i386.rpm samba-3.0.33-3.38.el5_8.i386.rpm samba-client-3.0.33-3.38.el5_8.i386.rpm samba-common-3.0.33-3.38.el5_8.i386.rpm samba-debuginfo-3.0.33-3.38.el5_8.i386.rpm samba-swat-3.0.33-3.38.el5_8.i386.rpm x86_64: libsmbclient-3.0.33-3.38.el5_8.i386.rpm libsmbclient-3.0.33-3.38.el5_8.x86_64.rpm samba-3.0.33-3.38.el5_8.x86_64.rpm samba-client-3.0.33-3.38.el5_8.x86_64.rpm samba-common-3.0.33-3.38.el5_8.i386.rpm samba-common-3.0.33-3.38.el5_8.x86_64.rpm samba-debuginfo-3.0.33-3.38.el5_8.i386.rpm samba-debuginfo-3.0.33-3.38.el5_8.x86_64.rpm samba-swat-3.0.33-3.38.el5_8.x86_64.rpm RHEL Desktop Workstation (v. 5 client): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/samba-3.0.33-3.38.el5_8.src.rpm i386: libsmbclient-devel-3.0.33-3.38.el5_8.i386.rpm samba-debuginfo-3.0.33-3.38.el5_8.i386.rpm x86_64: libsmbclient-devel-3.0.33-3.38.el5_8.i386.rpm libsmbclient-devel-3.0.33-3.38.el5_8.x86_64.rpm samba-debuginfo-3.0.33-3.38.el5_8.i386.rpm samba-debuginfo-3.0.33-3.38.el5_8.x86_64.rpm Red Hat Enterprise Linux Long Life (v. 5.3 server): Source: samba-3.0.33-3.7.el5_3.4.src.rpm i386: samba-3.0.33-3.7.el5_3.4.i386.rpm samba-client-3.0.33-3.7.el5_3.4.i386.rpm samba-common-3.0.33-3.7.el5_3.4.i386.rpm samba-debuginfo-3.0.33-3.7.el5_3.4.i386.rpm samba-swat-3.0.33-3.7.el5_3.4.i386.rpm ia64: samba-3.0.33-3.7.el5_3.4.ia64.rpm samba-client-3.0.33-3.7.el5_3.4.ia64.rpm samba-common-3.0.33-3.7.el5_3.4.ia64.rpm samba-debuginfo-3.0.33-3.7.el5_3.4.ia64.rpm samba-swat-3.0.33-3.7.el5_3.4.ia64.rpm x86_64: samba-3.0.33-3.7.el5_3.4.x86_64.rpm samba-client-3.0.33-3.7.el5_3.4.x86_64.rpm samba-common-3.0.33-3.7.el5_3.4.i386.rpm samba-common-3.0.33-3.7.el5_3.4.x86_64.rpm samba-debuginfo-3.0.33-3.7.el5_3.4.i386.rpm samba-debuginfo-3.0.33-3.7.el5_3.4.x86_64.rpm samba-swat-3.0.33-3.7.el5_3.4.x86_64.rpm Red Hat Enterprise Linux EUS (v. 5.6 server): Source: samba-3.0.33-3.29.el5_6.4.src.rpm i386: libsmbclient-3.0.33-3.29.el5_6.4.i386.rpm libsmbclient-devel-3.0.33-3.29.el5_6.4.i386.rpm samba-3.0.33-3.29.el5_6.4.i386.rpm samba-client-3.0.33-3.29.el5_6.4.i386.rpm samba-common-3.0.33-3.29.el5_6.4.i386.rpm samba-debuginfo-3.0.33-3.29.el5_6.4.i386.rpm samba-swat-3.0.33-3.29.el5_6.4.i386.rpm ia64: libsmbclient-3.0.33-3.29.el5_6.4.ia64.rpm libsmbclient-devel-3.0.33-3.29.el5_6.4.ia64.rpm samba-3.0.33-3.29.el5_6.4.ia64.rpm samba-client-3.0.33-3.29.el5_6.4.ia64.rpm samba-common-3.0.33-3.29.el5_6.4.ia64.rpm samba-debuginfo-3.0.33-3.29.el5_6.4.ia64.rpm samba-swat-3.0.33-3.29.el5_6.4.ia64.rpm ppc: libsmbclient-3.0.33-3.29.el5_6.4.ppc.rpm libsmbclient-3.0.33-3.29.el5_6.4.ppc64.rpm libsmbclient-devel-3.0.33-3.29.el5_6.4.ppc.rpm libsmbclient-devel-3.0.33-3.29.el5_6.4.ppc64.rpm samba-3.0.33-3.29.el5_6.4.ppc.rpm samba-client-3.0.33-3.29.el5_6.4.ppc.rpm samba-common-3.0.33-3.29.el5_6.4.ppc.rpm samba-common-3.0.33-3.29.el5_6.4.ppc64.rpm samba-debuginfo-3.0.33-3.29.el5_6.4.ppc.rpm samba-debuginfo-3.0.33-3.29.el5_6.4.ppc64.rpm samba-swat-3.0.33-3.29.el5_6.4.ppc.rpm s390x: libsmbclient-3.0.33-3.29.el5_6.4.s390.rpm libsmbclient-3.0.33-3.29.el5_6.4.s390x.rpm libsmbclient-devel-3.0.33-3.29.el5_6.4.s390.rpm libsmbclient-devel-3.0.33-3.29.el5_6.4.s390x.rpm samba-3.0.33-3.29.el5_6.4.s390x.rpm samba-client-3.0.33-3.29.el5_6.4.s390x.rpm samba-common-3.0.33-3.29.el5_6.4.s390.rpm samba-common-3.0.33-3.29.el5_6.4.s390x.rpm samba-debuginfo-3.0.33-3.29.el5_6.4.s390.rpm samba-debuginfo-3.0.33-3.29.el5_6.4.s390x.rpm samba-swat-3.0.33-3.29.el5_6.4.s390x.rpm x86_64: libsmbclient-3.0.33-3.29.el5_6.4.i386.rpm libsmbclient-3.0.33-3.29.el5_6.4.x86_64.rpm libsmbclient-devel-3.0.33-3.29.el5_6.4.i386.rpm libsmbclient-devel-3.0.33-3.29.el5_6.4.x86_64.rpm samba-3.0.33-3.29.el5_6.4.x86_64.rpm samba-client-3.0.33-3.29.el5_6.4.x86_64.rpm samba-common-3.0.33-3.29.el5_6.4.i386.rpm samba-common-3.0.33-3.29.el5_6.4.x86_64.rpm samba-debuginfo-3.0.33-3.29.el5_6.4.i386.rpm samba-debuginfo-3.0.33-3.29.el5_6.4.x86_64.rpm samba-swat-3.0.33-3.29.el5_6.4.x86_64.rpm Red Hat Enterprise Linux (v. 5 server): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/samba-3.0.33-3.38.el5_8.src.rpm i386: libsmbclient-3.0.33-3.38.el5_8.i386.rpm libsmbclient-devel-3.0.33-3.38.el5_8.i386.rpm samba-3.0.33-3.38.el5_8.i386.rpm samba-client-3.0.33-3.38.el5_8.i386.rpm samba-common-3.0.33-3.38.el5_8.i386.rpm samba-debuginfo-3.0.33-3.38.el5_8.i386.rpm samba-swat-3.0.33-3.38.el5_8.i386.rpm ia64: libsmbclient-3.0.33-3.38.el5_8.ia64.rpm libsmbclient-devel-3.0.33-3.38.el5_8.ia64.rpm samba-3.0.33-3.38.el5_8.ia64.rpm samba-client-3.0.33-3.38.el5_8.ia64.rpm samba-common-3.0.33-3.38.el5_8.ia64.rpm samba-debuginfo-3.0.33-3.38.el5_8.ia64.rpm samba-swat-3.0.33-3.38.el5_8.ia64.rpm ppc: libsmbclient-3.0.33-3.38.el5_8.ppc.rpm libsmbclient-3.0.33-3.38.el5_8.ppc64.rpm libsmbclient-devel-3.0.33-3.38.el5_8.ppc.rpm libsmbclient-devel-3.0.33-3.38.el5_8.ppc64.rpm samba-3.0.33-3.38.el5_8.ppc.rpm samba-client-3.0.33-3.38.el5_8.ppc.rpm samba-common-3.0.33-3.38.el5_8.ppc.rpm samba-common-3.0.33-3.38.el5_8.ppc64.rpm samba-debuginfo-3.0.33-3.38.el5_8.ppc.rpm samba-debuginfo-3.0.33-3.38.el5_8.ppc64.rpm samba-swat-3.0.33-3.38.el5_8.ppc.rpm s390x: libsmbclient-3.0.33-3.38.el5_8.s390.rpm libsmbclient-3.0.33-3.38.el5_8.s390x.rpm libsmbclient-devel-3.0.33-3.38.el5_8.s390.rpm libsmbclient-devel-3.0.33-3.38.el5_8.s390x.rpm samba-3.0.33-3.38.el5_8.s390x.rpm samba-client-3.0.33-3.38.el5_8.s390x.rpm samba-common-3.0.33-3.38.el5_8.s390.rpm samba-common-3.0.33-3.38.el5_8.s390x.rpm samba-debuginfo-3.0.33-3.38.el5_8.s390.rpm samba-debuginfo-3.0.33-3.38.el5_8.s390x.rpm samba-swat-3.0.33-3.38.el5_8.s390x.rpm x86_64: libsmbclient-3.0.33-3.38.el5_8.i386.rpm libsmbclient-3.0.33-3.38.el5_8.x86_64.rpm libsmbclient-devel-3.0.33-3.38.el5_8.i386.rpm libsmbclient-devel-3.0.33-3.38.el5_8.x86_64.rpm samba-3.0.33-3.38.el5_8.x86_64.rpm samba-client-3.0.33-3.38.el5_8.x86_64.rpm samba-common-3.0.33-3.38.el5_8.i386.rpm samba-common-3.0.33-3.38.el5_8.x86_64.rpm samba-debuginfo-3.0.33-3.38.el5_8.i386.rpm samba-debuginfo-3.0.33-3.38.el5_8.x86_64.rpm samba-swat-3.0.33-3.38.el5_8.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package 7. References: https://www.redhat.com/security/data/cve/CVE-2012-0870.html https://access.redhat.com/security/updates/classification/#critical 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2012 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFPRq5BXlSAg2UNWIIRAi8UAKCeG0OK/toZruQMW71pNgX/9EFWJACfWhgR 2fYxfIbc/dSB94Bi22p/vW4= =Pybf -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce . - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 201206-22 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - http://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: High Title: Samba: Multiple vulnerabilities Date: June 24, 2012 Bugs: #290633, #310105, #323785, #332063, #337295, #356917, #382263, #386375, #405551, #411487, #414319 ID: 201206-22 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== Multiple vulnerabilities have been found in Samba, the worst of which may allow execution of arbitrary code with root privileges. Affected packages ================= ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 net-fs/samba < 3.5.15 >= 3.5.15 Description =========== Multiple vulnerabilities have been discovered in Samba. Please review the CVE identifiers referenced below for details. Furthermore, a local attacker may be able to cause a Denial of Service condition or obtain sensitive information in a Samba credentials file. Workaround ========== There is no known workaround at this time. Resolution ========== All Samba users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=net-fs/samba-3.5.15" References ========== [ 1 ] CVE-2009-2906 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2906 [ 2 ] CVE-2009-2948 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2948 [ 3 ] CVE-2010-0728 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0728 [ 4 ] CVE-2010-1635 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1635 [ 5 ] CVE-2010-1642 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1642 [ 6 ] CVE-2010-2063 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2063 [ 7 ] CVE-2010-3069 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3069 [ 8 ] CVE-2011-0719 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0719 [ 9 ] CVE-2011-1678 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1678 [ 10 ] CVE-2011-2724 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2724 [ 11 ] CVE-2012-0870 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0870 [ 12 ] CVE-2012-1182 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1182 [ 13 ] CVE-2012-2111 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2111 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-201206-22.xml Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License ======= Copyright 2012 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5

Mercury MR804 Router 8.0 3.8.1 Build 101220 Rel.53006nB allows remote attackers to cause a denial of service (service hang) via a crafted string in HTTP header fields such as (1) If-Modified-Since, (2) If-None-Match, or (3) If-Unmodified-Since. NOTE: some of these details are obtained from third party information. The Mercury MR804 Router is a router device. Mercury MR804 router is prone to multiple denial-of-service vulnerabilities. Remote attackers can exploit these issues to cause the device to crash, denying service to legitimate users. Mercury MR804 running version 3.8.1 Build 101220 is vulnerable. ---------------------------------------------------------------------- Become a PSI 3.0 beta tester! Test-drive the new beta version and tell us what you think about its extended automatic update function and significantly enhanced user-interface. Download it here! http://secunia.com/psi_30_beta_launch ---------------------------------------------------------------------- TITLE: Mercury MR804 Denial of Service Vulnerability SECUNIA ADVISORY ID: SA48079 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/48079/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=48079 RELEASE DATE: 2012-03-07 DISCUSS ADVISORY: http://secunia.com/advisories/48079/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/48079/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=48079 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: A vulnerability has been reported in Mercury MR804, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is reported in version 8. Other versions may also be affected. SOLUTION: Restrict access to trusted hosts only. PROVIDED AND/OR DISCOVERED BY: demonalex@163.com. OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Unspecified vulnerability in the MessagingSystem servlet in SAP NetWeaver 7.0 allows remote attackers to obtain sensitive information about the MessagingSystem Performance Data via unspecified vectors. SAP NetWeaver is the technical foundation for SAP Business Suite solutions, SAP xApps composite applications, partner solutions, and custom applications. There is a vulnerability in SAP NetWeaver. Because the input passed to the b2b/admin/log_view.jsp or b2b/admin/log.jsp script in the Internet Sales module via the \"logfilename\" parameter is missing validation before being used to display the file, it can result in arbitrary files being obtained through the directory traversal sequence. information. SAP NetWeaver is prone to multiple input-validation vulnerabilities, including: 1. A cross-site scripting vulnerability 2. Multiple directory traversal vulnerabilities 3. Multiple information-disclosure vulnerabilities Attackers can exploit these issues to execute arbitrary script code in the context of the website, steal cookie-based authentication information, and disclose sensitive information. Other attacks are also possible. ---------------------------------------------------------------------- Secunia presentations @ RSA Conference 2012, San Francisco, USA, 27 Feb-02 March Listen to our Chief Security Specialist, Research Analyst Director, and Director Product Management & Quality Assurance discuss the industry's key topics. Also, visit the Secunia stand #817. Find out more: http://www.rsaconference.com/events/2012/usa/index.htm ---------------------------------------------------------------------- TITLE: SAP NetWeaver Multiple Vulnerabilities SECUNIA ADVISORY ID: SA47861 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/47861/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=47861 RELEASE DATE: 2012-02-21 DISCUSS ADVISORY: http://secunia.com/advisories/47861/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/47861/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=47861 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Digital Security Research Group has reported some vulnerabilities in SAP NetWeaver, which can be exploited by malicious people to conduct cross-site scripting attacks and by malicious users and malicious people to disclose sensitive information. This can be exploited to disclose the contents of arbitrary files via directory traversal sequences. This can be exploited to disclose the contents of arbitrary files via directory traversal sequences. Successful exploitation of vulnerabilities #1 and #2 may require permission to view logs. The vulnerabilities are reported in version 7.0. Other versions may also be affected. SOLUTION: Apply SAP Security Notes 1585527 and 1583300. PROVIDED AND/OR DISCOVERED BY: Dmitriy Chastukhin, Digital Security Research Group. ORIGINAL ADVISORY: Digital Security Research Group: http://dsecrg.com/pages/vul/show.php?id=412 http://dsecrg.com/pages/vul/show.php?id=413 http://dsecrg.com/pages/vul/show.php?id=414 http://dsecrg.com/pages/vul/show.php?id=415 http://dsecrg.com/pages/vul/show.php?id=416 OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Unspecified vulnerability in the com.sap.aii.mdt.amt.web.AMTPageProcessor servlet in SAP NetWeaver 7.0 allows remote attackers to obtain sensitive information about the Adapter Monitor via unspecified vectors, possibly related to the EnableInvokerServletGlobally property in the servlet_jsp service. SAP NetWeaver is the technical foundation for SAP Business Suite solutions, SAP xApps composite applications, partner solutions, and custom applications. There is a vulnerability in SAP NetWeaver. Because the input passed to the b2b/admin/log_view.jsp or b2b/admin/log.jsp script in the Internet Sales module via the \"logfilename\" parameter is missing validation before being used to display the file, it can result in arbitrary files being obtained through the directory traversal sequence. information. SAP NetWeaver is prone to multiple input-validation vulnerabilities, including: 1. A cross-site scripting vulnerability 2. Multiple directory traversal vulnerabilities 3. Multiple information-disclosure vulnerabilities Attackers can exploit these issues to execute arbitrary script code in the context of the website, steal cookie-based authentication information, and disclose sensitive information. Other attacks are also possible. ---------------------------------------------------------------------- Secunia presentations @ RSA Conference 2012, San Francisco, USA, 27 Feb-02 March Listen to our Chief Security Specialist, Research Analyst Director, and Director Product Management & Quality Assurance discuss the industry's key topics. Also, visit the Secunia stand #817. Find out more: http://www.rsaconference.com/events/2012/usa/index.htm ---------------------------------------------------------------------- TITLE: SAP NetWeaver Multiple Vulnerabilities SECUNIA ADVISORY ID: SA47861 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/47861/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=47861 RELEASE DATE: 2012-02-21 DISCUSS ADVISORY: http://secunia.com/advisories/47861/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/47861/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=47861 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Digital Security Research Group has reported some vulnerabilities in SAP NetWeaver, which can be exploited by malicious people to conduct cross-site scripting attacks and by malicious users and malicious people to disclose sensitive information. This can be exploited to disclose the contents of arbitrary files via directory traversal sequences. This can be exploited to disclose the contents of arbitrary files via directory traversal sequences. Successful exploitation of vulnerabilities #1 and #2 may require permission to view logs. The vulnerabilities are reported in version 7.0. Other versions may also be affected. SOLUTION: Apply SAP Security Notes 1585527 and 1583300. PROVIDED AND/OR DISCOVERED BY: Dmitriy Chastukhin, Digital Security Research Group. ORIGINAL ADVISORY: Digital Security Research Group: http://dsecrg.com/pages/vul/show.php?id=412 http://dsecrg.com/pages/vul/show.php?id=413 http://dsecrg.com/pages/vul/show.php?id=414 http://dsecrg.com/pages/vul/show.php?id=415 http://dsecrg.com/pages/vul/show.php?id=416 OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------