VARIoT IoT vulnerabilities database

fwb_install in fwbuilder 2.1.19 allows local users to overwrite arbitrary files via a symlink attack on a /tmp/ssh-agent.##### temporary file. Fwbuilder is prone to a local security vulnerability. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 201201-11 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - http://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal Title: Firewall Builder: Privilege escalation Date: January 23, 2012 Bugs: #235809, #285861 ID: 201201-11 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== Insecure temporary file usage in Firewall Builder could allow attackers to overwrite arbitrary files. Background ========== Firewall Builder is a GUI for easy management of multiple firewall platforms. Affected packages ================= ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 net-firewall/fwbuilder < 3.0.7 >= 3.0.7 Description =========== Two vulnerabilities in Firewall Builder allow the iptables and fwb_install scripts to use temporary files insecurely. Workaround ========== There is no known workaround at this time. Resolution ========== All Firewall Builder users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=net-firewall/fwbuilder-3.0.7" NOTE: This is a legacy GLSA. Updates for all affected architectures are available since March 09, 2010. It is likely that your system is already no longer affected by this issue. References ========== [ 1 ] CVE-2008-4956 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4956 [ 2 ] CVE-2009-4664 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4664 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-201201-11.xml Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License ======= Copyright 2012 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5

Integer overflow in the netsnmp_create_subtree_cache function in agent/snmp_agent.c in net-snmp 5.4 before 5.4.2.1, 5.3 before 5.3.2.3, and 5.2 before 5.2.5.1 allows remote attackers to cause a denial of service (crash) via a crafted SNMP GETBULK request, which triggers a heap-based buffer overflow, related to the number of responses or repeats. net-snmp of netsnmp_create_subtree_cache Functions include SNMP GETBULK An integer overflow vulnerability exists due to a flaw in processing requests.Crafted by a third party SNMP GETBULK Service interruption due to request (DoS) There is a possibility of being put into a state. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 200901-15 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - http://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal Title: Net-SNMP: Denial of Service Date: January 21, 2009 Bugs: #245306 ID: 200901-15 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== A vulnerability in Net-SNMP could lead to a Denial of Service. Background ========== Net-SNMP is a collection of tools for generating and retrieving SNMP data. NOTE: The attacker needs to know the community string to exploit this vulnerability. Workaround ========== Restrict access to trusted entities only. Resolution ========== All Net-SNMP users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=net-analyzer/net-snmp-5.4.2.1" References ========== [ 1 ] CVE-2008-4309 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4309 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-200901-15.xml Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at http://bugs.gentoo.org. License ======= Copyright 2009 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5 . Affected packages: Pardus 2008: net-snmp, all before 5.4.1-7-3 net-snmptrap, all before 5.4.1-7-3 Resolution ========== There are update(s) for net-snmp, net-snmptrap. You can update them via Package Manager or with a single command from console: pisi up net-snmp net-snmptrap References ========== * http://bugs.pardus.org.tr/show_bug.cgi?id=8577 * http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4309 ------------------------------------------------------------------------ -- Pardus Security Team http://security.pardus.org.tr _______________________________________________ Full-Disclosure - We believe in it. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 APPLE-SA-2010-12-16-1 Time Capsule and AirPort Base Station (802.11n) Firmware 7.5.2 Time Capsule and AirPort Base Station (802.11n) Firmware 7.5.2 is now available and addresses the following: CVE-ID: CVE-2008-4309 Available for: AirPort Extreme Base Station with 802.11n, AirPort Express Base Station with 802.11n, Time Capsule Impact: A remote attacker may terminate the operation of the SNMP service Description: An integer overflow exists in the netsnmp_create_subtree_cache function. By sending a maliciously crafted SNMPv3 packet, an attacker may cause the SNMP server to terminate, denying service to legitimate clients. By default, the 'WAN SNMP' configuration option is disabled, and the SNMP service is accessible only to other devices on the local network. This issue is addressed by applying the Net-SNMP patches. CVE-ID: CVE-2009-2189 Available for: AirPort Extreme Base Station with 802.11n, AirPort Express Base Station with 802.11n, Time Capsule Impact: Receiving a large number of IPv6 Router Advertisement (RA) and Neighbor Discovery (ND) packets from a system on the local network may cause the base station to restart Description: A resource consumption issue exists in the base station's handling of Router Advertisement (RA) and Neighbor Discovery (ND) packets. A system on the local network may send a large number of RA and ND packets that could exhaust the base station's resources, causing it to restart unexpectedly. This issue is addressed by rate limiting incoming ICMPv6 packets. Credit to Shoichi Sakane of the KAME project, Kanai Akira of Internet Multifeed Co., Shirahata Shin and Rodney Van Meter of Keio University, and Tatuya Jinmei of Internet Systems Consortium, Inc. for reporting this issue. CVE-ID: CVE-2010-0039 Available for: AirPort Extreme Base Station with 802.11n, AirPort Express Base Station with 802.11n, Time Capsule Impact: An attacker may be able to query services behind an AirPort Base Station or Time Capsule's NAT from the source IP of the router, if any system behind the NAT has a portmapped FTP server Description: The AirPort Extreme Base Station and Time Capsule's Application-Level Gateway (ALG) rewrites incoming FTP traffic, including PORT commands, to appear as if it is the source. An attacker with write access to an FTP server inside the NAT may issue a malicious PORT command, causing the ALG to send attacker-supplied data to an IP and port behind the NAT. As the data is resent from the Base Station, it could potentially bypass any IP-based restrictions for the service. This issue is addressed by not rewriting inbound PORT commands via the ALG. Credit to Sabahattin Gucukoglu for reporting this issue. CVE-ID: CVE-2009-1574 Available for: AirPort Extreme Base Station with 802.11n, AirPort Express Base Station with 802.11n, Time Capsule Impact: A remote attacker may be able to cause a denial of service Description: A null pointer dereference in racoon's handling of fragmented ISAKMP packets may allow a remote attacker to cause an unexpected termination of the racoon daemon. This issue is addressed through improved validation of fragmented ISAKMP packets. CVE-ID: CVE-2010-1804 Available for: AirPort Extreme Base Station with 802.11n, AirPort Express Base Station with 802.11n, Time Capsule Impact: A remote attacker may cause the device to stop processing network traffic Description: An implementation issue exists in the network bridge. Sending a maliciously crafted DHCP reply to the device may cause it to stop responding to network traffic. This issue affects devices that have been configured to act as a bridge, or are configured in Network Address Translation (NAT) mode with a default host enabled. By default, the device operates in NAT mode, and no default host is configured. This update addresses the issue through improved handling of DHCP packets on the network bridge. Credit to Stefan R. Filipek for reporting this issue. Installation note for Firmware version 7.5.2 Firmware version 7.5.2 is installed into Time Capsule or AirPort Base Station with 802.11n via AirPort Utility, provided with the device. It is recommended that AirPort Utility 5.5.2 be installed before upgrading to Firmware version 7.5.2. AirPort Utility 5.5.2 may be obtained through Apple's Software Download site: http://www.apple.com/support/downloads/ Information will also be posted to the Apple Security Updates web site: http://support.apple.com/kb/HT1222 This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.9 (Darwin) iQEcBAEBAgAGBQJNCWXyAAoJEGnF2JsdZQeevTQH/0856gTUzzmL371/nSkhn3qq MCPQVaEMe8O/jy96nlskwzp3X0X0QmXePok1enp6QhDhHm0YL3a4q7YHd4zjm6mM JUoVR4JJRSKOb1bVdEXqo+qG/PH7/5ywfrGas+MjOshMa3gnhYVee39N7Xtz0pHD 3ZllZRwGwad1sQLL7DhJKZ92z6t2GfHoJyK4LZNemkQAL1HyUu7Hj9SlljcVB+Ub xNnpmBXJcCZzp4nRQM+fbLf6bdZ1ua5DTc1pXC8vETtxyHc53G/vLCu8SKBnTBlK JmkpGwG5fXNuYLL8ArFUuEu3zhE7kfdeftUrEez3YeL2DgU9iB8m8RkuuSrVJEY= =WPH8 -----END PGP SIGNATURE----- . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - ------------------------------------------------------------------------ VMware Security Advisory Advisory ID: VMSA-2009-0001 Synopsis: ESX patches address an issue loading corrupt virtual disks and update Service Console packages Issue date: 2009-01-30 Updated on: 2009-01-30 (initial release of advisory) CVE numbers: CVE-2008-4914 CVE-2008-4309 CVE-2008-4226 CVE-2008-4225 - ------------------------------------------------------------------------ 1. Summary Updated ESX patches address an issue loading corrupt virtual disks and update Service Console packages for net-snmp and libxml2. 2. Relevant releases VMware ESXi 3.5 without patch ESXe350-200901401-I-SG VMware ESX 3.5 without patches ESX350-200901401-SG, ESX350-200901409-SG, ESX350-200901410-SG VMware ESX 3.0.3 without patches ESX303-200901405-SG, ESX303-200901406-SG VMware ESX 3.0.2 without patches ESX-1007673, ESX-1007674 NOTE: Extended support for ESX 3.5 Update 1 ends on 7/25/2009, users should plan to upgrade to at least ESX 3.5 Update 2 by that time. Extended support for ESX 3.0.2 Update 1 ends on 2009-08-08. Users should plan to upgrade to ESX 3.0.3 and preferably to the newest release available. 3. Problem Description a. Loading a corrupt delta disk may cause ESX to crash If the VMDK delta disk of a snapshot is corrupt, an ESX host might crash when the corrupted disk is loaded. VMDK delta files exist for virtual machines with one or more snapshots. This change ensures that a corrupt VMDK delta file cannot be used to crash ESX hosts. A corrupt VMDK delta disk, or virtual machine would have to be loaded by an administrator. VMware would like to thank Craig Marshall for reporting this issue. The Common Vulnerabilities and Exposures Project (cve.mitre.org) has assigned the name CVE-2008-4914 to this issue. The following table lists what action remediates the vulnerability (column 4) if a solution is available. VMware Product Running Replace with/ Product Version on Apply Patch ============= ======== ======= ================= VirtualCenter any Windows not affected hosted * any any not affected ESXi 3.5 ESXi ESXe350-200901401-I-SG ESX 3.5 ESX ESX350-200901401-SG ESX 3.0.3 ESX not affected ESX 3.0.2 ESX not affected ESX 2.5.5 ESX not affected * hosted products are VMware Workstation, Player, ACE, Server, Fusion. b. Updated Service Console package net-snmp Net-SNMP is an implementation of the Simple Network Management Protocol (SNMP). SNMP is used by network management systems to monitor hosts. A denial-of-service flaw was found in the way Net-SNMP processes SNMP GETBULK requests. A remote attacker who issued a specially- crafted request could cause the snmpd server to crash. The Common Vulnerabilities and Exposures Project (cve.mitre.org) has assigned the name CVE-2008-4309 to this issue. The following table lists what action remediates the vulnerability (column 4) if a solution is available. VMware Product Running Replace with/ Product Version on Apply Patch ============= ======== ======= ================= VirtualCenter any Windows not affected hosted * any any not affected ESXi 3.5 ESXi not affected ESX 3.5 ESX ESX350-200901409-SG ESX 3.0.3 ESX ESX303-200901405-SG ESX 3.0.2 ESX ESX-1007673 ESX 2.5.5 ESX not affected * hosted products are VMware Workstation, Player, ACE, Server, Fusion. c. Updated Service Console package libxml2 An integer overflow flaw causing a heap-based buffer overflow was found in the libxml2 XML parser. If an application linked against libxml2 processed untrusted, malformed XML content, it could cause the application to crash or, possibly, execute arbitrary code. The Common Vulnerabilities and Exposures Project (cve.mitre.org) has assigned the name CVE-2008-4226 to this issue. A denial of service flaw was discovered in the libxml2 XML parser. If an application linked against libxml2 processed untrusted, malformed XML content, it could cause the application to enter an infinite loop. The Common Vulnerabilities and Exposures Project (cve.mitre.org) has assigned the name CVE-2008-4225 to this issue. The following table lists what action remediates the vulnerability (column 4) if a solution is available. VMware Product Running Replace with/ Product Version on Apply Patch ============= ======== ======= ================= VirtualCenter any Windows not affected hosted * any any not affected ESXi 3.5 ESXi not affected ESX 3.5 ESX ESX350-200901410-SG ESX 3.0.3 ESX ESX303-200901406-SG ESX 3.0.2 ESX ESX-1007674 ESX 2.5.5 ESX affected, patch pending * hosted products are VMware Workstation, Player, ACE, Server, Fusion. 4. Solution Please review the patch/release notes for your product and version and verify the md5sum of your downloaded file. ESXi ---- ESXi 3.5 patch ESXe350-200901401-I-SG http://download3.vmware.com/software/vi/ESXe350-200901401-O-SG.zip md5sum: 588dc7bfdee4e4c5ac626906c37fc784 http://kb.vmware.com/kb/1006661 NOTE: The three ESXi patches for Firmware "I", VMware Tools "T," and the VI Client "C" are contained in a single offline "O" download file. ESX --- ESX 3.5 patch ESX350-200901401-SG (VMDK) http://download3.vmware.com/software/vi/ESX350-200901401-SG.zip md5sum: 2769ac30078656b01ca1e2fdfa3230e9 http://kb.vmware.com/kb/1006651 ESX 3.5 patch ESX350-200901409-SG (net-snmp) http://download3.vmware.com/software/vi/ESX350-200901409-SG.zip md5sum: 2c75cd848d9f3c51619b9a7bd60d20a3 http://kb.vmware.com/kb/1006659 ESX 3.5 patch ESX350-200901410-SG (libxml2) http://download3.vmware.com/software/vi/ESX350-200901410-SG.zip md5sum: 061f96373244e7eab3f0d5fe2415ce91 http://kb.vmware.com/kb/1006660 ESX 3.0.3 patch ESX303-200901405-SG (net-snmp) http://download3.vmware.com/software/vi/ESX303-200901405-SG.zip md5sum: 9983b63a1e2dc7fb3d80f0021c1c347c http://kb.vmware.com/kb/1007681 ESX 3.0.3 patch ESX303-200901406-SG (libxml2) http://download3.vmware.com/software/vi/ESX303-200901406-SG.zip md5sum: 2d5a827ccaf406a54dd3a5affee39db0 http://kb.vmware.com/kb/1007682 ESX 3.0.2 patch ESX-1007673 (net-snmp) http://download3.vmware.com/software/vi/ESX-1007673.tgz md5sum: af4a36d2b4d731177210c789df844974 http://kb.vmware.com/kb/1007673 ESX 3.0.2 patch ESX-1007674 (libxml2) http://download3.vmware.com/software/vi/ESX-1007674.tgz md5sum: fb4b5e9a03dea5b9e24cc0766ddd2581 http://kb.vmware.com/kb/1007674 5. References CVE numbers http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4914 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4309 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4226 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4225 - ------------------------------------------------------------------------ 6. Change log 2009-01-30 VMSA-2009-0001 Initial security advisory after release of patches for ESXi, ESX 3.5, ESX 3.0.3, ESX 3.0.2 on 2009-01-30. - ----------------------------------------------------------------------- 7. Contact E-mail list for product security notifications and announcements: http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce This Security Advisory is posted to the following lists: * security-announce at lists.vmware.com * bugtraq at securityfocus.com * full-disclosure at lists.grok.org.uk E-mail: security at vmware.com PGP key at: http://kb.vmware.com/kb/1055 VMware Security Center http://www.vmware.com/security VMware security response policy http://www.vmware.com/support/policies/security_response.html General support life cycle policy http://www.vmware.com/support/policies/eos.html VMware Infrastructure support life cycle policy http://www.vmware.com/support/policies/eos_vi.html Copyright 2009 VMware Inc. All rights reserved. -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.8.3 (Build 4028) Charset: utf-8 wj8DBQFJhAYnS2KysvBH1xkRAiqwAJ47A5mvajtIwB6kZCcNcvUGoraANACbBTsD cgkdo5JKkJLgol+Y2VXW1co= =PvKt -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 SUPPORT COMMUNICATION - SECURITY BULLETIN Document ID: c01820968 Version: 1 HPSBMA02447 SSRT090062 rev.1 - Insight Control Suite For Linux (ICE-LX) Cross Site Request Forgery (CSRF) , Remote Execution of Arbitrary Code, Denial of Service (DoS), and Other Vulnerabilities NOTICE: The information in this Security Bulletin should be acted upon as soon as possible. Release Date: 2009-08-12 Last Updated: 2009-08-12 Potential Security Impact: Cross Site Request Forgery (CSRF) , Remote Execution of Arbitrary Code, Denial of Service (DoS), and Other Vulnerabilities. Source: Hewlett-Packard Company, HP Software Security Response Team VULNERABILITY SUMMARY Potential security vulnerabilities have been identified with Insight Control Suite For Linux (ICE-LX). The vulnerabilities could be remotely exploited to allow Cross Site Request Forgery (CSRF) , Remote Execution of Arbitrary Code, Denial of Service (DoS) and other vulnerabilities. References: CVE-2009-2677, CVE-2009-0590, CVE-2009-1272, CVE-2008-5161, CVE-2008-4309, CVE-2008-1720 SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed. Insight Control Suite For Linux (ICE-LX) v2.10 or earlier BACKGROUND CVSS 2.0 Base Metrics =========================================================== Reference Base Vector Base Score CVE-2009-2677 (AV:N/AC:M/Au:N/C:P/I:P/A:P) 6.4 CVE-2009-0590 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0 CVE-2009-1272 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0 CVE-2008-5161 (AV:N/AC:H/Au:N/C:P/I:N/A:N) 2.6 CVE-2008-4309 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0 CVE-2008-1720 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5 =========================================================== Information on CVSS is documented in HP Customer Notice: HPSN-2008-002 RESOLUTION HP has made the following updated product kit available to resolve the vulnerabilities. The HP ICE-LX v2.11 kit is available as described below. The update file is HP_ICE_LX_V2.11_511708_004.iso which can be downloaded from here: https://h20392.www2.hp.com/portal/swdepot/try.do?productNumber=HPICELX The kit can also be obtained by going to http://www.hp.com/go/ice-lx Open Source packages updated in this version (v2.11) of ICE-LX net-snmp-5.4.2.1 php 5.2.9 rsync 3.0.5 openssh 5.2 p1 openssl-0.9.8k PRODUCT SPECIFIC INFORMATION None HISTORY Version:1 (rev.1) 12 August 2009 Initial release Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy. Support: For further information, contact normal HP Services support channel. Report: To report a potential security vulnerability with any HP supported product, send Email to: security-alert@hp.com It is strongly recommended that security related information being communicated to HP be encrypted using PGP, especially exploit information. To get the security-alert PGP key, please send an e-mail message as follows: To: security-alert@hp.com Subject: get key Subscribe: To initiate a subscription to receive future HP Security Bulletins via Email: http://h30046.www3.hp.com/driverAlertProfile.php?regioncode=NA&langcode=USENG&jumpid=in_SC-GEN__driverITRC&topiccode=ITRC On the web page: ITRC security bulletins and patch sign-up Under Step1: your ITRC security bulletins and patches -check ALL categories for which alerts are required and continue. Under Step2: your ITRC operating systems -verify your operating system selections are checked and save. To update an existing subscription: http://h30046.www3.hp.com/subSignIn.php Log in on the web page: Subscriber's choice for Business: sign-in. On the web page: Subscriber's Choice: your profile summary - use Edit Profile to update appropriate sections. To review previously published Security Bulletins visit: http://www.itrc.hp.com/service/cki/secBullArchive.do * The Software Product Category that this Security Bulletin relates to is represented by the 5th and 6th characters of the Bulletin number in the title: GN = HP General SW MA = HP Management Agents MI = Misc. 3rd Party SW MP = HP MPE/iX NS = HP NonStop Servers OV = HP OpenVMS PI = HP Printing & Imaging ST = HP Storage SW TL = HP Trusted Linux TU = HP Tru64 UNIX UX = HP-UX VV = HP VirtualVault System management and security procedures must be reviewed frequently to maintain system integrity. HP is continually reviewing and enhancing the security features of software products to provide customers with current secure solutions. "HP is broadly distributing this Security Bulletin in order to bring to the attention of users of the affected HP products the important security information contained in this Bulletin. HP recommends that all users determine the applicability of this information to their individual situations and take appropriate action. HP does not warrant that this information is necessarily accurate or complete for all user situations and, consequently, HP will not be responsible for any damages resulting from user's use or disregard of the information provided in this Bulletin. To the extent permitted by law, HP disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose, title and non-infringement." Copyright 2009 Hewlett-Packard Development Company, L.P. Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental,special or consequential damages including downtime cost; lost profits;damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett-Packard Company and the names of Hewlett-Packard products referenced herein are trademarks of Hewlett-Packard Company in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2008-0960 Wes Hardaker reported that the SNMPv3 HMAC verification relies on the client to specify the HMAC length, which allows spoofing of authenticated SNMPv3 packets. CVE-2008-2292 John Kortink reported a buffer overflow in the __snprint_value function in snmp_get causing a denial of service and potentially allowing the execution of arbitrary code via a large OCTETSTRING in an attribute value pair (AVP). For the stable distribution (etch), these problems has been fixed in version 5.2.3-7etch4. For the testing distribution (lenny) and unstable distribution (sid) these problems have been fixed in version 5.4.1~dfsg-11. We recommend that you upgrade your net-snmp package. Upgrade instructions - -------------------- wget url will fetch the file for you dpkg -i file.deb will install the referenced file. If you are using the apt-get package manager, use the line for sources.list as given below: apt-get update will update the internal database apt-get upgrade will install corrected packages You may use an automated update by adding the resources from the footer to the proper configuration. Debian GNU/Linux 4.0 alias etch - ------------------------------- Source archives: http://security.debian.org/pool/updates/main/n/net-snmp/net-snmp_5.2.3-7etch4.diff.gz Size/MD5 checksum: 94030 2ccd6191c3212980956c30de392825ec http://security.debian.org/pool/updates/main/n/net-snmp/net-snmp_5.2.3-7etch4.dsc Size/MD5 checksum: 1046 8018cc23033178515298d5583a74f9ff http://security.debian.org/pool/updates/main/n/net-snmp/net-snmp_5.2.3.orig.tar.gz Size/MD5 checksum: 4006389 ba4bc583413f90618228d0f196da8181 Architecture independent packages: http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp-base_5.2.3-7etch4_all.deb Size/MD5 checksum: 1214368 d579d8f28f3d704b6c09b2b480425086 http://security.debian.org/pool/updates/main/n/net-snmp/tkmib_5.2.3-7etch4_all.deb Size/MD5 checksum: 855594 b5ccd827adbcefcca3557fa9ae28cc08 alpha architecture (DEC Alpha) http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp9-dev_5.2.3-7etch4_alpha.deb Size/MD5 checksum: 2169470 265835564ef2b0e2e86a08000461c53b http://security.debian.org/pool/updates/main/n/net-snmp/snmp_5.2.3-7etch4_alpha.deb Size/MD5 checksum: 944098 5b903886ee4740842715797e3231602c http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp9_5.2.3-7etch4_alpha.deb Size/MD5 checksum: 1901802 5486eb1f2a5b076e5342b1dd9cbb12e2 http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp-perl_5.2.3-7etch4_alpha.deb Size/MD5 checksum: 933202 e3210ba1641079e0c3aaf4a50e89aedd http://security.debian.org/pool/updates/main/n/net-snmp/snmpd_5.2.3-7etch4_alpha.deb Size/MD5 checksum: 835584 b14db8c5e5b5e2d34799952975f903fb amd64 architecture (AMD x86_64 (AMD64)) http://security.debian.org/pool/updates/main/n/net-snmp/snmp_5.2.3-7etch4_amd64.deb Size/MD5 checksum: 932008 fc79672bf64eaabd41ed1c2f4a42c7da http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp9_5.2.3-7etch4_amd64.deb Size/MD5 checksum: 1890766 ae3832515a97a79b31e0e7f0316356ee http://security.debian.org/pool/updates/main/n/net-snmp/snmpd_5.2.3-7etch4_amd64.deb Size/MD5 checksum: 835088 62867e9ba9dfca3c7e8ae575d5a478f5 http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp-perl_5.2.3-7etch4_amd64.deb Size/MD5 checksum: 918844 d2d1bc5f555bc9dba153e2a9a964ffbf http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp9-dev_5.2.3-7etch4_amd64.deb Size/MD5 checksum: 1557924 5c2a33a015dd44708a9cc7602ca2525c arm architecture (ARM) http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp-perl_5.2.3-7etch4_arm.deb Size/MD5 checksum: 909974 4c1cef835efc0b7ff3fea54a618eabee http://security.debian.org/pool/updates/main/n/net-snmp/snmpd_5.2.3-7etch4_arm.deb Size/MD5 checksum: 835284 3ac835d926481c9e0f589b578455ddee http://security.debian.org/pool/updates/main/n/net-snmp/snmp_5.2.3-7etch4_arm.deb Size/MD5 checksum: 928252 b98e98b58c61be02e477185293427d5c http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp9_5.2.3-7etch4_arm.deb Size/MD5 checksum: 1778292 b903adf3d1fa6e7a26f7cafb7bffdd6b http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp9-dev_5.2.3-7etch4_arm.deb Size/MD5 checksum: 1344158 78b6cf6b2974983e8e3670468da73cd1 hppa architecture (HP PA RISC) http://security.debian.org/pool/updates/main/n/net-snmp/snmpd_5.2.3-7etch4_hppa.deb Size/MD5 checksum: 835940 9eeaf116e386dd7733ab2106c662dfa9 http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp9-dev_5.2.3-7etch4_hppa.deb Size/MD5 checksum: 1809132 78bb5f1c12b004d32fa265e6bd99ffa1 http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp9_5.2.3-7etch4_hppa.deb Size/MD5 checksum: 1926116 71c7f3095ffe1bb22e84ade21f32b3a4 http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp-perl_5.2.3-7etch4_hppa.deb Size/MD5 checksum: 935434 85deac8531b02a0fdf3c9baa21d8e4bd http://security.debian.org/pool/updates/main/n/net-snmp/snmp_5.2.3-7etch4_hppa.deb Size/MD5 checksum: 935640 958cb158264f75772864cd5d5c0bf251 i386 architecture (Intel ia32) http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp9-dev_5.2.3-7etch4_i386.deb Size/MD5 checksum: 1423294 f05c7491a8100684c5085588738f05b5 http://security.debian.org/pool/updates/main/n/net-snmp/snmpd_5.2.3-7etch4_i386.deb Size/MD5 checksum: 833970 cb705c9fe9418cc9348ac935ea7b0ba2 http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp-perl_5.2.3-7etch4_i386.deb Size/MD5 checksum: 920070 3df41a0c99c41d1bccf6801011cf8ed5 http://security.debian.org/pool/updates/main/n/net-snmp/snmp_5.2.3-7etch4_i386.deb Size/MD5 checksum: 925914 159b4244ef701edbe0fb8c9685b5b477 http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp9_5.2.3-7etch4_i386.deb Size/MD5 checksum: 1838900 3b7ac7b8fe0da1a3909ee56aba46d464 ia64 architecture (Intel ia64) http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp9_5.2.3-7etch4_ia64.deb Size/MD5 checksum: 2205680 6868a56b1db04627e6921bf7237939a2 http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp-perl_5.2.3-7etch4_ia64.deb Size/MD5 checksum: 970440 783f0cccabfbcc63590730b3803d164d http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp9-dev_5.2.3-7etch4_ia64.deb Size/MD5 checksum: 2281114 fd04b505755a3aed0fe4c9baaac84500 http://security.debian.org/pool/updates/main/n/net-snmp/snmpd_5.2.3-7etch4_ia64.deb Size/MD5 checksum: 842690 9f9ca89c3d3ba7c46481e9cd39c242a6 http://security.debian.org/pool/updates/main/n/net-snmp/snmp_5.2.3-7etch4_ia64.deb Size/MD5 checksum: 962854 c8a32f808d719357a5b6350e2b60794e mips architecture (MIPS (Big Endian)) http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp-perl_5.2.3-7etch4_mips.deb Size/MD5 checksum: 895414 5dd919d188291cb3727d39b5e06c9e26 http://security.debian.org/pool/updates/main/n/net-snmp/snmp_5.2.3-7etch4_mips.deb Size/MD5 checksum: 927342 28c245db4d8ea82ba4075b27d674d72a http://security.debian.org/pool/updates/main/n/net-snmp/snmpd_5.2.3-7etch4_mips.deb Size/MD5 checksum: 833182 0e0b21e13d77de82bed7a38d30f65e4b http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp9-dev_5.2.3-7etch4_mips.deb Size/MD5 checksum: 1769524 24bdc73a3d20c4046c7741957442c713 http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp9_5.2.3-7etch4_mips.deb Size/MD5 checksum: 1717562 977ae5c34a127d32d8f2bf222de9a431 mipsel architecture (MIPS (Little Endian)) http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp9-dev_5.2.3-7etch4_mipsel.deb Size/MD5 checksum: 1755032 cab5c112911465a9ce23a0d2ea44ded9 http://security.debian.org/pool/updates/main/n/net-snmp/snmp_5.2.3-7etch4_mipsel.deb Size/MD5 checksum: 926616 2bf14a3fe74d9f2a523aacc8b04f5282 http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp-perl_5.2.3-7etch4_mipsel.deb Size/MD5 checksum: 895194 b7c9ed37bf83ad92371f5472ac5d917b http://security.debian.org/pool/updates/main/n/net-snmp/snmpd_5.2.3-7etch4_mipsel.deb Size/MD5 checksum: 833098 08b63ba6c3becf25ba2f941a532a7b71 http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp9_5.2.3-7etch4_mipsel.deb Size/MD5 checksum: 1720642 1ff7568eb478edee923edb76cf42e9ac powerpc architecture (PowerPC) http://security.debian.org/pool/updates/main/n/net-snmp/snmp_5.2.3-7etch4_powerpc.deb Size/MD5 checksum: 941434 bbac9384bd7f88339e2b86fa665208c1 http://security.debian.org/pool/updates/main/n/net-snmp/snmpd_5.2.3-7etch4_powerpc.deb Size/MD5 checksum: 835212 4790d79f8de7f1bee7aabf0473f25268 http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp9-dev_5.2.3-7etch4_powerpc.deb Size/MD5 checksum: 1657890 b91fcf52e80c7196cea0c13df9ac79ef http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp9_5.2.3-7etch4_powerpc.deb Size/MD5 checksum: 1803262 4d298c9509941390c7b2eb68320ad211 http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp-perl_5.2.3-7etch4_powerpc.deb Size/MD5 checksum: 928170 b17966a6a61313344ac827b58f32eeef s390 architecture (IBM S/390) http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp9-dev_5.2.3-7etch4_s390.deb Size/MD5 checksum: 1409718 2a128cbdce2522ef49604255cff41af2 http://security.debian.org/pool/updates/main/n/net-snmp/snmp_5.2.3-7etch4_s390.deb Size/MD5 checksum: 931452 d3bb7c3a849cd2b35fa6e4acb19c318d http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp9_5.2.3-7etch4_s390.deb Size/MD5 checksum: 1834914 67e5b946df18b06b41b3e108d5ddc4e3 http://security.debian.org/pool/updates/main/n/net-snmp/snmpd_5.2.3-7etch4_s390.deb Size/MD5 checksum: 836102 7a4b85e8ea0e50d7213997b5f7d6309f http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp-perl_5.2.3-7etch4_s390.deb Size/MD5 checksum: 903864 3f80e78e4e2672aacf3da0690ff24b79 sparc architecture (Sun SPARC/UltraSPARC) http://security.debian.org/pool/updates/main/n/net-snmp/snmp_5.2.3-7etch4_sparc.deb Size/MD5 checksum: 925336 5824ea607689f3f1bd62a9e6e28f95ae http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp9-dev_5.2.3-7etch4_sparc.deb Size/MD5 checksum: 1548630 1378d1cf730d3026bc1f01a4ab2ccedb http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp-perl_5.2.3-7etch4_sparc.deb Size/MD5 checksum: 918592 28a086f6aa2ee8d510b38c1a177843fc http://security.debian.org/pool/updates/main/n/net-snmp/snmpd_5.2.3-7etch4_sparc.deb Size/MD5 checksum: 834186 068cbf2b4774ecf9504b820db26e6f1d http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp9_5.2.3-7etch4_sparc.deb Size/MD5 checksum: 1782014 d39fae5fe0d1397a2a1bd7397d6e850a These files will probably be moved into the stable distribution on its next update. =========================================================== Ubuntu Security Notice USN-685-1 December 03, 2008 net-snmp vulnerabilities CVE-2008-0960, CVE-2008-2292, CVE-2008-4309 =========================================================== A security issue affects the following Ubuntu releases: Ubuntu 6.06 LTS Ubuntu 7.10 Ubuntu 8.04 LTS Ubuntu 8.10 This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu. The problem can be corrected by upgrading your system to the following package versions: Ubuntu 6.06 LTS: libsnmp-perl 5.2.1.2-4ubuntu2.3 libsnmp9 5.2.1.2-4ubuntu2.3 Ubuntu 7.10: libsnmp-perl 5.3.1-6ubuntu2.2 libsnmp10 5.3.1-6ubuntu2.2 Ubuntu 8.04 LTS: libsnmp-perl 5.4.1~dfsg-4ubuntu4.2 libsnmp15 5.4.1~dfsg-4ubuntu4.2 Ubuntu 8.10: libsnmp15 5.4.1~dfsg-7.1ubuntu6.1 In general, a standard system upgrade is sufficient to effect the necessary changes. Details follow: Wes Hardaker discovered that the SNMP service did not correctly validate HMAC authentication requests. (CVE-2008-0960) John Kortink discovered that the Net-SNMP Perl module did not correctly check the size of returned values. If a user or automated system were tricked into querying a malicious SNMP server, the application using the Perl module could be made to crash, leading to a denial of service. This did not affect Ubuntu 8.10. (CVE-2008-2292) It was discovered that the SNMP service did not correctly handle large GETBULK requests. (CVE-2008-4309) Updated packages for Ubuntu 6.06 LTS: Source archives: http://security.ubuntu.com/ubuntu/pool/main/n/net-snmp/net-snmp_5.2.1.2-4ubuntu2.3.diff.gz Size/MD5: 75402 9655d984a47cec8e27efa4db0b227870 http://security.ubuntu.com/ubuntu/pool/main/n/net-snmp/net-snmp_5.2.1.2-4ubuntu2.3.dsc Size/MD5: 838 17a17230a005c1acfd0569757e728fad http://security.ubuntu.com/ubuntu/pool/main/n/net-snmp/net-snmp_5.2.1.2.orig.tar.gz Size/MD5: 3869893 34159770a7fe418d99fdd416a75358b1 Architecture independent packages: http://security.ubuntu.com/ubuntu/pool/main/n/net-snmp/libsnmp-base_5.2.1.2-4ubuntu2.3_all.deb Size/MD5: 1152306 f7647cee4df8db87ab48c0d05635a973 http://security.ubuntu.com/ubuntu/pool/universe/n/net-snmp/tkmib_5.2.1.2-4ubuntu2.3_all.deb Size/MD5: 822946 b9b852c188937d1fffc06d4da01325d5 amd64 architecture (Athlon64, Opteron, EM64T Xeon): http://security.ubuntu.com/ubuntu/pool/main/n/net-snmp/libsnmp-perl_5.2.1.2-4ubuntu2.3_amd64.deb Size/MD5: 896620 a78012b3f0f13667081f97dc1a4d62e8 http://security.ubuntu.com/ubuntu/pool/main/n/net-snmp/libsnmp9-dev_5.2.1.2-4ubuntu2.3_amd64.deb Size/MD5: 1497194 7d55b8d1e4ae0c45753bedcf536a1a5a http://security.ubuntu.com/ubuntu/pool/main/n/net-snmp/libsnmp9_5.2.1.2-4ubuntu2.3_amd64.deb Size/MD5: 1826252 0550c1401f9bbe5f345fd96484ed369c http://security.ubuntu.com/ubuntu/pool/main/n/net-snmp/snmp_5.2.1.2-4ubuntu2.3_amd64.deb Size/MD5: 889330 5ad0ddb2c610973166e4dd07769ba3d3 http://security.ubuntu.com/ubuntu/pool/main/n/net-snmp/snmpd_5.2.1.2-4ubuntu2.3_amd64.deb Size/MD5: 797086 18cf4210342b683d3ee24fe995329b55 i386 architecture (x86 compatible Intel/AMD): http://security.ubuntu.com/ubuntu/pool/main/n/net-snmp/libsnmp-perl_5.2.1.2-4ubuntu2.3_i386.deb Size/MD5: 896880 298d27ea1ece6e80bb8931b9a5e61961 http://security.ubuntu.com/ubuntu/pool/main/n/net-snmp/libsnmp9-dev_5.2.1.2-4ubuntu2.3_i386.deb Size/MD5: 1268472 acbca43ab7ea747fa3e4636d15ef997c http://security.ubuntu.com/ubuntu/pool/main/n/net-snmp/libsnmp9_5.2.1.2-4ubuntu2.3_i386.deb Size/MD5: 1710342 bd27290685bcf1d6a23eb8705d3367e7 http://security.ubuntu.com/ubuntu/pool/main/n/net-snmp/snmp_5.2.1.2-4ubuntu2.3_i386.deb Size/MD5: 881838 58121bd9e4c845da7df4e540645e0e13 http://security.ubuntu.com/ubuntu/pool/main/n/net-snmp/snmpd_5.2.1.2-4ubuntu2.3_i386.deb Size/MD5: 794672 221d1c554bd89f50dc3ac9108a6cef6b powerpc architecture (Apple Macintosh G3/G4/G5): http://security.ubuntu.com/ubuntu/pool/main/n/net-snmp/libsnmp-perl_5.2.1.2-4ubuntu2.3_powerpc.deb Size/MD5: 913064 45a033b01c4b31ef90a92988bb5fb229 http://security.ubuntu.com/ubuntu/pool/main/n/net-snmp/libsnmp9-dev_5.2.1.2-4ubuntu2.3_powerpc.deb Size/MD5: 1590124 b62aa5477d9307d311c811298b7ec3d9 http://security.ubuntu.com/ubuntu/pool/main/n/net-snmp/libsnmp9_5.2.1.2-4ubuntu2.3_powerpc.deb Size/MD5: 1728094 5214ce9aebe3a8d7a28a1746a81ce8ea http://security.ubuntu.com/ubuntu/pool/main/n/net-snmp/snmp_5.2.1.2-4ubuntu2.3_powerpc.deb Size/MD5: 898580 86e6c1b5dfb5bf91f63d7c6786b7abae http://security.ubuntu.com/ubuntu/pool/main/n/net-snmp/snmpd_5.2.1.2-4ubuntu2.3_powerpc.deb Size/MD5: 796092 1bab28407224f782b2c3ae04b4647333 sparc architecture (Sun SPARC/UltraSPARC): http://security.ubuntu.com/ubuntu/pool/main/n/net-snmp/libsnmp-perl_5.2.1.2-4ubuntu2.3_sparc.deb Size/MD5: 896832 3d233db9682d5654fdad6bc6b5a649ba http://security.ubuntu.com/ubuntu/pool/main/n/net-snmp/libsnmp9-dev_5.2.1.2-4ubuntu2.3_sparc.deb Size/MD5: 1485268 064304ead0ca4653136376e8e9039e74 http://security.ubuntu.com/ubuntu/pool/main/n/net-snmp/libsnmp9_5.2.1.2-4ubuntu2.3_sparc.deb Size/MD5: 1706490 cb76027eb8167e0866a81b93a4da28ed http://security.ubuntu.com/ubuntu/pool/main/n/net-snmp/snmp_5.2.1.2-4ubuntu2.3_sparc.deb Size/MD5: 883182 d1ffc12427d92be51efdba3349e74f9a http://security.ubuntu.com/ubuntu/pool/main/n/net-snmp/snmpd_5.2.1.2-4ubuntu2.3_sparc.deb Size/MD5: 796374 0f3f749ebe4af6111fe49316639004e4 Updated packages for Ubuntu 7.10: Source archives: http://security.ubuntu.com/ubuntu/pool/main/n/net-snmp/net-snmp_5.3.1-6ubuntu2.2.diff.gz Size/MD5: 94646 8b6f9380d9f8c5514a1d4db729c6df04 http://security.ubuntu.com/ubuntu/pool/main/n/net-snmp/net-snmp_5.3.1-6ubuntu2.2.dsc Size/MD5: 1287 f53866efd3ae4f3c939a77b1005e1f11 http://security.ubuntu.com/ubuntu/pool/main/n/net-snmp/net-snmp_5.3.1.orig.tar.gz Size/MD5: 4210843 360a9783dbc853bab6bda90d961daee5 Architecture independent packages: http://security.ubuntu.com/ubuntu/pool/main/n/net-snmp/libsnmp-base_5.3.1-6ubuntu2.2_all.deb Size/MD5: 484306 f2d03276d1cdcef7e8b276ad8ca9595d http://security.ubuntu.com/ubuntu/pool/universe/n/net-snmp/tkmib_5.3.1-6ubuntu2.2_all.deb Size/MD5: 901284 6889b371d4de92eb61bf83b89d8a8c37 amd64 architecture (Athlon64, Opteron, EM64T Xeon): http://security.ubuntu.com/ubuntu/pool/main/n/net-snmp/libsnmp-dev_5.3.1-6ubuntu2.2_amd64.deb Size/MD5: 2541692 1e6de4bd3c3baa444a2e1980a593a40e http://security.ubuntu.com/ubuntu/pool/main/n/net-snmp/libsnmp-perl_5.3.1-6ubuntu2.2_amd64.deb Size/MD5: 968940 7efe4bdcb99f311f1c4bb2c3b9d24a4e http://security.ubuntu.com/ubuntu/pool/main/n/net-snmp/libsnmp10_5.3.1-6ubuntu2.2_amd64.deb Size/MD5: 1200930 821861c24499cfdfa2a82c329c610c16 http://security.ubuntu.com/ubuntu/pool/main/n/net-snmp/snmp_5.3.1-6ubuntu2.2_amd64.deb Size/MD5: 996572 00cc1a4c8c7924124984e666563e73d0 http://security.ubuntu.com/ubuntu/pool/main/n/net-snmp/snmpd_5.3.1-6ubuntu2.2_amd64.deb Size/MD5: 908792 a40763280a3bdbe60eca5e07c5d6c30c i386 architecture (x86 compatible Intel/AMD): http://security.ubuntu.com/ubuntu/pool/main/n/net-snmp/libsnmp-dev_5.3.1-6ubuntu2.2_i386.deb Size/MD5: 2321524 59d44616802197e1227cf88abddefe36 http://security.ubuntu.com/ubuntu/pool/main/n/net-snmp/libsnmp-perl_5.3.1-6ubuntu2.2_i386.deb Size/MD5: 967106 a6e5b308d889bdf6f5abe454e35ba474 http://security.ubuntu.com/ubuntu/pool/main/n/net-snmp/libsnmp10_5.3.1-6ubuntu2.2_i386.deb Size/MD5: 1124462 ec99daa26d0fafba6e9f0b874a23bf3d http://security.ubuntu.com/ubuntu/pool/main/n/net-snmp/snmp_5.3.1-6ubuntu2.2_i386.deb Size/MD5: 991956 cb20b6a4d68a858ffa0846431169d411 http://security.ubuntu.com/ubuntu/pool/main/n/net-snmp/snmpd_5.3.1-6ubuntu2.2_i386.deb Size/MD5: 907546 1ab5119e23a16e99203c113d49fc2723 lpia architecture (Low Power Intel Architecture): http://ports.ubuntu.com/pool/main/n/net-snmp/libsnmp-dev_5.3.1-6ubuntu2.2_lpia.deb Size/MD5: 2305548 da57690a3327196e0c3684735be23f2e http://ports.ubuntu.com/pool/main/n/net-snmp/libsnmp-perl_5.3.1-6ubuntu2.2_lpia.deb Size/MD5: 968984 8da336a5fd871be10e6b8d66d3b9c9d3 http://ports.ubuntu.com/pool/main/n/net-snmp/libsnmp10_5.3.1-6ubuntu2.2_lpia.deb Size/MD5: 1074500 e4d6690a6a6a543fc0244a29cd350c9b http://ports.ubuntu.com/pool/main/n/net-snmp/snmp_5.3.1-6ubuntu2.2_lpia.deb Size/MD5: 989566 2d2f4b1662e6a2dffafe8e98f00a15e7 http://ports.ubuntu.com/pool/main/n/net-snmp/snmpd_5.3.1-6ubuntu2.2_lpia.deb Size/MD5: 907596 4274e006754ebc836132166e0f0429a0 powerpc architecture (Apple Macintosh G3/G4/G5): http://security.ubuntu.com/ubuntu/pool/main/n/net-snmp/libsnmp-dev_5.3.1-6ubuntu2.2_powerpc.deb Size/MD5: 2641202 9b2ec56463ee715752b780aa332d8cd0 http://security.ubuntu.com/ubuntu/pool/main/n/net-snmp/libsnmp-perl_5.3.1-6ubuntu2.2_powerpc.deb Size/MD5: 985722 a2fca8426b7b51e98c39b91a468bf71f http://security.ubuntu.com/ubuntu/pool/main/n/net-snmp/libsnmp10_5.3.1-6ubuntu2.2_powerpc.deb Size/MD5: 1154496 6073239f7ffead2a5b9c3357ada1602c http://security.ubuntu.com/ubuntu/pool/main/n/net-snmp/snmp_5.3.1-6ubuntu2.2_powerpc.deb Size/MD5: 1018596 af12cc55597a0d2d3a92b4b5d683bb14 http://security.ubuntu.com/ubuntu/pool/main/n/net-snmp/snmpd_5.3.1-6ubuntu2.2_powerpc.deb Size/MD5: 911866 57e2246930e712bdc1b039840d43af48 sparc architecture (Sun SPARC/UltraSPARC): http://security.ubuntu.com/ubuntu/pool/main/n/net-snmp/libsnmp-dev_5.3.1-6ubuntu2.2_sparc.deb Size/MD5: 2527568 19b1a0971259a9b99f9c0386f5935bfc http://security.ubuntu.com/ubuntu/pool/main/n/net-snmp/libsnmp-perl_5.3.1-6ubuntu2.2_sparc.deb Size/MD5: 970264 d8ae7f0bb10375ad487b14ba031cd013 http://security.ubuntu.com/ubuntu/pool/main/n/net-snmp/libsnmp10_5.3.1-6ubuntu2.2_sparc.deb Size/MD5: 1078842 2401fc4c40352b8c8013e8c5de3b0ecd http://security.ubuntu.com/ubuntu/pool/main/n/net-snmp/snmp_5.3.1-6ubuntu2.2_sparc.deb Size/MD5: 995228 16b230d3c718d8eb4a023126bd09d7f5 http://security.ubuntu.com/ubuntu/pool/main/n/net-snmp/snmpd_5.3.1-6ubuntu2.2_sparc.deb Size/MD5: 908708 1e410a8ddac41ad9faec901c5a638f29 Updated packages for Ubuntu 8.04 LTS: Source archives: http://security.ubuntu.com/ubuntu/pool/main/n/net-snmp/net-snmp_5.4.1~dfsg-4ubuntu4.2.diff.gz Size/MD5: 78642 b4acf50e47be498e579b934f32081d25 http://security.ubuntu.com/ubuntu/pool/main/n/net-snmp/net-snmp_5.4.1~dfsg-4ubuntu4.2.dsc Size/MD5: 1447 0abcea5df87851df2aae7ebd1fc00e7a http://security.ubuntu.com/ubuntu/pool/main/n/net-snmp/net-snmp_5.4.1~dfsg.orig.tar.gz Size/MD5: 4618308 0ef987c41d3414f2048c94d187a2baeb Architecture independent packages: http://security.ubuntu.com/ubuntu/pool/main/n/net-snmp/libsnmp-base_5.4.1~dfsg-4ubuntu4.2_all.deb Size/MD5: 526864 f3a131bf5a4f5c547573430cb66d410c http://security.ubuntu.com/ubuntu/pool/universe/n/net-snmp/tkmib_5.4.1~dfsg-4ubuntu4.2_all.deb Size/MD5: 102072 2f276f50efdb7e34f7e61f132f7f7cd7 amd64 architecture (Athlon64, Opteron, EM64T Xeon): http://security.ubuntu.com/ubuntu/pool/main/n/net-snmp/libsnmp-dev_5.4.1~dfsg-4ubuntu4.2_amd64.deb Size/MD5: 1796950 283c5a95206ab74062e0e30eba4e0890 http://security.ubuntu.com/ubuntu/pool/main/n/net-snmp/libsnmp-perl_5.4.1~dfsg-4ubuntu4.2_amd64.deb Size/MD5: 142522 9fff294368a7eac39e37fa478ac6609d http://security.ubuntu.com/ubuntu/pool/main/n/net-snmp/libsnmp15_5.4.1~dfsg-4ubuntu4.2_amd64.deb Size/MD5: 1296694 d0646a1543c51f14a93b40f972bc1569 http://security.ubuntu.com/ubuntu/pool/main/n/net-snmp/snmp_5.4.1~dfsg-4ubuntu4.2_amd64.deb Size/MD5: 163178 0378a25e3b2a0bc80ddb8ec720b5557d http://security.ubuntu.com/ubuntu/pool/main/n/net-snmp/snmpd_5.4.1~dfsg-4ubuntu4.2_amd64.deb Size/MD5: 75960 fcba461f2e2376cad515329791e04a17 http://security.ubuntu.com/ubuntu/pool/universe/n/net-snmp/libsnmp-python_5.4.1~dfsg-4ubuntu4.2_amd64.deb Size/MD5: 38512 21d9ecbc86a8e5965047d027e94fd324 i386 architecture (x86 compatible Intel/AMD): http://security.ubuntu.com/ubuntu/pool/main/n/net-snmp/libsnmp-dev_5.4.1~dfsg-4ubuntu4.2_i386.deb Size/MD5: 1556806 39e4f63b841c4b36c022017d66c12f58 http://security.ubuntu.com/ubuntu/pool/main/n/net-snmp/libsnmp-perl_5.4.1~dfsg-4ubuntu4.2_i386.deb Size/MD5: 179478 5f08596ae997792920e238ff8cd2a7ba http://security.ubuntu.com/ubuntu/pool/main/n/net-snmp/libsnmp15_5.4.1~dfsg-4ubuntu4.2_i386.deb Size/MD5: 1098794 38bc61a5b403fb4f626a641a5f13e681 http://security.ubuntu.com/ubuntu/pool/main/n/net-snmp/snmp_5.4.1~dfsg-4ubuntu4.2_i386.deb Size/MD5: 157954 66e38c37639f3c68e7e4a933fa953ff3 http://security.ubuntu.com/ubuntu/pool/main/n/net-snmp/snmpd_5.4.1~dfsg-4ubuntu4.2_i386.deb Size/MD5: 74116 50b3a4d0cfd38585d2711d30cf725e9d http://security.ubuntu.com/ubuntu/pool/universe/n/net-snmp/libsnmp-python_5.4.1~dfsg-4ubuntu4.2_i386.deb Size/MD5: 75038 98cdeec4b1014568b00107a82fc74418 lpia architecture (Low Power Intel Architecture): http://ports.ubuntu.com/pool/main/n/net-snmp/libsnmp-dev_5.4.1~dfsg-4ubuntu4.2_lpia.deb Size/MD5: 1552018 d9dcab084f3b9bf3e8c36cb5db8f141e http://ports.ubuntu.com/pool/main/n/net-snmp/libsnmp-perl_5.4.1~dfsg-4ubuntu4.2_lpia.deb Size/MD5: 141508 96061180809cccc975e0d7079e07ed3e http://ports.ubuntu.com/pool/main/n/net-snmp/libsnmp15_5.4.1~dfsg-4ubuntu4.2_lpia.deb Size/MD5: 1171530 2d91048fe0a2ac9e3a4fddb84c67513e http://ports.ubuntu.com/pool/main/n/net-snmp/snmp_5.4.1~dfsg-4ubuntu4.2_lpia.deb Size/MD5: 155564 c67ba3aeb2535ee3e7fc4c89e90ba36a http://ports.ubuntu.com/pool/main/n/net-snmp/snmpd_5.4.1~dfsg-4ubuntu4.2_lpia.deb Size/MD5: 74274 db05202893f516398bbe4e2153ef2d6e http://ports.ubuntu.com/pool/universe/n/net-snmp/libsnmp-python_5.4.1~dfsg-4ubuntu4.2_lpia.deb Size/MD5: 35552 a75caf212ffb5a0eafe4ba2656c9aae1 powerpc architecture (Apple Macintosh G3/G4/G5): http://ports.ubuntu.com/pool/main/n/net-snmp/libsnmp-dev_5.4.1~dfsg-4ubuntu4.2_powerpc.deb Size/MD5: 1874428 0ed8b5f4e6bad74d506d73447de00bd2 http://ports.ubuntu.com/pool/main/n/net-snmp/libsnmp-perl_5.4.1~dfsg-4ubuntu4.2_powerpc.deb Size/MD5: 158374 dfcd7c4455b4bbd3f746368058d09a59 http://ports.ubuntu.com/pool/main/n/net-snmp/libsnmp15_5.4.1~dfsg-4ubuntu4.2_powerpc.deb Size/MD5: 1238226 b5b3a81e956cdb14674d571694d1b6d0 http://ports.ubuntu.com/pool/main/n/net-snmp/snmp_5.4.1~dfsg-4ubuntu4.2_powerpc.deb Size/MD5: 185314 5e9d8bd56493f75ae8a8691c530aa420 http://ports.ubuntu.com/pool/main/n/net-snmp/snmpd_5.4.1~dfsg-4ubuntu4.2_powerpc.deb Size/MD5: 83106 75dea32ec7152b7868fabf09d9d5a198 http://ports.ubuntu.com/pool/universe/n/net-snmp/libsnmp-python_5.4.1~dfsg-4ubuntu4.2_powerpc.deb Size/MD5: 42928 214fe703fced2e387b48b51dcbb1d6b7 sparc architecture (Sun SPARC/UltraSPARC): http://ports.ubuntu.com/pool/main/n/net-snmp/libsnmp-dev_5.4.1~dfsg-4ubuntu4.2_sparc.deb Size/MD5: 1760062 ade4c08289d947d092a5b2ab06517cc7 http://ports.ubuntu.com/pool/main/n/net-snmp/libsnmp-perl_5.4.1~dfsg-4ubuntu4.2_sparc.deb Size/MD5: 143860 62b7260d618531b0ed5e7871ab7b99a9 http://ports.ubuntu.com/pool/main/n/net-snmp/libsnmp15_5.4.1~dfsg-4ubuntu4.2_sparc.deb Size/MD5: 1159702 28ea81660bbdd9d7982be58d225e8814 http://ports.ubuntu.com/pool/main/n/net-snmp/snmp_5.4.1~dfsg-4ubuntu4.2_sparc.deb Size/MD5: 160236 196e493ce73905446a3764e73b99f332 http://ports.ubuntu.com/pool/main/n/net-snmp/snmpd_5.4.1~dfsg-4ubuntu4.2_sparc.deb Size/MD5: 75518 f24e4b0e3e4a7d97c28da99cdc0a47a5 http://ports.ubuntu.com/pool/universe/n/net-snmp/libsnmp-python_5.4.1~dfsg-4ubuntu4.2_sparc.deb Size/MD5: 38240 873f5e820e381ec2254ed520bcd09af0 Updated packages for Ubuntu 8.10: Source archives: http://security.ubuntu.com/ubuntu/pool/main/n/net-snmp/net-snmp_5.4.1~dfsg-7.1ubuntu6.1.diff.gz Size/MD5: 82260 85fb58aa81933f142bd937bca2e18341 http://security.ubuntu.com/ubuntu/pool/main/n/net-snmp/net-snmp_5.4.1~dfsg-7.1ubuntu6.1.dsc Size/MD5: 1956 1ee06f6b731eae435af6a2d438ef909b http://security.ubuntu.com/ubuntu/pool/main/n/net-snmp/net-snmp_5.4.1~dfsg.orig.tar.gz Size/MD5: 4618308 0ef987c41d3414f2048c94d187a2baeb Architecture independent packages: http://security.ubuntu.com/ubuntu/pool/main/n/net-snmp/libsnmp-base_5.4.1~dfsg-7.1ubuntu6.1_all.deb Size/MD5: 527650 9c56f3d70018b714895a61c0daba9498 http://security.ubuntu.com/ubuntu/pool/universe/n/net-snmp/tkmib_5.4.1~dfsg-7.1ubuntu6.1_all.deb Size/MD5: 103060 108eb50387ca46b4ee38ebb8722ced88 amd64 architecture (Athlon64, Opteron, EM64T Xeon): http://security.ubuntu.com/ubuntu/pool/main/n/net-snmp/libsnmp-dev_5.4.1~dfsg-7.1ubuntu6.1_amd64.deb Size/MD5: 1815638 82385081fe2d4eeb1a6c94f9dae672ad http://security.ubuntu.com/ubuntu/pool/main/n/net-snmp/libsnmp-perl_5.4.1~dfsg-7.1ubuntu6.1_amd64.deb Size/MD5: 146154 1b6249e02e89213f2f4d2aa9c9123420 http://security.ubuntu.com/ubuntu/pool/main/n/net-snmp/libsnmp15_5.4.1~dfsg-7.1ubuntu6.1_amd64.deb Size/MD5: 1315628 8443e091f2c63485a422236ad23e55cd http://security.ubuntu.com/ubuntu/pool/main/n/net-snmp/snmp_5.4.1~dfsg-7.1ubuntu6.1_amd64.deb Size/MD5: 165522 154a05824b98e041ceac60ac83709ef4 http://security.ubuntu.com/ubuntu/pool/main/n/net-snmp/snmpd_5.4.1~dfsg-7.1ubuntu6.1_amd64.deb Size/MD5: 77914 8d6e328f309e78bf1fcf21c2633d82ec http://security.ubuntu.com/ubuntu/pool/universe/n/net-snmp/libsnmp-python_5.4.1~dfsg-7.1ubuntu6.1_amd64.deb Size/MD5: 39930 6b7a1a67ca63b5c843ce66f3547b3c89 i386 architecture (x86 compatible Intel/AMD): http://security.ubuntu.com/ubuntu/pool/main/n/net-snmp/libsnmp-dev_5.4.1~dfsg-7.1ubuntu6.1_i386.deb Size/MD5: 1569568 dd0599b150eccee9889325d17a7b0769 http://security.ubuntu.com/ubuntu/pool/main/n/net-snmp/libsnmp-perl_5.4.1~dfsg-7.1ubuntu6.1_i386.deb Size/MD5: 184264 52a54aebef81648164a5bc90f27b0cc5 http://security.ubuntu.com/ubuntu/pool/main/n/net-snmp/libsnmp15_5.4.1~dfsg-7.1ubuntu6.1_i386.deb Size/MD5: 1119072 10c81fe283b25e7ad31fcfd88a2325f0 http://security.ubuntu.com/ubuntu/pool/main/n/net-snmp/snmp_5.4.1~dfsg-7.1ubuntu6.1_i386.deb Size/MD5: 156112 6296f0836bc9797ff48810c79965c3a5 http://security.ubuntu.com/ubuntu/pool/main/n/net-snmp/snmpd_5.4.1~dfsg-7.1ubuntu6.1_i386.deb Size/MD5: 74476 bd96a6915eb97fed083aac4daa5f07cf http://security.ubuntu.com/ubuntu/pool/universe/n/net-snmp/libsnmp-python_5.4.1~dfsg-7.1ubuntu6.1_i386.deb Size/MD5: 77652 3e30e51c362dfa982a3b3197be081328 lpia architecture (Low Power Intel Architecture): http://ports.ubuntu.com/pool/main/n/net-snmp/libsnmp-dev_5.4.1~dfsg-7.1ubuntu6.1_lpia.deb Size/MD5: 1557614 065f4575c7a2d257fa6b5b9d0cee454f http://ports.ubuntu.com/pool/main/n/net-snmp/libsnmp-perl_5.4.1~dfsg-7.1ubuntu6.1_lpia.deb Size/MD5: 144292 b55f2c4aff8a86499d7f38fd6e773f44 http://ports.ubuntu.com/pool/main/n/net-snmp/libsnmp15_5.4.1~dfsg-7.1ubuntu6.1_lpia.deb Size/MD5: 1184272 84116fefdce279ce338ffc9614384c06 http://ports.ubuntu.com/pool/main/n/net-snmp/snmp_5.4.1~dfsg-7.1ubuntu6.1_lpia.deb Size/MD5: 154444 ffe9e765a01695355bdb58008a2910f5 http://ports.ubuntu.com/pool/main/n/net-snmp/snmpd_5.4.1~dfsg-7.1ubuntu6.1_lpia.deb Size/MD5: 73746 762e75672fbd395d2d159513f5d572b0 http://ports.ubuntu.com/pool/universe/n/net-snmp/libsnmp-python_5.4.1~dfsg-7.1ubuntu6.1_lpia.deb Size/MD5: 36530 0a98b51b94a5f75d4131d657aa766579 powerpc architecture (Apple Macintosh G3/G4/G5): http://ports.ubuntu.com/pool/main/n/net-snmp/libsnmp-dev_5.4.1~dfsg-7.1ubuntu6.1_powerpc.deb Size/MD5: 1884632 a3ad023841ee605efa1e055712b44d9a http://ports.ubuntu.com/pool/main/n/net-snmp/libsnmp-perl_5.4.1~dfsg-7.1ubuntu6.1_powerpc.deb Size/MD5: 161074 5586adea8200d2d5bf81f288b5bf7be2 http://ports.ubuntu.com/pool/main/n/net-snmp/libsnmp15_5.4.1~dfsg-7.1ubuntu6.1_powerpc.deb Size/MD5: 1249636 48ec688499fea1dc0ccb3091c0158fb8 http://ports.ubuntu.com/pool/main/n/net-snmp/snmp_5.4.1~dfsg-7.1ubuntu6.1_powerpc.deb Size/MD5: 181952 8ef5f6b9b6c6b8e4fcd5cb37147304a2 http://ports.ubuntu.com/pool/main/n/net-snmp/snmpd_5.4.1~dfsg-7.1ubuntu6.1_powerpc.deb Size/MD5: 81802 965218126fb5a49cfcd9e20afeb49782 http://ports.ubuntu.com/pool/universe/n/net-snmp/libsnmp-python_5.4.1~dfsg-7.1ubuntu6.1_powerpc.deb Size/MD5: 43048 09f2f9ed9f519ca5723411802e46d48b sparc architecture (Sun SPARC/UltraSPARC): http://ports.ubuntu.com/pool/main/n/net-snmp/libsnmp-dev_5.4.1~dfsg-7.1ubuntu6.1_sparc.deb Size/MD5: 1759316 46455cc355c1b808243eada0f134d00b http://ports.ubuntu.com/pool/main/n/net-snmp/libsnmp-perl_5.4.1~dfsg-7.1ubuntu6.1_sparc.deb Size/MD5: 145164 2cdb5b35db853c7c184a44022fc23cd8 http://ports.ubuntu.com/pool/main/n/net-snmp/libsnmp15_5.4.1~dfsg-7.1ubuntu6.1_sparc.deb Size/MD5: 1159834 cfff424e5bff38bb3ef9419f03465388 http://ports.ubuntu.com/pool/main/n/net-snmp/snmp_5.4.1~dfsg-7.1ubuntu6.1_sparc.deb Size/MD5: 163042 354f7a5423a34c411c5f8620c66d3e58 http://ports.ubuntu.com/pool/main/n/net-snmp/snmpd_5.4.1~dfsg-7.1ubuntu6.1_sparc.deb Size/MD5: 76994 ca11bcf9a411f618e35e1d6b6ab8c8f9 http://ports.ubuntu.com/pool/universe/n/net-snmp/libsnmp-python_5.4.1~dfsg-7.1ubuntu6.1_sparc.deb Size/MD5: 38526 172493ec5df1866e2633e074c7f38775

Cross-site scripting (XSS) vulnerability in SonicWALL SonicOS Enhanced before 4.0.1.1, as used in SonicWALL Pro 2040 and TZ 180 and 190, allows remote attackers to inject arbitrary web script or HTML into arbitrary web sites via a URL to a site that is blocked based on content filtering, which is not properly handled in the CFS block page, aka "universal website hijacking.". This vulnerability allows remote attackers to execute a script injection attack on arbitrary sites through vulnerable installations of SonicWALL. User interaction is required to exploit this vulnerability in that the target must visit a malicious web page or open a malicious web link.The specific flaw exists in the default error page displayed when a user requests access to a web site that is blocked based on the devices content-filtering rules. Insufficient sanity checks allow an attacker to craft a URL that will trigger an error and simultaneously inject a malicious script. As the browser is unable to differentiate between content delivered from the original top level site requested and the inline device, the script injection occurs under the context of the target domain. This can result in various further compromise. SonicWALL Content Filtering is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input when displaying URI address data in a blocked-site error page. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of an arbitrary site. This may help the attacker steal cookie-based authentication credentials and launch other attacks. Versions prior to SonicWALL Content Filtering on SonicOS Enhanced 4.0.1.1 are vulnerable. ---------------------------------------------------------------------- Do you need accurate and reliable IDS / IPS / AV detection rules? Get in-depth vulnerability details: http://secunia.com/binary_analysis/sample_analysis/ ---------------------------------------------------------------------- TITLE: SonicWALL Products Content Filtering Service Cross-Site Scripting SECUNIA ADVISORY ID: SA32498 VERIFY ADVISORY: http://secunia.com/advisories/32498/ CRITICAL: Moderately critical IMPACT: Cross Site Scripting WHERE: >From remote OPERATING SYSTEM: SonicWALL TZ Series http://secunia.com/advisories/product/4882/ SonicWALL Pro Series http://secunia.com/advisories/product/232/ DESCRIPTION: A vulnerability has been reported in various SonicWALL products, which can be exploited by malicious people to conduct cross-site scripting attacks. Input passed via a URL is not properly sanitised before being returned in a Content Filtering Service message that a site is blocked. SOLUTION: Update to SonicOS version 4.0.1.1 or later. PROVIDED AND/OR DISCOVERED BY: Adrian Pastor, reported via ZDI ORIGINAL ADVISORY: ZDI: http://www.zerodayinitiative.com/advisories/ZDI-08-070/ SonicWALL: http://www.sonicwall.com/downloads/SonicOS_Enhanced_4.0.1.1_Release_Notes.pdf ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . ZDI-08-070: SonicWALL Content-Filtering Universal Script Injection Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-08-070 October 30, 2008 -- Affected Vendors: SonicWALL -- Affected Products: SonicWALL Pro 2040 -- TippingPoint(TM) IPS Customer Protection: TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 2023, 3886. -- Vendor Response: SonicWALL has issued an update to correct this vulnerability. More details can be found at: http://www.sonicwall.com/downloads/SonicOS_Enhanced_4.0.1.1_Release_Notes.pdf -- Disclosure Timeline: 2008-06-25 - Vulnerability reported to vendor 2008-10-30 - Coordinated public release of advisory -- Credit: This vulnerability was discovered by: * Adrian 'pagvac' Pastor | GNUCITIZEN | www.gnucitizen.org -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ CONFIDENTIALITY NOTICE: This e-mail message, including any attachments, is being sent by 3Com for the sole use of the intended recipient(s) and may contain confidential, proprietary and/or privileged information. Any unauthorized review, use, disclosure and/or distribution by any recipient is prohibited. If you are not the intended recipient, please delete and/or destroy all copies of this message regardless of form and any included attachments and notify 3Com immediately by contacting the sender via reply e-mail or forwarding to 3Com at postmaster@3com.com

Unspecified vulnerability in Cisco Adaptive Security Appliances (ASA) 5500 Series and PIX Security Appliances 7.0 before 7.0(8)3, 7.1 before 7.1(2)78, 7.2 before 7.2(4)16, 8.0 before 8.0(4)6, and 8.1 before 8.1(1)13, when configured as a VPN using Microsoft Windows NT Domain authentication, allows remote attackers to bypass VPN authentication via unknown vectors. Cisco PIX and ASA is prone to an authentication-bypass vulnerability. Remote attackers can exploit this issue to gain unauthorized access to the affected devices. Successfully exploiting this issue will lead to other attacks. This issue is being monitored by Cisco Bug ID CSCsj25896. PIX is a firewall device that provides policy enforcement, multi-vector attack protection and secure connection services for users and applications; Adaptive Security Appliance (ASA) is a modular platform that provides security and VPN services. SOLUTION: Update to fixed versions (please see the vendor's advisory for details). PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: Cisco: http://www.cisco.com/warp/public/707/cisco-sa-20081022-asa.shtml ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. This security advisory outlines details of these vulnerabilities: * Windows NT Domain Authentication Bypass Vulnerability * IPv6 Denial of Service Vulnerability * Crypto Accelerator Memory Leak Vulnerability Note: These vulnerabilities are independent of each other. A device may be affected by one vulnerability and not affected by another. Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate some of these vulnerabilities are available. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20081022-asa.shtml. Affected Products ================= Vulnerable Products +------------------ The following are the details about each vulnerability described within this advisory. Devices that are using any other type of external authentication (that is, LDAP, RADIUS, TACACS+, SDI, or local database) are not affected by this vulnerability. The following example demonstrates how Windows NT domain authentication is configured using the command line interface (CLI) on the Cisco ASA: aaa-server NTAuth protocol nt aaa-server NTAuth (inside) host 10.1.1.4 nt-auth-domain-controller primary1 Alternatively, to see if a device is configured for Windows NT Domain authentication use the "show running-config | include nt-auth-domain-controller" command. This vulnerability does not affect devices configured only for IPv4. Note: IPv6 functionality is turned off by default. IPv6 is enabled on the Cisco ASA and Cisco PIX security appliance using the "ipv6 address" interface command. To verify if a device is configured for IPv6 use the "show running-config | include ipv6" command. Alternatively, you can display the status of interfaces configured for IPv6 using the show ipv6 interface command in privileged EXEC mode, as shown in the following example: hostname# show ipv6 interface brief outside [up/up] unassigned inside [up/up] fe80::20d:29ff:fe1d:69f0 fec0::a:0:0:a0a:a70 dmz [up/up] unassigned In this example, the "outside" and "dmz" interfaces are not configured for IPv6. Crypto Accelerator Memory Leak Vulnerability +------------------------------------------- Cisco ASA security appliances may experience a memory leak that can be triggered by a series of crafted packets. This memory leak occurs in the initialization code for the hardware crypto accelerator. Devices that are running software versions in the 8.0.x release are vulnerable. Note: Cisco ASA appliances that are running software versions in the 7.0, 7.1, and 7.2 releases are not vulnerable. Determination of Software Versions +--------------------------------- The "show version" command-line interface (CLI) command can be used to determine whether a vulnerable version of the Cisco PIX or Cisco ASA software is running. The following example shows a Cisco ASA Security Appliance that runs software release 8.0(4): ASA# show version Cisco Adaptive Security Appliance Software Version 8.0(4) Device Manager Version 6.0(1) [...] Customers who use the Cisco Adaptive Security Device Manager (ASDM) to manage their devices can find the version of the software displayed in the table in the login window or in the upper left corner of the ASDM window. Products Confirmed Not Vulnerable +-------------------------------- The Cisco Firewall Services Module (FWSM) is not affected by any of these vulnerabilities. Cisco PIX security appliances running versions 6.x are not vulnerable. No other Cisco products are currently known to be affected by these vulnerabilities. Details ======= This Security Advisory describes multiple distinct vulnerabilities. These vulnerabilities are independent of each other. NT Domain authentication is supported only for remote access VPNs. Devices that are running software version 7.2(4)9 or 7.2(4)10 and configured for IPv6 may be vulnerable. This vulnerability does not affect devices that are configured only for IPv4. Note: Devices that are running software versions in the 7.0, 7.1, 8.0, and 8.1 releases are not vulnerable. To configure IPv6 on a Cisco ASA or Cisco PIX security appliance, at a minimum, each interface needs to be configured with an IPv6 link-local address. Additionally, you can add a global address to the interface. Note: Only packets that are destined to the device (not transiting the device) may trigger the effects of this vulnerability. These packets must be destined to an interface configured for IPv6. Crypto Accelerator Memory Leak Vulnerability +------------------------------------------- The Cisco ASA security appliances may experience a memory leak triggered by a series of packets. This memory leak occurs in the initialization code for the hardware crypto accelerator. Note: Only packets destined to the device (not transiting the device) may trigger this vulnerability. The following Cisco ASA features use the services the crypto accelerator provides, and therefore may be affected by this vulnerability: * Clientless WebVPN, SSL VPN Client, and AnyConnect Connections * ASDM (HTTPS) Management Sessions * Cut-Through Proxy for Network Access * TLS Proxy for Encrypted Voice Inspection * IP Security (IPsec) Remote Access and Site-to-site VPNs * Secure Shell (SSH) Access This vulnerability is documented in Cisco Bug ID CSCsj25896 and has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2008-3817. Vulnerability Scoring Details +---------------------------- Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco has provided an FAQ to answer additional questions regarding CVSS at: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at http://intellishield.cisco.com/security/alertmanager/cvss * Windows NT Domain Authentication Bypass Vulnerability (CSCsu65735) CVSS Base Score - 4.3 Access Vector - Network Access Complexity - Medium Authentication - None Confidentiality Impact - Partial Integrity Impact - None Availability Impact - None CVSS Temporal Score - 3.7 Exploitability - High Remediation Level - Official-Fix Report Confidence - Confirmed * Cisco ASA may reload after receiving certain IPv6 packets (CSCsu11575) CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * Crypto Accelerator Memory Leak (CSCsj25896) CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed Impact ====== Successful exploitation of the VPN Authentication Bypass Vulnerability may allow an attacker to successfully connect to the Cisco ASA via remote access IPSec or SSL-based VPN. The Denial of Service (DoS) vulnerabilities may cause a reload of the affected device. Repeated exploitation could result in a sustained DoS condition. Software Versions and Fixes =========================== When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance. The following list contains the first fixed software release of each vulnerability: +----------------------------------------+ | | Affected | First | | Vulnerability | Release | Fixed | | | | Version | |----------------+----------+------------| | | 7.0 | 7.0(8)3 | | |----------+------------| | Windows NT | 7.1 | 7.1(2)78 | |Domain |----------+------------| | Authentication | 7.2 | 7.2(4)16 | |Bypass |----------+------------| | Vulnerability | 8.0 | 8.0(4)6 | | |----------+------------| | | 8.1 | 8.1(1)13 | |----------------+----------+------------| | | 7.0 | Not | | | | Vulnerable | | |----------+------------| | | 7.1 | Not | | | | Vulnerable | |IPv6 Denial of |----------+------------| | Service | 7.2 | 7.2(4)11 | |Vulnerability |----------+------------| | | 8.0 | Not | | | | Vulnerable | | |----------+------------| | | 8.1 | Not | | | | Vulnerable | |----------------+----------+------------| | | 7.0 | Not | | | | Vulnerable | | |----------+------------| | | 7.1 | Not | | Crypto | | Vulnerable | |Accelerator |----------+------------| | Memory Leak | 7.2 | Not | | Vulnerability | | Vulnerable | | |----------+------------| | | 8.0 | 8.0(4) | | |----------+------------| | | 8.1 | 8.1(2) | +----------------------------------------+ The following maintenance software releases are the first software releases that contain the fixes for the vulnerabilities mentioned in this Security Advisory: Fixed PIX software can be downloaded from: http://www.cisco.com/pcgi-bin/tablebuild.pl/pix?psrtdcat20e2 Fix ASA software can be downloaded from: http://www.cisco.com/pcgi-bin/tablebuild.pl/asa?psrtdcat20e2 For the "Windows NT Domain Authentication Bypass Vulnerability", only interim fixed software is currently available. Customers wishing to upgrade to a fixed version instead of applying a workaround may download PIX and ASA interim versions from: http://www.cisco.com/pcgi-bin/tablebuild.pl/PIXPSIRT?psrtdcat20e2 Workarounds =========== This Security Advisory describes multiple distinct vulnerabilities. These vulnerabilities and their respective workarounds are independent of each other. Windows NT Domain Authentication Bypass Vulnerability +---------------------------------------------------- LDAP authentication is not affected by this vulnerability. Note: For more information about support for a specific AAA server type, refer to the following link: http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/aaa.html#wp1069492 IPv6 Denial of Service Vulnerability +----------------------------------- Customers that do not require IPv6 functionality on their devices can use the "no ipv6 address" interface sub-command to disable processing of IPv6 packets and eliminate their exposure Crypto Accelerator Memory Leak Vulnerability +------------------------------------------- There are no workarounds for this vulnerability. Obtaining Fixed Software ======================== Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html, or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml. Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Customers with Service Contracts +------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com. Customers using Third Party Support Organizations +------------------------------------------------ Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory. The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed. Customers without Service Contracts +---------------------------------- Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac@cisco.com Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Refer to http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages. Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerabilities described in this advisory. These vulnerabilities were found during internal testing and during the resolution of a technical support service request. Status of this Notice: FINAL ============================ THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at : http://www.cisco.com/warp/public/707/cisco-sa-20081022-asa.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce@cisco.com * first-bulletins@lists.first.org * bugtraq@securityfocus.com * vulnwatch@vulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.grok.org.uk * comp.dcom.sys.cisco@newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +------------------------------------------------------------+ | Revision 1.0 | 2008-October-22 | Initial public release | +------------------------------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt. +-------------------------------------------------------------------- Copyright 2007-2008 Cisco Systems, Inc. All rights reserved. +-------------------------------------------------------------------- Updated: Oct 22, 2008 Document ID: 108009 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iEYEARECAAYFAkj/S+kACgkQ86n/Gc8U/uAw4gCePvCNEXPlmyKTJaXsjCs6lJHp tGIAnR507Su0d3whQe31Igigg3xQjC1z =4yFl -----END PGP SIGNATURE-----

Unspecified vulnerability in Cisco Adaptive Security Appliances (ASA) 5500 Series and PIX Security Appliances 7.2(4)9 and 7.2(4)10 allows remote attackers to cause a denial of service (device reload) via a crafted IPv6 packet. An attacker can exploit this issue to cause the affected devices to reload, denying service to legitimate users. This issue is documented in Cisco Bug ID CSCsu11575. NOTE: IPv6 is not configured by default on the devices listed above. Devices that do not support the TTL decrement feature are not vulnerable. The vulnerability is reported in version 7.2(4)9 and 7.2(4)10. NOTE: 7.0, 7.1, 8.0, and 8.1 releases are reportedly not affected. SOLUTION: Update to version 7.2(4)11. PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: Cisco: http://www.cisco.com/warp/public/707/cisco-sa-20081022-asa.shtml ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. This security advisory outlines details of these vulnerabilities: * Windows NT Domain Authentication Bypass Vulnerability * IPv6 Denial of Service Vulnerability * Crypto Accelerator Memory Leak Vulnerability Note: These vulnerabilities are independent of each other. A device may be affected by one vulnerability and not affected by another. Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate some of these vulnerabilities are available. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20081022-asa.shtml. Affected Products ================= Vulnerable Products +------------------ The following are the details about each vulnerability described within this advisory. Windows NT Domain Authentication Bypass Vulnerability +---------------------------------------------------- Because of a Microsoft Windows NT Domain authentication issue the Cisco ASA and Cisco PIX devices may be susceptible to a VPN authentication bypass vulnerability. Devices that are using any other type of external authentication (that is, LDAP, RADIUS, TACACS+, SDI, or local database) are not affected by this vulnerability. The following example demonstrates how Windows NT domain authentication is configured using the command line interface (CLI) on the Cisco ASA: aaa-server NTAuth protocol nt aaa-server NTAuth (inside) host 10.1.1.4 nt-auth-domain-controller primary1 Alternatively, to see if a device is configured for Windows NT Domain authentication use the "show running-config | include nt-auth-domain-controller" command. Alternatively, you can display the status of interfaces configured for IPv6 using the show ipv6 interface command in privileged EXEC mode, as shown in the following example: hostname# show ipv6 interface brief outside [up/up] unassigned inside [up/up] fe80::20d:29ff:fe1d:69f0 fec0::a:0:0:a0a:a70 dmz [up/up] unassigned In this example, the "outside" and "dmz" interfaces are not configured for IPv6. This memory leak occurs in the initialization code for the hardware crypto accelerator. Devices that are running software versions in the 8.0.x release are vulnerable. Products Confirmed Not Vulnerable +-------------------------------- The Cisco Firewall Services Module (FWSM) is not affected by any of these vulnerabilities. No other Cisco products are currently known to be affected by these vulnerabilities. Details ======= This Security Advisory describes multiple distinct vulnerabilities. These vulnerabilities are independent of each other. Windows NT Domain Authentication Bypass Vulnerability +---------------------------------------------------- Because of a Microsoft Windows NT Domain authentication issue the Cisco ASA and Cisco PIX devices may be susceptible to a VPN authentication bypass vulnerability. The Cisco ASA security appliance supports Microsoft Windows server operating systems that support NTLM version 1, collectively referred to as "NT servers". NT Domain authentication is supported only for remote access VPNs. Note: Devices that are running software versions in the 7.0, 7.1, 8.0, and 8.1 releases are not vulnerable. Additionally, you can add a global address to the interface. Note: Only packets that are destined to the device (not transiting the device) may trigger the effects of this vulnerability. This memory leak occurs in the initialization code for the hardware crypto accelerator. Note: Only packets destined to the device (not transiting the device) may trigger this vulnerability. The following Cisco ASA features use the services the crypto accelerator provides, and therefore may be affected by this vulnerability: * Clientless WebVPN, SSL VPN Client, and AnyConnect Connections * ASDM (HTTPS) Management Sessions * Cut-Through Proxy for Network Access * TLS Proxy for Encrypted Voice Inspection * IP Security (IPsec) Remote Access and Site-to-site VPNs * Secure Shell (SSH) Access This vulnerability is documented in Cisco Bug ID CSCsj25896 and has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2008-3817. Vulnerability Scoring Details +---------------------------- Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco has provided an FAQ to answer additional questions regarding CVSS at: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at http://intellishield.cisco.com/security/alertmanager/cvss * Windows NT Domain Authentication Bypass Vulnerability (CSCsu65735) CVSS Base Score - 4.3 Access Vector - Network Access Complexity - Medium Authentication - None Confidentiality Impact - Partial Integrity Impact - None Availability Impact - None CVSS Temporal Score - 3.7 Exploitability - High Remediation Level - Official-Fix Report Confidence - Confirmed * Cisco ASA may reload after receiving certain IPv6 packets (CSCsu11575) CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * Crypto Accelerator Memory Leak (CSCsj25896) CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed Impact ====== Successful exploitation of the VPN Authentication Bypass Vulnerability may allow an attacker to successfully connect to the Cisco ASA via remote access IPSec or SSL-based VPN. Repeated exploitation could result in a sustained DoS condition. Software Versions and Fixes =========================== When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance. The following list contains the first fixed software release of each vulnerability: +----------------------------------------+ | | Affected | First | | Vulnerability | Release | Fixed | | | | Version | |----------------+----------+------------| | | 7.0 | 7.0(8)3 | | |----------+------------| | Windows NT | 7.1 | 7.1(2)78 | |Domain |----------+------------| | Authentication | 7.2 | 7.2(4)16 | |Bypass |----------+------------| | Vulnerability | 8.0 | 8.0(4)6 | | |----------+------------| | | 8.1 | 8.1(1)13 | |----------------+----------+------------| | | 7.0 | Not | | | | Vulnerable | | |----------+------------| | | 7.1 | Not | | | | Vulnerable | |IPv6 Denial of |----------+------------| | Service | 7.2 | 7.2(4)11 | |Vulnerability |----------+------------| | | 8.0 | Not | | | | Vulnerable | | |----------+------------| | | 8.1 | Not | | | | Vulnerable | |----------------+----------+------------| | | 7.0 | Not | | | | Vulnerable | | |----------+------------| | | 7.1 | Not | | Crypto | | Vulnerable | |Accelerator |----------+------------| | Memory Leak | 7.2 | Not | | Vulnerability | | Vulnerable | | |----------+------------| | | 8.0 | 8.0(4) | | |----------+------------| | | 8.1 | 8.1(2) | +----------------------------------------+ The following maintenance software releases are the first software releases that contain the fixes for the vulnerabilities mentioned in this Security Advisory: Fixed PIX software can be downloaded from: http://www.cisco.com/pcgi-bin/tablebuild.pl/pix?psrtdcat20e2 Fix ASA software can be downloaded from: http://www.cisco.com/pcgi-bin/tablebuild.pl/asa?psrtdcat20e2 For the "Windows NT Domain Authentication Bypass Vulnerability", only interim fixed software is currently available. Customers wishing to upgrade to a fixed version instead of applying a workaround may download PIX and ASA interim versions from: http://www.cisco.com/pcgi-bin/tablebuild.pl/PIXPSIRT?psrtdcat20e2 Workarounds =========== This Security Advisory describes multiple distinct vulnerabilities. These vulnerabilities and their respective workarounds are independent of each other. Windows NT Domain Authentication Bypass Vulnerability +---------------------------------------------------- LDAP authentication is not affected by this vulnerability. As a workaround, you can enable a different type of external authentication for Remote Access VPN instead of Windows NT Domain authentication. Note: For more information about support for a specific AAA server type, refer to the following link: http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/aaa.html#wp1069492 IPv6 Denial of Service Vulnerability +----------------------------------- Customers that do not require IPv6 functionality on their devices can use the "no ipv6 address" interface sub-command to disable processing of IPv6 packets and eliminate their exposure Crypto Accelerator Memory Leak Vulnerability +------------------------------------------- There are no workarounds for this vulnerability. Obtaining Fixed Software ======================== Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html, or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml. Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Customers with Service Contracts +------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com. Customers using Third Party Support Organizations +------------------------------------------------ Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory. The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed. Customers without Service Contracts +---------------------------------- Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac@cisco.com Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Refer to http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages. Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerabilities described in this advisory. These vulnerabilities were found during internal testing and during the resolution of a technical support service request. Status of this Notice: FINAL ============================ THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at : http://www.cisco.com/warp/public/707/cisco-sa-20081022-asa.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce@cisco.com * first-bulletins@lists.first.org * bugtraq@securityfocus.com * vulnwatch@vulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.grok.org.uk * comp.dcom.sys.cisco@newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +------------------------------------------------------------+ | Revision 1.0 | 2008-October-22 | Initial public release | +------------------------------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt. +-------------------------------------------------------------------- Copyright 2007-2008 Cisco Systems, Inc. All rights reserved. +-------------------------------------------------------------------- Updated: Oct 22, 2008 Document ID: 108009 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iEYEARECAAYFAkj/S+kACgkQ86n/Gc8U/uAw4gCePvCNEXPlmyKTJaXsjCs6lJHp tGIAnR507Su0d3whQe31Igigg3xQjC1z =4yFl -----END PGP SIGNATURE-----

Memory leak in Cisco Adaptive Security Appliances (ASA) 5500 Series and PIX Security Appliances 8.0 before 8.0(4) and 8.1 before 8.1(2) allows remote attackers to cause a denial of service (memory consumption) via an unspecified sequence of packets, related to the "initialization code for the hardware crypto accelerator.". The hardware Crypto Accelerator included with these appliances is prone to a denial-of-service vulnerability. An attacker can exploit this issue by sending specially crafted packets to cause the affected devices to reload, denying service to legitimate users. Repeat attacks will result in a prolonged denial-of-service condition. This issue is documented in Cisco Bug ID CSCsj25896. ---------------------------------------------------------------------- Do you need accurate and reliable IDS / IPS / AV detection rules? Get in-depth vulnerability details: http://secunia.com/binary_analysis/sample_analysis/ ---------------------------------------------------------------------- TITLE: Cisco ASA Crypto Accelerator Memory Leak SECUNIA ADVISORY ID: SA32392 VERIFY ADVISORY: http://secunia.com/advisories/32392/ CRITICAL: Moderately critical IMPACT: DoS WHERE: >From remote OPERATING SYSTEM: Cisco Adaptive Security Appliance (ASA) 8.x http://secunia.com/advisories/product/16163/ DESCRIPTION: A vulnerability has been reported in Cisco ASA appliances, which can be exploited by malicious people to cause a DoS (Denial of Service). SOLUTION: Cisco ASA 8.0: Update to version 8.0(4). Cisco ASA 8.1: Update to version 8.1(2). PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: Cisco: http://www.cisco.com/warp/public/707/cisco-sa-20081022-asa.shtml ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Cisco Security Advisory: Multiple Vulnerabilities in Cisco PIX and Cisco ASA Advisory ID: cisco-sa-20081022-asa http://www.cisco.com/warp/public/707/cisco-sa-20081022-asa.shtml Revision 1.0 For Public Release 2008 October 22 1600 UTC (GMT) Summary ======= Multiple vulnerabilities exist in the Cisco ASA 5500 Series Adaptive Security Appliances and Cisco PIX Security Appliances. This security advisory outlines details of these vulnerabilities: * Windows NT Domain Authentication Bypass Vulnerability * IPv6 Denial of Service Vulnerability * Crypto Accelerator Memory Leak Vulnerability Note: These vulnerabilities are independent of each other. A device may be affected by one vulnerability and not affected by another. Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate some of these vulnerabilities are available. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20081022-asa.shtml. Affected Products ================= Vulnerable Products +------------------ The following are the details about each vulnerability described within this advisory. Windows NT Domain Authentication Bypass Vulnerability +---------------------------------------------------- Because of a Microsoft Windows NT Domain authentication issue the Cisco ASA and Cisco PIX devices may be susceptible to a VPN authentication bypass vulnerability. Devices that are using any other type of external authentication (that is, LDAP, RADIUS, TACACS+, SDI, or local database) are not affected by this vulnerability. The following example demonstrates how Windows NT domain authentication is configured using the command line interface (CLI) on the Cisco ASA: aaa-server NTAuth protocol nt aaa-server NTAuth (inside) host 10.1.1.4 nt-auth-domain-controller primary1 Alternatively, to see if a device is configured for Windows NT Domain authentication use the "show running-config | include nt-auth-domain-controller" command. This vulnerability does not affect devices configured only for IPv4. Note: IPv6 functionality is turned off by default. IPv6 is enabled on the Cisco ASA and Cisco PIX security appliance using the "ipv6 address" interface command. To verify if a device is configured for IPv6 use the "show running-config | include ipv6" command. Alternatively, you can display the status of interfaces configured for IPv6 using the show ipv6 interface command in privileged EXEC mode, as shown in the following example: hostname# show ipv6 interface brief outside [up/up] unassigned inside [up/up] fe80::20d:29ff:fe1d:69f0 fec0::a:0:0:a0a:a70 dmz [up/up] unassigned In this example, the "outside" and "dmz" interfaces are not configured for IPv6. Devices that are running software versions in the 8.0.x release are vulnerable. Determination of Software Versions +--------------------------------- The "show version" command-line interface (CLI) command can be used to determine whether a vulnerable version of the Cisco PIX or Cisco ASA software is running. The following example shows a Cisco ASA Security Appliance that runs software release 8.0(4): ASA# show version Cisco Adaptive Security Appliance Software Version 8.0(4) Device Manager Version 6.0(1) [...] Customers who use the Cisco Adaptive Security Device Manager (ASDM) to manage their devices can find the version of the software displayed in the table in the login window or in the upper left corner of the ASDM window. Products Confirmed Not Vulnerable +-------------------------------- The Cisco Firewall Services Module (FWSM) is not affected by any of these vulnerabilities. No other Cisco products are currently known to be affected by these vulnerabilities. Details ======= This Security Advisory describes multiple distinct vulnerabilities. These vulnerabilities are independent of each other. Windows NT Domain Authentication Bypass Vulnerability +---------------------------------------------------- Because of a Microsoft Windows NT Domain authentication issue the Cisco ASA and Cisco PIX devices may be susceptible to a VPN authentication bypass vulnerability. Note: Cisco ASA or Cisco PIX security appliances that are configured for IPSec or SSL-based remote access VPN using any other type of external authentication (that is, LDAP, RADIUS, TACACS+, SDI, or local database) are not affected by this vulnerability. The Cisco ASA security appliance supports Microsoft Windows server operating systems that support NTLM version 1, collectively referred to as "NT servers". NT Domain authentication is supported only for remote access VPNs. Devices that are running software version 7.2(4)9 or 7.2(4)10 and configured for IPv6 may be vulnerable. This vulnerability does not affect devices that are configured only for IPv4. Note: Devices that are running software versions in the 7.0, 7.1, 8.0, and 8.1 releases are not vulnerable. To configure IPv6 on a Cisco ASA or Cisco PIX security appliance, at a minimum, each interface needs to be configured with an IPv6 link-local address. Additionally, you can add a global address to the interface. Note: Only packets that are destined to the device (not transiting the device) may trigger the effects of this vulnerability. These packets must be destined to an interface configured for IPv6. Note: Only packets destined to the device (not transiting the device) may trigger this vulnerability. The following Cisco ASA features use the services the crypto accelerator provides, and therefore may be affected by this vulnerability: * Clientless WebVPN, SSL VPN Client, and AnyConnect Connections * ASDM (HTTPS) Management Sessions * Cut-Through Proxy for Network Access * TLS Proxy for Encrypted Voice Inspection * IP Security (IPsec) Remote Access and Site-to-site VPNs * Secure Shell (SSH) Access This vulnerability is documented in Cisco Bug ID CSCsj25896 and has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2008-3817. Vulnerability Scoring Details +---------------------------- Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco has provided an FAQ to answer additional questions regarding CVSS at: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at http://intellishield.cisco.com/security/alertmanager/cvss * Windows NT Domain Authentication Bypass Vulnerability (CSCsu65735) CVSS Base Score - 4.3 Access Vector - Network Access Complexity - Medium Authentication - None Confidentiality Impact - Partial Integrity Impact - None Availability Impact - None CVSS Temporal Score - 3.7 Exploitability - High Remediation Level - Official-Fix Report Confidence - Confirmed * Cisco ASA may reload after receiving certain IPv6 packets (CSCsu11575) CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * Crypto Accelerator Memory Leak (CSCsj25896) CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed Impact ====== Successful exploitation of the VPN Authentication Bypass Vulnerability may allow an attacker to successfully connect to the Cisco ASA via remote access IPSec or SSL-based VPN. Software Versions and Fixes =========================== When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance. The following list contains the first fixed software release of each vulnerability: +----------------------------------------+ | | Affected | First | | Vulnerability | Release | Fixed | | | | Version | |----------------+----------+------------| | | 7.0 | 7.0(8)3 | | |----------+------------| | Windows NT | 7.1 | 7.1(2)78 | |Domain |----------+------------| | Authentication | 7.2 | 7.2(4)16 | |Bypass |----------+------------| | Vulnerability | 8.0 | 8.0(4)6 | | |----------+------------| | | 8.1 | 8.1(1)13 | |----------------+----------+------------| | | 7.0 | Not | | | | Vulnerable | | |----------+------------| | | 7.1 | Not | | | | Vulnerable | |IPv6 Denial of |----------+------------| | Service | 7.2 | 7.2(4)11 | |Vulnerability |----------+------------| | | 8.0 | Not | | | | Vulnerable | | |----------+------------| | | 8.1 | Not | | | | Vulnerable | |----------------+----------+------------| | | 7.0 | Not | | | | Vulnerable | | |----------+------------| | | 7.1 | Not | | Crypto | | Vulnerable | |Accelerator |----------+------------| | Memory Leak | 7.2 | Not | | Vulnerability | | Vulnerable | | |----------+------------| | | 8.0 | 8.0(4) | | |----------+------------| | | 8.1 | 8.1(2) | +----------------------------------------+ The following maintenance software releases are the first software releases that contain the fixes for the vulnerabilities mentioned in this Security Advisory: Fixed PIX software can be downloaded from: http://www.cisco.com/pcgi-bin/tablebuild.pl/pix?psrtdcat20e2 Fix ASA software can be downloaded from: http://www.cisco.com/pcgi-bin/tablebuild.pl/asa?psrtdcat20e2 For the "Windows NT Domain Authentication Bypass Vulnerability", only interim fixed software is currently available. Customers wishing to upgrade to a fixed version instead of applying a workaround may download PIX and ASA interim versions from: http://www.cisco.com/pcgi-bin/tablebuild.pl/PIXPSIRT?psrtdcat20e2 Workarounds =========== This Security Advisory describes multiple distinct vulnerabilities. These vulnerabilities and their respective workarounds are independent of each other. Windows NT Domain Authentication Bypass Vulnerability +---------------------------------------------------- LDAP authentication is not affected by this vulnerability. As a workaround, you can enable a different type of external authentication for Remote Access VPN instead of Windows NT Domain authentication. Note: For more information about support for a specific AAA server type, refer to the following link: http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/aaa.html#wp1069492 IPv6 Denial of Service Vulnerability +----------------------------------- Customers that do not require IPv6 functionality on their devices can use the "no ipv6 address" interface sub-command to disable processing of IPv6 packets and eliminate their exposure Crypto Accelerator Memory Leak Vulnerability +------------------------------------------- There are no workarounds for this vulnerability. Obtaining Fixed Software ======================== Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html, or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml. Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Customers with Service Contracts +------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com. Customers using Third Party Support Organizations +------------------------------------------------ Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory. The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed. Customers without Service Contracts +---------------------------------- Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac@cisco.com Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Refer to http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages. Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerabilities described in this advisory. These vulnerabilities were found during internal testing and during the resolution of a technical support service request. Status of this Notice: FINAL ============================ THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at : http://www.cisco.com/warp/public/707/cisco-sa-20081022-asa.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce@cisco.com * first-bulletins@lists.first.org * bugtraq@securityfocus.com * vulnwatch@vulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.grok.org.uk * comp.dcom.sys.cisco@newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +------------------------------------------------------------+ | Revision 1.0 | 2008-October-22 | Initial public release | +------------------------------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt. +-------------------------------------------------------------------- Copyright 2007-2008 Cisco Systems, Inc. All rights reserved. +-------------------------------------------------------------------- Updated: Oct 22, 2008 Document ID: 108009 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iEYEARECAAYFAkj/S+kACgkQ86n/Gc8U/uAw4gCePvCNEXPlmyKTJaXsjCs6lJHp tGIAnR507Su0d3whQe31Igigg3xQjC1z =4yFl -----END PGP SIGNATURE-----

Integer overflow in multiple F-Secure anti-virus products, including Internet Security 2006 through 2008, Anti-Virus 2006 through 2008, and others, when configured to scan inside compressed archives, allows remote attackers to execute arbitrary code via a crafted RPM compressed archive file, which triggers a buffer overflow. Multiple F-Secure products are prone to an integer-overflow vulnerability because the applications fail to properly handle malformed RPM files. Successfully exploiting this issue allows remote attackers to execute arbitrary code in the context of the vulnerable applications. Failed exploit attempts will likely cause denial-of-service conditions. Both F-Secure Internet Gatekeeper and F-Secure Anti-Virus are anti-virus products released by an anti-virus software manufacturer in Finland. ---------------------------------------------------------------------- Do you need accurate and reliable IDS / IPS / AV detection rules? Get in-depth vulnerability details: http://secunia.com/binary_analysis/sample_analysis/ ---------------------------------------------------------------------- TITLE: F-Secure Products RPM Parsing Integer Overflow Vulnerability SECUNIA ADVISORY ID: SA32352 VERIFY ADVISORY: http://secunia.com/advisories/32352/ CRITICAL: Highly critical IMPACT: DoS, System access WHERE: >From remote OPERATING SYSTEM: F-Secure Messaging Security Gateway X-Series http://secunia.com/advisories/product/8997/ F-Secure Messaging Security Gateway P-Series http://secunia.com/advisories/product/8998/ SOFTWARE: F-Secure Internet Security 2008 http://secunia.com/advisories/product/17555/ F-Secure Internet Security 2007 http://secunia.com/advisories/product/14375/ F-Secure Internet Security 2006 http://secunia.com/advisories/product/6883/ F-Secure Internet Gatekeeper for Linux 2.x http://secunia.com/advisories/product/4635/ F-Secure Internet Gatekeeper 6.x http://secunia.com/advisories/product/3339/ F-Secure Client Security 7.x http://secunia.com/advisories/product/14381/ F-Secure Anti-Virus Linux Server Security 5.x http://secunia.com/advisories/product/14376/ F-Secure Anti-Virus Linux Client Security 5.x http://secunia.com/advisories/product/14377/ F-Secure Anti-Virus for Workstations 7.x http://secunia.com/advisories/product/14226/ F-Secure Anti-Virus for Workstations 5.x http://secunia.com/advisories/product/457/ F-Secure Anti-Virus for Windows Servers 8.x http://secunia.com/advisories/product/18966/ F-Secure Anti-Virus for Windows Servers 7.x http://secunia.com/advisories/product/14382/ F-Secure Anti-Virus for MIMEsweeper 5.x http://secunia.com/advisories/product/455/ F-Secure Anti-Virus for Microsoft Exchange 7.x http://secunia.com/advisories/product/14551/ F-Secure Anti-Virus for Microsoft Exchange 6.x http://secunia.com/advisories/product/454/ F-Secure Anti-Virus for Linux Gateways 4.x http://secunia.com/advisories/product/14550/ F-Secure Anti-Virus for Linux 4.x http://secunia.com/advisories/product/3165/ F-Secure Anti-Virus for Citrix Servers 5.x http://secunia.com/advisories/product/5198/ F-Secure Anti-Virus 2008 http://secunia.com/advisories/product/17554/ F-Secure Anti-Virus 2007 http://secunia.com/advisories/product/14374/ F-Secure Anti-Virus 2006 http://secunia.com/advisories/product/6882/ F-Secure Linux Security 7.x http://secunia.com/advisories/product/20199/ F-Secure Home Server Security 2009 http://secunia.com/advisories/product/20200/ F-Secure Anti-Virus for Citrix Servers 7.x http://secunia.com/advisories/product/20201/ DESCRIPTION: A vulnerability has been reported in various F-Secure products, which potentially can be exploited by malicious people to compromise a vulnerable system. The vulnerability is caused due to an integer overflow error when parsing RPM files. This can be exploited to cause a buffer overflow via a specially crafted RPM file. The vulnerability is reported in the following products: * F-Secure Internet Security 2008 * F-Secure Internet Security 2007 Second Edition * F-Secure Internet Security 2007 * F-Secure Internet Security 2006 * F-Secure Anti-Virus 2008 * F-Secure Anti-Virus 2007 Second Edition * F-Secure Anti-Virus 2007 * F-Secure Anti-Virus 2006 * F-Secure Client Security 7.12 and earlier * F-Secure Anti-Virus for Workstations 7.11 and earlier * F-Secure Linux Security 7.01 and earlier * F-Secure Anti-Virus Linux Client Security 5.54 and earlier * Solutions based on F-Secure Protection Service for Consumers version 8.00 and earlier * Solutions based on F-Secure Protection Service for Business version 3.10 and earlier * F-Secure Home Server Security 2009 * F-Secure Anti-Virus for Windows Servers 8.00 and earlier * F-Secure Anti-Virus for Citrix Servers 7.00 and earlier * F-Secure Linux Security 7.01 and earlier * F-Secure Anti-Virus Linux Server Security 5.54 and earlier * F-Secure Anti-Virus for Linux Servers 4.65 * F-Secure Anti-Virus for Microsoft Exchange 7.10 and earlier * F-Secure Internet Gatekeeper for Windows 6.61 and earlier * F-Secure Internet Gatekeeper for Linux 2.16 and earlier * F-Secure Anti-Virus for Linux Gateways 4.65 * F-Secure Anti-Virus for MIMEsweeper 5.61 and earlier * F-Secure Messaging Security Gateway 5.0.4 and earlier SOLUTION: Apply patches (please see the vendor's advisory for details). PROVIDED AND/OR DISCOVERED BY: The vendor credits Tamas Feher. ORIGINAL ADVISORY: FSC-2008-3: http://www.f-secure.com/security/fsc-2008-3.shtml ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Hitachi JP1/File Transmission Server/FTP is prone to an unspecified denial-of-service vulnerability because it fails to properly handle unexpected data. Attackers can exploit this issue to cause the connection to be reset or to stop FTP services.

Hitachi JP1/NETM/DM SubManager and JP1/NETM/DM Client are prone to a denial-of-service vulnerability. Attackers can exploit this issue to prevent job execution requests from being processed by higher-level systems, denying service to legitimate users.

Hitachi JP1/File Transmission Server/FTP is prone to a vulnerability that may allow attackers to modify file permissions. An attacker can exploit this issue to gain unauthorized access to files located on the FTP server. This may lead to other attacks.

JP1/File Transmission Server/FTP is an FTP-based file transfer server designed by Hitachi. There is a loophole in the implementation of JP1/File Transmission Server/FTP. If a remote attacker sends an FTP command with a special parameter to it, it will cause the connection to be reset or unauthorized to modify the file permissions on the server.

Apple iPhone 2.1 with firmware 5F136, when Require Passcode is enabled and Show SMS Preview is disabled, allows physically proximate attackers to obtain sensitive information by performing an Emergency Call tap and then reading SMS messages on the device screen, aka Apple bug number 6267416. Iphone is prone to a information disclosure vulnerability. The vulnerability is also known as Apple bug number 6267416

Unspecified vulnerability in the SNMPv3 component in Linksys WAP4400N firmware 1.2.14 on the Marvell Semiconductor 88W8361P-BEM1 chipset has unknown impact and attack vectors, probably remote. The Linksys WAP4400N device is a high-speed wireless access point. No detailed vulnerability details are available. The impact of this issue is currently unknown. We will update this BID when more information emerges. NOTE: Since the flaw is in the Marvell 88W8361P-BEM1 chipset driver, other devices and firmware versions using the same code may also be affected. ---------------------------------------------------------------------- Do you need accurate and reliable IDS / IPS / AV detection rules? Get in-depth vulnerability details: http://secunia.com/binary_analysis/sample_analysis/ ---------------------------------------------------------------------- TITLE: Linksys WAP4400N Denial of Service and SNMPv3 Vulnerability SECUNIA ADVISORY ID: SA32259 VERIFY ADVISORY: http://secunia.com/advisories/32259/ CRITICAL: Moderately critical IMPACT: Unknown, DoS WHERE: >From remote OPERATING SYSTEM: Linksys WAP4400N http://secunia.com/advisories/product/20144/ DESCRIPTION: Some vulnerabilities have been reported in Linksys WAP4400N, where one has unknown impacts and the other can be exploited by malicious people to cause a DoS (Denial of Service). 1) An error within the processing of association requests can be exploited to reboot or hang-up the device by sending a specially crafted association request. Successful exploitation requires that the access point runs in WEP mode. No more information is currently available. http://www.linksys.com/servlet/Satellite?c=L_Download_C2&childpagename=US%2FLayout&cid=1115417109974&packedargs=sku%3D1152745215776&pagename=Linksys%2FCommon%2FVisitorWrapper PROVIDED AND/OR DISCOVERED BY: 1) Laurent Butti and Julien Tinnes, France Telecom / Orange 2) Reported by the vendor. ORIGINAL ADVISORY: http://www.linksys.com/servlet/Satellite?c=L_Download_C2&childpagename=US%2FLayout&cid=1115417109974&packedargs=sku%3D1152745215776&pagename=Linksys%2FCommon%2FVisitorWrapper ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Telecom Italia is Italy's most important ISP, offering ADSL services called Alice. If the intranet user sends the following IP packet to the Alice router: 1) IP protocol number 2552) 8 bytes load size 3) The load is the first 8 bytes of the MD5 data after the br0 device MAC address is deformed 4) These modems The br0 has the same eth0 mac to activate the router's management interface and telnet/ftp/tftp service for unauthorized access. Multiple Telecom Italia routers are prone to an authentication bypass vulnerability that may allow attackers to gain access to a router's administration interface and unauthorized access to certain services. Successfully exploiting this issue will allow attackers to gain unauthorized administrative access to the affected device and activate services such as telnet, ftp, and tftp. The following routers are affected. AGA (Alice Gate2 plus Wi-Fi]) AGB (Alice Gate2 plus) AG2P-AG3 (AG2P-AG3[Alice Gate W2+) AGPV-AGPF (Alice Gate VoIP 2 Plus Wi-Fi). ---------------------------------------------------------------------- Do you need accurate and reliable IDS / IPS / AV detection rules? Get in-depth vulnerability details: http://secunia.com/binary_analysis/sample_analysis/ ---------------------------------------------------------------------- TITLE: Telecom Italia Alice Routers Magic Packet Security Bypass SECUNIA ADVISORY ID: SA32258 VERIFY ADVISORY: http://secunia.com/advisories/32258/ CRITICAL: Less critical IMPACT: Security Bypass WHERE: >From local network OPERATING SYSTEM: Alice Gate2 Plus Wi-Fi http://secunia.com/advisories/product/17350/ Alice Gate VoIP 2 Plus Wi-Fi http://secunia.com/advisories/product/20162/ Alice Gate 2 Plus http://secunia.com/advisories/product/20160/ Alice Gate W2+ http://secunia.com/advisories/product/20161/ DESCRIPTION: saxdax and drpepperONE have reported a vulnerability in various Telecom Italia Alice routers, which can be exploited by malicious people to bypass certain security restrictions. SOLUTION: Restrict network access to the vulnerable device. PROVIDED AND/OR DISCOVERED BY: saxdax and drpepperONE ORIGINAL ADVISORY: http://lists.grok.org.uk/pipermail/full-disclosure/2008-October/065050.html ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Integer overflow in the Internet Printing Protocol (IPP) ISAPI extension in Microsoft Internet Information Services (IIS) 5.0 through 7.0 on Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2, and Server 2008 allows remote authenticated users to execute arbitrary code via an HTTP POST request that triggers an outbound IPP connection from a web server to a machine operated by the attacker, aka "Integer Overflow in IPP Service Vulnerability.". Microsoft Internet Printing Service is prone to an integer-overflow vulnerability. Exploiting this vulnerability allows attackers to execute arbitrary code with system-level privileges. ---------------------------------------------------------------------- Do you need accurate and reliable IDS / IPS / AV detection rules? Get in-depth vulnerability details: http://secunia.com/binary_analysis/sample_analysis/ ---------------------------------------------------------------------- TITLE: Microsoft Windows IIS IPP Service Integer Overflow Vulnerability SECUNIA ADVISORY ID: SA32248 VERIFY ADVISORY: http://secunia.com/advisories/32248/ CRITICAL: Highly critical IMPACT: System access WHERE: >From remote OPERATING SYSTEM: Microsoft Windows XP Professional http://secunia.com/advisories/product/22/ Microsoft Windows XP Home Edition http://secunia.com/advisories/product/16/ Microsoft Windows Server 2008 http://secunia.com/advisories/product/18255/ Microsoft Windows Server 2003 Web Edition http://secunia.com/advisories/product/1176/ Microsoft Windows Server 2003 Standard Edition http://secunia.com/advisories/product/1173/ Microsoft Windows Server 2003 Enterprise Edition http://secunia.com/advisories/product/1174/ Microsoft Windows Server 2003 Datacenter Edition http://secunia.com/advisories/product/1175/ Microsoft Windows 2000 Server http://secunia.com/advisories/product/20/ Microsoft Windows 2000 Professional http://secunia.com/advisories/product/1/ Microsoft Windows 2000 Datacenter Server http://secunia.com/advisories/product/1177/ Microsoft Windows 2000 Advanced Server http://secunia.com/advisories/product/21/ DESCRIPTION: A vulnerability has been reported in Microsoft Windows, which can be exploited by malicious users to compromise a vulnerable system. Successful exploitation requires that IPP is enabled in IIS. Microsoft Windows 2000 SP4: http://www.microsoft.com/downloads/details.aspx?familyid=8163d1f6-feb5-4f39-8134-3ed42326b822 Windows XP SP2/SP3: http://www.microsoft.com/downloads/details.aspx?familyid=e7ef571f-c9e8-4e14-95a3-3eeaec55b784 Windows XP Professional x64 Edition (optionally with SP2): http://www.microsoft.com/downloads/details.aspx?familyid=3ae4b913-bff0-4974-b198-828ca10d2a87 Windows Server 2003 SP1/SP2: http://www.microsoft.com/downloads/details.aspx?familyid=437a9b68-6a0c-48c8-9348-0d6fda48aa21 Windows Server 2003 x64 Edition (optionally with SP2): http://www.microsoft.com/downloads/details.aspx?familyid=d3df6508-a568-449d-ac97-fbf3f97b98ef Windows Server 2003 with SP1/SP2 for Itanium-based Systems: http://www.microsoft.com/downloads/details.aspx?familyid=748f54f1-40b9-407c-9819-909061b53743 Windows Vista and Windows Vista SP1: http://www.microsoft.com/downloads/details.aspx?FamilyId=9B5995DF-A3B8-4E81-B118-9BB057E19884 Windows Vista x64 Edition and Windows Vista x64 Edition SP1: http://www.microsoft.com/downloads/details.aspx?FamilyId=4A0FCF4B-EB8E-456A-B934-400AE18248EE Windows Server 2008 for 32-bit Systems: http://www.microsoft.com/downloads/details.aspx?familyid=3d6290d8-1745-4bc0-9ca9-eeb1ad0be4a5 Windows Server 2008 for x64-based Systems: http://www.microsoft.com/downloads/details.aspx?familyid=a33c833c-d5c5-4e37-8f89-7b9079f92e59 Windows Server 2008 for Itanium-based Systems: http://www.microsoft.com/downloads/details.aspx?familyid=31783e88-76e2-4bc6-b4ae-308443c6d223 PROVIDED AND/OR DISCOVERED BY: Reported as a 0-day. ORIGINAL ADVISORY: MS08-062 (KB953155): http://www.microsoft.com/technet/security/Bulletin/MS08-062.mspx ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 National Cyber Alert System Technical Cyber Security Alert TA08-288A Microsoft Updates for Multiple Vulnerabilities Original release date: October 14, 2008 Last revised: -- Source: US-CERT Systems Affected * Microsoft Windows * Microsoft Internet Explorer * Microsoft Office Overview Microsoft has released updates that address vulnerabilities in Microsoft Windows, Internet Explorer, and Microsoft Office. I. For more information, see the US-CERT Vulnerability Notes Database. II. III. Solution Apply updates from Microsoft Microsoft has provided updates for these vulnerabilities in the October 2008 Security Bulletin Summary. The security bulletin describes any known issues related to the updates. Administrators are encouraged to note these issues and test for any potentially adverse effects. Administrators should consider using an automated update distribution system such as Windows Server Update Services (WSUS). IV. References _________________________________________________________________ The most recent version of this document can be found at: <http://www.us-cert.gov/cas/techalerts/TA08-288A.html> _________________________________________________________________ Feedback can be directed to US-CERT Technical Staff. Please send email to <cert@cert.org> with "TA08-288A Feedback " in the subject. _________________________________________________________________ For instructions on subscribing to or unsubscribing from this mailing list, visit <http://www.us-cert.gov/cas/signup.html>. _________________________________________________________________ Produced 2008 by US-CERT, a government organization. Terms of use: <http://www.us-cert.gov/legal.html> _________________________________________________________________ Revision History October 14, 2008: Initial release. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 SUPPORT COMMUNICATION - SECURITY BULLETIN Document ID: c01579861 Version: 1 HPSBST02379 SSRT080143 rev.1 - Storage Management Appliance (SMA), Microsoft Patch Applicability MS08-056 to MS08-066 NOTICE: The information in this Security Bulletin should be acted upon as soon as possible. Release Date: 2008-10-20 Last Updated: 2008-10-20 Potential Security Impact: Please check the table below Source: Hewlett-Packard Company, HP Software Security Response Team VULNERABILITY SUMMARY Various potential security vulnerabilities have been identified in Microsoft software that is running on the Storage Management Appliance (SMA). Some of these vulnerabilities may be pertinent to the SMA, please check the table in the Resolution section of this Security Bulletin. References: MS08-056 (CVE-2008-4020), MS08-057 (CVE-2008-3471, CVE-2008-3477, CVE-2008-4019), MS08-058 (CVE-2008-2947, CVE-2008-3472, CVE-2008-3473, CVE-2008-3474, CVE-2008-3475, CVE-2008-3476), MS08-059 (CVE-2008-3466), MS08-060 (CVE-2008-4023), MS08-061 (CVE-2008-2250, CVE-2008-2251, CVE-2008-2252), MS08-062 (CVE-2008-1446), MS08-063 (CVE-2008-4038), MS08-064 (CVE-2008-4036), MS08-065 (CVE-2008-3479), MS08-066 (CVE-2008-3464) SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed. Storage Management Appliance v2.1 Software running on: Storage Management Appliance I Storage Management Appliance II Storage Management Appliance III BACKGROUND CVSS 2.0 Base Metrics =============================================== Reference Base Vector Base Score -- Not Applicable -- =============================================== Information on CVSS is documented in HP Customer Notice: HPSN-2008-002. Patches released by Microsoft after MS06-051 are covered by monthly Security Bulletins. For the full archived list of Microsoft security updates applicable for Storage Management Appliance software v2.1, please refer to the following Security Bulletins available on the IT Resource Center (ITRC) Web site: http://www.itrc.hp.com/service/cki/secBullArchive.do For patches released by Microsoft in 2003, MS03-001 to MS03-051 refer to Security Bulletin HPSBST02146 For patches released by Microsoft in 2004, MS04-001 to MS04-045 refer to Security Bulletin HPSBST02147 For patches released by Microsoft in 2005, MS05-001 to MS05-055 refer to Security Bulletin HPSBST02148 For patches released by Microsoft in 2006, MS06-001 to MS06-051 refer to Security Bulletin HPSBST02140 The Microsoft patch index archive and further details about all Microsoft patches can be found on the following Web site: http://www.microsoft.com/technet/security/bulletin/summary.mspx Note: The SMA must have all pertinent SMA Service Packs applied Windows 2000 Update Rollup 1 Customers are advised to download and install the Windows 2000 Update Rollup 1 for Service Pack 4 on SMA v2.1. For more information please refer to the Windows 2000 Update Rollup 1 for Service Pack 4 and Storage Management Appliance v2.1 advisory at the following website: http://h20000.www2.hp.com/bizsupport/TechSupport/DocumentIndex.jsp?contentType=SupportManual&lang=en&cc=us&docIndexId=179111&taskId=101&prodTypeId=12169&prodSeriesId=315667 Windows 2000 Update Rollup 1 for SP4 does not include security updates released after April 30, 2005 starting from MS05-026. It also does not include patches MS04-003 and MS04-028. Please install these patches in addition to Windows 2000 Update Rollup 1 for SP4, if they have not been installed already RESOLUTION HP strongly recommends the immediate installation of all security patches that apply to third party software which is integrated with SMA software products supplied by HP, and that patches are applied in accordance with an appropriate patch management policy. Note: Patch installation instructions are shown at the end of this table. ------------------------------------------------- MS Patch - MS08-056 Vulnerability in Microsoft Office Could Allow Information Disclosure (957699) Analysis - SMA does not have this component. Patch will not run successfully. Action - Customers should not be concerned with this issue ------------------------------------------------- MS Patch - MS08-057 Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (956416) Analysis - SMA does not have this component. Patch will not run successfully. Action - Customers should not be concerned with this issue ------------------------------------------------- MS Patch - MS08-058 Cumulative Security Update for Internet Explorer (956390) Analysis - Possible security issue exists. Patch will run successfully. Action - For SMA v2.1, customers should download patch from Microsoft and install. Internet Explorer 6 SP1 or Internet Explorer 5.01 SP4 To determine your IE version check the IE help page. ------------------------------------------------- MS Patch - MS08-059 Vulnerability in Host Integration Server RPC Service Could Allow Remote Code Execution (956695) Analysis - SMA does not have this component. Patch will not run successfully. Action - Customers should not be concerned with this issue ------------------------------------------------- MS Patch - MS08-060 Vulnerability in Active Directory Could Allow Remote Code Execution (957280) Analysis - SMA does not have this component. Patch will not run successfully. Action - Customers should not be concerned with this issue ------------------------------------------------- MS Patch - MS08-061 Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (954211) Analysis - Possible security issue exists. Patch will run successfully. Action - For SMA v2.1, customers should download patch from Microsoft and install. Patch will run successfully. Action - For SMA v2.1, customers should download patch from Microsoft and install. ------------------------------------------------- MS Patch - MS08-063 Vulnerability in SMB Could Allow Remote Code Execution (957095) Analysis - Possible security issue exists. Patch will run successfully. Action - For SMA v2.1, customers should download patch from Microsoft and install. ------------------------------------------------- MS Patch - MS08-064 Vulnerability in Virtual Address Descriptor Manipulation Could Allow Elevation of Privilege (956841) Analysis - SMA does not have this component. Patch will not run successfully. Action - Customers should not be concerned with this issue. ------------------------------------------------- MS Patch - MS08-065 Vulnerability in Message Queuing Could Allow Remote Code Execution (951071) Analysis - Possible security issue exists. Patch will run successfully. Action - For SMA v2.1, customers should download patch from Microsoft and install. ------------------------------------------------- MS Patch - MS08-066 Vulnerability in the Microsoft Ancillary Function Driver Could Allow Elevation of Privilege (956803) Analysis - SMA does not have this component. Patch will not run successfully. Action - Customers should not be concerned with this issue. ------------------------------------------------- Installation Instructions: (if applicable) Download patches to a system other than the SMA Copy the patch to a floppy diskette or to a CD Execute the patch by using Terminal Services to the SMA or by attaching a keyboard, monitor and mouse to the SMA. Note: The Microsoft Windows Installer 3.1 is supported on SMA v2.1. For more information please refer at the following website: http://www.microsoft.com/downloads/details.aspx?FamilyID=889482fc-5f56-4a38-b838-de776fd4138c&hash=SYSSXDF&displaylang=en PRODUCT SPECIFIC INFORMATION None HISTORY Version:1 (rev.1) - 20 October 2008 Initial release Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy. Support: For further information, contact normal HP Services support channel. Report: To report a potential security vulnerability with any HP supported product, send Email to: security-alert@hp.com It is strongly recommended that security related information being communicated to HP be encrypted using PGP, especially exploit information. To get the security-alert PGP key, please send an e-mail message as follows: To: security-alert@hp.com Subject: get key Subscribe: To initiate a subscription to receive future HP Security Bulletins via Email: http://h30046.www3.hp.com/driverAlertProfile.php?regioncode=NA&langcode=USENG&jumpid=in_SC-GEN__driverITRC&topiccode=ITRC On the web page: ITRC security bulletins and patch sign-up Under Step1: your ITRC security bulletins and patches - check ALL categories for which alerts are required and continue. Under Step2: your ITRC operating systems - verify your operating system selections are checked and save. To update an existing subscription: http://h30046.www3.hp.com/subSignIn.php Log in on the web page: Subscriber's choice for Business: sign-in. On the web page: Subscriber's Choice: your profile summary - use Edit Profile to update appropriate sections. To review previously published Security Bulletins visit: http://www.itrc.hp.com/service/cki/secBullArchive.do * The Software Product Category that this Security Bulletin relates to is represented by the 5th and 6th characters of the Bulletin number in the title: GN = HP General SW MA = HP Management Agents MI = Misc. 3rd Party SW MP = HP MPE/iX NS = HP NonStop Servers OV = HP OpenVMS PI = HP Printing & Imaging ST = HP Storage SW TL = HP Trusted Linux TU = HP Tru64 UNIX UX = HP-UX VV = HP VirtualVault System management and security procedures must be reviewed frequently to maintain system integrity. HP is continually reviewing and enhancing the security features of software products to provide customers with current secure solutions. "HP is broadly distributing this Security Bulletin in order to bring to the attention of users of the affected HP products the important security information contained in this Bulletin. HP recommends that all users determine the applicability of this information to their individual situations and take appropriate action. HP does not warrant that this information is necessarily accurate or complete for all user situations and, consequently, HP will not be responsible for any damages resulting from user's use or disregard of the information provided in this Bulletin. To the extent permitted by law, HP disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose, title and non-infringement." \xa9Copyright 2008 Hewlett-Packard Development Company, L.P. Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental, special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett-Packard Company and the names of Hewlett-Packard products referenced herein are trademarks of Hewlett-Packard Company in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners. -----BEGIN PGP SIGNATURE----- Version: PGP 8.1 iQA/AwUBSPzQ5OAfOvwtKn1ZEQLzBQCgrhoHt9WIKv8u40FyWfWU4UZxc1sAoKfD mbZOYIzGZTHNeI20OO/P3VPP =MQqo -----END PGP SIGNATURE-----

The Marvell driver for the Linksys WAP4400N Wi-Fi access point with firmware 1.2.14 on the Marvell 88W8361P-BEM1 chipset, when WEP mode is enabled, does not properly parse malformed 802.11 frames, which allows remote attackers to cause a denial of service (reboot or hang-up) via a malformed association request containing the WEP flag, as demonstrated by a request that is too short, a different vulnerability than CVE-2008-1144 and CVE-2008-1197. Linksys WAP4400N wireless access point devices are prone to a denial-of-service vulnerability because they fail to adequately verify user-supplied input. Remote attackers can exploit this issue to hang or reboot a vulnerable device, denying service to legitimate users. Attackers may also be able to run arbitrary code, but this has not been confirmed. Linksys WAP4400N devices running firmware 1.2.14 are vulnerable. NOTE: Since the flaw is in the Marvell 88W8361P-BEM1 chipset driver, other devices and firmware versions using the same code may also be affected. Linksys WAP4400N is a small wireless router. Assigned CVE: ------------- * CVE-2008-4441 Details: -------- * The bug can be triggered thanks to a malformed association request which is typically too short (truncated). Any association request sent in the air by the attacker will be parsed by the access point wireless driver and thus may trigger some implementation bugs. Attack Impact: -------------- * Denial-of-service (reboot or hang-up) and possibly remote arbitrary code execution Attack Vector: -------------- * Unauthenticated wireless device Timeline: --------- * 2008-05-26 - Vulnerability reported to Linksys * 2008-05-26 - Full details sent to Linksys * 2008-10-13 - Public disclosure Affected Products: ------------------ * Linksys WAP4400N (firmware v1.2.14) with MARVELL 88W8361P-BEM1 chipset Vulnerable Devices: ------------------- * As it is a wireless driver specific issue, the wireless vendor should use the latest chipset wireless driver for their access point firmwares. This security vulnerability was reported to Linksys, updated firmwares (such as the 1.2.17 firmware) should be available on their web site. Any other wireless device relying on this vulnerable wireless driver is likely to be vulnerable. ---------------------------------------------------------------------- Do you need accurate and reliable IDS / IPS / AV detection rules? Get in-depth vulnerability details: http://secunia.com/binary_analysis/sample_analysis/ ---------------------------------------------------------------------- TITLE: Linksys WAP4400N Denial of Service and SNMPv3 Vulnerability SECUNIA ADVISORY ID: SA32259 VERIFY ADVISORY: http://secunia.com/advisories/32259/ CRITICAL: Moderately critical IMPACT: Unknown, DoS WHERE: >From remote OPERATING SYSTEM: Linksys WAP4400N http://secunia.com/advisories/product/20144/ DESCRIPTION: Some vulnerabilities have been reported in Linksys WAP4400N, where one has unknown impacts and the other can be exploited by malicious people to cause a DoS (Denial of Service). 1) An error within the processing of association requests can be exploited to reboot or hang-up the device by sending a specially crafted association request. Successful exploitation requires that the access point runs in WEP mode. 2) An unspecified vulnerability exists within SNMPv3. No more information is currently available. SOLUTION: Update to firmware version 1.2.17. http://www.linksys.com/servlet/Satellite?c=L_Download_C2&childpagename=US%2FLayout&cid=1115417109974&packedargs=sku%3D1152745215776&pagename=Linksys%2FCommon%2FVisitorWrapper PROVIDED AND/OR DISCOVERED BY: 1) Laurent Butti and Julien Tinnes, France Telecom / Orange 2) Reported by the vendor. ORIGINAL ADVISORY: http://www.linksys.com/servlet/Satellite?c=L_Download_C2&childpagename=US%2FLayout&cid=1115417109974&packedargs=sku%3D1152745215776&pagename=Linksys%2FCommon%2FVisitorWrapper ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Heap-based buffer overflow in the tvtumin.sys kernel driver in Lenovo Rescue and Recovery 4.20, including 4.20.0511 and 4.20.0512, allows local users to execute arbitrary code via a long file name. Lenovo Rescue and Recovery is prone to a heap-based overflow vulnerability. A successful exploit of this vulnerability can allow a local attacker to completely compromise the affected computer. Lenovo Rescue and Recover 4.20 is vulnerable. Lenovo Rescue and Recovery is a one-click disaster recovery solution developed by Lenovo in China. The tvtumon.sys driver used by Lenovo Rescue and Recovery monitors file creation and changes. The latest queries are cached in the kernel lookaside list. If an overlong file name is sent to the file system, the buffer in the lookaside list will overflow, resulting in kernel memory corruption. A low-privilege user can trigger this destruction from userland, elevating privileges to perform kernel operations. It is also possible to trigger this overflow through web pages in the special case of web browser plugins that allow opening extremely long filenames. ---------------------------------------------------------------------- Do you need accurate and reliable IDS / IPS / AV detection rules? Get in-depth vulnerability details: http://secunia.com/binary_analysis/sample_analysis/ ---------------------------------------------------------------------- TITLE: Lenovo Rescue and Recovery "tvtumon.sys" Privilege Escalation SECUNIA ADVISORY ID: SA32252 VERIFY ADVISORY: http://secunia.com/advisories/32252/ CRITICAL: Less critical IMPACT: Privilege escalation WHERE: Local system SOFTWARE: Lenovo Rescue and Recovery 4.x http://secunia.com/advisories/product/20143/ DESCRIPTION: A vulnerability has been reported in Lenovo Rescue and Recovery, which potentially can be exploited by malicious, local users to gain escalated privileges. The vulnerability is caused due to a boundary error within the "tvtumin.sys" kernel driver when processing overly long file names. The vulnerability is reported in version 4.20.0512 for Windows Vista and 4.20.0511 for Windows XP and 2000. SOLUTION: Update to version 4.21. http://www-307.ibm.com/pc/support/site.wss/MIGR-4Q2QAK.html PROVIDED AND/OR DISCOVERED BY: Chris Clark and Rachel Engel, iSEC Partners ORIGINAL ADVISORY: iSEC Partners: https://www.isecpartners.com/advisories/2008-02-lenovornr.txt Lenovo: http://www-307.ibm.com/pc/support/site.wss/MIGR-70699.html http://www-307.ibm.com/pc/support/site.wss/MIGR-4Q2QAK.html ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Cross-site scripting (XSS) vulnerability in Cisco Unity 4.x before 4.2(1)ES162, 5.x before 5.0(1)ES56, and 7.x before 7.0(2)ES8 allows remote authenticated administrators to inject arbitrary web script or HTML by entering it in the database (aka data store). Unity is prone to a cross-site scripting vulnerability. Cisco Unity is a voice and unified messaging platform. Multiple security vulnerabilities exist in Cisco Unity that could allow a malicious user to disclose sensitive information, cause a denial of service, or inject malicious scripts. A remote attacker could provide malicious data to the database. The next time an administrator logs in and visits a page that relies on the stored information, cross-site scripting can be executed. ---------------------------------------------------------------------- Do you need accurate and reliable IDS / IPS / AV detection rules? Get in-depth vulnerability details: http://secunia.com/binary_analysis/sample_analysis/ ---------------------------------------------------------------------- TITLE: Cisco Unity Script Insertion Vulnerability SECUNIA ADVISORY ID: SA32207 VERIFY ADVISORY: http://secunia.com/advisories/32207/ CRITICAL: Not critical IMPACT: Cross Site Scripting WHERE: >From local network SOFTWARE: Cisco Unity 4.x http://secunia.com/advisories/product/4386/ Cisco Unity 5.x http://secunia.com/advisories/product/20082/ Cisco Unity 7.x http://secunia.com/advisories/product/20083/ DESCRIPTION: A vulnerability has been reported in Cisco Unity, which can be exploited by malicious users to conduct script insertion attacks. Unspecified input is not properly sanitised before being used. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user's browser session in context of an affected site when the malicious data is viewed. Successful exploitation requires valid administrator access. SOLUTION: The vulnerability will be fixed in versions 4.2(1)ES162 5.0(1)ES56, and 7.0(2)ES8. PROVIDED AND/OR DISCOVERED BY: VoIPshield Systems ORIGINAL ADVISORY: Cisco: http://www.cisco.com/warp/public/707/cisco-sr-20081008-unity.shtml VoIPshield: http://www.voipshield.com/research-details.php?id=127&s=1&threats_details=&threats_category=0&threats_vendor=0&limit=20&sort=discovered&sortby=DESC ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

SQL injection vulnerability in album.php in Camera Life 2.6.2b4 allows remote attackers to execute arbitrary SQL commands via the id parameter, a different vector than CVE-2008-3355. Camera Life is prone to an SQL-injection vulnerability and a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data. Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. Camera Life 2.6.2b4 is affected; other versions may also be vulnerable. Camera Life is an open source PHP-based photo management and organization plugin

WinFTP FTP Server 2.3.0, when passive (aka PASV) mode is used, allows remote authenticated users to cause a denial of service via a sequence of FTP sessions that include an invalid "NLST -1" command. Win FTP Server is a professional Windows FTP server. If a remote attacker sends multiple login requests ending with a PASV command to Win FTP Server, it may cause the server to crash. Exploiting this issue allows remote attackers to crash the application, denying service to legitimate users. This issue affects Win FTP 2.0.2; other versions may also be vulnerable. ---------------------------------------------------------------------- Do you need accurate and reliable IDS / IPS / AV detection rules? Get in-depth vulnerability details: http://secunia.com/binary_analysis/sample_analysis/ ---------------------------------------------------------------------- TITLE: WinFTP "PASV" Denial of Service Vulnerability SECUNIA ADVISORY ID: SA32209 VERIFY ADVISORY: http://secunia.com/advisories/32209/ CRITICAL: Not critical IMPACT: DoS WHERE: >From remote SOFTWARE: WinFTP Server 2.x http://secunia.com/advisories/product/12923/ DESCRIPTION: A vulnerability has been discovered in WinFTP, which can be exploited by malicious users to cause a DoS (Denial of Service). The vulnerability is caused due to an error when handling the PASV command. The vulnerability is confirmed in version 2.3.0. Other versions may also be affected. SOLUTION: Grant access to trusted users only. PROVIDED AND/OR DISCOVERED BY: dmnt ORIGINAL ADVISORY: http://milw0rm.com/exploits/6717 ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------