VARIoT IoT vulnerabilities database
| VAR-201103-0074 | CVE-2011-0963 | Cisco Network Access Control (NAC) Guest Server RADIUS Authentication Bypass Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The default configuration of the RADIUS authentication feature on the Cisco Network Admission Control (NAC) Guest Server with software before 2.0.3 allows remote attackers to bypass intended access restrictions and obtain network connectivity via unspecified vectors, aka Bug ID CSCtj66922. A third party may bypass access restrictions and establish a network connection. This misconfiguration allows unauthenticated users to access the protected network. This vulnerability could cause authentication to be bypassed without a legitimate username and password. Successfully exploiting this issue will lead to other attacks.
This issue is being monitored by Cisco Bug ID CSCtj66922.
Cisco has released free software updates that address this
vulnerability. The software version is displayed on
the login page of the web server.
Products Confirmed Not Vulnerable
+--------------------------------
No other Cisco products are currently known to be affected by this
vulnerability.
Vulnerability Scoring Details
+----------------------------
Cisco has provided scores for the vulnerability in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at
http://intellishield.cisco.com/security/alertmanager/cvss
* CSCtj66922 - Authentication Bypass Vulnerability
CVSS Base Score - 5.0
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - Partial
Integrity Impact - None
Availability Impact - None
CVSS Temporal Score - 4.1
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of the vulnerability may allow unauthorized
users to access the protected network.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to determine
exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
Software versions prior to 2.0.3 are affected by this vulnerability.
The following commands modify the RADIUS configuration file and
restart the RADIUS daemon to read the new configuration file.
The configuration file may be modified by running the following
commands from the command-line interface (CLI) of the device:
# cp /etc/raddb/radiusd.conf /etc/raddb/radiusd.conf.orig
# sed -i 's/php -f/php/g' /etc/raddb/radiusd.conf
# service radiusd restart
Obtaining Fixed Software
========================
Cisco has released free software updates that address this
vulnerability. Prior to deploying software, customers should consult
their maintenance provider or check the software for feature set
compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound
by the terms of Cisco's software license terms found at:
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html
or as otherwise set forth at Cisco.com Downloads at:
http://www.cisco.com/public/sw-center/sw-usingswc.shtml
The latest version of Cisco NAC Guest Access Server system software
may be obtained at:
http://www.cisco.com/cisco/software/release.html?mdfid=282450822&flowid=4363&softwareid=282562545
Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, this means that
upgrades should be obtained through the Software Center on Cisco's
worldwide website at http://www.cisco.com.
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco
service contract, and customers who purchase through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should acquire upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to
a free upgrade. Free upgrades for non-contract customers must be
requested through the TAC.
Refer to http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
for additional TAC contact information, including localized telephone numbers,
and instructions and e-mail addresses for use in various languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerability described in this advisory.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at :
http://www.cisco.com/warp/public/707/cisco-sa-20110330-nac.shtml
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+---------------------------------------+
| Revision | | Initial |
| 1.0 | 2011-March-30 | public |
| | | release. |
+---------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This includes instructions for press inquiries regarding Cisco security notices.
All Cisco security advisories are available at:
http://www.cisco.com/go/psirt
+--------------------------------------------------------------------
Copyright 2010-2011 Cisco Systems, Inc. All rights reserved.
+--------------------------------------------------------------------
| VAR-201104-0239 | CVE-2011-1691 | WebKit counterToCSSValue function denial-of-service (DoS) vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The counterToCSSValue function in CSSComputedStyleDeclaration.cpp in the Cascading Style Sheets (CSS) implementation in WebCore in WebKit before r82222, as used in Google Chrome before 11.0.696.43 and other products, does not properly handle access to the (1) counterIncrement and (2) counterReset attributes of CSSStyleDeclaration data provided by a getComputedStyle method call, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via crafted JavaScript code. WebKit is prone to a denial-of-service vulnerability because of a NULL-pointer dereference exception.
Attackers can exploit this issue to crash the affected application, denying service to legitimate users. Given the nature of this issue, attackers may also be able to execute arbitrary code, but this has not been confirmed. WebKit is an open source web browser engine jointly developed by companies such as KDE, Apple, and Google, and is currently used by browsers such as Apple Safari and Google Chrome.
| VAR-201103-0172 | CVE-2011-0728 | Cross-site scripting vulnerability in templatefunctions.py in Loggerhead |
CVSS V2: 3.5 CVSS V3: - Severity: LOW |
Cross-site scripting (XSS) vulnerability in templatefunctions.py in Loggerhead before 1.18.1 allows remote authenticated users to inject arbitrary web script or HTML via a filename, which is not properly handled in a revision view. Loggerhead is prone to an HTML-injection vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials, control how the site is rendered to the user, or launch other attacks.
Loggerhead versions prior to 1.18.1 are vulnerable.
The following print servers are affected:
Encore ENPS-2012
TP-Link TL-PS110U
TP Link TL-PS110P
Planex Mini-300PU
Planex Mini100s
ZO Tech PA101 Fast Parallel Port Print Server
ZO Tech PU201 Fast USB Print Server
ZO Tech PA301 Parallel Port Print Server
ZO Tech PS531 USB and Parallel Print Server
Longshine Multiple Print Server ZOT-PS-47/9.8.0015
Longshine Multiple Print Server ZOT-PS-35/6.2.0001
Longshine Multiple Print Server ZOT-PS-39/6.3.000. This fixes a
vulnerability, which can be exploited by malicious users to conduct
script insertion attacks.
For more information:
SA43822
SOLUTION:
Apply updated packages via the yum utility ("yum update loggerhead").
TITLE:
Loggerhead Filename Script Insertion Vulnerability
SECUNIA ADVISORY ID:
SA43822
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/43822/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=43822
RELEASE DATE:
2011-03-25
DESCRIPTION:
daveb has reported a vulnerability in loggerhead, which can be
exploited by malicious users to conduct script insertion attacks.
Input related to the filename is not properly sanitised in
loggerhead/templatefunctions.py before being used to display a
filename in a revision view.
The vulnerability has been reported in version 1.18.
SOLUTION:
Update to version 1.18.1.
PROVIDED AND/OR DISCOVERED BY:
Reported by daveb in a bug report.
ORIGINAL ADVISORY:
https://launchpad.net/loggerhead/1.18/1.18.1
https://bugs.launchpad.net/loggerhead/+bug/740142
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
| VAR-201103-0349 | CVE-2011-1472 | Nokia E75 Firmware Lock Code Authentication Bypass Vulnerability |
CVSS V2: 7.2 CVSS V3: - Severity: HIGH |
The Nokia E75 phone with firmware before 211.12.01 allows physically proximate attackers to bypass the Device Lock code by entering an unspecified button sequence at boot time. Nokia E72 is prone to an authentication-bypass vulnerability. Nokia E75 is a smartphone launched by Nokia Corporation.
TITLE:
Nokia E75 Lock Code Bypass Vulnerability
SECUNIA ADVISORY ID:
SA43827
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/43827/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=43827
RELEASE DATE:
2011-03-24
DESCRIPTION:
A vulnerability has been reported in Nokia E75, which can be
exploited by malicious people with physical access to bypass certain
security restrictions.
The vulnerability is reported in firmware prior to 211.12.01.
SOLUTION:
Update to firmware 211.12.01 or later.
PROVIDED AND/OR DISCOVERED BY:
Markus Heikkilä, Nixu Oy via CERT-FI.
ORIGINAL ADVISORY:
http://www.cert.fi/en/reports/2011/vulnerability410355.html
| VAR-201103-0300 | CVE-2011-1296 | Google Chrome denial-of-service (DoS) vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Google Chrome before 10.0.648.204 does not properly handle SVG text, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors that lead to a "stale pointer." Google Chrome is prone to multiple vulnerabilities.
Attackers can exploit these issues to execute arbitrary code in the context of the browser or cause denial-of-service conditions; other attacks may also be possible.
Versions prior to Chrome 10.0.648.204 are vulnerable. Google Chrome is a web browser developed by Google.
TITLE:
Apple Safari Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA45325
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/45325/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=45325
RELEASE DATE:
2011-07-22
DESCRIPTION:
A weakness and multiple vulnerabilities have been reported in Apple
Safari, which can be exploited by malicious people to disclose
sensitive information, manipulate certain data, conduct cross-site
scripting and spoofing attacks, bypass certain security restrictions,
and compromise a user's system.
2) An error within CFNetwork when using the NTLM authentication
protocol can be exploited to execute arbitrary code by tricking a
user into visiting a specially crafted web page.
3) An error exists within CFNetwork when handling SSL certificates,
which does not properly verify disabled root certificates. This can
lead to certificates signed by the disabled root certificates being
validated.
4) An integer overflow error exists within the ColorSync component.
For more information see vulnerability #5 in:
SA45054
5) An off-by-one error exists within the CoreFoundation framework.
For more information see vulnerability #6 in:
SA45054
6) An integer overflow error exists in CoreGraphics.
For more information see vulnerability #7 in:
SA45054
7) An error exists within ICU (International Components for
Unicode).
For more information see vulnerability #11 in:
SA45054
8) An error exists in ImageIO within the handling of TIFF files when
handling certain uppercase strings.
For more information see vulnerability #9 in:
SA45054
9) An error in ImageIO within the handling of CCITT Group 4 encoded
TIFF image files can be exploited to cause a heap-based buffer
overflow.
10) A use-after-free error within WebKit when handling TIFF images
can result in an invalid pointer being dereferenced when a user views
a specially crafted web page.
11) An error within libxslt can be exploited to disclose certain
addresses from the heap.
For more information see vulnerability #2 in:
SA43832
12) An off-by-one error within libxml when handling certain XML data
can be exploited to cause a heap-based buffer overflow.
13) An error in the "AutoFill web forms" feature can be exploited to
disclose certain information from the user's Address Book by tricking
a user into visiting a specially crafted web page.
14) A cross-origin error when handling certain fonts in Java Applets
can lead to certain text being displayed on other sites.
15) Multiple unspecified errors in the WebKit component can be
exploited to corrupt memory.
16) An error within WebKit when handling libxslt configurations can
be exploited to create arbitrary files.
17) A cross-origin error when handling Web Workers can lead to
certain information being disclosed.
20) An error within the handling of DOM history objects can be
exploited to display arbitrary content while showing the URL of a
trusted web site in the address bar.
21) An error within the handling of RSS feeds may lead to arbitrary
files from a user's system being sent to a remote server.
22) A weakness in WebKit can lead to remote DNS prefetching
For more information see vulnerability #6 in:
SA42312
23) A use-after-free error within WebKit when processing MathML
markup tags can result in an invalid pointer being dereferenced when
a user views a specially crafted web page.
24) An error within WebKit when parsing a frameset element can be
exploited to cause a heap-based buffer overflow.
25) A use-after-free error within WebKit when handling XHTML tags can
result in an invalid tag pointer being dereferenced when a user views
a specially crafted web page.
26) A use-after-free error within WebKit when handling SVG tags can
result in an invalid pointer being dereferenced when a user views a
specially crafted web page.
SOLUTION:
Update to version 5.1 or 5.0.6.
PROVIDED AND/OR DISCOVERED BY:
10) Juan Pablo Lopez Yacubian via iDefense
4) binaryproof via ZDI
8) Dominic Chell, NGS Secure
23, 25, 26) wushi, team509 via iDefense
24) Jose A. Vazquez via iDefense
The vendor credits:
1) Hidetake Jo via Microsoft Vulnerability Research (MSVR) and Neal
Poole, Matasano Security
2) Takehiro Takahashi, IBM X-Force Research
3) An anonymous reporter
5) Harry Sintonen
6) Cristian Draghici, Modulo Consulting and Felix Grobert, Google
Security Team
7) David Bienvenu, Mozilla
9) Cyril CATTIAUX, Tessi Technologies
11) Chris Evans, Google Chrome Security Team
12) Billy Rios, Google Security Team
13) Florian Rienhardt of BSI, Alex Lambert, and Jeremiah Grossman
14) Joshua Smith, Kaon Interactive
16) Nicolas Gregoire, Agarri
17) Daniel Divricean, divricean.ro
18) Jobert Abma, Online24
19) Sergey Glazunov
20) Jordi Chancel
21) Jason Hullinger
22) Mike Cardwell, Cardwell IT
The vendor provides a bundled list of credits for vulnerabilities in
#15:
* David Weston, Microsoft and Microsoft Vulnerability Research
(MSVR)
* Yong Li, Research In Motion
* SkyLined, Google Chrome Security Team
* Abhishek Arya (Inferno), Google Chrome Security Team
* Nikita Tarakanov and Alex Bazhanyuk, CISS Research Team
* J23 via ZDI
* Rob King via ZDI
* wushi, team509 via ZDI
* wushi of team509
* Adam Barth, Google Chrome Security Team
* Richard Keen
* An anonymous researcher via ZDI
* Rik Cabanier, Adobe Systems
* Martin Barbella
* Sergey Glazunov
* miaubiz
* Andreas Kling, Nokia
* Marek Majkowski via iDefense
* John Knottenbelt, Google
ORIGINAL ADVISORY:
Apple:
http://support.apple.com/kb/HT4808
iDefense:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=930
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=931
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=932
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=933
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=934
ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-11-228/
NGS Secure:
http://archives.neohapsis.com/archives/bugtraq/2011-07/0034.html
PROVIDED AND/OR DISCOVERED BY:
The vendor credits:
1) Alex Turpin.
2) Slawomir Blazek.
3-6) Sergey Glazunov.
ORIGINAL ADVISORY:
http://googlechromereleases.blogspot.com/2011/03/stable-channel-update.html
| VAR-201103-0299 | CVE-2011-1295 | Denial-of-service (DoS) vulnerability in WebKit as used in Google Chrome and Apple Safari |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
WebKit, as used in Google Chrome before 10.0.648.204 and Apple Safari before 5.0.6, does not properly handle node parentage, which allows remote attackers to cause a denial of service (DOM tree corruption), conduct cross-site scripting (XSS) attacks, or possibly have unspecified other impact via unknown vectors. Google Chrome is prone to multiple vulnerabilities.
Attackers can exploit these issues to execute arbitrary code in the context of the browser or cause denial-of-service conditions; other attacks may also be possible.
Versions prior to Chrome 10.0.648.204 are vulnerable. Google Chrome is a web browser developed by Google.
TITLE:
Apple Safari Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA45325
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/45325/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=45325
RELEASE DATE:
2011-07-22
DESCRIPTION:
A weakness and multiple vulnerabilities have been reported in Apple
Safari, which can be exploited by malicious people to disclose
sensitive information, manipulate certain data, conduct cross-site
scripting and spoofing attacks, bypass certain security restrictions,
and compromise a user's system.
2) An error within CFNetwork when using the NTLM authentication
protocol can be exploited to execute arbitrary code by tricking a
user into visiting a specially crafted web page.
3) An error exists within CFNetwork when handling SSL certificates,
which does not properly verify disabled root certificates. This can
lead to certificates signed by the disabled root certificates being
validated.
4) An integer overflow error exists within the ColorSync component.
For more information see vulnerability #5 in:
SA45054
5) An off-by-one error exists within the CoreFoundation framework.
For more information see vulnerability #6 in:
SA45054
6) An integer overflow error exists in CoreGraphics.
For more information see vulnerability #7 in:
SA45054
7) An error exists within ICU (International Components for
Unicode).
For more information see vulnerability #11 in:
SA45054
8) An error exists in ImageIO within the handling of TIFF files when
handling certain uppercase strings.
For more information see vulnerability #9 in:
SA45054
9) An error in ImageIO within the handling of CCITT Group 4 encoded
TIFF image files can be exploited to cause a heap-based buffer
overflow.
10) A use-after-free error within WebKit when handling TIFF images
can result in an invalid pointer being dereferenced when a user views
a specially crafted web page.
11) An error within libxslt can be exploited to disclose certain
addresses from the heap.
For more information see vulnerability #2 in:
SA43832
12) An off-by-one error within libxml when handling certain XML data
can be exploited to cause a heap-based buffer overflow.
13) An error in the "AutoFill web forms" feature can be exploited to
disclose certain information from the user's Address Book by tricking
a user into visiting a specially crafted web page.
14) A cross-origin error when handling certain fonts in Java Applets
can lead to certain text being displayed on other sites.
15) Multiple unspecified errors in the WebKit component can be
exploited to corrupt memory.
16) An error within WebKit when handling libxslt configurations can
be exploited to create arbitrary files.
17) A cross-origin error when handling Web Workers can lead to
certain information being disclosed.
20) An error within the handling of DOM history objects can be
exploited to display arbitrary content while showing the URL of a
trusted web site in the address bar.
21) An error within the handling of RSS feeds may lead to arbitrary
files from a user's system being sent to a remote server.
22) A weakness in WebKit can lead to remote DNS prefetching.
For more information see vulnerability #6 in:
SA42312
23) A use-after-free error within WebKit when processing MathML
markup tags can result in an invalid pointer being dereferenced when
a user views a specially crafted web page.
24) An error within WebKit when parsing a frameset element can be
exploited to cause a heap-based buffer overflow.
25) A use-after-free error within WebKit when handling XHTML tags can
result in an invalid tag pointer being dereferenced when a user views
a specially crafted web page.
26) A use-after-free error within WebKit when handling SVG tags can
result in an invalid pointer being dereferenced when a user views a
specially crafted web page.
SOLUTION:
Update to version 5.1 or 5.0.6.
PROVIDED AND/OR DISCOVERED BY:
10) Juan Pablo Lopez Yacubian via iDefense
4) binaryproof via ZDI
8) Dominic Chell, NGS Secure
23, 25, 26) wushi, team509 via iDefense
24) Jose A. Vazquez via iDefense
The vendor credits:
1) Hidetake Jo via Microsoft Vulnerability Research (MSVR) and Neal
Poole, Matasano Security
2) Takehiro Takahashi, IBM X-Force Research
3) An anonymous reporter
5) Harry Sintonen
6) Cristian Draghici, Modulo Consulting and Felix Grobert, Google
Security Team
7) David Bienvenu, Mozilla
9) Cyril CATTIAUX, Tessi Technologies
11) Chris Evans, Google Chrome Security Team
12) Billy Rios, Google Security Team
13) Florian Rienhardt of BSI, Alex Lambert, and Jeremiah Grossman
14) Joshua Smith, Kaon Interactive
16) Nicolas Gregoire, Agarri
17) Daniel Divricean, divricean.ro
18) Jobert Abma, Online24
19) Sergey Glazunov
20) Jordi Chancel
21) Jason Hullinger
22) Mike Cardwell, Cardwell IT
The vendor provides a bundled list of credits for vulnerabilities in
#15:
* David Weston, Microsoft and Microsoft Vulnerability Research
(MSVR)
* Yong Li, Research In Motion
* SkyLined, Google Chrome Security Team
* Abhishek Arya (Inferno), Google Chrome Security Team
* Nikita Tarakanov and Alex Bazhanyuk, CISS Research Team
* J23 via ZDI
* Rob King via ZDI
* wushi, team509 via ZDI
* wushi of team509
* Adam Barth, Google Chrome Security Team
* Richard Keen
* An anonymous researcher via ZDI
* Rik Cabanier, Adobe Systems
* Martin Barbella
* Sergey Glazunov
* miaubiz
* Andreas Kling, Nokia
* Marek Majkowski via iDefense
* John Knottenbelt, Google
ORIGINAL ADVISORY:
Apple:
http://support.apple.com/kb/HT4808
iDefense:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=930
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=931
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=932
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=933
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=934
ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-11-228/
NGS Secure:
http://archives.neohapsis.com/archives/bugtraq/2011-07/0034.html
----------------------------------------------------------------------
PROVIDED AND/OR DISCOVERED BY:
The vendor credits:
1) Alex Turpin.
2) Slawomir Blazek.
3-6) Sergey Glazunov.
ORIGINAL ADVISORY:
http://googlechromereleases.blogspot.com/2011/03/stable-channel-update.html
| VAR-201103-0297 | CVE-2011-1293 | Denial-of-service (DoS) vulnerability in the HTMLCollection implementation in Google Chrome |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Use-after-free vulnerability in the HTMLCollection implementation in Google Chrome before 10.0.648.204 allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors. Google Chrome is prone to multiple vulnerabilities.
Attackers can exploit these issues to execute arbitrary code in the context of the browser or cause denial-of-service conditions; other attacks may also be possible.
Versions prior to Chrome 10.0.648.204 are vulnerable. Google Chrome is a web browser developed by Google.
-------------------------------------------------------------------------
Debian Security Advisory DSA-2245-1 security@debian.org
http://www.debian.org/security/ Giuseppe Iuculano
May 29, 2011 http://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : chromium-browser
Vulnerability : several vulnerabilities
Problem type : remote
Debian-specific: no
CVE ID : CVE-2011-1292 CVE-2011-1293 CVE-2011-1440 CVE-2011-1444
CVE-2011-1797 CVE-2011-1799
Several vulnerabilities were discovered in the Chromium browser.
For the stable distribution (squeeze), these problems have been fixed in
version 6.0.472.63~r59945-5+squeeze5.
For the testing distribution (wheezy), these problems will be fixed soon.
For the unstable distribution (sid), these problems have been fixed in
version 11.0.696.68~r84545-1.
We recommend that you upgrade your chromium-browser packages.
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/
Mailing list: debian-security-announce@lists.debian.org
| VAR-201104-0286 | CVE-2011-1562 | Ecava IntegraXor HMI authentication bypass vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Ecava IntegraXor HMI before n 3.60 (Build 4032) allows remote attackers to bypass authentication and execute arbitrary SQL statements via unspecified vectors related to a crafted POST request. NOTE: some sources have reported this issue as SQL injection, but this might not be accurate. Ecava IntegraXor is a human interface product that uses HTML and SVG. Ecava IntegraXor is prone to an unspecified SQL-injection vulnerability because it fails to properly sanitize user-supplied input.
Exploiting this issue can allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Versions prior to IntegraXor 3.60.4050 are vulnerable.
----------------------------------------------------------------------
TITLE:
IntegraXor SQL Database Insecure Permissions Security Issue
SECUNIA ADVISORY ID:
SA44105
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/44105/
RELEASE DATE:
2011-04-12
DESCRIPTION:
A security issue has been reported in IntegraXor, which can be
exploited by malicious people to disclose potentially sensitive
information and manipulate certain data.
SOLUTION:
Update to version 3.6.4000.5.
PROVIDED AND/OR DISCOVERED BY:
The vendor credits Dan Rosenberg, Virtual Security Research (VSR).
ORIGINAL ADVISORY:
IntegraXor:
http://www.integraxor.com/blog/security-issue-20101222-0700-vulnerability-note
| VAR-201202-0155 | CVE-2011-4041 | Advantech/BroadWin WebAccess webvrpcs.exe arbitrary code execution vulnerability | Related entries in the VARIoT exploits database: VAR-E-201103-0631 |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
webvrpcs.exe in Advantech/BroadWin WebAccess allows remote attackers to execute arbitrary code or obtain a security-code value via a long string in an RPC request to TCP port 4592. Advantech/BroadWin SCADA WebAccess is a fully browser-based Human Machine Interface (HMI) and Supervisory Control and Data Acquisition (SCADA) product. Advantech/BroadWin SCADA WebAccess is prone to multiple remote vulnerabilities including an information-disclosure issue and a remote code-execution issue. Other attacks may also be possible.
Advantech/BroadWin SCADA WebAccess 7.0 is vulnerable; other versions may also be affected.
| VAR-201103-0283 | CVE-2011-0183 | Libinfo in Apple Mac OS X vulnerable to arbitrary code execution |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Libinfo in Apple Mac OS X before 10.6.7 does not properly handle an unspecified integer field in an NFS RPC packet, which allows remote attackers to cause a denial of service (lockd, statd, mountd, or portmap outage) via a crafted packet, related to an "integer truncation issue." Apple Mac OS X is prone to a remote denial-of-service vulnerability; fixes are available.
Attackers can exploit this issue to cause a denial-of-service condition, denying service to legitimate users.
The following versions are affected:
Mac OS X version 10.5.8
Mac OS X Server version 10.5.8
Mac OS X versions 10.6 through v10.6.6
Mac OS X Server versions v10.6 through v10.6.6
NOTE: This issue was previously discussed in BID 46950 (Apple Mac OS X Prior to 10.6.7 Multiple Security Vulnerabilities) but has been given its own record to better document it.
----------------------------------------------------------------------
TITLE:
Apple Mac OS X Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA43814
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/43814/
RELEASE DATE:
2011-03-22
DESCRIPTION:
Apple has issued a security update for Mac OS X, which fixes multiple
vulnerabilities.
1) A divide-by-zero error in AirPort when handling Wi-Fi frames can
be exploited to cause a system reset.
2) Multiple vulnerabilities in Apache can be exploited by malicious
people to disclose potentially sensitive information and by malicious
users and malicious people to cause a DoS (Denial of Service).
For more information:
SA40206
3) A format string error within AppleScript Studio when handling
certain commands via dialogs can be exploited to potentially execute
arbitrary code.
4) An unspecified error in the handling of embedded OpenType fonts in
Apple Type Services (ATS) can be exploited to cause a heap-based
buffer overflow when a specially crafted document is viewed or
downloaded.
5) Multiple unspecified errors in the handling of embedded TrueType
fonts in Apple Type Services (ATS) can be exploited to cause a buffer
overflow when a specially crafted document is viewed or downloaded.
6) Multiple unspecified errors in the handling of embedded Type 1
fonts in Apple Type Services (ATS) can be exploited to cause a buffer
overflow when a specially crafted document is viewed or downloaded.
7) Multiple unspecified errors in the handling of SFNT tables in
embedded fonts in Apple Type Services (ATS) can be exploited to cause
a buffer overflow when a specially crafted document is viewed or
downloaded.
8) An integer overflow error in bzip2 can be exploited to terminate
an application using the library or execute arbitrary code via a
specially crafted archive.
For more information:
SA41452
9) An error within the "FSFindFolder()" API in CarbonCore when used
with the "kTemporaryFolderType" flag can be exploited to disclose the
contents of arbitrary directories.
10) Multiple errors in ClamAV can be exploited by malicious people to
cause a DoS (Denial of Service) and potentially compromise a
vulnerable system.
For more information:
SA41503
SA42426
11) An unspecified error in the handling of embedded fonts in
CoreText can be exploited to corrupt memory when a specially crafted
document is viewed or downloaded.
12) An integer overflow error within the handling of the
F_READBOOTSTRAP ioctl in HFS, HFS+, and HFS+J filesystems can be
exploited to read arbitrary files.
13) An error in ImageIO within the handling of JPEG files can be
exploited to cause a heap-based buffer overflow.
14) An integer overflow error in ImageIO within the handling of XBM
files can be exploited to potentially execute arbitrary code.
15) An error in libTIFF within the handling of JPEG encoded TIFF
files can be exploited to cause a buffer overflow.
16) An error in libTIFF within the handling of CCITT Group 4 encoded
TIFF files can be exploited to cause a buffer overflow.
17) An integer overflow error in ImageIO within the handling of JPEG
encoded TIFF files can be exploited to potentially execute arbitrary
code.
18) Multiple errors in Image RAW when handling Canon RAW image files
can be exploited to cause buffer overflows.
19) An error in the Install Helper when handling URLs can be
exploited to install an arbitrary agent by tricking the user into
visiting a malicious website.
20) Multiple errors in Kerberos can be exploited by malicious users
and malicious people to conduct spoofing attacks and bypass certain
security features.
For more information:
SA37977
SA42396
21) An error within the "i386_set_ldt()" system call can be exploited
by malicious, local users to execute arbitrary code with system
privileges.
22) An integer truncation error within Libinfo when handling NFS RPC
packets can be exploited to cause NFS RPC services to become
unresponsive.
23) An error exists in the libxml library when traversing the XPath.
For more information:
SA42175
24) A double free error exists in the libxml library when handling
XPath expressions.
For more information:
SA42721
25) Two errors in Mailman can be exploited by malicious users to
conduct script insertion attacks.
For more information:
SA41265
26) Multiple errors in PHP can be exploited by malicious users and
malicious people to bypass certain security restrictions and by
malicious people to cause a DoS (Denial of Service) and potentially
compromise a vulnerable system.
For more information:
SA39573
SA41724
27) Multiple errors in PHP can be exploited by malicious users and
malicious people to bypass certain security restrictions.
For more information:
SA41724
28) An error in the OfficeImport framework when processing records
containing formulas shared between multiple cells can be exploited to
corrupt memory and potentially execute arbitrary code.
29) An error in QuickLook when handling certain Microsoft Office
files can be exploited to corrupt memory when a specially crafted
document is downloaded.
30) Multiple unspecified errors in QuickTime when handling JPEG2000,
FlashPix, and panorama atoms in QTVR (QuickTime Virtual Reality)
movie files can be exploited to corrupt memory via specially crafted
files.
31) An integer overflow error in QuickTime when handling certain
movie files can be exploited to potentially execute arbitrary code
when a specially crafted file is viewed.
32) An error within QuickTime plug-in when handling cross-site
redirects can be exploited to disclose video data.
33) An integer truncation error within the Ruby BigDecimal class can
be exploited to potentially execute arbitrary code.
This vulnerability only affects 64-bit Ruby processes.
34) A boundary error in Samba can be exploited by malicious people to
potentially compromise a vulnerable system.
For more information:
SA41354
35) A security issue in Subversion can be exploited by malicious
people to bypass certain security restrictions.
For more information:
SA41652
36) A weakness exists in Terminal, which uses SSH version 1 as the
default protocol version when using ssh via the "New Remote
Connection" dialog.
37) Some vulnerabilities in FreeType can be exploited to cause a DoS
(Denial of Service) or potentially compromise an application using
the library.
For more information:
SA41738
SOLUTION:
Update to version 10.6.7 or apply Security Update 2011-001.
PROVIDED AND/OR DISCOVERED BY:
15, 16, 33) Reported by the vendor.
The vendor credits:
3) Alexander Strange.
5) Christoph Diehl of Mozilla, Felix Grobert of the Google Security
Team, Marc Schoenefeld of Red Hat Security Response Team, and Tavis
Ormandy and Will Drewry of Google Security Team.
6) Felix Grobert, Google Security Team and geekable via ZDI.
7) Marc Schoenefeld, Red Hat Security Response Team.
11) Christoph Diehl, Mozilla.
12) Dan Rosenberg, Virtual Security Research.
13) Andrzej Dyjak via iDefense.
14) Harry Sintonen.
17) Dominic Chell, NGS Secure.
18) Paul Harrington, NGS Secure.
19) Aaron Sigel, vtty.com.
21) Jeff Mears.
22) Peter Schwenk, University of Delaware.
28) Tobias Klein via iDefense.
29) Charlie Miller and Dion Blazakis via ZDI.
30) Will Dormann of CERT/CC, Damian Put and an anonymous researcher
via ZDI, and Rodrigo Rubira Branco of Check Point Vulnerability
Discovery Team.
31) Honggang Ren, Fortinet's FortiGuard Labs.
32) Nirankush Panchbhai and Microsoft Vulnerability Research (MSVR).
36) Matt Warren, HNW Inc.
ORIGINAL ADVISORY:
Apple:
http://support.apple.com/kb/HT4581
iDefense:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=898
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
| VAR-201103-0076 | CVE-2011-0890 | HP DDMI Vulnerability in which important information is obtained |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
HP Discovery & Dependency Mapping Inventory (DDMI) 7.50, 7.51, 7.60, 7.61, 7.70, and 9.30 launches the Windows SNMP service with its default configuration, which allows remote attackers to obtain potentially sensitive information or have unspecified other impact by leveraging the public read community. HP Discovery and Dependency Mapping Inventory (DDMI) is prone to a remote information-disclosure vulnerability.
Remote attackers can exploit this issue to obtain sensitive information that may lead to further attacks. The vulnerability could be exploited remotely to allow unauthorized read-only access to the data available via the SNMP protocol.
References: CVE-2011-0890
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
Securing the Windows SNMP service
DDMI requires the Windows SNMP service for its operation. If necessary, DDMI will install and configure the Windows SNMP service using the Windows default security settings. As a result, the SNMP read community string may be set to public.
To modify the default security configuration of the Windows SNMP service:
Open the Windows Services Control Panel applet, select Administrative Tools and then select Services.
Select the SNMP Service, right click on it and select Properties and navigate to the Security tab.
Amend the security settings as required to change the default read community string to a value other than public.
Add the updated read community string to the appropriate DDM Inventory SNMP profile.
Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy.
Support: For further information, contact normal HP Services support channel.
Report: To report a potential security vulnerability with any HP supported product, send Email to: security-alert@hp.com
* The Software Product Category that this Security Bulletin
relates to is represented by the 5th and 6th characters
of the Bulletin number in the title:
GN = HP General SW
MA = HP Management Agents
MI = Misc. 3rd Party SW
MP = HP MPE/iX
NS = HP NonStop Servers
OV = HP OpenVMS
PI = HP Printing & Imaging
ST = HP Storage SW
TL = HP Trusted Linux
TU = HP Tru64 UNIX
UX = HP-UX
VV = HP VirtualVault
Copyright 2011 Hewlett-Packard Development Company, L.P.
| VAR-201103-0288 | CVE-2011-0189 | Apple Mac OS X In the default terminal SSH Vulnerability impersonating a server |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The default configuration of Terminal in Apple Mac OS X 10.6 before 10.6.7 uses SSH protocol version 1 within the New Remote Connection dialog, which might make it easier for man-in-the-middle attackers to spoof SSH servers by leveraging protocol vulnerabilities. Mac OS X is prone to a remote security vulnerability.
TITLE:
Apple Mac OS X Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA43814
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/43814/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=43814
RELEASE DATE:
2011-03-22
DESCRIPTION:
Apple has issued a security update for Mac OS X, which fixes multiple
vulnerabilities.
1) A divide-by-zero error in AirPort when handling Wi-Fi frames can
be exploited to cause a system reset.
2) Multiple vulnerabilities in Apache can be exploited by malicious
people to disclose potentially sensitive information and by malicious
users and malicious people to cause a DoS (Denial of Service).
For more information:
SA40206
3) A format string error within AppleScript Studio when handling
certain commands via dialogs can be exploited to potentially execute
arbitrary code.
4) An unspecified error in the handling of embedded OpenType fonts in
Apple Type Services (ATS) can be exploited to cause a heap-based
buffer overflow when a specially crafted document is viewed or
downloaded.
5) Multiple unspecified errors in the handling of embedded TrueType
fonts in Apple Type Services (ATS) can be exploited to cause a buffer
overflow when a specially crafted document is viewed or downloaded.
6) Multiple unspecified errors in the handling of embedded Type 1
fonts in Apple Type Services (ATS) can be exploited to cause a buffer
overflow when a specially crafted document is viewed or downloaded.
7) Multiple unspecified errors in the handling of SFNT tables in
embedded fonts in Apple Type Services (ATS) can be exploited to cause
a buffer overflow when a specially crafted document is viewed or
downloaded.
8) An integer overflow error in bzip2 can be exploited to terminate
an application using the library or execute arbitrary code via a
specially crafted archive.
For more information:
SA41452
9) An error within the "FSFindFolder()" API in CarbonCore when used
with the "kTemporaryFolderType" flag can be exploited to disclose the
contents of arbitrary directories.
10) Multiple errors in ClamAV can be exploited by malicious people to
cause a DoS (Denial of Service) and potentially compromise a
vulnerable system.
For more information:
SA41503
SA42426
11) An unspecified error in the handling of embedded fonts in
CoreText can be exploited to corrupt memory when a specially crafted
document is viewed or downloaded.
12) An integer overflow error within the handling of the
F_READBOOTSTRAP ioctl in HFS, HFS+, and HFS+J filesystems can be
exploited to read arbitrary files.
13) An error in ImageIO within the handling of JPEG files can be
exploited to cause a heap-based buffer overflow.
14) An integer overflow error in ImageIO within the handling of XBM
files can be exploited to potentially execute arbitrary code.
15) An error in libTIFF within the handling of JPEG encoded TIFF
files can be exploited to cause a buffer overflow.
16) An error in libTIFF within the handling of CCITT Group 4 encoded
TIFF files can be exploited to cause a buffer overflow.
17) An integer overflow error in ImageIO within the handling of JPEG
encoded TIFF files can be exploited to potentially execute arbitrary
code.
18) Multiple errors in Image RAW when handling Canon RAW image files
can be exploited to cause buffer overflows.
19) An error in the Install Helper when handling URLs can be
exploited to install an arbitrary agent by tricking the user into
visiting a malicious website.
20) Multiple errors in Kerberos can be exploited by malicious users
and malicious people to conduct spoofing attacks and bypass certain
security features.
For more information:
SA37977
SA42396
21) An error within the "i386_set_ldt()" system call can be exploited
by malicious, local users to execute arbitrary code with system
privileges.
22) An integer truncation error within Libinfo when handling NFS RPC
packets can be exploited to cause NFS RPC services to become
unresponsive.
23) An error exists in the libxml library when traversing the XPath.
For more information:
SA42175
24) A double free error exists in the libxml library when handling
XPath expressions.
For more information:
SA42721
25) Two errors in Mailman can be exploited by malicious users to
conduct script insertion attacks.
For more information:
SA41265
26) Multiple errors in PHP can be exploited by malicious users and
malicious people to bypass certain security restrictions and by
malicious people to cause a DoS (Denial of Service) and potentially
compromise a vulnerable system.
For more information:
SA39573
SA41724
27) Multiple errors in PHP can be exploited by malicious users and
malicious people to bypass certain security restrictions.
For more information:
SA41724
28) An error in the OfficeImport framework when processing records
containing formulas shared between multiple cells can be exploited to
corrupt memory and potentially execute arbitrary code.
29) An error in QuickLook when handling certain Microsoft Office
files can be exploited to corrupt memory when a specially crafted
document is downloaded.
30) Multiple unspecified errors in QuickTime when handling JPEG2000,
FlashPix, and panorama atoms in QTVR (QuickTime Virtual Reality)
movie files can be exploited to corrupt memory via specially crafted
files.
31) An integer overflow error in QuickTime when handling certain
movie files can be exploited to potentially execute arbitrary code
when a specially crafted file is viewed.
32) An error within QuickTime plug-in when handling cross-site
redirects can be exploited to disclose video data.
33) An integer truncation error within the Ruby BigDecimal class can
be exploited to potentially execute arbitrary code.
This vulnerability only affects 64-bit Ruby processes.
34) A boundary error in Samba can be exploited by malicious people to
potentially compromise a vulnerable system.
For more information:
SA41354
35) A security issue in Subversion can be exploited by malicious
people to bypass certain security restrictions.
37) Some vulnerabilities in FreeType can be exploited to cause a DoS
(Denial of Service) or potentially compromise an application using
the library.
For more information:
SA41738
SOLUTION:
Update to version 10.6.7 or apply Security Update 2011-001.
PROVIDED AND/OR DISCOVERED BY:
15, 16, 33) Reported by the vendor.
The vendor credits:
3) Alexander Strange.
5) Christoph Diehl of Mozilla, Felix Grobert of the Google Security
Team, Marc Schoenefeld of Red Hat Security Response Team, and Tavis
Ormandy and Will Drewry of Google Security Team.
6) Felix Grobert, Google Security Team and geekable via ZDI.
7) Marc Schoenefeld, Red Hat Security Response Team.
11) Christoph Diehl, Mozilla.
12) Dan Rosenberg, Virtual Security Research.
13) Andrzej Dyjak via iDefense.
14) Harry Sintonen.
17) Dominic Chell, NGS Secure.
18) Paul Harrington, NGS Secure.
19) Aaron Sigel, vtty.com.
21) Jeff Mears.
22) Peter Schwenk, University of Delaware.
28) Tobias Klein via iDefense.
29) Charlie Miller and Dion Blazakis via ZDI.
30) Will Dormann of CERT/CC, Damian Put and an anonymous researcher
via ZDI, and Rodrigo Rubira Branco of Check Point Vulnerability
Discovery Team.
31) Honggang Ren, Fortinet's FortiGuard Labs.
32) Nirankush Panchbhai and Microsoft Vulnerability Research (MSVR).
36) Matt Warren, HNW Inc.
ORIGINAL ADVISORY:
Apple:
http://support.apple.com/kb/HT4581
iDefense:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=898
| VAR-201103-0385 | No CVE | TP-LINK TL-WR740N WebConsole and UPnP Denial of Service Vulnerability |
CVSS V2: - CVSS V3: - Severity: - |
The TP-LINK TL-WR740N is a wireless router device. The TP-LINK TL-WR740N device has an unspecified error when processing requests. An attacker can send a large number of packets to make the WebConsole and UPnP services unstable, causing a denial of service.
| VAR-201104-0287 | CVE-2011-1563 |
DATAC RealFlex RealWin of HMI Application stack-based buffer overflow vulnerability
Related entries in the VARIoT exploits database: VAR-E-201103-0686 |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Multiple stack-based buffer overflows in the HMI application in DATAC RealFlex RealWin 2.1 (Build 6.1.10.10) and earlier allow remote attackers to execute arbitrary code via (1) a long username in an On_FC_CONNECT_FCS_LOGIN packet, and crafted (2) On_FC_CTAGLIST_FCS_CADDTAG, (3) On_FC_CTAGLIST_FCS_CDELTAG, (4) On_FC_CTAGLIST_FCS_ADDTAGMS, (5) On_FC_RFUSER_FCS_LOGIN, (6) unspecified "On_FC_BINFILE_FCS_*FILE", (7) On_FC_CGETTAG_FCS_GETTELEMETRY, (8) On_FC_CGETTAG_FCS_GETCHANNELTELEMETRY, (9) On_FC_CGETTAG_FCS_SETTELEMETRY, (10) On_FC_CGETTAG_FCS_SETCHANNELTELEMETRY, and (11) On_FC_SCRIPT_FCS_STARTPROG packets to port 910. DATAC RealWin is a SCADA server product that operates on a single PC or on multiple PCs over a TCP/IP network. DATAC RealWin SCADA Server is vulnerable to buffer overflow attacks due to incorrect validation of user-supplied input. Successful exploitation can execute arbitrary code in the security context of the application. DATAC RealWin is prone to multiple remote buffer-overflow vulnerabilities because of a failure to properly bounds check user-supplied input. Failed exploit attempts will cause a denial-of-service condition.
DATAC RealWin versions 2.1 and prior are vulnerable; other versions may also be affected.
TITLE:
RealWin FlexWin Connection Packet Processing Buffer Overflow
Vulnerabilities
SECUNIA ADVISORY ID:
SA43848
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/43848/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=43848
RELEASE DATE:
2011-03-22
DESCRIPTION:
Luigi Auriemma has discovered multiple vulnerabilities in RealWin,
which can be exploited by malicious people to compromise a vulnerable
system.
6) An input validation error when processing
"On_FC_MISC_FCS_MSGBROADCAST" packets can be exploited to cause a
heap-based buffer overflow via a specially crafted packet sent to TCP
port 910.
7) An input validation error when processing "On_FC_MISC_FCS_MSGSEND"
packets can be exploited to cause a heap-based buffer overflow via a
specially crafted packet sent to TCP port 910.
The vulnerabilities are confirmed in version 2.1 Build 6.1.10.10.
SOLUTION:
Restrict access to trusted hosts only (e.g. via network access
control lists).
PROVIDED AND/OR DISCOVERED BY:
Luigi Auriemma
ORIGINAL ADVISORY:
http://aluigi.altervista.org/adv/realwin_2-adv.txt
http://aluigi.altervista.org/adv/realwin_3-adv.txt
http://aluigi.altervista.org/adv/realwin_4-adv.txt
http://aluigi.altervista.org/adv/realwin_5-adv.txt
http://aluigi.altervista.org/adv/realwin_6-adv.txt
http://aluigi.altervista.org/adv/realwin_7-adv.txt
http://aluigi.altervista.org/adv/realwin_8-adv.txt
| VAR-201103-0378 | No CVE | There are multiple security vulnerabilities in Iconics GENESIS32 and GENESIS64 |
CVSS V2: 7.0 CVSS V3: - Severity: HIGH |
The Symantec LiveUpdate Administrator is a Symantec product upgrade management program. GENESIS32/64 is a new generation of industrial control software developed by ICONICS of the United States. GENESIS32/64 is affected by multiple memory corruption and integer overflow vulnerabilities caused by incorrect validation of user-supplied input. Successful exploitation can execute arbitrary code in the security context of the application. Failed exploit attempts will likely result in denial-of-service conditions.
The following versions are vulnerable; other versions may also be affected:
GENESIS32 9.21
GENESIS64 10.51
| VAR-201104-0292 | CVE-2011-1568 |
7-Technologies Interactive Graphical SCADA System Format string vulnerability
Related entries in the VARIoT exploits database: VAR-E-201103-0087, VAR-E-201103-0086, VAR-E-201103-0088, VAR-E-201103-0089 |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Format string vulnerability in the logText function in shmemmgr9.dll in IGSSdataServer.exe 9.00.00.11074, and 9.00.00.11063 and earlier, in 7-Technologies Interactive Graphical SCADA System (IGSS) allows remote attackers to cause a denial of service and possibly execute arbitrary code, as demonstrated using the RMS Reports Delete command, related to the logging of messages to GSST.LOG. NOTE: some of these details are obtained from third party information. The 7T Interactive Graphical SCADA System is an automated monitoring and control system. Because the 7T Interactive Graphical SCADA System incorrectly validates user-supplied input, remote attackers can exploit the vulnerabilities to execute arbitrary code in the context of the application or use directory traversal strings to perform unauthorized operations.
TITLE:
7-Technologies Interactive Graphical SCADA System Multiple
Vulnerabilities
SECUNIA ADVISORY ID:
SA43849
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/43849/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=43849
RELEASE DATE:
2011-03-23
DESCRIPTION:
Luigi Auriemma has discovered multiple vulnerabilities in
7-Technologies Interactive Graphical SCADA System, which can be
exploited by malicious people to disclose sensitive information,
manipulate certain data, cause a DoS (Denial of Service), and
compromise a vulnerable system.
1) An input validation error in IGSSdataServer.exe when processing
certain commands can be exploited to read and write arbitrary files
via a specially crafted packet containing directory traversal
specifiers sent to TCP port 12401.
2) A boundary error in IGSSdataServer.exe when processing the
"ListAll" command can be exploited to cause a stack-based buffer
overflow via a specially crafted packet sent to TCP port 12401.
3) A boundary error in IGSSdataServer.exe when processing the "Write
file" command can be exploited to cause a stack-based buffer overflow
via a specially crafted packet sent to TCP port 12401.
4) A boundary error in IGSSdataServer.exe when processing the
"ReadFile" command can be exploited to cause a stack-based buffer
overflow via a specially crafted packet sent to TCP port 12401.
5) A boundary error in IGSSdataServer.exe when processing the
"Delete" command can be exploited to cause a stack-based buffer
overflow via a specially crafted packet sent to TCP port 12401.
6) A boundary error in IGSSdataServer.exe when processing the
"RenameFile" command can be exploited to cause a stack-based buffer
overflow via a specially crafted packet sent to TCP port 12401.
7) A boundary error in IGSSdataServer.exe when processing the
"FileInfo" command can be exploited to cause a stack-based buffer
overflow via a specially crafted packet sent to TCP port 12401.
8) A boundary error in IGSSdataServer.exe when processing the RMS
Reports "Add" command can be exploited to cause a stack-based buffer
overflow via a specially crafted packet sent to TCP port 12401.
9) A boundary error in IGSSdataServer.exe when processing the RMS
Reports "ReadFile" and "Write file" commands can be exploited to
cause a stack-based buffer overflow via a specially crafted packet
sent to TCP port 12401.
10) A boundary error in IGSSdataServer.exe when processing the RMS
Reports "Rename" command can be exploited to cause a stack-based
buffer overflow via a specially crafted packet sent to TCP port
12401.
11) A format string error in IGSSdataServer.exe when creating a log
message using the "logText()" function (shmemmgr9.dll) can be
exploited to cause the process to crash via e.g. a specially crafted
RMS Reports "Delete" command sent to TCP port 12401.
12) A boundary error in IGSSdataServer.exe when creating a SQL query
string to process the STDREP update request can be exploited to cause
a stack-based buffer overflow via a specially crafted packet sent to
TCP port 12401.
Successful exploitation of this vulnerability may allow execution of
arbitrary code.
13) An input validation error in dc.exe when processing certain
commands can be exploited to execute any program on the system via a
specially crafted packet containing directory traversal specifiers
sent to TCP port 12397.
Successful exploitation of vulnerabilities #2 through #10 and #13
allows execution of arbitrary code.
The vulnerabilities are confirmed in version 9.0-11074. Other
versions may also be affected.
SOLUTION:
Restrict access to trusted hosts only (e.g. via network access
control lists).
PROVIDED AND/OR DISCOVERED BY:
Luigi Auriemma
ORIGINAL ADVISORY:
http://aluigi.altervista.org/adv/igss_1-adv.txt
http://aluigi.altervista.org/adv/igss_2-adv.txt
http://aluigi.altervista.org/adv/igss_3-adv.txt
http://aluigi.altervista.org/adv/igss_4-adv.txt
http://aluigi.altervista.org/adv/igss_5-adv.txt
http://aluigi.altervista.org/adv/igss_6-adv.txt
http://aluigi.altervista.org/adv/igss_7-adv.txt
http://aluigi.altervista.org/adv/igss_8-adv.txt
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
| VAR-201104-0289 | CVE-2011-1565 |
7-Technologies Interactive Graphical SCADA System Directory Traversal Vulnerability
Related entries in the VARIoT exploits database: VAR-E-201103-0087, VAR-E-201103-0086, VAR-E-201103-0088, VAR-E-201103-0089 |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Directory traversal vulnerability in IGSSdataServer.exe 9.00.00.11063 and earlier in 7-Technologies Interactive Graphical SCADA System (IGSS) allows remote attackers to (1) read (opcode 0x3) or (2) create or write (opcode 0x2) arbitrary files via ..\ (dot dot backslash) sequences to TCP port 12401. The 7T Interactive Graphical SCADA System is an automated monitoring and control system. Because user-supplied input is not validated correctly, remote attackers can exploit vulnerabilities in the 7T Interactive Graphical SCADA System to execute arbitrary code in the application context, or use directory traversal strings to perform unauthorized operations.
TITLE:
7-Technologies Interactive Graphical SCADA System Multiple
Vulnerabilities
SECUNIA ADVISORY ID:
SA43849
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/43849/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=43849
RELEASE DATE:
2011-03-23
DESCRIPTION:
Luigi Auriemma has discovered multiple vulnerabilities in
7-Technologies Interactive Graphical SCADA System, which can be
exploited by malicious people to disclose sensitive information,
manipulate certain data, cause a DoS (Denial of Service), and
compromise a vulnerable system.
2) A boundary error in IGSSdataServer.exe when processing the
"ListAll" command can be exploited to cause a stack-based buffer
overflow via a specially crafted packet sent to TCP port 12401.
3) A boundary error in IGSSdataServer.exe when processing the "Write
file" command can be exploited to cause a stack-based buffer overflow
via a specially crafted packet sent to TCP port 12401.
4) A boundary error in IGSSdataServer.exe when processing the
"ReadFile" command can be exploited to cause a stack-based buffer
overflow via a specially crafted packet sent to TCP port 12401.
5) A boundary error in IGSSdataServer.exe when processing the
"Delete" command can be exploited to cause a stack-based buffer
overflow via a specially crafted packet sent to TCP port 12401.
6) A boundary error in IGSSdataServer.exe when processing the
"RenameFile" command can be exploited to cause a stack-based buffer
overflow via a specially crafted packet sent to TCP port 12401.
7) A boundary error in IGSSdataServer.exe when processing the
"FileInfo" command can be exploited to cause a stack-based buffer
overflow via a specially crafted packet sent to TCP port 12401.
8) A boundary error in IGSSdataServer.exe when processing the RMS
Reports "Add" command can be exploited to cause a stack-based buffer
overflow via a specially crafted packet sent to TCP port 12401.
9) A boundary error in IGSSdataServer.exe when processing the RMS
Reports "ReadFile" and "Write file" commands can be exploited to
cause a stack-based buffer overflow via a specially crafted packet
sent to TCP port 12401.
10) A boundary error in IGSSdataServer.exe when processing the RMS
Reports "Rename" command can be exploited to cause a stack-based
buffer overflow via a specially crafted packet sent to TCP port
12401.
11) A format string error in IGSSdataServer.exe when creating a log
message using the "logText()" function (shmemmgr9.dll) can be
exploited to cause the process to crash via e.g. a specially crafted
RMS Reports "Delete" command sent to TCP port 12401.
12) A boundary error in IGSSdataServer.exe when creating a SQL query
string to process the STDREP update request can be exploited to cause
a stack-based buffer overflow via a specially crafted packet sent to
TCP port 12401.
Successful exploitation of this vulnerability may allow execution of
arbitrary code.
13) An input validation error in dc.exe when processing certain
commands can be exploited to execute any program on the system via a
specially crafted packet containing directory traversal specifiers
sent to TCP port 12397.
Successful exploitation of vulnerabilities #2 through #10 and #13
allows execution of arbitrary code.
The vulnerabilities are confirmed in version 9.0-11074. Other
versions may also be affected.
SOLUTION:
Restrict access to trusted hosts only (e.g. via network access
control lists).
PROVIDED AND/OR DISCOVERED BY:
Luigi Auriemma
ORIGINAL ADVISORY:
http://aluigi.altervista.org/adv/igss_1-adv.txt
http://aluigi.altervista.org/adv/igss_2-adv.txt
http://aluigi.altervista.org/adv/igss_3-adv.txt
http://aluigi.altervista.org/adv/igss_4-adv.txt
http://aluigi.altervista.org/adv/igss_5-adv.txt
http://aluigi.altervista.org/adv/igss_6-adv.txt
http://aluigi.altervista.org/adv/igss_7-adv.txt
http://aluigi.altervista.org/adv/igss_8-adv.txt
| VAR-201104-0291 | CVE-2011-1567 |
7-Technologies Interactive Graphical SCADA System of IGSSdataServer.exe Stack-based overflow vulnerability
Related entries in the VARIoT exploits database: VAR-E-201103-0087, VAR-E-201103-0086, VAR-E-201103-0088, VAR-E-201103-0089 |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Multiple stack-based buffer overflows in IGSSdataServer.exe 9.00.00.11063 and earlier in 7-Technologies Interactive Graphical SCADA System (IGSS) allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via crafted (1) ListAll, (2) Write File, (3) ReadFile, (4) Delete, (5) RenameFile, and (6) FileInfo commands in an 0xd opcode; (7) the Add, (8) ReadFile, (9) Write File, (10) Rename, (11) Delete, and (12) Add commands in an RMS report templates (0x7) opcode; and (13) 0x4 command in an STDREP request (0x8) opcode to TCP port 12401. The 7T Interactive Graphical SCADA System is an automated monitoring and control system. Because user-supplied input is not validated correctly, remote attackers can exploit vulnerabilities in the 7T Interactive Graphical SCADA System to execute arbitrary code in the application context, or use directory traversal strings to perform unauthorized operations.
TITLE:
7-Technologies Interactive Graphical SCADA System Multiple
Vulnerabilities
SECUNIA ADVISORY ID:
SA43849
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/43849/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=43849
RELEASE DATE:
2011-03-23
DESCRIPTION:
Luigi Auriemma has discovered multiple vulnerabilities in
7-Technologies Interactive Graphical SCADA System, which can be
exploited by malicious people to disclose sensitive information,
manipulate certain data, cause a DoS (Denial of Service), and
compromise a vulnerable system.
1) An input validation error in IGSSdataServer.exe when processing
certain commands can be exploited to read and write arbitrary files
via a specially crafted packet containing directory traversal
specifiers sent to TCP port 12401.
2) A boundary error in IGSSdataServer.exe when processing the
"ListAll" command can be exploited to cause a stack-based buffer
overflow via a specially crafted packet sent to TCP port 12401.
4) A boundary error in IGSSdataServer.exe when processing the
"ReadFile" command can be exploited to cause a stack-based buffer
overflow via a specially crafted packet sent to TCP port 12401.
5) A boundary error in IGSSdataServer.exe when processing the
"Delete" command can be exploited to cause a stack-based buffer
overflow via a specially crafted packet sent to TCP port 12401.
6) A boundary error in IGSSdataServer.exe when processing the
"RenameFile" command can be exploited to cause a stack-based buffer
overflow via a specially crafted packet sent to TCP port 12401.
7) A boundary error in IGSSdataServer.exe when processing the
"FileInfo" command can be exploited to cause a stack-based buffer
overflow via a specially crafted packet sent to TCP port 12401.
10) A boundary error in IGSSdataServer.exe when processing the RMS
Reports "Rename" command can be exploited to cause a stack-based
buffer overflow via a specially crafted packet sent to TCP port
12401.
11) A format string error in IGSSdataServer.exe when creating a log
message using the "logText()" function (shmemmgr9.dll) can be
exploited to cause the process to crash via e.g. a specially crafted
RMS Reports "Delete" command sent to TCP port 12401.
12) A boundary error in IGSSdataServer.exe when creating a SQL query
string to process the STDREP update request can be exploited to cause
a stack-based buffer overflow via a specially crafted packet sent to
TCP port 12401.
Successful exploitation of this vulnerability may allow execution of
arbitrary code.
13) An input validation error in dc.exe when processing certain
commands can be exploited to execute any program on the system via a
specially crafted packet containing directory traversal specifiers
sent to TCP port 12397.
Successful exploitation of vulnerabilities #2 through #10 and #13
allows execution of arbitrary code.
The vulnerabilities are confirmed in version 9.0-11074. Other
versions may also be affected.
SOLUTION:
Restrict access to trusted hosts only (e.g. via network access
control lists).
PROVIDED AND/OR DISCOVERED BY:
Luigi Auriemma
ORIGINAL ADVISORY:
http://aluigi.altervista.org/adv/igss_1-adv.txt
http://aluigi.altervista.org/adv/igss_2-adv.txt
http://aluigi.altervista.org/adv/igss_3-adv.txt
http://aluigi.altervista.org/adv/igss_4-adv.txt
http://aluigi.altervista.org/adv/igss_5-adv.txt
http://aluigi.altervista.org/adv/igss_6-adv.txt
http://aluigi.altervista.org/adv/igss_7-adv.txt
http://aluigi.altervista.org/adv/igss_8-adv.txt
| VAR-201104-0288 | CVE-2011-1564 |
DATAC RealFlex RealWin of HMI Application integer overflow vulnerability
Related entries in the VARIoT exploits database: VAR-E-201103-0686 |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Multiple integer overflows in the HMI application in DATAC RealFlex RealWin 2.1 (Build 6.1.10.10) and earlier allow remote attackers to execute arbitrary code via crafted (1) On_FC_MISC_FCS_MSGBROADCAST and (2) On_FC_MISC_FCS_MSGSEND packets, which trigger a heap-based buffer overflow. DATAC RealWin is a SCADA server product that operates on a single PC or multiple PCs over a TCP/IP network. DATAC RealWin SCADA Server is exposed to buffer overflow attacks due to incorrect validation of user-supplied input. Successful exploitation can execute arbitrary code in the security context of the application. DATAC RealWin is prone to multiple remote buffer-overflow vulnerabilities because of a failure to properly bounds check user-supplied input. Failed exploit attempts will cause a denial-of-service condition.
DATAC RealWin versions 2.1 and prior are vulnerable; other versions may also be affected.
TITLE:
RealWin FlexWin Connection Packet Processing Buffer Overflow
Vulnerabilities
SECUNIA ADVISORY ID:
SA43848
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/43848/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=43848
RELEASE DATE:
2011-03-22
DESCRIPTION:
Luigi Auriemma has discovered multiple vulnerabilities in RealWin,
which can be exploited by malicious people to compromise a vulnerable
system.
The vulnerabilities are confirmed in version 2.1 Build 6.1.10.10.
SOLUTION:
Restrict access to trusted hosts only (e.g. via network access
control lists).
PROVIDED AND/OR DISCOVERED BY:
Luigi Auriemma
ORIGINAL ADVISORY:
http://aluigi.altervista.org/adv/realwin_2-adv.txt
http://aluigi.altervista.org/adv/realwin_3-adv.txt
http://aluigi.altervista.org/adv/realwin_4-adv.txt
http://aluigi.altervista.org/adv/realwin_5-adv.txt
http://aluigi.altervista.org/adv/realwin_6-adv.txt
http://aluigi.altervista.org/adv/realwin_7-adv.txt
http://aluigi.altervista.org/adv/realwin_8-adv.txt
| VAR-201103-0366 | No CVE | Multiple security vulnerabilities in Siemens Tecnomatix FactoryLink |
CVSS V2: - CVSS V3: - Severity: HIGH |
Siemens Tecnomatix FactoryLink is an industrial automation software product. There are several security vulnerabilities in Siemens Tecnomatix FactoryLink, including buffer overflows, memory corruption, information disclosure, and denial of service. An attacker can exploit a vulnerability to gain sensitive information, run arbitrary code, or crash an application. Other attacks may also be possible.
Siemens Tecnomatix FactoryLink 8.0.1.1473 is vulnerable; other versions may also be affected.