VARIoT IoT vulnerabilities database
| VAR-201108-0336 | No CVE | Ingres Database IIPROMPT Unspecified Vulnerability |
CVSS V2: - CVSS V3: - Severity: - |
Ingres Database is prone to an unspecified vulnerability that can be exploited to overflow data.
The impact is currently unknown; however, this class of vulnerability may allow attackers to gain access to sensitive information, corrupt memory or cause a denial-of-service condition.
Ingres Database versions 2.6, 9.1, 9.2, 9.3, and 10.0 for Windows are vulnerable.
| VAR-201108-0303 | No CVE | SAP NetWeaver 'EPS_DELETE_FILE' Arbitrary File Removal Vulnerability |
CVSS V2: - CVSS V3: - Severity: LOW |
SAP NetWeaver is the technical foundation for SAP Business Suite solutions, SAP xApps composite applications, partner solutions, and custom applications. The \"EPS_DELETE_FILE\" function has an input validation error, and an attacker submits a directory traversal sequence request to delete any file. To successfully exploit the vulnerability you need access to the default SAP account TMSADM or SAPCPIC. ----------------------------------------------------------------------
The Secunia CSI 5.0 Beta - now available for testing
Find out more, take a free test drive, and share your opinion with us:
http://secunia.com/blog/242
----------------------------------------------------------------------
TITLE:
SAP NetWeaver "EPS_DELETE_FILE" Arbitrary File Deletion Vulnerability
SECUNIA ADVISORY ID:
SA45715
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/45715/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=45715
RELEASE DATE:
2011-08-27
DISCUSS ADVISORY:
http://secunia.com/advisories/45715/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/45715/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=45715
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Alexey Sintsov has reported a vulnerability in SAP NetWeaver, which
can be exploited by malicious users to manipulate certain data.
TMSADM or SAPCPIC.
SOLUTION:
Apply fixes. Please see the vendor's advisory for details.
PROVIDED AND/OR DISCOVERED BY:
Alexey Sintsov, Digital Security Research Group (DSecRG).
ORIGINAL ADVISORY:
SAP:
https://service.sap.com/sap/support/notes/1554030
Digital Security Research Group:
http://dsecrg.com/pages/vul/show.php?id=331
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-201109-0092 | CVE-2011-2763 |
LifeSize Room appliance authentication bypass and arbitrary code injection vulnerability
Related entries in the VARIoT exploits database: VAR-E-201108-0401, VAR-E-201108-0400 |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
The web interface on the LifeSize Room appliance LS_RM1_3.5.3 (11) and 4.7.18 allows remote attackers to execute arbitrary commands via a modified request to the LSRoom_Remoting.doCommand function in gateway.php. LifeSize Room appliance contains an authentication bypass and arbitrary code injection vulnerability when failing to sanitize input from unauthenticated clients. LifeSize Room is a high definition video conferencing device. LifeSize Room is prone to a security-bypass vulnerability and a command-injection vulnerability.
LifeSize Room versions 3.5.3 and 4.7.18 are affected; other versions may also be vulnerable. Discovered: 07-13-11
By: Spencer McIntyre (zeroSteiner) SecureState R&D Team
www.securestate.com
Background:
-----------
Multiple vulnerabilities within the LifeSize Room appliance.
Vulnerability Summaries:
------------------------
Login page can be bypassed, granting administrative access to the web interface.
Unauthenticated OS command injection is possible through the web interface.
The easiest way to perform these attacks is using a web proxy.
Authentication By Pass:
-----------------------
Following the request to /gateway.php that references the LSRoom_Remoting.authenticate
function, modify the AMF data in the response from the server to change "false" to "true"
Example:
Original False AMF: "\x0d\x0a\x0d\x0a\x00\x00\x00\x00\x00\x01\x00\x0c\x2f\x35\x37\x2f\x6f\x6e\x52\x65\x73\x75\x6c\x74\x00\x04\x6e\x75\x6c\x6c\x00\x00\x00\x02\x01\x00"
Modified True AMF: "\x0d\x0a\x0d\x0a\x00\x00\x00\x00\x00\x01\x00\x0c\x2f\x35\x37\x2f\x6f\x6e\x52\x65\x73\x75\x6c\x74\x00\x04\x6e\x75\x6c\x6c\xff\xff\xff\xff\x01\x01"
Command Injection:
------------------
The request to /gateway.php references a vulnerable function LSRoom_Remoting.doCommand
within the encoded AMF data. The original parameter for the vulnerable function is
"pref -l /var/system/upgrade/status" Replace this part with the command to be executed.
Authentication to the web application is not necessary however a valid PHP session ID
must be passed within the request.
References:
-----------
CVE-2011-2762 - authentication bypass
CVE-2011-2763 - OS command injection
| VAR-201109-0091 | CVE-2011-2762 |
LifeSize Room appliance authentication bypass and arbitrary code injection vulnerability
Related entries in the VARIoT exploits database: VAR-E-201108-0401, VAR-E-201108-0400 |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The web interface on the LifeSize Room appliance LS_RM1_3.5.3 (11) allows remote attackers to bypass authentication via unspecified data associated with a "true" authentication status, related to AMF data and the LSRoom_Remoting.authenticate function in gateway.php. LifeSize Room is a high definition video conferencing device. LifeSize Room is prone to a security-bypass vulnerability and a command-injection vulnerability.
Exploiting these issues could allow an attacker to bypass authentication or execute arbitrary commands in the context of the application.
LifeSize Room versions 3.5.3 and 4.7.18 are affected; other versions may also be vulnerable.
Unauthenticated OS command injection is possible through the web interface.
The easiest way to perform these attacks is using a web proxy.
Authentication By Pass:
-----------------------
Following the request to /gateway.php that references the LSRoom_Remoting.authenticate
function, modify the AMF data in the response from the server to change "false" to "true"
Example:
Original False AMF: "\x0d\x0a\x0d\x0a\x00\x00\x00\x00\x00\x01\x00\x0c\x2f\x35\x37\x2f\x6f\x6e\x52\x65\x73\x75\x6c\x74\x00\x04\x6e\x75\x6c\x6c\x00\x00\x00\x02\x01\x00"
Modified True AMF: "\x0d\x0a\x0d\x0a\x00\x00\x00\x00\x00\x01\x00\x0c\x2f\x35\x37\x2f\x6f\x6e\x52\x65\x73\x75\x6c\x74\x00\x04\x6e\x75\x6c\x6c\xff\xff\xff\xff\x01\x01"
Command Injection:
------------------
The request to /gateway.php references a vulnerable function LSRoom_Remoting.doCommand
within the encoded AMF data. The original parameter for the vulnerable function is
"pref -l /var/system/upgrade/status" Replace this part with the command to be executed.
Authentication to the web application is not necessary however a valid PHP session ID
must be passed within the request.
References:
-----------
CVE-2011-2762 - authentication bypass
CVE-2011-2763 - OS command injection
| VAR-201109-0061 | CVE-2011-0258 | Apple of QuickTime Vulnerable to arbitrary code execution |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Apple QuickTime before 7.7 on Windows allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted image description associated with an mp4v tag in a movie file. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within the way Quicktime handles 'mp4v' codec information. When parsing the video description table it will read the size field preceding the 'mp4v' tag and use that size to create an allocation to hold the data. It will then copy the correct amount of data into that buffer, but then does some endian changes on a fixed portion of the buffer without checking its size. The resulting memory corruption could result in remote code execution under the context of the current user. Apple QuickTime is prone to a buffer-overflow vulnerability because of a failure to properly bounds check user-supplied data.
Successful exploits will allow attackers to execute arbitrary code in the context of the currently logged-in user; failed exploit attempts may cause denial-of-service conditions.
Versions prior to QuickTime 7.7 are vulnerable. Apple QuickTime is a multimedia playback software developed by Apple (Apple). The software is capable of handling multiple sources such as digital video, media segments, and more.
-- Vendor Response:
Apple has issued an update to correct this vulnerability. More
details can be found at:
http://support.apple.com/kb/HT4826
-- Disclosure Timeline:
2011-06-03 - Vulnerability reported to vendor
2011-08-31 - Coordinated public release of advisory
-- Credit:
This vulnerability was discovered by:
* Damian Put
-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.
Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:
http://www.zerodayinitiative.com
The ZDI is unique in how the acquired vulnerability information is
used. TippingPoint does not re-sell the vulnerability details or any
exploit code. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product.
Our vulnerability disclosure policy is available online at:
http://www.zerodayinitiative.com/advisories/disclosure_policy/
Follow the ZDI on Twitter:
http://twitter.com/thezdi
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
| VAR-201108-0099 | CVE-2011-2561 | Cisco Unified Communications Manager Service disruption in ( Service stop ) Vulnerabilities |
CVSS V2: 7.1 CVSS V3: - Severity: HIGH |
The SIP process in Cisco Unified Communications Manager (aka CUCM, formerly CallManager) 7.x before 7.1(5b)su4 and 8.x before 8.0(1) does not properly handle SDP data within a SIP call in certain situations related to use of the g729ar8 codec for a Media Termination Point (MTP), which allows remote attackers to cause a denial of service (service outage) via a crafted call, aka Bug ID CSCtc61990. The problem is Bug ID CSCtc61990 It is a problem.Denial of service via a crafted call by a third party ( Service stop ) There is a possibility of being put into a state. Cisco Unified Communications Manager is a call processing component in the Cisco IP Telephony solution. Single channel audio may occur when configuring MTP with g729ar8 codec. Under certain conditions, service interruptions may occur. The SIP process generates a stack trace when processing the session description protocol SDP portion of a SIP call.
An attacker can exploit these issues to cause denial-of-service conditions in the affected application.
These issues are documented by these Cisco bug IDs:
CSCtf97162
CSCtc61990
CSCth43256.
A workaround exists for the SIP and Packet Capture Service DoS
vulnerabilities.
This advisory is posted at:
http://www.cisco.com/warp/public/707/cisco-sa-20110824-cucm.shtml
Two of the vulnerabilities described in this advisory also affect the
Cisco Intercompany Media Engine.
A separate Cisco Security Advisory has been published to disclose the
vulnerabilities that affect the Cisco Intercompany Media Engine.
The first DoS vulnerability involves the Packet Capture Service which
is enabled by default. The Packet Capture Service fails to timeout or
close idle TCP connections. The Packet Capture Service should be disabled in
the Cisco Unified Communications Manager Administration Interface by
setting the service parameter to False. This vulnerability is documented in Cisco Bug ID
CSCtf97162 ( registered customers only) and has been assigned Common
Vulnerabilities and Exposures (CVE) identifier CVE-2011-2560.
The second DoS vulnerability involves certain configurations of Media
Termination Points (MTP). This
vulnerability is documented in Cisco Bug ID CSCtc61990 ( registered
customers only) and has been assigned CVE identifier CVE-2011-2561.
The third DoS vulnerability involves a coredump when processing
certain SIP INVITE messages. This vulnerability is documented in
Cisco Bug ID CSCth43256 ( registered customers only) and has been
assigned CVE identifier CVE-2011-2562.
The remaining two DoS vulnerabilities involve the Service
Advertisement Framework (SAF). Successful exploitation could cause the device to
reload. These vulnerabilities are documented in Cisco Bug IDs
CSCth26669 ( registered customers only) and CSCth19417 ( registered
customers only) and have been assigned CVE identifiers CVE-2011-2563
and CVE-2011-2564, respectively. Cisco Intercompany Media
Engine Release 8.x is also affected by these vulnerabilities. A
separate Cisco Security Advisory has been published to disclose the
vulnerabilities that affect the Cisco Intercompany Media Engine. That
advisory is available at:
http://www.cisco.com/warp/public/707/cisco-sa-20110824-ime.shtml
Note: An established TCP connection with a three-way handshake is
required to trigger the SAF vulnerabilities.
Vulnerability Scoring Details
+----------------------------
Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at
http://intellishield.cisco.com/security/alertmanager/cvss
* CSCtf97162 - CCM Application Restarts During TCP Flood
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCtc61990 - Coredump may be experienced when processing
certain SIP packets
CVSS Base Score - 7.1
Access Vector - Network
Access Complexity - Medium
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 5.9
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCth43256 - Coredump may be experienced when processing
certain SIP packets
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCth26669 - CUCM may experience a reload when receiving certain
UCM client msgs
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCth19417 - CUCM may experience a reload when receiving certain
UCM client msgs
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of the vulnerabilities that are described in
this advisory could result in the interruption of voice services. In
certain instances, the affected Cisco Unified Communications Manager
processes will restart, but repeated attacks may result in a
sustained DoS condition.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to
determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
Cisco recommends upgrading to a release equal to or later than the
release in the Recommended Releases column of the table.
+---------------------------------------+
| Cisco Unified | Recommended |
| Communications Manager | Releases |
| Version | |
|-------------------------+-------------|
| 6.x | 6.1(5)SU3 |
|-------------------------+-------------|
| 7.x | 7.1(5b)SU4 |
|-------------------------+-------------|
| 8.0 | 8.0(3a)SU2 |
|-------------------------+-------------|
| 8.5 | 8.5(1)SU2, |
| | 8.6(1) |
+---------------------------------------+
Workarounds
===========
A workaround exists for the SIP DoS vulnerabilities. SIP processing is enabled by
default.
* Step 3: Change the SIP Interoperability Enabled parameter to
False, and click Save.
Note: For a SIP processing change to take effect, the Cisco
CallManager service must be restarted. For information on how to
restart the service, refer to the "Restarting the Cisco CallManager
Service" section of the document at the following location:
http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/admin/7_1_2/ccmcfg/b03dpi.html#wp1075124
It is possible to mitigate these vulnerabilities by implementing
filtering on screening devices and only permitting access to TCP
ports 5060 and 5061 and UDP ports 5060 and 5061 from networks that
require SIP access to Cisco Unified Communications Manager servers.
A workaround exists for the DoS vulnerabilities involving the Packet
Capture Service in Cisco Communications Manager version 4.x.
Customers who do not require the Packet Capture Service for
troubleshooting can use the following instructions to disable this
process:
* Step 1: Log into the Cisco Unified Communications Manager
Administration web interface.
* Step 3: Change the Packet Capture Enabled parameter to False, and
click Save.
Note: For the Packet Capture Service change to take effect, the Cisco
CallManager service must be restarted. For information on how to
restart the service, refer to the "Restarting the Cisco CallManager
Service" section of the document at the following location:
http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/admin/7_1_2/ccmcfg/b03dpi.html#wp1075124
Additional mitigations that can be deployed on Cisco devices in the
network are available in the companion document "Cisco Applied
Mitigation Bulletin: Identifying and Mitigating Exploitation of the
Multiple Vulnerabilities in Cisco Unified Communications Manager"
which is available at the following location:
http://www.cisco.com/warp/public/707/cisco-amb-20110824-cucm-ime.shtml
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should
consult their maintenance provider or check the software for feature
set compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound
by the terms of Cisco's software license terms found at
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html
or as otherwise set forth at Cisco.com Downloads at:
http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, this means that
upgrades should be obtained through the Software Center on Cisco's
worldwide website at http://www.cisco.com
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco
service contract, and customers who purchase through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should acquire upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to
a free upgrade. Free upgrades for non-contract customers must be
requested through the TAC.
Refer to:
http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
for additional TAC contact information, including localized telephone
numbers, and instructions and e-mail addresses for use in various
languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerabilities described in this advisory.
These vulnerabilities were found during internal testing and during
the troubleshooting of customer service requests.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at:
http://www.cisco.com/warp/public/707/cisco-sa-20110824-cucm.shtml
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+---------------------------------------+
| Revision | | Initial |
| 1.0 | 2011-August-24 | public |
| | | release. |
+---------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This includes instructions for press inquiries regarding Cisco security notices.
All Cisco security advisories are available at:
http://www.cisco.com/go/psirt
+--------------------------------------------------------------------
Copyright 2010-2011 Cisco Systems, Inc. All rights reserved.
+--------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (SunOS)
iFcDBQFOVFpYQXnnBKKRMNARCOCeAPwP66zH85V+OOW8YRl94JMDc+UpiRzqoqUl
6C0WGFrBJgD/eR7bXF71he/ByVHVpfpY3qaX8M45+MqcqzIDrM6hbCY=
=kz9x
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
. ----------------------------------------------------------------------
The Secunia CSI 5.0 Beta - now available for testing
Find out more, take a free test drive, and share your opinion with us:
http://secunia.com/blog/242
----------------------------------------------------------------------
TITLE:
Cisco Unified Communications Manager Multiple Denial of Service
Vulnerabilities
SECUNIA ADVISORY ID:
SA45738
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/45738/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=45738
RELEASE DATE:
2011-08-25
DISCUSS ADVISORY:
http://secunia.com/advisories/45738/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/45738/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=45738
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Multiple vulnerabilities have been reported in Cisco Unified
Communications Manager, which can be exploited by malicious people to
cause a DoS (Denial of Service).
Note: This vulnerability only affects version 7.0.x and later.
The vulnerabilities are reported in versions 6.x, 7.x, and 8.x.
SOLUTION:
Update to version 6.1(5)SU3, 7.1(5b)SU4, 8.0(3a)SU2, 8.5(1)SU2, or
8.6(1).
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
http://www.cisco.com/warp/public/707/cisco-sa-20110824-cucm.shtml
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-201108-0092 | CVE-2011-2562 | Cisco Unified Communications Manager Service disruption in ( Service stop ) Vulnerabilities |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Unspecified vulnerability in Cisco Unified Communications Manager (aka CUCM, formerly CallManager) 6.x before 6.1(5)su2, 7.x before 7.1(5b)su3, 8.x before 8.0(3a)su1, and 8.5 before 8.5(1) allows remote attackers to cause a denial of service (service outage) via a SIP INVITE message, aka Bug ID CSCth43256. Cisco Unified Communications Manager There is a service disruption ( Service stop ) There is a vulnerability that becomes a condition. The problem is Bug ID CSCth43256 It is a problem.By a third party SIP INVITE Service disruption via message ( Service stop ) There is a possibility of being put into a state.
An attacker can exploit these issues to cause denial-of-service conditions in the affected application.
These issues are documented by these Cisco bug IDs:
CSCtf97162
CSCtc61990
CSCth43256.
A workaround exists for the SIP and Packet Capture Service DoS
vulnerabilities.
This advisory is posted at:
http://www.cisco.com/warp/public/707/cisco-sa-20110824-cucm.shtml
Two of the vulnerabilities described in this advisory also affect the
Cisco Intercompany Media Engine.
A separate Cisco Security Advisory has been published to disclose the
vulnerabilities that affect the Cisco Intercompany Media Engine.
The first DoS vulnerability involves the Packet Capture Service which
is enabled by default. The Packet Capture Service fails to timeout or
close idle TCP connections. This vulnerability is documented in Cisco Bug ID
CSCtf97162 ( registered customers only) and has been assigned Common
Vulnerabilities and Exposures (CVE) identifier CVE-2011-2560.
The second DoS vulnerability involves certain configurations of Media
Termination Points (MTP). One-way audio may be observed when an MTP
is configured with the g729ar8 codec only. In certain situations, an
interruption in service may occur and a stack trace will be generated
by the Session Initiation Protocol (SIP) process when processing the
Session Description Protocol SDP portion of a SIP call. This
vulnerability is documented in Cisco Bug ID CSCtc61990 ( registered
customers only) and has been assigned CVE identifier CVE-2011-2561. This vulnerability is documented in
Cisco Bug ID CSCth43256 ( registered customers only) and has been
assigned CVE identifier CVE-2011-2562.
The remaining two DoS vulnerabilities involve the Service
Advertisement Framework (SAF). Successful exploitation could cause the device to
reload. These vulnerabilities are documented in Cisco Bug IDs
CSCth26669 ( registered customers only) and CSCth19417 ( registered
customers only) and have been assigned CVE identifiers CVE-2011-2563
and CVE-2011-2564, respectively. Cisco Intercompany Media
Engine Release 8.x is also affected by these vulnerabilities. A
separate Cisco Security Advisory has been published to disclose the
vulnerabilities that affect the Cisco Intercompany Media Engine. That
advisory is available at:
http://www.cisco.com/warp/public/707/cisco-sa-20110824-ime.shtml
Note: An established TCP connection with a three-way handshake is
required to trigger the SAF vulnerabilities.
Vulnerability Scoring Details
+----------------------------
Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at
http://intellishield.cisco.com/security/alertmanager/cvss
* CSCtf97162 - CCM Application Restarts During TCP Flood
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCtc61990 - Coredump may be experienced when processing
certain SIP packets
CVSS Base Score - 7.1
Access Vector - Network
Access Complexity - Medium
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 5.9
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCth43256 - Coredump may be experienced when processing
certain SIP packets
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCth26669 - CUCM may experience a reload when receiving certain
UCM client msgs
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCth19417 - CUCM may experience a reload when receiving certain
UCM client msgs
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of the vulnerabilities that are described in
this advisory could result in the interruption of voice services.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to
determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
Cisco recommends upgrading to a release equal to or later than the
release in the Recommended Releases column of the table. SIP processing is enabled by
default.
* Step 3: Change the SIP Interoperability Enabled parameter to
False, and click Save. For information on how to
restart the service, refer to the "Restarting the Cisco CallManager
Service" section of the document at the following location:
http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/admin/7_1_2/ccmcfg/b03dpi.html#wp1075124
It is possible to mitigate these vulnerabilities by implementing
filtering on screening devices and only permitting access to TCP
ports 5060 and 5061 and UDP ports 5060 and 5061 from networks that
require SIP access to Cisco Unified Communications Manager servers.
Customers who do not require the Packet Capture Service for
troubleshooting can use the following instructions to disable this
process:
* Step 1: Log into the Cisco Unified Communications Manager
Administration web interface.
* Step 3: Change the Packet Capture Enabled parameter to False, and
click Save. For information on how to
restart the service, refer to the "Restarting the Cisco CallManager
Service" section of the document at the following location:
http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/admin/7_1_2/ccmcfg/b03dpi.html#wp1075124
Additional mitigations that can be deployed on Cisco devices in the
network are available in the companion document "Cisco Applied
Mitigation Bulletin: Identifying and Mitigating Exploitation of the
Multiple Vulnerabilities in Cisco Unified Communications Manager"
which is available at the following location:
http://www.cisco.com/warp/public/707/cisco-amb-20110824-cucm-ime.shtml
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should
consult their maintenance provider or check the software for feature
set compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound
by the terms of Cisco's software license terms found at
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html
or as otherwise set forth at Cisco.com Downloads at:
http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, this means that
upgrades should be obtained through the Software Center on Cisco's
worldwide website at http://www.cisco.com
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco
service contract, and customers who purchase through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should acquire upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to
a free upgrade. Free upgrades for non-contract customers must be
requested through the TAC.
Refer to:
http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
for additional TAC contact information, including localized telephone
numbers, and instructions and e-mail addresses for use in various
languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerabilities described in this advisory.
These vulnerabilities were found during internal testing and during
the troubleshooting of customer service requests.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at:
http://www.cisco.com/warp/public/707/cisco-sa-20110824-cucm.shtml
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+---------------------------------------+
| Revision | | Initial |
| 1.0 | 2011-August-24 | public |
| | | release. |
+---------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This includes instructions for press inquiries regarding Cisco security notices.
All Cisco security advisories are available at:
http://www.cisco.com/go/psirt
+--------------------------------------------------------------------
Copyright 2010-2011 Cisco Systems, Inc. All rights reserved.
+--------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (SunOS)
iFcDBQFOVFpYQXnnBKKRMNARCOCeAPwP66zH85V+OOW8YRl94JMDc+UpiRzqoqUl
6C0WGFrBJgD/eR7bXF71he/ByVHVpfpY3qaX8M45+MqcqzIDrM6hbCY=
=kz9x
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
. ----------------------------------------------------------------------
The Secunia CSI 5.0 Beta - now available for testing
Find out more, take a free test drive, and share your opinion with us:
http://secunia.com/blog/242
----------------------------------------------------------------------
TITLE:
Cisco Unified Communications Manager Multiple Denial of Service
Vulnerabilities
SECUNIA ADVISORY ID:
SA45738
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/45738/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=45738
RELEASE DATE:
2011-08-25
DISCUSS ADVISORY:
http://secunia.com/advisories/45738/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/45738/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=45738
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Multiple vulnerabilities have been reported in Cisco Unified
Communications Manager, which can be exploited by malicious people to
cause a DoS (Denial of Service).
Note: This vulnerability only affects version 7.0.x and later.
The vulnerabilities are reported in versions 6.x, 7.x, and 8.x.
SOLUTION:
Update to version 6.1(5)SU3, 7.1(5b)SU4, 8.0(3a)SU2, 8.5(1)SU2, or
8.6(1).
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
http://www.cisco.com/warp/public/707/cisco-sa-20110824-cucm.shtml
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-201108-0098 | CVE-2011-2560 | Cisco Unified Communications Manager Service disruption in (DoS) Vulnerabilities |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
The Packet Capture Service in Cisco Unified Communications Manager (aka CUCM, formerly CallManager) 4.x does not properly handle idle TCP connections, which allows remote attackers to cause a denial of service (memory consumption and restart) by making many connections, aka Bug ID CSCtf97162. The problem is Bug ID CSCtf97162 It is a problem.Service operation disruption by establishing many connections by a third party ( Memory corruption and restart ) There is a possibility of being put into a state. Cisco Unified Communications Manager is a call processing component in the Cisco IP Telephony solution.
An attacker can exploit these issues to cause denial-of-service conditions in the affected application.
These issues are documented by these Cisco bug IDs:
CSCtf97162
CSCtc61990
CSCth43256.
A workaround exists for the SIP and Packet Capture Service DoS
vulnerabilities.
This advisory is posted at:
http://www.cisco.com/warp/public/707/cisco-sa-20110824-cucm.shtml
Two of the vulnerabilities described in this advisory also affect the
Cisco Intercompany Media Engine.
A separate Cisco Security Advisory has been published to disclose the
vulnerabilities that affect the Cisco Intercompany Media Engine. This vulnerability is documented in Cisco Bug ID
CSCtf97162 ( registered customers only) and has been assigned Common
Vulnerabilities and Exposures (CVE) identifier CVE-2011-2560.
The second DoS vulnerability involves certain configurations of Media
Termination Points (MTP). One-way audio may be observed when an MTP
is configured with the g729ar8 codec only. In certain situations, an
interruption in service may occur and a stack trace will be generated
by the Session Initiation Protocol (SIP) process when processing the
Session Description Protocol SDP portion of a SIP call. This
vulnerability is documented in Cisco Bug ID CSCtc61990 ( registered
customers only) and has been assigned CVE identifier CVE-2011-2561.
The third DoS vulnerability involves a coredump when processing
certain SIP INVITE messages. This vulnerability is documented in
Cisco Bug ID CSCth43256 ( registered customers only) and has been
assigned CVE identifier CVE-2011-2562.
The remaining two DoS vulnerabilities involve the Service
Advertisement Framework (SAF). Successful exploitation could cause the device to
reload. These vulnerabilities are documented in Cisco Bug IDs
CSCth26669 ( registered customers only) and CSCth19417 ( registered
customers only) and have been assigned CVE identifiers CVE-2011-2563
and CVE-2011-2564, respectively. Cisco Intercompany Media
Engine Release 8.x is also affected by these vulnerabilities. A
separate Cisco Security Advisory has been published to disclose the
vulnerabilities that affect the Cisco Intercompany Media Engine. That
advisory is available at:
http://www.cisco.com/warp/public/707/cisco-sa-20110824-ime.shtml
Note: An established TCP connection with a three-way handshake is
required to trigger the SAF vulnerabilities.
Vulnerability Scoring Details
+----------------------------
Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at
http://intellishield.cisco.com/security/alertmanager/cvss
* CSCtf97162 - CCM Application Restarts During TCP Flood
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCtc61990 - Coredump may be experienced when processing
certain SIP packets
CVSS Base Score - 7.1
Access Vector - Network
Access Complexity - Medium
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 5.9
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCth43256 - Coredump may be experienced when processing
certain SIP packets
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCth26669 - CUCM may experience a reload when receiving certain
UCM client msgs
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCth19417 - CUCM may experience a reload when receiving certain
UCM client msgs
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of the vulnerabilities that are described in
this advisory could result in the interruption of voice services.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to
determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
Cisco recommends upgrading to a release equal to or later than the
release in the Recommended Releases column of the table.
+---------------------------------------+
| Cisco Unified | Recommended |
| Communications Manager | Releases |
| Version | |
|-------------------------+-------------|
| 6.x | 6.1(5)SU3 |
|-------------------------+-------------|
| 7.x | 7.1(5b)SU4 |
|-------------------------+-------------|
| 8.0 | 8.0(3a)SU2 |
|-------------------------+-------------|
| 8.5 | 8.5(1)SU2, |
| | 8.6(1) |
+---------------------------------------+
Workarounds
===========
A workaround exists for the SIP DoS vulnerabilities. SIP processing is enabled by
default.
* Step 3: Change the SIP Interoperability Enabled parameter to
False, and click Save.
Note: For a SIP processing change to take effect, the Cisco
CallManager service must be restarted.
* Step 3: Change the Packet Capture Enabled parameter to False, and
click Save. For information on how to
restart the service, refer to the "Restarting the Cisco CallManager
Service" section of the document at the following location:
http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/admin/7_1_2/ccmcfg/b03dpi.html#wp1075124
Additional mitigations that can be deployed on Cisco devices in the
network are available in the companion document "Cisco Applied
Mitigation Bulletin: Identifying and Mitigating Exploitation of the
Multiple Vulnerabilities in Cisco Unified Communications Manager"
which is available at the following location:
http://www.cisco.com/warp/public/707/cisco-amb-20110824-cucm-ime.shtml
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should
consult their maintenance provider or check the software for feature
set compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound
by the terms of Cisco's software license terms found at
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html
or as otherwise set forth at Cisco.com Downloads at:
http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, this means that
upgrades should be obtained through the Software Center on Cisco's
worldwide website at http://www.cisco.com
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco
service contract, and customers who purchase through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should acquire upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to
a free upgrade. Free upgrades for non-contract customers must be
requested through the TAC.
Refer to:
http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
for additional TAC contact information, including localized telephone
numbers, and instructions and e-mail addresses for use in various
languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerabilities described in this advisory.
These vulnerabilities were found during internal testing and during
the troubleshooting of customer service requests.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at:
http://www.cisco.com/warp/public/707/cisco-sa-20110824-cucm.shtml
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+---------------------------------------+
| Revision | | Initial |
| 1.0 | 2011-August-24 | public |
| | | release. |
+---------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This includes instructions for press inquiries regarding Cisco security notices.
All Cisco security advisories are available at:
http://www.cisco.com/go/psirt
+--------------------------------------------------------------------
Copyright 2010-2011 Cisco Systems, Inc. All rights reserved.
+--------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (SunOS)
iFcDBQFOVFpYQXnnBKKRMNARCOCeAPwP66zH85V+OOW8YRl94JMDc+UpiRzqoqUl
6C0WGFrBJgD/eR7bXF71he/ByVHVpfpY3qaX8M45+MqcqzIDrM6hbCY=
=kz9x
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
. ----------------------------------------------------------------------
The Secunia CSI 5.0 Beta - now available for testing
Find out more, take a free test drive, and share your opinion with us:
http://secunia.com/blog/242
----------------------------------------------------------------------
TITLE:
Cisco Unified Communications Manager Packet Capture Service Denial of
Service
SECUNIA ADVISORY ID:
SA45741
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/45741/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=45741
RELEASE DATE:
2011-08-25
DISCUSS ADVISORY:
http://secunia.com/advisories/45741/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/45741/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=45741
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
A vulnerability has been reported in Cisco Unified Communications
Manager, which can be exploited by malicious people to cause a DoS
(Denial of Service).
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
http://www.cisco.com/warp/public/707/cisco-sa-20110824-cucm.shtml
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-201108-0093 | CVE-2011-2563 | Cisco Unified Communications Manager and Cisco Intercompany Media Engine Vulnerability in |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Unspecified vulnerability in the Service Advertisement Framework (SAF) in Cisco Unified Communications Manager (aka CUCM, formerly CallManager) 8.x before 8.5(1) and Cisco Intercompany Media Engine 8.x before 8.5(1) allows remote attackers to cause a denial of service (device reload) via crafted SAF packets, aka Bug ID CSCth26669. Cisco Unified Communications Manager is a call processing component in the Cisco IP Telephony solution. The Service Advertisement Framework (SAF) has a denial of service attack. An unauthenticated attacker can use these vulnerabilities to send specially crafted SAF packets to the affected device. The attacker exploits the vulnerability to overload the device.
An attacker can exploit these issues to cause an affected device to reload, denying service to legitimate users.
These issues are being tracked by Cisco Bug IDs CSCth26669 and CSCth19417.
Intercompany Media Engine versions 8.0.x are affected.
A workaround exists for the SIP and Packet Capture Service DoS
vulnerabilities.
Products Confirmed Not Vulnerable
+--------------------------------
All supported versions of Cisco Unified Communications Manager are
affected by one or more of the vulnerabilities described in this
advisory.
The first DoS vulnerability involves the Packet Capture Service which
is enabled by default. The Packet Capture Service fails to timeout or
close idle TCP connections. This vulnerability is documented in Cisco Bug ID
CSCtf97162 ( registered customers only) and has been assigned Common
Vulnerabilities and Exposures (CVE) identifier CVE-2011-2560.
The second DoS vulnerability involves certain configurations of Media
Termination Points (MTP). One-way audio may be observed when an MTP
is configured with the g729ar8 codec only. In certain situations, an
interruption in service may occur and a stack trace will be generated
by the Session Initiation Protocol (SIP) process when processing the
Session Description Protocol SDP portion of a SIP call. This
vulnerability is documented in Cisco Bug ID CSCtc61990 ( registered
customers only) and has been assigned CVE identifier CVE-2011-2561.
The third DoS vulnerability involves a coredump when processing
certain SIP INVITE messages. This vulnerability is documented in
Cisco Bug ID CSCth43256 ( registered customers only) and has been
assigned CVE identifier CVE-2011-2562. These vulnerabilities are documented in Cisco Bug IDs
CSCth26669 ( registered customers only) and CSCth19417 ( registered
customers only) and have been assigned CVE identifiers CVE-2011-2563
and CVE-2011-2564, respectively. That
advisory is available at:
http://www.cisco.com/warp/public/707/cisco-sa-20110824-ime.shtml
Note: An established TCP connection with a three-way handshake is
required to trigger the SAF vulnerabilities.
Vulnerability Scoring Details
+----------------------------
Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at
http://intellishield.cisco.com/security/alertmanager/cvss
* CSCtf97162 - CCM Application Restarts During TCP Flood
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCtc61990 - Coredump may be experienced when processing
certain SIP packets
CVSS Base Score - 7.1
Access Vector - Network
Access Complexity - Medium
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 5.9
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCth43256 - Coredump may be experienced when processing
certain SIP packets
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCth26669 - CUCM may experience a reload when receiving certain
UCM client msgs
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCth19417 - CUCM may experience a reload when receiving certain
UCM client msgs
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of the vulnerabilities that are described in
this advisory could result in the interruption of voice services. In
certain instances, the affected Cisco Unified Communications Manager
processes will restart, but repeated attacks may result in a
sustained DoS condition.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to
determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
Cisco recommends upgrading to a release equal to or later than the
release in the Recommended Releases column of the table.
+---------------------------------------+
| Cisco Unified | Recommended |
| Communications Manager | Releases |
| Version | |
|-------------------------+-------------|
| 6.x | 6.1(5)SU3 |
|-------------------------+-------------|
| 7.x | 7.1(5b)SU4 |
|-------------------------+-------------|
| 8.0 | 8.0(3a)SU2 |
|-------------------------+-------------|
| 8.5 | 8.5(1)SU2, |
| | 8.6(1) |
+---------------------------------------+
Workarounds
===========
A workaround exists for the SIP DoS vulnerabilities. SIP processing is enabled by
default. Customers who do not require SIP processing can use the
following instructions to disable SIP processing:
* Step 1: Log into the Cisco Unified Communications Manager
Administration Interface.
* Step 3: Change the SIP Interoperability Enabled parameter to
False, and click Save.
Note: For a SIP processing change to take effect, the Cisco
CallManager service must be restarted. For information on how to
restart the service, refer to the "Restarting the Cisco CallManager
Service" section of the document at the following location:
http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/admin/7_1_2/ccmcfg/b03dpi.html#wp1075124
It is possible to mitigate these vulnerabilities by implementing
filtering on screening devices and only permitting access to TCP
ports 5060 and 5061 and UDP ports 5060 and 5061 from networks that
require SIP access to Cisco Unified Communications Manager servers.
A workaround exists for the DoS vulnerabilities involving the Packet
Capture Service in Cisco Communications Manager version 4.x.
Customers who do not require the Packet Capture Service for
troubleshooting can use the following instructions to disable this
process:
* Step 1: Log into the Cisco Unified Communications Manager
Administration web interface.
* Step 3: Change the Packet Capture Enabled parameter to False, and
click Save.
Note: For the Packet Capture Service change to take effect, the Cisco
CallManager service must be restarted. For information on how to
restart the service, refer to the "Restarting the Cisco CallManager
Service" section of the document at the following location:
http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/admin/7_1_2/ccmcfg/b03dpi.html#wp1075124
Additional mitigations that can be deployed on Cisco devices in the
network are available in the companion document "Cisco Applied
Mitigation Bulletin: Identifying and Mitigating Exploitation of the
Multiple Vulnerabilities in Cisco Unified Communications Manager"
which is available at the following location:
http://www.cisco.com/warp/public/707/cisco-amb-20110824-cucm-ime.shtml
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should
consult their maintenance provider or check the software for feature
set compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound
by the terms of Cisco's software license terms found at
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html
or as otherwise set forth at Cisco.com Downloads at:
http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, this means that
upgrades should be obtained through the Software Center on Cisco's
worldwide website at http://www.cisco.com
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco
service contract, and customers who purchase through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should acquire upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to
a free upgrade. Free upgrades for non-contract customers must be
requested through the TAC.
Refer to:
http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
for additional TAC contact information, including localized telephone
numbers, and instructions and e-mail addresses for use in various
languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerabilities described in this advisory.
These vulnerabilities were found during internal testing and during
the troubleshooting of customer service requests.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at:
http://www.cisco.com/warp/public/707/cisco-sa-20110824-cucm.shtml
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+---------------------------------------+
| Revision | | Initial |
| 1.0 | 2011-August-24 | public |
| | | release. |
+---------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This includes instructions for press inquiries regarding Cisco security notices.
All Cisco security advisories are available at:
http://www.cisco.com/go/psirt
+--------------------------------------------------------------------
Copyright 2010-2011 Cisco Systems, Inc. All rights reserved.
+--------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (SunOS)
iFcDBQFOVFpYQXnnBKKRMNARCOCeAPwP66zH85V+OOW8YRl94JMDc+UpiRzqoqUl
6C0WGFrBJgD/eR7bXF71he/ByVHVpfpY3qaX8M45+MqcqzIDrM6hbCY=
=kz9x
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
.
There are no available workarounds to mitigate these vulnerabilities.
Details
=======
Cisco Intercompany Media Engine provides a technique for establishing
direct IP connectivity between enterprises by combining peer-to-peer
technologies with the existing public switched telephone network
(PSTN) infrastructure. ----------------------------------------------------------------------
The Secunia CSI 5.0 Beta - now available for testing
Find out more, take a free test drive, and share your opinion with us:
http://secunia.com/blog/242
----------------------------------------------------------------------
TITLE:
Cisco Unified Communications Manager Multiple Denial of Service
Vulnerabilities
SECUNIA ADVISORY ID:
SA45738
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/45738/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=45738
RELEASE DATE:
2011-08-25
DISCUSS ADVISORY:
http://secunia.com/advisories/45738/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/45738/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=45738
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Multiple vulnerabilities have been reported in Cisco Unified
Communications Manager, which can be exploited by malicious people to
cause a DoS (Denial of Service).
Note: This vulnerability only affects version 7.0.x and later.
The vulnerabilities are reported in versions 6.x, 7.x, and 8.x.
SOLUTION:
Update to version 6.1(5)SU3, 7.1(5b)SU4, 8.0(3a)SU2, 8.5(1)SU2, or
8.6(1).
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
http://www.cisco.com/warp/public/707/cisco-sa-20110824-cucm.shtml
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-201108-0094 | CVE-2011-2564 | Cisco Unified Communications Manager and Cisco Intercompany Media Engine Vulnerability in |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Unspecified vulnerability in the Service Advertisement Framework (SAF) in Cisco Unified Communications Manager (aka CUCM, formerly CallManager) 8.x before 8.5(1) and Cisco Intercompany Media Engine 8.x before 8.5(1) allows remote attackers to cause a denial of service (device reload) via crafted SAF packets, aka Bug ID CSCth19417. Cisco Unified Communications Manager is a call processing component in the Cisco IP Telephony solution. An unauthenticated attacker can send a specially crafted SAF packet to the affected device. The attacker can exploit the vulnerability to reload the device.
These issues are being tracked by Cisco Bug IDs CSCth26669 and CSCth19417.
Intercompany Media Engine versions 8.0.x are affected.
A workaround exists for the SIP and Packet Capture Service DoS
vulnerabilities.
Products Confirmed Not Vulnerable
+--------------------------------
All supported versions of Cisco Unified Communications Manager are
affected by one or more of the vulnerabilities described in this
advisory.
The first DoS vulnerability involves the Packet Capture Service which
is enabled by default. The Packet Capture Service fails to timeout or
close idle TCP connections. This vulnerability is documented in Cisco Bug ID
CSCtf97162 ( registered customers only) and has been assigned Common
Vulnerabilities and Exposures (CVE) identifier CVE-2011-2560.
The second DoS vulnerability involves certain configurations of Media
Termination Points (MTP). One-way audio may be observed when an MTP
is configured with the g729ar8 codec only. In certain situations, an
interruption in service may occur and a stack trace will be generated
by the Session Initiation Protocol (SIP) process when processing the
Session Description Protocol SDP portion of a SIP call. This
vulnerability is documented in Cisco Bug ID CSCtc61990 ( registered
customers only) and has been assigned CVE identifier CVE-2011-2561.
The third DoS vulnerability involves a coredump when processing
certain SIP INVITE messages. This vulnerability is documented in
Cisco Bug ID CSCth43256 ( registered customers only) and has been
assigned CVE identifier CVE-2011-2562. These vulnerabilities are documented in Cisco Bug IDs
CSCth26669 ( registered customers only) and CSCth19417 ( registered
customers only) and have been assigned CVE identifiers CVE-2011-2563
and CVE-2011-2564, respectively. That
advisory is available at:
http://www.cisco.com/warp/public/707/cisco-sa-20110824-ime.shtml
Note: An established TCP connection with a three-way handshake is
required to trigger the SAF vulnerabilities.
Vulnerability Scoring Details
+----------------------------
Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at
http://intellishield.cisco.com/security/alertmanager/cvss
* CSCtf97162 - CCM Application Restarts During TCP Flood
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCtc61990 - Coredump may be experienced when processing
certain SIP packets
CVSS Base Score - 7.1
Access Vector - Network
Access Complexity - Medium
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 5.9
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCth43256 - Coredump may be experienced when processing
certain SIP packets
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCth26669 - CUCM may experience a reload when receiving certain
UCM client msgs
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCth19417 - CUCM may experience a reload when receiving certain
UCM client msgs
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of the vulnerabilities that are described in
this advisory could result in the interruption of voice services. In
certain instances, the affected Cisco Unified Communications Manager
processes will restart, but repeated attacks may result in a
sustained DoS condition.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to
determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
Cisco recommends upgrading to a release equal to or later than the
release in the Recommended Releases column of the table.
+---------------------------------------+
| Cisco Unified | Recommended |
| Communications Manager | Releases |
| Version | |
|-------------------------+-------------|
| 6.x | 6.1(5)SU3 |
|-------------------------+-------------|
| 7.x | 7.1(5b)SU4 |
|-------------------------+-------------|
| 8.0 | 8.0(3a)SU2 |
|-------------------------+-------------|
| 8.5 | 8.5(1)SU2, |
| | 8.6(1) |
+---------------------------------------+
Workarounds
===========
A workaround exists for the SIP DoS vulnerabilities. SIP processing is enabled by
default. Customers who do not require SIP processing can use the
following instructions to disable SIP processing:
* Step 1: Log into the Cisco Unified Communications Manager
Administration Interface.
* Step 3: Change the SIP Interoperability Enabled parameter to
False, and click Save.
Note: For a SIP processing change to take effect, the Cisco
CallManager service must be restarted. For information on how to
restart the service, refer to the "Restarting the Cisco CallManager
Service" section of the document at the following location:
http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/admin/7_1_2/ccmcfg/b03dpi.html#wp1075124
It is possible to mitigate these vulnerabilities by implementing
filtering on screening devices and only permitting access to TCP
ports 5060 and 5061 and UDP ports 5060 and 5061 from networks that
require SIP access to Cisco Unified Communications Manager servers.
A workaround exists for the DoS vulnerabilities involving the Packet
Capture Service in Cisco Communications Manager version 4.x.
Customers who do not require the Packet Capture Service for
troubleshooting can use the following instructions to disable this
process:
* Step 1: Log into the Cisco Unified Communications Manager
Administration web interface.
* Step 3: Change the Packet Capture Enabled parameter to False, and
click Save.
Note: For the Packet Capture Service change to take effect, the Cisco
CallManager service must be restarted. For information on how to
restart the service, refer to the "Restarting the Cisco CallManager
Service" section of the document at the following location:
http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/admin/7_1_2/ccmcfg/b03dpi.html#wp1075124
Additional mitigations that can be deployed on Cisco devices in the
network are available in the companion document "Cisco Applied
Mitigation Bulletin: Identifying and Mitigating Exploitation of the
Multiple Vulnerabilities in Cisco Unified Communications Manager"
which is available at the following location:
http://www.cisco.com/warp/public/707/cisco-amb-20110824-cucm-ime.shtml
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should
consult their maintenance provider or check the software for feature
set compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound
by the terms of Cisco's software license terms found at
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html
or as otherwise set forth at Cisco.com Downloads at:
http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, this means that
upgrades should be obtained through the Software Center on Cisco's
worldwide website at http://www.cisco.com
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco
service contract, and customers who purchase through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should acquire upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to
a free upgrade. Free upgrades for non-contract customers must be
requested through the TAC.
Refer to:
http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
for additional TAC contact information, including localized telephone
numbers, and instructions and e-mail addresses for use in various
languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerabilities described in this advisory.
These vulnerabilities were found during internal testing and during
the troubleshooting of customer service requests.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at:
http://www.cisco.com/warp/public/707/cisco-sa-20110824-cucm.shtml
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+---------------------------------------+
| Revision | | Initial |
| 1.0 | 2011-August-24 | public |
| | | release. |
+---------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This includes instructions for press inquiries regarding Cisco security notices.
All Cisco security advisories are available at:
http://www.cisco.com/go/psirt
+--------------------------------------------------------------------
Copyright 2010-2011 Cisco Systems, Inc. All rights reserved.
+--------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (SunOS)
iFcDBQFOVFpYQXnnBKKRMNARCOCeAPwP66zH85V+OOW8YRl94JMDc+UpiRzqoqUl
6C0WGFrBJgD/eR7bXF71he/ByVHVpfpY3qaX8M45+MqcqzIDrM6hbCY=
=kz9x
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
.
There are no available workarounds to mitigate these vulnerabilities.
Details
=======
Cisco Intercompany Media Engine provides a technique for establishing
direct IP connectivity between enterprises by combining peer-to-peer
technologies with the existing public switched telephone network
(PSTN) infrastructure. ----------------------------------------------------------------------
The Secunia CSI 5.0 Beta - now available for testing
Find out more, take a free test drive, and share your opinion with us:
http://secunia.com/blog/242
----------------------------------------------------------------------
TITLE:
Cisco Unified Communications Manager Multiple Denial of Service
Vulnerabilities
SECUNIA ADVISORY ID:
SA45738
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/45738/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=45738
RELEASE DATE:
2011-08-25
DISCUSS ADVISORY:
http://secunia.com/advisories/45738/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/45738/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=45738
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Multiple vulnerabilities have been reported in Cisco Unified
Communications Manager, which can be exploited by malicious people to
cause a DoS (Denial of Service).
Note: This vulnerability only affects version 7.0.x and later.
The vulnerabilities are reported in versions 6.x, 7.x, and 8.x.
SOLUTION:
Update to version 6.1(5)SU3, 7.1(5b)SU4, 8.0(3a)SU2, 8.5(1)SU2, or
8.6(1).
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
http://www.cisco.com/warp/public/707/cisco-sa-20110824-cucm.shtml
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-201108-0132 | CVE-2011-3192 |
Apache HTTPD 1.3/2.x Range header DoS vulnerability
Related entries in the VARIoT exploits database: VAR-E-201108-0001, VAR-E-201108-0002, VAR-E-201112-0005 |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
The byterange filter in the Apache HTTP Server 1.3.x, 2.0.x through 2.0.64, and 2.2.x through 2.2.19 allows remote attackers to cause a denial of service (memory and CPU consumption) via a Range header that expresses multiple overlapping ranges, as exploited in the wild in August 2011, a different vulnerability than CVE-2007-0086. Apache HTTPD server contains a denial-of-service vulnerability in the way multiple overlapping ranges are handled. Both the 'Range' header and the 'Range-Request' header are vulnerable. An attack tool, commonly known as 'Apache Killer', has been released in the wild. The attack tool causes a significant increase in CPU and memory usage on the server.
Successful exploits will result in a denial-of-service condition. Multiple Cisco products
may be affected by this vulnerability.
Mitigations that can be deployed on Cisco devices within the network
are available in the Cisco Applied Intelligence companion document
for this Advisory:
http://tools.cisco.com/security/center/viewAMBAlert.x?alertId=24024
This advisory is posted at:
http://www.cisco.com/warp/public/707/cisco-sa-20110830-apache.shtml
Affected Products
=================
Cisco is currently evaluating products for possible exposure to this
vulnerability. Products will only be listed in the Vulnerable
Products or Products Confirmed Not Vulnerable sections of this
security advisory when a final determination about exposure is made.
Products that are not listed in either of these two sections are
still being evaluated.
Vulnerable Products
+------------------
This section will be updated when more information is available. The
following products are confirmed to be affected by this
vulnerability:
* Cisco MDS 9000 NX-OS Software releases prior to 4.2.x are
affected. Cisco MDS 9000 NX-OS Software releases 4.2.x and later
are not affected.
* Cisco NX-OS Software for Cisco Nexus 7000 Series Switches
releases prior to 4.2.x are affected. Cisco NX-OS Software for
Cisco Nexus 7000 Series Switches versions 4.2.x and later are not
affected.
* Cisco TelePresence Video Communication Server (Cisco TelePresence
VCS)
* Cisco Video Surveillance Manager (VSM)
* Cisco Video Surveillance Operations Manager (VSOM)
* Cisco Wireless Control System (WCS)
Products Confirmed Not Vulnerable
+--------------------------------
The following products are confirmed not vulnerable:
* Cisco ASA 5500 Series Adaptive Security Appliances
* Cisco Catalyst 6500 Series ASA Services Module
* Cisco Catalyst 6500 Series Firewall Services Module
* Cisco Fabric Manager
* Cisco Identity Services Engine
* Cisco Intercompany Media Engine
* Cisco IOS Software
* Cisco IOS XE Software
* Cisco IOS XR Software
* Cisco IP Interoperability and Collaboration System (IPICS)
* Cisco Unified IP Phones
* Cisco MDS 9000 NX-OS Software releases 4.2.x or later (prior
versions are affected)
* Cisco NX-OS Software for Nexus 7000 Series Switches releases
4.2.x or later (prior versions are affected)
* Cisco Prime Central
* Cisco Prime Optical
* Cisco Prime Performance Manager
* Cisco TelePresence Server
* Cisco Unified Communications Manager (formerly Cisco CallManager)
* Cisco Unity
* Cisco Unity Connection
* Cisco Wireless LAN Controllers (WLC)
This section will be updated when more information is available. Multiple Cisco products
may be affected by this vulnerability.
The following Cisco bug IDs are being used to track potential
exposure to this vulnerability. The following Cisco bug IDs do not
confirm that a product is vulnerable; rather, the Cisco bug IDs
indicate that the product is under investigation by the appropriate
product teams.
+--------------------------------------------------------------------------------------------+
| Cisco Product | Cisco bug ID |
|----------------------------------------------------------------+---------------------------|
| Cisco ACE 4710 Appliance | CSCts35635 |
|----------------------------------------------------------------+---------------------------|
| Cisco ACE Application Control Engine Module | CSCts35610 |
|----------------------------------------------------------------+---------------------------|
| Cisco ACE GSS 4400 Series Global Site Selector (GSS) | CSCts33313 |
|----------------------------------------------------------------+---------------------------|
| Cisco ACE XML Gateway | CSCts33321 |
|----------------------------------------------------------------+---------------------------|
| Cisco Active Network Abstraction | CSCts33317 |
|----------------------------------------------------------------+---------------------------|
| Cisco ASA 5500 Series Adaptive Security Appliances | CSCts33180 |
|----------------------------------------------------------------+---------------------------|
| Cisco CNS Network Registrar | CSCts36064 |
|----------------------------------------------------------------+---------------------------|
| Cisco Conductor for Videoscape | CSCts32986 |
|----------------------------------------------------------------+---------------------------|
| Cisco Content Delivery Engine | CSCts36206 |
|----------------------------------------------------------------+---------------------------|
| Cisco Content Delivery System Internet Streamer | CSCts35643 |
|----------------------------------------------------------------+---------------------------|
| Cisco Detector XT DDoS Mitigation Appliance | CSCts33211 |
|----------------------------------------------------------------+---------------------------|
| Cisco Guard XT DDoS Mitigation Appliance | CSCts33210 |
|----------------------------------------------------------------+---------------------------|
| Cisco Healthpresence | CSCts36069 |
|----------------------------------------------------------------+---------------------------|
| Cisco Identity Services Engine | CSCts33092 |
|----------------------------------------------------------------+---------------------------|
| Cisco IP Interoperability and Collaboration System | CSCts33206 |
|----------------------------------------------------------------+---------------------------|
| Cisco IP Phones | CSCts33264 |
|----------------------------------------------------------------+---------------------------|
| Cisco IPS Software | CSCts33199 |
|----------------------------------------------------------------+---------------------------|
| Cisco MDS 9000 SAN Device Management | CSCts33220 |
|----------------------------------------------------------------+---------------------------|
| Cisco MDS 9000 Series Multilayer Switches | CSCts33294 |
|----------------------------------------------------------------+---------------------------|
| Cisco NAC Manager | CSCts32965 |
|----------------------------------------------------------------+---------------------------|
| Cisco NAC Profiler | CSCts33267 |
|----------------------------------------------------------------+---------------------------|
| Cisco NAC Server | CSCts32976 |
|----------------------------------------------------------------+---------------------------|
| Cisco Network Analysis Module | CSCts33320 |
|----------------------------------------------------------------+---------------------------|
| Cisco Networking Services (CNS) Software | CSCts33279 |
|----------------------------------------------------------------+---------------------------|
| Cisco Nexus 5000 Series Switches | CSCts35605 |
|----------------------------------------------------------------+---------------------------|
| Cisco Nexus 7000 Series Switches | CSCts35665 |
|----------------------------------------------------------------+---------------------------|
| Cisco OnPlus Network Management and Automation | CSCts33287 |
|----------------------------------------------------------------+---------------------------|
| Cisco Prime Central | CSCts33004 |
|----------------------------------------------------------------+---------------------------|
| Cisco Prime Network Control System | CSCts33114 |
|----------------------------------------------------------------+---------------------------|
| Cisco Prime Performance Manager | CSCts36072 |
|----------------------------------------------------------------+---------------------------|
| Cisco Quad Collaboration | CSCts36158 |
|----------------------------------------------------------------+---------------------------|
| Cisco Secure Access Control System | CSCts33196 |
|----------------------------------------------------------------+---------------------------|
| Cisco Security Manager | CSCts33056 |
|----------------------------------------------------------------+---------------------------|
| Cisco Service Exchange Framework | CSCts33218 |
|----------------------------------------------------------------+---------------------------|
| Cisco Signaling Gateway Manager | CSCts33248 |
|----------------------------------------------------------------+---------------------------|
| Cisco Small Business Network Storage Systems | CSCts33288 |
|----------------------------------------------------------------+---------------------------|
| Cisco SSC System Manager | CSCts36187 |
|----------------------------------------------------------------+---------------------------|
| Cisco TelePresence Manager | CSCts33310 |
|----------------------------------------------------------------+---------------------------|
| Cisco TelePresence Multipoint Switch | CSCts33224 |
|----------------------------------------------------------------+---------------------------|
| Cisco TelePresence Server | CSCts33230 |
|----------------------------------------------------------------+---------------------------|
| Cisco CTS 500-32 Telepresence System Series | CSCts35874 |
|----------------------------------------------------------------+---------------------------|
| All Cisco CTS TelePresence Systems except Cisco CTS 500-32 | CSCts33276 |
| TelePresence System Series | |
|----------------------------------------------------------------+---------------------------|
| Cisco Telepresence System Integrator C Series | CSCts35860 |
|----------------------------------------------------------------+---------------------------|
| Cisco UCS B-Series Blade Servers | CSCts33291 |
|----------------------------------------------------------------+---------------------------|
| Cisco Unified Communications Manager | CSCts32992 |
|----------------------------------------------------------------+---------------------------|
| Cisco Unified Communications System Voice and Unified | CSCts33271 |
| Communications (VOSS) | |
|----------------------------------------------------------------+---------------------------|
| Cisco Unified MeetingPlace | CSCts33169 |
|----------------------------------------------------------------+---------------------------|
| Cisco Unified Operations Manager | CSCts33273 |
|----------------------------------------------------------------+---------------------------|
| Cisco Unified Presence Server | CSCts33257 |
|----------------------------------------------------------------+---------------------------|
| Cisco Unified Service Monitor | CSCts35893 |
|----------------------------------------------------------------+---------------------------|
| Cisco Unified Service Statistics Manager | CSCts36074 |
|----------------------------------------------------------------+---------------------------|
| Cisco Unity | CSCts33302 |
|----------------------------------------------------------------+---------------------------|
| Cisco Unity Connection | CSCts33260 |
|----------------------------------------------------------------+---------------------------|
| Cisco Video Surveillance Manager | CSCts33173 |
|----------------------------------------------------------------+---------------------------|
| Cisco Video Surveillance Operations Manager | CSCts33178 |
|----------------------------------------------------------------+---------------------------|
| Cisco Virtual Network Management | CSCts36207 |
|----------------------------------------------------------------+---------------------------|
| Cisco Voice Manager (CVM) | CSCts36152 |
|----------------------------------------------------------------+---------------------------|
| Cisco Wide Area Application Services (WAAS) Software | CSCts33254 |
|----------------------------------------------------------------+---------------------------|
| Cisco Wireless Control System (WCS) | CSCts33325 |
|----------------------------------------------------------------+---------------------------|
| Cisco Wireless Control System Navigator | CSCts33052 |
|----------------------------------------------------------------+---------------------------|
| Cisco Wireless LAN Controllers (WLC) | CSCts33327 |
|----------------------------------------------------------------+---------------------------|
| CiscoWorks Common Services | CSCts33049 |
|----------------------------------------------------------------+---------------------------|
| CiscoWorks LAN Management Solution (LMS) | CSCts35837 |
|----------------------------------------------------------------+---------------------------|
| Cisco Digital Media Suite Products | CSCts33189 |
|----------------------------------------------------------------+---------------------------|
| Management Center for Cisco Security Agents | CSCts33208 |
|----------------------------------------------------------------+---------------------------|
| Service Exchange Framework | CSCts36185 |
|----------------------------------------------------------------+---------------------------|
| Cisco Shared Network Management and Automation | CSCts33476 |
+--------------------------------------------------------------------------------------------+
This vulnerability has been assigned the Common Vulnerabilities and
Exposures (CVE) identifier CVE-2011-3192.
Vulnerability Scoring Details
+----------------------------
Cisco has provided scores for the vulnerability in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at:
http://intellishield.cisco.com/security/alertmanager/cvss
* Apache HTTPd Range Header Denial of Service Vulnerability
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 7.8
Exploitability - High
Remediation Level - Unavailable
Report Confidence - Confirmed
Impact
======
Successful exploitation of this vulnerability could cause significant
memory and CPU utilization on affected products.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to determine
exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
Cisco NX-OS Software
+-------------------
Cisco MDS 9000 NX-OS Software releases prior to 4.2.x are affected.
Cisco MDS 9000 NX-OS Software releases 4.2.x and later are not
affected.
Cisco NX-OS Software for Cisco Nexus 7000 Series Switches releases
prior to 4.2.x are affected. Cisco NX-OS Software for Cisco Nexus
7000 Series Switches releases 4.2.x and later are not affected.
Cisco Video Surveillance Manager (VSM)
+-------------------------------------
No fixed software is available.
Cisco Video Surveillance Operations Manager (VSOM)
+-------------------------------------------------
No fixed software is available.
This section will be updated when more information is available.
Workarounds
===========
Mitigations that can be deployed on Cisco devices within the network
are available in the Cisco Applied Intelligence companion document
for this Advisory:
http://tools.cisco.com/security/center/viewAMBAlert.x?alertId=24024
Obtaining Fixed Software
========================
Cisco has released free software updates that address this
vulnerability. Prior to deploying software, customers should consult
their maintenance provider or check the software for feature set
compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound
by the terms of Cisco's software license terms found at
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html
or as otherwise set forth at Cisco.com Downloads at:
http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Customers with Service Contracts
================================
Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, this means that
upgrades should be obtained through the Software Center on Cisco's
worldwide website at http://www.cisco.com
Customers using Third Party Support Organizations
=================================================
Customers whose Cisco products are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.
Customers without Service Contracts
===================================
Customers who purchase direct from Cisco but do not hold a Cisco
service contract, and customers who purchase through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should acquire upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to
a free upgrade. Free upgrades for non-contract customers must be
requested through the TAC.
Refer to
http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
for additional TAC contact information, including localized telephone
numbers, and instructions and e-mail addresses for use in various
languages.
Exploitation and Public Announcements
=====================================
This vulnerability was initially reported to the Full Disclosure
mailing list at the following link:
http://seclists.org/fulldisclosure/2011/Aug/175
Apache has confirmed that it is aware of exploitation of this
vulnerability. Cisco is not aware of malicious exploitation of this
vulnerability related specifically to Cisco products.
Proof-of-concept code is available for this vulnerability.
Status of this Notice: INTERIM
==============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME. CISCO EXPECTS TO UPDATE THIS DOCUMENT AS NEW
INFORMATION BECOMES AVAILABLE.
A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at:
http://www.cisco.com/warp/public/707/cisco-sa-20110830-apache.shtml
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+---------------------------------------+
| Revision | | Initial |
| 1.0 | 2011-August-30 | public |
| | | release. |
+---------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This includes instructions for press inquiries regarding Cisco security notices.
All Cisco security advisories are available at:
http://www.cisco.com/go/psirt
+--------------------------------------------------------------------
Copyright 2010-2011 Cisco Systems, Inc. All rights reserved.
+--------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (SunOS)
iFcDBQFOXE95QXnnBKKRMNARCNOOAPwNqw0GmcvgFiKgHiHKH/T2rH/tiaXmqEU5
zwHUOqyYegD8CZvVuM9OPIOb3f3AeMz5HxYDbPMxkg+SEURf05JtyBw=
=lasc
-----END PGP SIGNATURE-----
.
HP Secure Web Server (SWS) for OpenVMS V2.2 and earlier. For other issues about
the content of this Security Bulletin, send e-mail to security-alert@hp.com. New packages are available
for Slackware 12.0, 12.1, 12.2, 13.0, 13.1, 13.37, and -current.
Here are the details from the Slackware 13.37 ChangeLog:
+--------------------------+
patches/packages/httpd-2.2.20-i486-1_slack13.37.txz: Upgraded.
SECURITY: CVE-2011-3192 (cve.mitre.org)
core: Fix handling of byte-range requests to use less memory, to avoid
denial of service. If the sum of all ranges in a request is larger than
the original file, ignore the ranges and send the complete file.
PR 51714. [Stefan Fritsch, Jim Jagielski, Ruediger Pluem, Eric Covener]
For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3192
(* Security fix *)
+--------------------------+
Where to find the new packages:
+-----------------------------+
Thanks to the friendly folks at the OSU Open Source Lab
(http://osuosl.org) for donating FTP and rsync hosting
to the Slackware project! :-)
Also see the "Get Slack" section on http://slackware.com for
additional mirror sites near you.
ftp://ftp.slackware.com/pub/slackware/slackware-12.0/patches/packages/httpd-2.2.20-i486-1_slack12.0.tgz
Updated package for Slackware 12.1:
ftp://ftp.slackware.com/pub/slackware/slackware-12.1/patches/packages/httpd-2.2.20-i486-1_slack12.1.tgz
Updated package for Slackware 12.2:
ftp://ftp.slackware.com/pub/slackware/slackware-12.2/patches/packages/httpd-2.2.20-i486-1_slack12.2.tgz
Updated package for Slackware 13.0:
ftp://ftp.slackware.com/pub/slackware/slackware-13.0/patches/packages/httpd-2.2.20-i486-1_slack13.0.txz
Updated package for Slackware x86_64 13.0:
ftp://ftp.slackware.com/pub/slackware/slackware64-13.0/patches/packages/httpd-2.2.20-x86_64-1_slack13.0.txz
Updated package for Slackware 13.1:
ftp://ftp.slackware.com/pub/slackware/slackware-13.1/patches/packages/httpd-2.2.20-i486-1_slack13.1.txz
Updated package for Slackware x86_64 13.1:
ftp://ftp.slackware.com/pub/slackware/slackware64-13.1/patches/packages/httpd-2.2.20-x86_64-1_slack13.1.txz
Updated package for Slackware 13.37:
ftp://ftp.slackware.com/pub/slackware/slackware-13.37/patches/packages/httpd-2.2.20-i486-1_slack13.37.txz
Updated package for Slackware x86_64 13.37:
ftp://ftp.slackware.com/pub/slackware/slackware64-13.37/patches/packages/httpd-2.2.20-x86_64-1_slack13.37.txz
Updated package for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/httpd-2.2.20-i486-1.txz
Updated package for Slackware x86_64 -current:
ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/n/httpd-2.2.20-x86_64-1.txz
MD5 signatures:
+-------------+
Slackware 12.0 package:
1c5d2923bf5ee56ea5b26a14f4bef750 httpd-2.2.20-i486-1_slack12.0.tgz
Slackware 12.1 package:
1afa27da8d2d897f871fb5fe91832f04 httpd-2.2.20-i486-1_slack12.1.tgz
Slackware 12.2 package:
883d978f2eb2fa09e0094096860995ef httpd-2.2.20-i486-1_slack12.2.tgz
Slackware 13.0 package:
db6935f7ce78acd0cf63bfed97497334 httpd-2.2.20-i486-1_slack13.0.txz
Slackware x86_64 13.0 package:
8c976a586a885b33c910c71a4cb655c9 httpd-2.2.20-x86_64-1_slack13.0.txz
Slackware 13.1 package:
eab2ada5def61d8734a80e887b10edc7 httpd-2.2.20-i486-1_slack13.1.txz
Slackware x86_64 13.1 package:
378da86cc706426c68cb3404bceb146c httpd-2.2.20-x86_64-1_slack13.1.txz
Slackware 13.37 package:
ac06dfbefebd419d7bebf3f18ddd1304 httpd-2.2.20-i486-1_slack13.37.txz
Slackware x86_64 13.37 package:
c650ee26fde72c7e6524784fa63ff8b8 httpd-2.2.20-x86_64-1_slack13.37.txz
Slackware -current package:
7afbbaae7ed7605620ad76dc9ae1146b n/httpd-2.2.20-i486-1.txz
Slackware x86_64 -current package:
5ef29bd575c49645496cbfc4fe657c84 n/httpd-2.2.20-x86_64-1.txz
Installation instructions:
+------------------------+
Upgrade the package as root:
# upgradepkg httpd-2.2.20-i486-1_slack13.37.txz
Then, restart the httpd daemon.
+-----+
Slackware Linux Security Team
http://slackware.com/gpg-key
security@slackware.com
+------------------------------------------------------------------------+
| To leave the slackware-security mailing list: |
+------------------------------------------------------------------------+
| Send an email to majordomo@slackware.com with this text in the body of |
| the email message: |
| |
| unsubscribe slackware-security |
| |
| You will get a confirmation message back containing instructions to |
| complete the process. Please do not reply to this email address.
The fix for CVE-2011-3192 provided by the MDVSA-2011:130 advisory
introduced regressions in the way httpd handled certain Range HTTP
header values.
The updated packages have been patched to correct these issues.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3348
https://issues.apache.org/bugzilla/show_bug.cgi?id=51878
_______________________________________________________________________
Updated Packages:
Mandriva Linux 2010.1:
efa3019014628e3c480750c1f2004a7c 2010.1/i586/apache-base-2.2.15-3.5mdv2010.2.i586.rpm
3087616095041b2a0ec35a4f07b0db39 2010.1/i586/apache-devel-2.2.15-3.5mdv2010.2.i586.rpm
f64f79810c740c6ea48a62b6efaa2e57 2010.1/i586/apache-htcacheclean-2.2.15-3.5mdv2010.2.i586.rpm
54193e742de9f3c09033686110dbcf12 2010.1/i586/apache-mod_authn_dbd-2.2.15-3.5mdv2010.2.i586.rpm
5190c0b547fdabd83f11f2c0b3c4c59c 2010.1/i586/apache-mod_cache-2.2.15-3.5mdv2010.2.i586.rpm
797c23a6d7bd773b56f12ef80e598bd3 2010.1/i586/apache-mod_dav-2.2.15-3.5mdv2010.2.i586.rpm
2489ede1721764643b2942292de4e43a 2010.1/i586/apache-mod_dbd-2.2.15-3.5mdv2010.2.i586.rpm
32132cdd5a453e1d35b34ad86756469b 2010.1/i586/apache-mod_deflate-2.2.15-3.5mdv2010.2.i586.rpm
bb94bf4569a6979b23bbf29e51172deb 2010.1/i586/apache-mod_disk_cache-2.2.15-3.5mdv2010.2.i586.rpm
c0465fd2bf450d8229c92ebd7b96e796 2010.1/i586/apache-mod_file_cache-2.2.15-3.5mdv2010.2.i586.rpm
8fe0536c0567db805b18eee9b6fbae4c 2010.1/i586/apache-mod_ldap-2.2.15-3.5mdv2010.2.i586.rpm
f9f7679d70d4c06573737e401c9efa56 2010.1/i586/apache-mod_mem_cache-2.2.15-3.5mdv2010.2.i586.rpm
bb61c23cadc265c1182e4d08beaf6834 2010.1/i586/apache-mod_proxy-2.2.15-3.5mdv2010.2.i586.rpm
724885ee3820d7b0ae7c20a188fb8c54 2010.1/i586/apache-mod_proxy_ajp-2.2.15-3.5mdv2010.2.i586.rpm
2582960ff8ed44b516dba77a8ca3f79e 2010.1/i586/apache-mod_proxy_scgi-2.2.15-3.5mdv2010.2.i586.rpm
54829077b157f55baa47bcb05769c039 2010.1/i586/apache-mod_reqtimeout-2.2.15-3.5mdv2010.2.i586.rpm
2e977bb1f6a182a2c70912167265ce50 2010.1/i586/apache-mod_ssl-2.2.15-3.5mdv2010.2.i586.rpm
a5bf2b114ee2d72336adce28811c3037 2010.1/i586/apache-modules-2.2.15-3.5mdv2010.2.i586.rpm
83b2206a476ef960dd2267e42b2121af 2010.1/i586/apache-mod_userdir-2.2.15-3.5mdv2010.2.i586.rpm
e5c81b0d5dee76dfe644188c719208fd 2010.1/i586/apache-mpm-event-2.2.15-3.5mdv2010.2.i586.rpm
1f565927f0329db6a6dcbfc146862d7d 2010.1/i586/apache-mpm-itk-2.2.15-3.5mdv2010.2.i586.rpm
9fe74c5aa75109bd04e60278d3ce4f27 2010.1/i586/apache-mpm-peruser-2.2.15-3.5mdv2010.2.i586.rpm
3a253e811772ae2eeed3ed028bb05dec 2010.1/i586/apache-mpm-prefork-2.2.15-3.5mdv2010.2.i586.rpm
ada4b77b392aa8a5b6c283d1d3394f19 2010.1/i586/apache-mpm-worker-2.2.15-3.5mdv2010.2.i586.rpm
f777f009148573676e3bda6fa9d3472a 2010.1/i586/apache-source-2.2.15-3.5mdv2010.2.i586.rpm
30b49a94b9485639515c5323a58a87b2 2010.1/SRPMS/apache-2.2.15-3.5mdv2010.2.src.rpm
Mandriva Linux 2010.1/X86_64:
904ac3e39e1544ac03201c638f272461 2010.1/x86_64/apache-base-2.2.15-3.5mdv2010.2.x86_64.rpm
48164409c194bc836764f105d332b9b2 2010.1/x86_64/apache-devel-2.2.15-3.5mdv2010.2.x86_64.rpm
7f9ba9d3b24e352fd9c6dbb770d1c0e2 2010.1/x86_64/apache-htcacheclean-2.2.15-3.5mdv2010.2.x86_64.rpm
bfc5629f34ceec77cc9f63cbacedec8b 2010.1/x86_64/apache-mod_authn_dbd-2.2.15-3.5mdv2010.2.x86_64.rpm
e4f47be08c6bf1e1e12f8f8263014238 2010.1/x86_64/apache-mod_cache-2.2.15-3.5mdv2010.2.x86_64.rpm
01f8ba996efc43df6e94cf3ba7b960ee 2010.1/x86_64/apache-mod_dav-2.2.15-3.5mdv2010.2.x86_64.rpm
07b4081d62a107a075f1b2e13a505496 2010.1/x86_64/apache-mod_dbd-2.2.15-3.5mdv2010.2.x86_64.rpm
42dc96e272815486f57db1fc5b5006c3 2010.1/x86_64/apache-mod_deflate-2.2.15-3.5mdv2010.2.x86_64.rpm
5ab4bcddcd345aee9938a53f8c66f652 2010.1/x86_64/apache-mod_disk_cache-2.2.15-3.5mdv2010.2.x86_64.rpm
8bc139a4c4ce0381292885d35e0dc9a8 2010.1/x86_64/apache-mod_file_cache-2.2.15-3.5mdv2010.2.x86_64.rpm
d7add6101b8b2393c9e16bbe4570e474 2010.1/x86_64/apache-mod_ldap-2.2.15-3.5mdv2010.2.x86_64.rpm
4276d115ba3061e90c55b3614fc094e9 2010.1/x86_64/apache-mod_mem_cache-2.2.15-3.5mdv2010.2.x86_64.rpm
f12d0cfb139cfe7b46b2a6d6d0dbea74 2010.1/x86_64/apache-mod_proxy-2.2.15-3.5mdv2010.2.x86_64.rpm
527aa8011d33407b6e7419f51b1ba1f4 2010.1/x86_64/apache-mod_proxy_ajp-2.2.15-3.5mdv2010.2.x86_64.rpm
4b4fbeb9ae7243582d7a6d0f702c2f22 2010.1/x86_64/apache-mod_proxy_scgi-2.2.15-3.5mdv2010.2.x86_64.rpm
fc812b63a2078aa8ee8cd6bbee447589 2010.1/x86_64/apache-mod_reqtimeout-2.2.15-3.5mdv2010.2.x86_64.rpm
5b13aaae983d8d37ade193afe05f97d0 2010.1/x86_64/apache-mod_ssl-2.2.15-3.5mdv2010.2.x86_64.rpm
c00c4fd9fd7bb6179f96e65567c6197d 2010.1/x86_64/apache-modules-2.2.15-3.5mdv2010.2.x86_64.rpm
0280efe603339cea73a9989d1e216d2e 2010.1/x86_64/apache-mod_userdir-2.2.15-3.5mdv2010.2.x86_64.rpm
53d1ba40692126ce9d98110e754bdece 2010.1/x86_64/apache-mpm-event-2.2.15-3.5mdv2010.2.x86_64.rpm
74caa9e8aee48eb0506d91acd2c8075e 2010.1/x86_64/apache-mpm-itk-2.2.15-3.5mdv2010.2.x86_64.rpm
73e3ada13fe3df988d00ae0a7c31a8e4 2010.1/x86_64/apache-mpm-peruser-2.2.15-3.5mdv2010.2.x86_64.rpm
81ab4347551eb3c860b01985e614e309 2010.1/x86_64/apache-mpm-prefork-2.2.15-3.5mdv2010.2.x86_64.rpm
16164f1d9cbaf6e4d80874ef53a8b6fa 2010.1/x86_64/apache-mpm-worker-2.2.15-3.5mdv2010.2.x86_64.rpm
990b96231afbdc851ff03ccbb0e1203d 2010.1/x86_64/apache-source-2.2.15-3.5mdv2010.2.x86_64.rpm
30b49a94b9485639515c5323a58a87b2 2010.1/SRPMS/apache-2.2.15-3.5mdv2010.2.src.rpm
Mandriva Enterprise Server 5:
000a1b64448acad341d2bead5a7b2b40 mes5/i586/apache-base-2.2.9-12.14mdvmes5.2.i586.rpm
4c904a9851b0a6b54c936952e21d4f9a mes5/i586/apache-devel-2.2.9-12.14mdvmes5.2.i586.rpm
f8772da8100473cdb73c580764a052ff mes5/i586/apache-htcacheclean-2.2.9-12.14mdvmes5.2.i586.rpm
df5ff9f23abbf7bfdfe3290dd229fa3c mes5/i586/apache-mod_authn_dbd-2.2.9-12.14mdvmes5.2.i586.rpm
495e3856b6a6c6deed0879a74ff96e91 mes5/i586/apache-mod_cache-2.2.9-12.14mdvmes5.2.i586.rpm
19bf954e5808bb55904eb15e0da83eaa mes5/i586/apache-mod_dav-2.2.9-12.14mdvmes5.2.i586.rpm
69b7ed150f649056ca9ed5c8dbb69ab9 mes5/i586/apache-mod_dbd-2.2.9-12.14mdvmes5.2.i586.rpm
e0ef096233b8ab089944bd97a636d984 mes5/i586/apache-mod_deflate-2.2.9-12.14mdvmes5.2.i586.rpm
ba8efbb0753f0c4b9e0542714c0dc38d mes5/i586/apache-mod_disk_cache-2.2.9-12.14mdvmes5.2.i586.rpm
778ee556b1cccf580aafe55104718ced mes5/i586/apache-mod_file_cache-2.2.9-12.14mdvmes5.2.i586.rpm
7e779a0c3ab9bf94a0f07a37b5a1ad76 mes5/i586/apache-mod_ldap-2.2.9-12.14mdvmes5.2.i586.rpm
f1a30b1609adfd75a1d1aa81145cc2b1 mes5/i586/apache-mod_mem_cache-2.2.9-12.14mdvmes5.2.i586.rpm
fe9fcfd8ca9b7129de9535aee2917f3f mes5/i586/apache-mod_proxy-2.2.9-12.14mdvmes5.2.i586.rpm
95943de5218e180dcdc4088e5757f6db mes5/i586/apache-mod_proxy_ajp-2.2.9-12.14mdvmes5.2.i586.rpm
318c98c15a80c6f54b5eafcb0f35c3dd mes5/i586/apache-mod_ssl-2.2.9-12.14mdvmes5.2.i586.rpm
a4d215acc80c76d8fa7296a1a9e71e66 mes5/i586/apache-modules-2.2.9-12.14mdvmes5.2.i586.rpm
6dd522fae06c5b507125966862f3baeb mes5/i586/apache-mod_userdir-2.2.9-12.14mdvmes5.2.i586.rpm
f142012531d29a89eb26bdf94fed9e77 mes5/i586/apache-mpm-event-2.2.9-12.14mdvmes5.2.i586.rpm
12f441381a02a93615f570de2984296d mes5/i586/apache-mpm-itk-2.2.9-12.14mdvmes5.2.i586.rpm
e6fe55d8db2ea5fb88ea1b39f76b0bdb mes5/i586/apache-mpm-peruser-2.2.9-12.14mdvmes5.2.i586.rpm
74ba90b3e16d7dc1bf44f28e83666086 mes5/i586/apache-mpm-prefork-2.2.9-12.14mdvmes5.2.i586.rpm
89059e7700f61272a5a1bed0a5aa9854 mes5/i586/apache-mpm-worker-2.2.9-12.14mdvmes5.2.i586.rpm
dceffe55d15d99932e04cf2b1f8f12c3 mes5/i586/apache-source-2.2.9-12.14mdvmes5.2.i586.rpm
1803c43f9aaa75ba96abb9b82b3f9cfd mes5/SRPMS/apache-2.2.9-12.14mdvmes5.2.src.rpm
Mandriva Enterprise Server 5/X86_64:
050aa909a942ddf054f913066552fbcc mes5/x86_64/apache-base-2.2.9-12.14mdvmes5.2.x86_64.rpm
2d9fa3f4003f8577fc372493a216ff4a mes5/x86_64/apache-devel-2.2.9-12.14mdvmes5.2.x86_64.rpm
68305995effc2bd9a1cc6c234da9ce88 mes5/x86_64/apache-htcacheclean-2.2.9-12.14mdvmes5.2.x86_64.rpm
895e327ff7b75ba1489904c7f50c9219 mes5/x86_64/apache-mod_authn_dbd-2.2.9-12.14mdvmes5.2.x86_64.rpm
92f1a4e37e02079b707844c119f396cf mes5/x86_64/apache-mod_cache-2.2.9-12.14mdvmes5.2.x86_64.rpm
61c1d304dd3fc85717d1fdc74c62402a mes5/x86_64/apache-mod_dav-2.2.9-12.14mdvmes5.2.x86_64.rpm
b4f161ec2d9745ea40e6be83ec670ad4 mes5/x86_64/apache-mod_dbd-2.2.9-12.14mdvmes5.2.x86_64.rpm
b3dd2d1cd1d3a4236c022254e7f5dae5 mes5/x86_64/apache-mod_deflate-2.2.9-12.14mdvmes5.2.x86_64.rpm
6992b43e842ff1a77132c1667204a1f1 mes5/x86_64/apache-mod_disk_cache-2.2.9-12.14mdvmes5.2.x86_64.rpm
68885f5adf906884bfede7be9b98c0de mes5/x86_64/apache-mod_file_cache-2.2.9-12.14mdvmes5.2.x86_64.rpm
38152f4ed136292e725f0cac2a836a23 mes5/x86_64/apache-mod_ldap-2.2.9-12.14mdvmes5.2.x86_64.rpm
d4e4ab43908f41d33106e069e85e19f0 mes5/x86_64/apache-mod_mem_cache-2.2.9-12.14mdvmes5.2.x86_64.rpm
4c54f275dd6dc1f4ef56c0fa26f1f262 mes5/x86_64/apache-mod_proxy-2.2.9-12.14mdvmes5.2.x86_64.rpm
ab35ab1aedb6b0fe30143af8ebb1c51b mes5/x86_64/apache-mod_proxy_ajp-2.2.9-12.14mdvmes5.2.x86_64.rpm
86d6ca8156a2ec224dd2c8f064bfa685 mes5/x86_64/apache-mod_ssl-2.2.9-12.14mdvmes5.2.x86_64.rpm
f0771cbbcad7bbbbb230ba17b49a00ec mes5/x86_64/apache-modules-2.2.9-12.14mdvmes5.2.x86_64.rpm
9d6ed0960614673c4085a2d9a90876b9 mes5/x86_64/apache-mod_userdir-2.2.9-12.14mdvmes5.2.x86_64.rpm
2dfc496e8aea977d133823ccbb72f754 mes5/x86_64/apache-mpm-event-2.2.9-12.14mdvmes5.2.x86_64.rpm
f1a306cc23d666161058585337e598e6 mes5/x86_64/apache-mpm-itk-2.2.9-12.14mdvmes5.2.x86_64.rpm
ede25d1a607e03b8e65b3ecb46fd7b2b mes5/x86_64/apache-mpm-peruser-2.2.9-12.14mdvmes5.2.x86_64.rpm
67c5a299b3ed4c15341a54cbbc06a2bc mes5/x86_64/apache-mpm-prefork-2.2.9-12.14mdvmes5.2.x86_64.rpm
abd16d61836ee16d267d3cf29c68bdbf mes5/x86_64/apache-mpm-worker-2.2.9-12.14mdvmes5.2.x86_64.rpm
07dcbb776ca1b4261aa945b9daed5c3c mes5/x86_64/apache-source-2.2.9-12.14mdvmes5.2.x86_64.rpm
1803c43f9aaa75ba96abb9b82b3f9cfd mes5/SRPMS/apache-2.2.9-12.14mdvmes5.2.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iD8DBQFOuoyXmqjQ0CJFipgRAnR9AKCyVUZGycLkHzYaojJWEYZEDJHEFgCfU3oa
SBbMFvjmZIC1PWkEhcd2oiU=
=HxW0
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
. ----------------------------------------------------------------------
Ovum says ad hoc tools are out-dated. The best practice approach?
Fast vulnerability intelligence, threat handling, and setup in one tool.
Read the new report on the Secunia VIM:
http://secunia.com/products/corporate/vim/ovum_2011_request/
----------------------------------------------------------------------
TITLE:
Hitachi Products ByteRange Filter Denial of Service Vulnerability
SECUNIA ADVISORY ID:
SA46229
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/46229/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=46229
RELEASE DATE:
2011-10-30
DISCUSS ADVISORY:
http://secunia.com/advisories/46229/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/46229/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=46229
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Hitachi has acknowledged a vulnerability in multiple Hitachi
products, which can be exploited by malicious people to cause a DoS
(Denial of Service).
SOLUTION:
Apply fixes (please see the vendor's advisory for details).
ORIGINAL ADVISORY:
Hitachi (Japanese):
http://www.hitachi.co.jp/Prod/comp/soft1/security/info/./vuls/HS11-020/index.html
http://www.hitachi.co.jp/Prod/comp/soft1/security/info/./vuls/HS11-021/index.html
http://www.hitachi.co.jp/Prod/comp/soft1/security/info/./vuls/HS11-022/index.html
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
.
Release Date: 2011-11-03
Last Updated: 2011-11-03
Potential Security Impact: Remote Denial of Service (DoS)
Source: Hewlett-Packard Company, HP Software Security Response Team
VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified with HP OpenView Network Node Manager (OV NNM) running Apache. The vulnerabilities could be exploited remotely to create a Denial of Service (DoS).
References: CVE-2011-3348, CVE-2011-3192, CVE-2011-0419
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP OpenView Network Node Manager (OV NNM) v7.53 running on HP-UX, Linux, and Solaris.
BACKGROUND
CVSS 2.0 Base Metrics
===========================================================
Reference Base Vector Base Score
CVE-2011-3348 (AV:N/AC:M/Au:N/C:N/I:N/A:P) 4.3
CVE-2011-3192 (AV:N/AC:L/Au:N/C:N/I:N/A:C) 7.8
CVE-2011-0419 (AV:N/AC:M/Au:N/C:N/I:N/A:P) 4.3
===========================================================
Information on CVSS is documented
in HP Customer Notice: HPSN-2008-002
RESOLUTION
HP has provided Apache-2.2.21 to resolve the vulnerabilities.
Apache-2.2.21.tar.gz is available using ftp.
Host
Account
Password
ftp.usa.hp.com
sb02704
Secure12
After downloading Apache-2.2.21.tar.gz optionally verify the SHA1 check sum:
SHA1(Apache-2.2.21.tar)= 642721cac9a7c4d1e8e6033a5198071bbdd54840
SHA1(Apache-2.2.21.tar.gz)= 87d0c04be6dd06b52f1b9c7c645ce39fad117a08
The Apache-2.2.21.tar archive contains a README.txt file with installation instructions.
MANUAL ACTIONS: No
PRODUCT SPECIFIC INFORMATION
HP-UX Software Assistant: HP-UX Software Assistant is an enhanced application that replaces HP-UX Security Patch Check. It analyzes all Security Bulletins issued by HP and lists recommended actions that may apply to a specific HP-UX system. It can also download patches and create a depot automatically.
AFFECTED VERSIONS (for HP-UX)
For HP-UX OV NNM 7.53
HP-UX B.11.31
HP-UX B.11.23 (IA)
HP-UX B.11.23 (PA)
HP-UX B.11.11
=============
OVNNMgr.OVNNM-RUN,fr=B.07.50.00
action: install Apache-2.2.21
END AFFECTED VERSIONS (for HP-UX)
HISTORY
Version:1 (rev.1) - 3 November 2011 Initial release
Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy.
Support: For further information, contact normal HP Services support channel.
Report: To report a potential security vulnerability with any HP supported product, send Email to: security-alert@hp.com
Subscribe: To initiate a subscription to receive future HP Security Bulletin alerts via Email: http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins
Security Bulletin List: A list of HP Security Bulletins, updated periodically, is contained in HP Security Notice HPSN-2011-001: https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c02964430
3C = 3COM
3P = 3rd Party Software
GN = HP General Software
HF = HP Hardware and Firmware
MP = MPE/iX
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PI = Printing and Imaging
PV = ProCurve
ST = Storage Software
TU = Tru64 UNIX
UX = HP-UX
Copyright 2011 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental,special or consequential damages including downtime cost; lost profits;damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. Hewlett-Packard Company and the names of Hewlett-Packard products referenced herein are trademarks of Hewlett-Packard Company in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners
| VAR-201108-0311 | No CVE | Citrix Access Gateway login page cross-site scripting vulnerability |
CVSS V2: - CVSS V3: - Severity: - |
Citrix Access Gateway is a universal SSL VPN device. Part of the input on the relevant login page is missing filtering before returning to the user, and the attacker can exploit the vulnerability for cross-site scripting attacks, executing arbitrary HTML and script code on the target user's browser. Get sensitive information or hijack user sessions. The Citrix Access Gateway is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
Citrix Access Gateway Enterprise Edition versions 9.2-49.8 and prior are vulnerable. ----------------------------------------------------------------------
The Secunia CSI 5.0 Beta - now available for testing
Find out more, take a free test drive, and share your opinion with us:
http://secunia.com/blog/242
----------------------------------------------------------------------
TITLE:
Citrix Access Gateway Unspecified Cross-Site Scripting Vulnerability
SECUNIA ADVISORY ID:
SA45726
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/45726/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=45726
RELEASE DATE:
2011-08-25
DISCUSS ADVISORY:
http://secunia.com/advisories/45726/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/45726/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=45726
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
A vulnerability has been reported in Citrix Access Gateway, which can
be exploited by malicious people to conduct cross-site scripting
attacks.
Certain unspecified input related to the logon portal is not properly
sanitised before being returned to the user.
SOLUTION:
Apply update.
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
http://support.citrix.com/article/CTX129971
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-201108-0296 | No CVE | SAP Netweaver \"EPS_DELETE_FILE()\" Arbitrary File Removal Vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
SAP NetWeaver is a service-oriented application and integration platform. Provides a development and runtime environment for SAP applications, as well as custom development and integration with other applications and systems. SAP NetWeaver has any file deletion vulnerability in the implementation of EPS_DELETE_FILE(). This vulnerability can be exploited by remote attackers to delete any file on the affected computer or to steal the hash of the SAP server account in the Windows environment through SMBRelay attack. An attacker can use the default SAP account (such as TMSADM or SAPCPIC) to remotely execute the function EPS_DELETE_FILE to delete any file in the OS, or send a hash of the SAP account to the remote host or perform a smbrelay attack.
Attackers can exploit this issue with directory-traversal strings ('../') to delete arbitrary files; this may aid in launching further attacks
| VAR-201108-0291 | CVE-2011-2827 | Google Chrome Service disruption in (DoS) Vulnerabilities |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Use-after-free vulnerability in Google Chrome before 13.0.782.215 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to text searching. Google Chrome Has a deficiency in processing related to text search. (DoS) There are vulnerabilities that can be in a state or are otherwise unaffected.Service disruption by a third party (DoS) You may be put into a state or affected by other details. Google Chrome is prone to multiple vulnerabilities.
Attackers can exploit these issues to execute arbitrary code in the context of the browser, cause denial-of-service conditions, perform spoofing attacks, and bypass the same-origin policy; other attacks may also be possible.
Versions prior to Chrome 13.0.782.215 are vulnerable. Google Chrome is a web browser developed by Google (Google). -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
APPLE-SA-2011-10-12-4 Safari 5.1.1
Safari 5.1.1 is now available and addresses the following:
Safari
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7.2, OS X Lion Server v10.7.2, Windows 7, Vista,
XP SP2 or later
Impact: Visiting a malicious website may cause the execution of
arbitrary Javascript in the context of installed Safari Extensions
Description: A directory traversal issue existed in the handling of
safari-extension:// URLs. Visiting a malicious website may cause
execution of arbitrary Javascript in the context of installed Safari
Extensions, which may have context-dependent ramifications including
files from the user's system being sent to a remote server.
CVE-ID
CVE-2011-3229 : Aaron Sigel of vtty.com
Safari
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7.2, OS X Lion Server v10.7.2
Impact: Visiting a malicious website may lead to arbitrary code
execution
Description: A policy issue existed in the handling of file:// URLs.
This issue does not affect Windows systems.
CVE-ID
CVE-2011-3230 : Aaron Sigel of vtty.com
Safari
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8
Impact: Visiting a malicious website may lead to arbitrary code
execution
Description: An uninitialized memory access issue existed in the
handling of SSL certificates. This issue does not affect OS X Lion
systems or Windows systems.
CVE-ID
CVE-2011-3231 : Jason Broccardo of Fermi National Accelerator
Laboratory
WebKit
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7.2, OS X Lion Server v10.7.2, Windows 7, Vista,
XP SP2 or later
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in WebKit.
CVE-ID
CVE-2011-1440 : Jose A. Vazquez of spa-s3c.blogspot.com
CVE-2011-2338 : Abhishek Arya (Inferno) of Google Chrome Security
Team using AddressSanitizer
CVE-2011-2339 : Cris Neckar of the Google Chrome Security Team
CVE-2011-2341 : Apple
CVE-2011-2351 : miaubiz
CVE-2011-2352 : Apple
CVE-2011-2354 : Apple
CVE-2011-2356 : Adam Barth and Abhishek Arya of Google Chrome
Security Team using AddressSanitizer
CVE-2011-2359 : miaubiz
CVE-2011-2788 : Mikolaj Malecki of Samsung
CVE-2011-2790 : miaubiz
CVE-2011-2792 : miaubiz
CVE-2011-2797 : miaubiz
CVE-2011-2799 : miaubiz
CVE-2011-2809 : Abhishek Arya (Inferno) of Google Chrome Security
Team
CVE-2011-2811 : Apple
CVE-2011-2813 : Cris Neckar of Google Chrome Security Team using
AddressSanitizer
CVE-2011-2814 : Abhishek Arya (Inferno) of Google Chrome Security
Team using AddressSanitizer
CVE-2011-2815 : SkyLined of Google Chrome Security Team
CVE-2011-2816 : Apple
CVE-2011-2817 : Abhishek Arya (Inferno) of Google Chrome Security
Team using AddressSanitizer
CVE-2011-2818 : Martin Barbella
CVE-2011-2820 : Raman Tenneti and Philip Rogers of Google
CVE-2011-2823 : SkyLined of Google Chrome Security Team
CVE-2011-2827 : miaubiz
CVE-2011-2831 : Abhishek Arya (Inferno) of Google Chrome Security
Team using AddressSanitizer
CVE-2011-3232 : Aki Helin of OUSPG
CVE-2011-3233 : Sadrul Habib Chowdhury of the Chromium development
community, Cris Neckar and Abhishek Arya (Inferno) of Google Chrome
Security Team
CVE-2011-3234 : miaubiz
CVE-2011-3235 : Dimitri Glazkov, Kent Tamura, Dominic Cooney of the
Chromium development community, and Abhishek Arya (Inferno) of Google
Chrome Security Team
CVE-2011-3236 : Abhishek Arya (Inferno) of Google Chrome Security
Team using AddressSanitizer
CVE-2011-3237 : Dimitri Glazkov, Kent Tamura, Dominic Cooney of the
Chromium development community, and Abhishek Arya (Inferno) of Google
Chrome Security Team
CVE-2011-3238 : Martin Barbella
CVE-2011-3239 : Slawomir Blazek
CVE-2011-3241 : Apple
WebKit
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7.2, OS X Lion Server v10.7.2, Windows 7, Vista,
XP SP2 or later
Impact: A maliciously crafted website may be able to track the URLs
that a user visits within a frame
Description: A cross-origin issue existed in the handling of the
beforeload event.
CVE-ID
CVE-2011-2800 : Juho Nurminen
WebKit
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7.2, OS X Lion Server v10.7.2, Windows 7, Vista,
XP SP2 or later
Impact: Visiting a maliciously crafted website may lead to a cross-
site scripting attack
Description: A cross-origin issue existed in the handling of the
window.open method.
CVE-ID
CVE-2011-2805 : Sergey Glazunov
WebKit
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7.2, OS X Lion Server v10.7.2, Windows 7, Vista,
XP SP2 or later
Impact: Visiting a maliciously crafted website may lead to a cross-
site scripting attack
Description: A cross-origin issue existed in the handling of the
document.documentURI property.
CVE-ID
CVE-2011-2819 : Sergey Glazunov
WebKit
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7.2, OS X Lion Server v10.7.2, Windows 7, Vista,
XP SP2 or later
Impact: Visiting a maliciously crafted website may lead to a cross-
site scripting attack
Description: A cross-origin issue existed in the handling of
inactive DOM windows.
CVE-ID
CVE-2011-3243 : Sergey Glazunov
WebKit
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7.2, OS X Lion Server v10.7.2
Impact: In Private Browsing mode, cookies may be set even if "Block
cookies" is set to "Always"
Description: A logic issue existed in the handling of cookies in
Private Browsing mode. This issue does not affect Windows systems.
CVE-ID
CVE-2011-3242 : John Adamczyk
Safari 5.1.1 is available via the Apple Software Update
application, or Apple's Safari download site at:
http://www.apple.com/safari/download/
Safari for OS X Lion v10.7.2
The download file is named: Safari5.1.1Lion.dmg
Its SHA-1 digest is: 368113397d35475a0a4d0b0dbf3b31f543cfb4c5
Safari for Mac OS X v10.6.8
The download file is named: Safari5.1.1SnowLeopard.dmg
Its SHA-1 digest is: 4c588d86032ab24984b721354748f028b559fb37
Safari for Windows 7, Vista or XP
The download file is named: SafariSetup.exe
Its SHA-1 digest is: 5a2d3e0c0e601938f1d64d517e6a8199cd563d10
Safari for Windows 7, Vista or XP from the Microsoft Choice Screen
The download file is named: Safari_Setup.exe
Its SHA-1 digest is: f0094f19b7a6b0a96a4fe6407b0037223ae44b15
Safari+QuickTime for Windows 7, Vista or XP
The file is named: SafariQuickTimeSetup.exe
Its SHA-1 digest is: 3dbfe52e5be6409d0ad1fcb22e747963e10db218
Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.16 (Darwin)
iQEcBAEBAgAGBQJOlLv6AAoJEGnF2JsdZQeeqOUH/RWDBq5xXEegxI+N92+9lB42
J6ZBcO8rrigAhYz59ZJG0NF8VGZI0DSFI+dxC8XeoKfiamvkaZo1lYGLdqWiTkxz
6ODprWbfGVcwFd9rNeCbIc9E5FV0SRbS1xCv+JnrwR2i2raqgAEWc4CpAcH5mgqT
5G2cWhwS8EMUNXZz/C0IjkfNBAjQ2c9BHVHj0Wid5vyXutju3WOcBXwqcbTpNANI
NiVHf5ucaRep6110riIYazuCdFLCcwZDaySw2n2ZhelliTz1tpCa7uVoJfZjyeyw
xwY/QjLDBTSpUYDTPC//XG7ZswptKHFjrX4KtxD9XTltq5wNGJavJzKf2qa4jrM=
=ZXdu
-----END PGP SIGNATURE-----
| VAR-201108-0287 | CVE-2011-2823 | Google Chrome Denial of service in Japan (DoS) Vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Use-after-free vulnerability in Google Chrome before 13.0.782.215 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors involving a line box. Google Chrome is prone to multiple vulnerabilities.
Attackers can exploit these issues to execute arbitrary code in the context of the browser, cause denial-of-service conditions, perform spoofing attacks, and bypass the same-origin policy; other attacks may also be possible.
Versions prior to Chrome 13.0.782.215 are vulnerable. Google Chrome is a web browser developed by Google (Google). -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
APPLE-SA-2011-10-12-4 Safari 5.1.1
Safari 5.1.1 is now available and addresses the following:
Safari
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7.2, OS X Lion Server v10.7.2, Windows 7, Vista,
XP SP2 or later
Impact: Visiting a malicious website may cause the execution of
arbitrary Javascript in the context of installed Safari Extensions
Description: A directory traversal issue existed in the handling of
safari-extension:// URLs. Visiting a malicious website may cause
execution of arbitrary Javascript in the context of installed Safari
Extensions, which may have context-dependent ramifications including
files from the user's system being sent to a remote server.
CVE-ID
CVE-2011-3229 : Aaron Sigel of vtty.com
Safari
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7.2, OS X Lion Server v10.7.2
Impact: Visiting a malicious website may lead to arbitrary code
execution
Description: A policy issue existed in the handling of file:// URLs.
This issue does not affect Windows systems.
CVE-ID
CVE-2011-3230 : Aaron Sigel of vtty.com
Safari
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8
Impact: Visiting a malicious website may lead to arbitrary code
execution
Description: An uninitialized memory access issue existed in the
handling of SSL certificates. This issue does not affect OS X Lion
systems or Windows systems.
CVE-ID
CVE-2011-3231 : Jason Broccardo of Fermi National Accelerator
Laboratory
WebKit
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7.2, OS X Lion Server v10.7.2, Windows 7, Vista,
XP SP2 or later
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in WebKit.
CVE-ID
CVE-2011-1440 : Jose A. Vazquez of spa-s3c.blogspot.com
CVE-2011-2338 : Abhishek Arya (Inferno) of Google Chrome Security
Team using AddressSanitizer
CVE-2011-2339 : Cris Neckar of the Google Chrome Security Team
CVE-2011-2341 : Apple
CVE-2011-2351 : miaubiz
CVE-2011-2352 : Apple
CVE-2011-2354 : Apple
CVE-2011-2356 : Adam Barth and Abhishek Arya of Google Chrome
Security Team using AddressSanitizer
CVE-2011-2359 : miaubiz
CVE-2011-2788 : Mikolaj Malecki of Samsung
CVE-2011-2790 : miaubiz
CVE-2011-2792 : miaubiz
CVE-2011-2797 : miaubiz
CVE-2011-2799 : miaubiz
CVE-2011-2809 : Abhishek Arya (Inferno) of Google Chrome Security
Team
CVE-2011-2811 : Apple
CVE-2011-2813 : Cris Neckar of Google Chrome Security Team using
AddressSanitizer
CVE-2011-2814 : Abhishek Arya (Inferno) of Google Chrome Security
Team using AddressSanitizer
CVE-2011-2815 : SkyLined of Google Chrome Security Team
CVE-2011-2816 : Apple
CVE-2011-2817 : Abhishek Arya (Inferno) of Google Chrome Security
Team using AddressSanitizer
CVE-2011-2818 : Martin Barbella
CVE-2011-2820 : Raman Tenneti and Philip Rogers of Google
CVE-2011-2823 : SkyLined of Google Chrome Security Team
CVE-2011-2827 : miaubiz
CVE-2011-2831 : Abhishek Arya (Inferno) of Google Chrome Security
Team using AddressSanitizer
CVE-2011-3232 : Aki Helin of OUSPG
CVE-2011-3233 : Sadrul Habib Chowdhury of the Chromium development
community, Cris Neckar and Abhishek Arya (Inferno) of Google Chrome
Security Team
CVE-2011-3234 : miaubiz
CVE-2011-3235 : Dimitri Glazkov, Kent Tamura, Dominic Cooney of the
Chromium development community, and Abhishek Arya (Inferno) of Google
Chrome Security Team
CVE-2011-3236 : Abhishek Arya (Inferno) of Google Chrome Security
Team using AddressSanitizer
CVE-2011-3237 : Dimitri Glazkov, Kent Tamura, Dominic Cooney of the
Chromium development community, and Abhishek Arya (Inferno) of Google
Chrome Security Team
CVE-2011-3238 : Martin Barbella
CVE-2011-3239 : Slawomir Blazek
CVE-2011-3241 : Apple
WebKit
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7.2, OS X Lion Server v10.7.2, Windows 7, Vista,
XP SP2 or later
Impact: A maliciously crafted website may be able to track the URLs
that a user visits within a frame
Description: A cross-origin issue existed in the handling of the
beforeload event.
CVE-ID
CVE-2011-2800 : Juho Nurminen
WebKit
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7.2, OS X Lion Server v10.7.2, Windows 7, Vista,
XP SP2 or later
Impact: Visiting a maliciously crafted website may lead to a cross-
site scripting attack
Description: A cross-origin issue existed in the handling of the
window.open method.
CVE-ID
CVE-2011-2805 : Sergey Glazunov
WebKit
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7.2, OS X Lion Server v10.7.2, Windows 7, Vista,
XP SP2 or later
Impact: Visiting a maliciously crafted website may lead to a cross-
site scripting attack
Description: A cross-origin issue existed in the handling of the
document.documentURI property.
CVE-ID
CVE-2011-2819 : Sergey Glazunov
WebKit
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7.2, OS X Lion Server v10.7.2, Windows 7, Vista,
XP SP2 or later
Impact: Visiting a maliciously crafted website may lead to a cross-
site scripting attack
Description: A cross-origin issue existed in the handling of
inactive DOM windows.
CVE-ID
CVE-2011-3243 : Sergey Glazunov
WebKit
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7.2, OS X Lion Server v10.7.2
Impact: In Private Browsing mode, cookies may be set even if "Block
cookies" is set to "Always"
Description: A logic issue existed in the handling of cookies in
Private Browsing mode. This issue does not affect Windows systems.
CVE-ID
CVE-2011-3242 : John Adamczyk
Safari 5.1.1 is available via the Apple Software Update
application, or Apple's Safari download site at:
http://www.apple.com/safari/download/
Safari for OS X Lion v10.7.2
The download file is named: Safari5.1.1Lion.dmg
Its SHA-1 digest is: 368113397d35475a0a4d0b0dbf3b31f543cfb4c5
Safari for Mac OS X v10.6.8
The download file is named: Safari5.1.1SnowLeopard.dmg
Its SHA-1 digest is: 4c588d86032ab24984b721354748f028b559fb37
Safari for Windows 7, Vista or XP
The download file is named: SafariSetup.exe
Its SHA-1 digest is: 5a2d3e0c0e601938f1d64d517e6a8199cd563d10
Safari for Windows 7, Vista or XP from the Microsoft Choice Screen
The download file is named: Safari_Setup.exe
Its SHA-1 digest is: f0094f19b7a6b0a96a4fe6407b0037223ae44b15
Safari+QuickTime for Windows 7, Vista or XP
The file is named: SafariQuickTimeSetup.exe
Its SHA-1 digest is: 3dbfe52e5be6409d0ad1fcb22e747963e10db218
Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.16 (Darwin)
iQEcBAEBAgAGBQJOlLv6AAoJEGnF2JsdZQeeqOUH/RWDBq5xXEegxI+N92+9lB42
J6ZBcO8rrigAhYz59ZJG0NF8VGZI0DSFI+dxC8XeoKfiamvkaZo1lYGLdqWiTkxz
6ODprWbfGVcwFd9rNeCbIc9E5FV0SRbS1xCv+JnrwR2i2raqgAEWc4CpAcH5mgqT
5G2cWhwS8EMUNXZz/C0IjkfNBAjQ2c9BHVHj0Wid5vyXutju3WOcBXwqcbTpNANI
NiVHf5ucaRep6110riIYazuCdFLCcwZDaySw2n2ZhelliTz1tpCa7uVoJfZjyeyw
xwY/QjLDBTSpUYDTPC//XG7ZswptKHFjrX4KtxD9XTltq5wNGJavJzKf2qa4jrM=
=ZXdu
-----END PGP SIGNATURE-----
| VAR-201108-0289 | CVE-2011-2825 | Used in multiple products Webkit Service disruption in (DoS) Vulnerabilities |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Use-after-free vulnerability in Google Chrome before 13.0.782.215 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors involving custom fonts. Used in multiple products Webkit There is a service disruption (DoS) There are vulnerabilities that can be in a state or are otherwise unaffected.Service disruption by a third party (DoS) You may be put into a state or affected by other details. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Webkit. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within the parsing and utilization of font objects. When the code parses the @font-face CSS element it does not validate that the font-family is legitimate. Later, if the same font-family is applied within CSS the code will access an invalid element of its internal font object. This can be leveraged by a remote attacker to execute code under the context of the user running the browser. Google Chrome is prone to multiple vulnerabilities.
Attackers can exploit these issues to execute arbitrary code in the context of the browser, cause denial-of-service conditions, perform spoofing attacks, and bypass the same-origin policy; other attacks may also be possible.
Versions prior to Chrome 13.0.782.215 are vulnerable. Google Chrome is a web browser developed by Google (Google).
These could be used in a malicious web site to direct the user to a
spoofed site that visually appears to be a legitimate domain. This
issue is addressed through an improved domain name validity check.
This issue does not affect OS X systems.
CVE-ID
CVE-2012-0640 : nshah
WebKit
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7.3, OS X Lion Server v10.7.3, Windows 7, Vista,
XP SP2 or later
Impact: HTTP authentication credentials may be inadvertently
disclosed to another site
Description: If a site uses HTTP authentication and redirects to
another site, the authentication credentials may be sent to the other
site. ----------------------------------------------------------------------
Become a PSI 3.0 beta tester!
Test-drive the new beta version and tell us what you think about its extended automatic update function and significantly enhanced user-interface.
Download it here!
http://secunia.com/psi_30_beta_launch
----------------------------------------------------------------------
TITLE:
Apple iOS Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA48288
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/48288/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=48288
RELEASE DATE:
2012-03-09
DISCUSS ADVISORY:
http://secunia.com/advisories/48288/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/48288/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=48288
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
A weakness and multiple vulnerabilities have been reported in Apple
iOS, which can be exploited by malicious people with physical access
to bypass certain security restrictions and by malicious people to
disclose sensitive information, conduct cross-site scripting attacks,
bypass certain security restrictions, and compromise a user's device.
1) An error within the CFNetwork component when handling URLs can be
exploited to disclose sensitive information by tricking the user into
visiting a malicious website.
3) A logic error within the kernel does not properly handle debug
system calls and can be exploited to bypass the sandbox
restrictions.
4) An integer overflow error within the libresolv library when
handling DNS resource records can be exploited to corrupt heap
memory.
9) A cross-origin error in the WebKit component can be exploited to
bypass the same-origin policy and disclose a cookie by tricking the
user into visiting a malicious website.
10) An error within the WebKit component when handling drag-and-drop
actions can be exploited to conduct cross-site scripting attacks.
11) Multiple unspecified errors within the WebKit component can be
exploited to conduct cross-site scripting attacks.
12) Some vulnerabilities are caused due to a bundled vulnerable
version of WebKit.
SOLUTION:
Apply iOS 5.1 Software Update.
PROVIDED AND/OR DISCOVERED BY:
The vendor credits:
1) Erling Ellingsen, Facebook.
2, 8) pod2g.
3) 2012 iOS Jailbreak Dream Team.
5) Roland Kohler, the German Federal Ministry of Economics and
Technology.
6) Eric Melville, American Express.
9) Sergey Glazunov.
ORIGINAL ADVISORY:
Apple:
http://support.apple.com/kb/HT5192
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
APPLE-SA-2012-03-07-2 iOS 5.1 Software Update
iOS 5.1 Software Update is now available and addresses the following:
CFNetwork
Available for: iPhone 3GS, iPhone 4, iPhone 4S,
iPod touch (3rd generation) and later, iPad, iPad 2
Impact: Visiting a maliciously crafted website may lead to the
disclosure of sensitive information
Description: An issue existed in CFNetwork's handling of malformed
URLs. When accessing a maliciously crafted URL, CFNetwork could send
unexpected request headers.
CVE-ID
CVE-2012-0641 : Erling Ellingsen of Facebook
HFS
Available for: iPhone 3GS, iPhone 4, iPhone 4S,
iPod touch (3rd generation) and later, iPad, iPad 2
Impact: Mounting a maliciously crafted disk image may lead to a
device shutdown or arbitrary code execution
Description: An integer underflow existed with the handling of HFS
catalog files.
CVE-ID
CVE-2012-0642 : pod2g
Kernel
Available for: iPhone 3GS, iPhone 4, iPhone 4S,
iPod touch (3rd generation) and later, iPad, iPad 2
Impact: A malicious program could bypass sandbox restrictions
Description: A logic issue existed in the handling of debug system
calls. This may allow a malicious program to gain code execution in
other programs with the same user privileges.
CVE-ID
CVE-2012-0643 : 2012 iOS Jailbreak Dream Team
libresolv
Available for: iPhone 3GS, iPhone 4, iPhone 4S,
iPod touch (3rd generation) and later, iPad, iPad 2
Impact: Applications that use the libresolv library may be
vulnerable to an unexpected application termination or arbitrary code
execution
Description: An integer overflow existed in the handling of DNS
resource records, which may lead to heap memory corruption.
CVE-ID
CVE-2011-3453 : Ilja van Sprundel of IOActive
Passcode Lock
Available for: iPhone 3GS, iPhone 4, iPhone 4S,
iPod touch (3rd generation) and later, iPad, iPad 2
Impact: A person with physical access to the device may be able to
bypass the screen lock
Description: A race condition issue existed in the handling of slide
to dial gestures. This may allow a person with physical access to the
device to bypass the Passcode Lock screen.
CVE-ID
CVE-2012-0644 : Roland Kohler of the German Federal Ministry of
Economics and Technology
Safari
Available for: iPhone 3GS, iPhone 4, iPhone 4S,
iPod touch (3rd generation) and later, iPad, iPad 2
Impact: Web page visits may be recorded in browser history even when
Private Browsing is active
Description: Safari's Private Browsing is designed to prevent
recording of a browsing session. Pages visited as a result of a site
using the JavaScript methods pushState or replaceState were recorded
in the browser history even when Private Browsing mode was active.
This issue is addressed by not recording such visits when Private
Browsing is active.
CVE-ID
CVE-2012-0585 : Eric Melville of American Express
Siri
Available for: iPhone 3GS, iPhone 4, iPhone 4S,
iPod touch (3rd generation) and later, iPad, iPad 2
Impact: An attacker with physical access to a locked phone could get
access to frontmost email message
Description: A design issue existed in Siri's lock screen
restrictions. If Siri was enabled for use on the lock screen, and
Mail was open with a message selected behind the lock screen, a voice
command could be used to send that message to an arbitrary recipient.
This issue is addressed by disabling forwarding of active messages
from the lock screen.
CVE-ID
CVE-2012-0645
VPN
Available for: iPhone 3GS, iPhone 4, iPhone 4S,
iPod touch (3rd generation) and later, iPad, iPad 2
Impact: A maliciously crafted system configuration file may lead to
arbitrary code execution with system privileges
Description: A format string vulnerability existed in the handling
of racoon configuration files.
CVE-ID
CVE-2012-0646 : pod2g
WebKit
Available for: iPhone 3GS, iPhone 4, iPhone 4S,
iPod touch (3rd generation) and later, iPad, iPad 2
Impact: Visiting a maliciously crafted website may lead to the
disclosure of cookies
Description: A cross-origin issue existed in WebKit, which may allow
cookies to be disclosed across origins.
CVE-ID
CVE-2011-3887 : Sergey Glazunov
WebKit
Available for: iPhone 3GS, iPhone 4, iPhone 4S,
iPod touch (3rd generation) and later, iPad, iPad 2
Impact: Visiting a maliciously crafted website and dragging content
with the mouse may lead to a cross-site scripting attack
Description: A cross-origin issue existed in WebKit, which may allow
content to be dragged and dropped across origins.
CVE-ID
CVE-2012-0590 : Adam Barth of Google Chrome Security Team
WebKit
Available for: iPhone 3GS, iPhone 4, iPhone 4S,
iPod touch (3rd generation) and later, iPad, iPad 2
Impact: Visiting a maliciously crafted website may lead to a cross-
site scripting attack
Description: Multiple cross-origin issues existed in WebKit.
CVE-ID
CVE-2011-3881 : Sergey Glazunov
CVE-2012-0586 : Sergey Glazunov
CVE-2012-0587 : Sergey Glazunov
CVE-2012-0588 : Jochen Eisinger of Google Chrome Team
CVE-2012-0589 : Alan Austin of polyvore.com
WebKit
Available for: iPhone 3GS, iPhone 4, iPhone 4S,
iPod touch (3rd generation) and later, iPad, iPad 2
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in WebKit.
CVE-ID
CVE-2011-2825 : wushi of team509 working with TippingPoint's Zero Day
Initiative
CVE-2011-2833 : Apple
CVE-2011-2846 : Arthur Gerkis, miaubiz
CVE-2011-2847 : miaubiz, Abhishek Arya (Inferno) of Google Chrome
Security Team using AddressSanitizer
CVE-2011-2854 : Abhishek Arya (Inferno) of Google Chrome Security
Team using AddressSanitizer
CVE-2011-2855 : Arthur Gerkis, wushi of team509 working with iDefense
VCP
CVE-2011-2857 : miaubiz
CVE-2011-2860 : Abhishek Arya (Inferno) of Google Chrome Security
Team using AddressSanitizer
CVE-2011-2867 : Dirk Schulze
CVE-2011-2868 : Abhishek Arya (Inferno) of Google Chrome Security
Team using AddressSanitizer
CVE-2011-2869 : Cris Neckar of Google Chrome Security Team using
AddressSanitizer
CVE-2011-2870 : Abhishek Arya (Inferno) of Google Chrome Security
Team using AddressSanitizer
CVE-2011-2871 : Abhishek Arya (Inferno) of Google Chrome Security
Team using AddressSanitizer
CVE-2011-2872 : Abhishek Arya (Inferno) and Cris Neckar of Google
Chrome Security Team using AddressSanitizer
CVE-2011-2873 : Abhishek Arya (Inferno) of Google Chrome Security
Team using AddressSanitizer
CVE-2011-2877 : miaubiz
CVE-2011-3885 : miaubiz
CVE-2011-3888 : miaubiz
CVE-2011-3897 : pa_kt working with TippingPoint's Zero Day Initiative
CVE-2011-3908 : Aki Helin of OUSPG
CVE-2011-3909 : Google Chrome Security Team (scarybeasts) and Chu
CVE-2011-3928 : wushi of team509 working with TippingPoint's Zero Day
Initiative
CVE-2012-0591 : miaubiz, and Martin Barbella
CVE-2012-0592 : Alexander Gavrun working with TippingPoint's Zero Day
Initiative
CVE-2012-0593 : Lei Zhang of the Chromium development community
CVE-2012-0594 : Adam Klein of the Chromium development community
CVE-2012-0595 : Apple
CVE-2012-0596 : Abhishek Arya (Inferno) of Google Chrome Security
Team using AddressSanitizer
CVE-2012-0597 : miaubiz
CVE-2012-0598 : Sergey Glazunov
CVE-2012-0599 : Dmytro Gorbunov of SaveSources.com
CVE-2012-0600 : Marshall Greenblatt, Dharani Govindan of Google
Chrome, miaubiz, Aki Helin of OUSPG, Apple
CVE-2012-0601 : Apple
CVE-2012-0602 : Apple
CVE-2012-0603 : Apple
CVE-2012-0604 : Apple
CVE-2012-0605 : Apple
CVE-2012-0606 : Apple
CVE-2012-0607 : Apple
CVE-2012-0608 : Abhishek Arya (Inferno) of Google Chrome Security
Team using AddressSanitizer
CVE-2012-0609 : Abhishek Arya (Inferno) of Google Chrome Security
Team using AddressSanitizer
CVE-2012-0610 : miaubiz, Martin Barbella using AddressSanitizer
CVE-2012-0611 : Martin Barbella using AddressSanitizer
CVE-2012-0612 : Abhishek Arya (Inferno) of Google Chrome Security
Team using AddressSanitizer
CVE-2012-0613 : Abhishek Arya (Inferno) of Google Chrome Security
Team using AddressSanitizer
CVE-2012-0614 : miaubiz, Martin Barbella using AddressSanitizer
CVE-2012-0615 : Martin Barbella using AddressSanitizer
CVE-2012-0616 : miaubiz
CVE-2012-0617 : Martin Barbella using AddressSanitizer
CVE-2012-0618 : Abhishek Arya (Inferno) of Google Chrome Security
Team using AddressSanitizer
CVE-2012-0619 : Abhishek Arya (Inferno) of Google Chrome Security
Team using AddressSanitizer
CVE-2012-0620 : Abhishek Arya (Inferno) of Google Chrome Security
Team using AddressSanitizer
CVE-2012-0621 : Martin Barbella using AddressSanitizer
CVE-2012-0622 : Dave Levin and Abhishek Arya of the Google Chrome
Security Team
CVE-2012-0623 : Abhishek Arya (Inferno) of Google Chrome Security
Team using AddressSanitizer
CVE-2012-0624 : Martin Barbella using AddressSanitizer
CVE-2012-0625 : Martin Barbella
CVE-2012-0626 : Abhishek Arya (Inferno) of Google Chrome Security
Team using AddressSanitizer
CVE-2012-0627 : Apple
CVE-2012-0628 : Slawomir Blazek, miaubiz, Abhishek Arya (Inferno) of
Google Chrome Security Team using AddressSanitizer
CVE-2012-0629 : Abhishek Arya (Inferno) of Google Chrome Security
Team
CVE-2012-0630 : Sergio Villar Senin of Igalia
CVE-2012-0631 : Abhishek Arya (Inferno) of Google Chrome Security
Team
CVE-2012-0632 : Cris Neckar of the Google Chrome Security Team using
AddressSanitizer
CVE-2012-0633 : Apple
CVE-2012-0635 : Julien Chaffraix of the Chromium development
community, Martin Barbella using AddressSanitizer
Installation note:
This update is only available through iTunes, and will not appear
in your computer's Software Update application, or in the Apple
Downloads site. Make sure you have an Internet connection and have
installed the latest version of iTunes from www.apple.com/itunes/
iTunes will automatically check Apple's update server on its weekly
schedule. When an update is detected, it will download it. When
the iPhone, iPod touch or iPad is docked, iTunes will present the
user with the option to install the update. We recommend applying
the update immediately if possible. Selecting Don't Install will
present the option the next time you connect your iPhone, iPod touch,
or iPad.
The automatic update process may take up to a week depending on the
day that iTunes checks for updates. You may manually obtain the
update via the Check for Updates button within iTunes. After doing
this, the update can be applied when your iPhone, iPod touch, or iPad
is docked to your computer.
To check that the iPhone, iPod touch, or iPad has been updated:
* Navigate to Settings
* Select General
* Select About. The version after applying this update will be "5.1".
Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.16 (Darwin)
iQEcBAEBAgAGBQJPV6M3AAoJEGnF2JsdZQeef/cIAKBSn0czLzJO9fu6ZyjLRvxq
4pIZgfyEVGBzpn+9IeiGFTkkVf+bOsA+Q3RlcsG5g0RlbyFgnuWu59HHsnkrElbM
bCfnnTF5eYZX/3fnLzxpX7BUsEona3nf1gHfR24OeEn36C8rZ6rZJfMLqCJNNZGY
RDSga1oeMN/AbgZuR9sYKudkE0GOmkLZfR2G4WXmrU+JncR6XoROUwoJBPhg8z90
HAxgDEbduuLLOSe7CHLS3apbh0L2tmxPCWpiBmEMg6PTlFF0HhJQJ0wusrUc8nX6
7TDsAho73wCOpChzBGQeemc6+UEN2uDmUgwVkN6n4D/qN1u6E+d3coUXOlb8hIY=
=qPeE
-----END PGP SIGNATURE-----
| VAR-201108-0285 | CVE-2011-2821 | libxml2 Service disruption in (DoS) Vulnerabilities |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Double free vulnerability in libxml2, as used in Google Chrome before 13.0.782.215, allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted XPath expression. Google Chrome is prone to multiple vulnerabilities.
Attackers can exploit these issues to execute arbitrary code in the context of the browser, cause denial-of-service conditions, perform spoofing attacks, and bypass the same-origin policy; other attacks may also be possible.
Versions prior to Chrome 13.0.782.215 are vulnerable. Google Chrome is a web browser developed by Google (Google). -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
APPLE-SA-2012-05-09-1 OS X Lion v10.7.4 and Security Update 2012-002
OS X Lion v10.7.4 and Security Update 2012-002 is now available and
addresses the following:
Login Window
Available for: OS X Lion v10.7.3, OS X Lion Server v10.7.3
Impact: Remote admins and persons with physical access to the system
may obtain account information
Description: An issue existed in the handling of network account
logins. The login process recorded sensitive information in the
system log, where other users of the system could read it. The
sensitive information may persist in saved logs after installation of
this update. See http://support.apple.com/kb/TS4272 for more
information on how to securely remove any remaining records. This
issue only affects systems running OS X Lion v10.7.3 with users of
Legacy File Vault and/or networked home directories.
CVE-ID
CVE-2012-0652 : Terry Reeves and Tim Winningham of the Ohio State
University, Markus 'Jaroneko' Raty of the Finnish Academy of Fine
Arts, Jaakko Pero of Aalto University, Mark Cohen of Oregon State
University, Paul Nelson
Bluetooth
Available for: OS X Lion v10.7 to v10.7.3,
OS X Lion Server v10.7 to v10.7.3
Impact: A local user may be able to execute arbitrary code with
system privileges
Description: A temporary file race condition issue existed in
blued's initialization routine.
CVE-ID
CVE-2012-0649 : Aaron Sigel of vtty.com
curl
Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8,
OS X Lion v10.7 to v10.7.3, OS X Lion Server v10.7 to v10.7.3
Impact: An attacker may be able to decrypt data protected by SSL
Description: There are known attacks on the confidentiality of SSL
3.0 and TLS 1.0 when a cipher suite uses a block cipher in CBC mode.
curl disabled the 'empty fragment' countermeasure which prevented
these attacks. This issue is addressed by enabling empty fragments.
CVE-ID
CVE-2011-3389 : Apple
curl
Available for: OS X Lion v10.7 to v10.7.3,
OS X Lion Server v10.7 to v10.7.3
Impact: Using curl or libcurl with a maliciously crafted URL may
lead to protocol-specific data injection attacks
Description: A data injection issue existed in curl's handling of
URLs. This issue is addressed through improved validation of URLs.
This issue does not affect systems prior to OS X Lion.
CVE-ID
CVE-2012-0036
Directory Service
Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8
Impact: A remote attacker may obtain sensitive information
Description: Multiple issues existed in the directory server's
handling of messages from the network. By sending a maliciously
crafted message, a remote attacker could cause the directory server
to disclose memory from its address space, potentially revealing
account credentials or other sensitive information. This issue does
not affect OS X Lion systems. The Directory Server is disabled by
default in non-server installations of OS X.
CVE-ID
CVE-2012-0651 : Agustin Azubel
HFS
Available for: OS X Lion v10.7 to v10.7.3,
OS X Lion Server v10.7 to v10.7.3
Impact: Mounting a maliciously crafted disk image may lead to a
system shutdown or arbitrary code execution
Description: An integer underflow existed in the handling of HFS
catalog files.
CVE-ID
CVE-2012-0642 : pod2g
ImageIO
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8
Impact: Viewing a maliciously crafted TIFF file may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in ImageIO's handling of
CCITT Group 4 encoded TIFF files. This issue does not affect OS X
Lion systems.
CVE-ID
CVE-2011-0241 : Cyril CATTIAUX of Tessi Technologies
ImageIO
Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8
Impact: Multiple vulnerabilities in libpng
Description: libpng is updated to version 1.5.5 to address multiple
vulnerabilities, the most serious of which may lead to information
disclosure. Further information is available via the libpng website
at http://www.libpng.org/pub/png/libpng.html
CVE-ID
CVE-2011-2692
CVE-2011-3328
ImageIO
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8
Impact: Viewing a maliciously crafted TIFF file may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in libtiff's handling of
ThunderScan encoded TIFF images. This issue is addressed by updating
libtiff to version 3.9.5.
CVE-ID
CVE-2011-1167
Kernel
Available for: OS X Lion v10.7 to v10.7.3,
OS X Lion Server v10.7 to v10.7.3
Impact: When FileVault is used, the disk may contain unencrypted
user data
Description: An issue in the kernel's handling of the sleep image
used for hibernation left some data unencrypted on disk even when
FileVault was enabled. This issue is addressed through improved
handling of the sleep image, and by overwriting the existing sleep
image when updating to OS X v10.7.4. This issue does not affect
systems prior to OS X Lion.
CVE-ID
CVE-2011-3212 : Felix Groebert of Google Security Team
libarchive
Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8,
OS X Lion v10.7 to v10.7.3, OS X Lion Server v10.7 to v10.7.3
Impact: Extracting a maliciously crafted archive may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple buffer overflows existed in the handling of
tar archives and iso9660 files.
CVE-ID
CVE-2011-1777
CVE-2011-1778
libsecurity
Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8,
OS X Lion v10.7 to v10.7.3, OS X Lion Server v10.7 to v10.7.3
Impact: Verifying a maliciously crafted X.509 certificate, such as
when visiting a maliciously crafted website, may lead to an
unexpected application termination or arbitrary code execution
Description: An uninitialized memory access issue existed in the
handling of X.509 certificates.
CVE-ID
CVE-2012-0654 : Dirk-Willem van Gulik of WebWeaving.org, Guilherme
Prado of Conselho da Justica Federal, Ryan Sleevi of Google
libsecurity
Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8,
OS X Lion v10.7 to v10.7.3, OS X Lion Server v10.7 to v10.7.3
Impact: Support for X.509 certificates with insecure-length RSA keys
may expose users to spoofing and information disclosure
Description: Certificates signed using RSA keys with insecure key
lengths were accepted by libsecurity. This issue is addressed by
rejecting certificates containing RSA keys less than 1024 bits.
CVE-ID
CVE-2012-0655
libxml
Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8,
OS X Lion v10.7 to v10.7.3, OS X Lion Server v10.7 to v10.7.3
Impact: Viewing a maliciously crafted web page may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple vulnerabilities existed in libxml, the most
serious of which may lead to an unexpected application termination or
arbitrary code execution. These issues are addressed by applying the
relevant upstream patches.
CVE-ID
CVE-2011-1944 : Chris Evans of Google Chrome Security Team
CVE-2011-2821 : Yang Dingning of NCNIPC, Graduate University of
Chinese Academy of Sciences
CVE-2011-2834 : Yang Dingning of NCNIPC, Graduate University of
Chinese Academy of Sciences
CVE-2011-3919 : Juri Aedla
LoginUIFramework
Available for: OS X Lion v10.7 to v10.7.3,
OS X Lion Server v10.7 to v10.7.3
Impact: If the Guest user is enabled, a user with physical access to
the computer may be able to log in to a user other than the Guest
user without entering a password
Description: A race condition existed in the handling of Guest user
logins. This issue does not affect systems prior to OS X Lion.
CVE-ID
CVE-2012-0656 : Francisco Gomez (espectalll123)
PHP
Available for: OS X Lion v10.7 to v10.7.3,
OS X Lion Server v10.7 to v10.7.3
Impact: Multiple vulnerabilities in PHP
Description: PHP is updated to version 5.3.10 to address several
vulnerabilities, the most serious of which may lead to arbitrary code
execution. Further information is available via the PHP web site at
http://www.php.net
CVE-ID
CVE-2011-4566
CVE-2011-4885
CVE-2012-0830
Quartz Composer
Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8,
OS X Lion v10.7 to v10.7.3, OS X Lion Server v10.7 to v10.7.3
Impact: A user with physical access to the computer may be able to
cause Safari to launch if the screen is locked and the RSS Visualizer
screen saver is used
Description: An access control issue existed in Quartz Composer's
handling of screen savers. This issue is addressed through improved
checking for whether or not the screen is locked.
CVE-ID
CVE-2012-0657 : Aaron Sigel of vtty.com
QuickTime
Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8,
OS X Lion v10.7 to v10.7.3, OS X Lion Server v10.7 to v10.7.3
Impact: Viewing a maliciously crafted movie file during progressive
download may lead to an unexpected application termination or
arbitrary code execution
Description: A buffer overflow existed in the handling of audio
sample tables.
CVE-ID
CVE-2012-0658 : Luigi Auriemma working with HP's Zero Day Initiative
QuickTime
Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8,
OS X Lion v10.7 to v10.7.3, OS X Lion Server v10.7 to v10.7.3
Impact: Viewing a maliciously crafted MPEG file may lead to an
unexpected application termination or arbitrary code execution
Description: An integer overflow existed in the handling of MPEG
files.
CVE-ID
CVE-2012-0659 : An anonymous researcher working with HP's Zero Day
Initiative
QuickTime
Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8,
OS X Lion v10.7 to v10.7.3, OS X Lion Server v10.7 to v10.7.3
Impact: Viewing a maliciously crafted MPEG file may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer underflow existed in the handling of MPEG
files.
CVE-ID
CVE-2012-0660 : Justin Kim at Microsoft and Microsoft Vulnerability
Research
QuickTime
Available for: OS X Lion v10.7 to v10.7.3,
OS X Lion Server v10.7 to v10.7.3
Impact: Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: A use after free issue existed in the handling of
JPEG2000 encoded movie files. This issue does not affect systems
prior to OS X Lion.
CVE-ID
CVE-2012-0661 : Damian Put working with HP's Zero Day Initiative
Ruby
Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8,
OS X Lion v10.7 to v10.7.3, OS X Lion Server v10.7 to v10.7.3
Impact: Multiple vulnerabilities in Ruby
Description: Ruby is updated to 1.8.7-p357 to address multiple
vulnerabilities.
CVE-ID
CVE-2011-1004
CVE-2011-1005
CVE-2011-4815
Samba
Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8
Impact: If SMB file sharing is enabled, an unauthenticated remote
attacker may cause a denial of service or arbitrary code execution
with system privileges
Description: Multiple buffer overflows existed in Samba's handling
of remote procedure calls. These issues do not
affect OS X Lion systems.
CVE-ID
CVE-2012-0870 : Andy Davis of NGS Secure
CVE-2012-1182 : An anonymous researcher working with HP's Zero Day
Initiative
Security Framework
Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8,
OS X Lion v10.7 to v10.7.3, OS X Lion Server v10.7 to v10.7.3
Impact: A remote attacker may cause an unexpected application
termination or arbitrary code execution
Description: An integer overflow existed in the Security framework.
Processing untrusted input with the Security framework could result
in memory corruption. This issue does not affect 32-bit processes.
CVE-ID
CVE-2012-0662 : aazubel working with HP's Zero Day Initiative
Time Machine
Available for: OS X Lion v10.7 to v10.7.3,
OS X Lion Server v10.7 to v10.7.3
Impact: A remote attacker may access a user's Time Machine backup
credentials
Description: The user may designate a Time Capsule or remote AFP
volume attached to an AirPort Base Station to be used for Time
Machine backups. Beginning with AirPort Base Station and Time Capsule
Firmware Update 7.6, Time Capsules and Base Stations support a secure
SRP-based authentication mechanism over AFP. However, Time Machine
did not require that the SRP-based authentication mechanism was used
for subsequent backup operations, even if Time Machine was initially
configured or had ever contacted a Time Capsule or Base Station that
supported it. An attacker who is able to spoof the remote volume
could gain access to user's Time Capsule credentials, although not
backup data, sent by the user's system. This issue is addressed by
requiring use of the SRP-based authentication mechanism if the backup
destination has ever supported it.
CVE-ID
CVE-2012-0675 : Renaud Deraison of Tenable Network Security, Inc.
X11
Available for: OS X Lion v10.7 to v10.7.3,
OS X Lion Server v10.7 to v10.7.3
Impact: Applications that use libXfont to process LZW-compressed
data may be vulnerable to an unexpected application termination or
arbitrary code execution
Description: A buffer overflow existed in libXfont's handling of
LZW-compressed data. This issue is addressed by updating libXfont to
version 1.4.4.
CVE-ID
CVE-2011-2895 : Tomas Hoger of Red Hat
Note: Additionally, this update filters dynamic linker environment
variables from a customized environment property list in the user's
home directory, if present.
OS X Lion v10.7.4 and Security Update 2012-002 may be obtained from
the Software Update pane in System Preferences, or Apple's Software
Downloads web site:
http://www.apple.com/support/downloads/
The Software Update utility will present the update that applies
to your system configuration. Only one is needed, either
Security Update 2012-002 or OS X v10.7.4.
For OS X Lion v10.7.3
The download file is named: MacOSXUpd10.7.4.dmg
Its SHA-1 digest is: 04c53a6148ebd8c5733459620b7c1e2172352d36
For OS X Lion v10.7 and v10.7.2
The download file is named: MacOSXUpdCombo10.7.4.dmg
Its SHA-1 digest is: b11d511a50d9b728532688768fcdee9c1930037f
For OS X Lion Server v10.7.3
The download file is named: MacOSXServerUpd10.7.4.dmg
Its SHA-1 digest is: 3cb5699c8ecf7d70145f3692555557f7206618b2
For OS X Lion Server v10.7 and v10.7.2
The download file is named: MacOSXServerUpdCombo10.7.4.dmg
Its SHA-1 digest is: 917207e922056718b9924ef73caa5fcac06b7240
For Mac OS X v10.6.8
The download file is named: SecUpd2012-002Snow.dmg
Its SHA-1 digest is: 9669fbd9952419e70ac20109cf4db37f9932e9f8
For Mac OS X Server v10.6.8
The download file is named: SecUpdSrvr2012-002.dmg
Its SHA-1 digest is: 34da2dcbc8d45362f1d5e3b1b218112a729ae1c3
Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.16 (Darwin)
iQEcBAEBAgAGBQJPqtkzAAoJEGnF2JsdZQeee2MIAKAcBIY6k0LU2fDLThFoAgKh
WkYpGmCwa7L6n02geHzWrUCK/P/0yGWzDDqLfKlKuKbXdEIRP2wZTlvrqZHLzNO/
nXgz3HN1Xbll8yVXrGMEsoTD23Q+2/ZKLGMlSDw3vgBTVi/g4Rcer4Eew5mTkaoA
j4WkrzgVUIxCMrsWMMwu1SVaizBuTYbNVzCzV3JPF1H0zVtVKgwWjhTdOJ/RDksD
sjZG1XIEqVyv1rNk5BtjxVPFaJGpf9mcHiH8XyKQ0bC6ToM2r3B++Layoc5k1K0V
OxKGSfWOEbWi/KR6vlXyVbe7JnU7a/V0C25HXhnoMEtoTCleZACEByLVtBC87LU=
=6Eiz
-----END PGP SIGNATURE-----
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Note: the current version of the following document is available here:
https://h20566.www2.hp.com/portal/site/hpsc/public/kb/
docDisplay?docId=emr_na-c03360041
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c03360041
Version: 1
HPSBMU02786 SSRT100877 rev.1 - HP System Management Homepage (SMH) Running on
Linux and Windows, Remote Unauthorized Access, Disclosure of Information,
Data Modification, Denial of Service (DoS), Execution of Arbitrary Code
NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.
Release Date: 2012-06-26
Last Updated: 2012-06-26
Potential Security Impact: Remote unauthorized access, disclosure of
information, data modification, Denial of Service (DoS), execution of
arbitrary code
Source: Hewlett-Packard Company, HP Software Security Response Team
VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified with HP System
Management Homepage (SMH) running on Linux and Windows.
References: CVE-2011-1944, CVE-2011-2821, CVE-2011-2834, CVE-2011-3379,
CVE-2011-3607, CVE-2011-4078, CVE-2011-4108, CVE-2011-4153, CVE-2011-4317,
CVE-2011-4415, CVE-2011-4576, CVE-2011-4577, CVE-2011-4619, CVE-2011-4885,
CVE-2012-0021, CVE-2012-0027, CVE-2012-0031, CVE-2012-0036, CVE-2012-0053,
CVE-2012-0057, CVE-2012-0830, CVE-2012-1165, CVE-2012-1823,
CVE-2012-2012 (AUTOCOMPLETE enabled), CVE-2012-2013 (DoS),
CVE-2012-2014 (Improper input validation), CVE-2012-2015 (Privilege
Elevation),
CVE-2012-2016 (Information disclosure),
SSRT100336, SSRT100753, SSRT100669, SSRT100676,
SSRT100695, SSRT100714, SSRT100760, SSRT100786,
SSRT100787, SSRT100815, SSRT100840, SSRT100843, SSRT100869
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP System Management Homepage (SMH) before v7.1.1 running on Linux and
Windows.
BACKGROUND
CVSS 2.0 Base Metrics
===========================================================
Reference Base Vector Base Score
CVE-2012-2012 (AV:N/AC:L/Au:N/C:C/I:C/A:P) 9.7
CVE-2012-2013 (AV:N/AC:M/Au:N/C:P/I:P/A:P) 6.8
CVE-2012-2014 (AV:N/AC:M/Au:S/C:N/I:N/A:N) 6.8
CVE-2012-2015 (AV:N/AC:M/Au:S/C:P/I:N/A:N) 6.5
CVE-2012-2016 (AV:L/AC:M/Au:S/C:C/I:N/A:N) 4.4
CVE-2011-1944 (AV:N/AC:M/Au:N/C:C/I:C/A:C) 9.3
CVE-2011-2821 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5
CVE-2011-2834 (AV:N/AC:M/Au:N/C:P/I:P/A:P) 6.8
CVE-2011-3379 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5
CVE-2011-3607 (AV:L/AC:M/Au:N/C:P/I:P/A:P) 4.4
CVE-2011-4078 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0
CVE-2011-4108 (AV:N/AC:M/Au:N/C:P/I:N/A:N) 4.3
CVE-2011-4153 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0
CVE-2011-4317 (AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3
CVE-2011-4415 (AV:L/AC:H/Au:N/C:N/I:N/A:P) 1.2
CVE-2011-4576 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0
CVE-2011-4577 (AV:N/AC:M/Au:N/C:N/I:N/A:P) 4.3
CVE-2011-4619 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0
CVE-2011-4885 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0
CVE-2012-0021 (AV:N/AC:H/Au:N/C:N/I:N/A:P) 2.6
CVE-2012-0027 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0
CVE-2012-0031 (AV:L/AC:L/Au:N/C:P/I:P/A:P) 4.6
CVE-2012-0036 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5
CVE-2012-0053 (AV:N/AC:M/Au:N/C:P/I:N/A:N) 4.3
CVE-2012-0057 (AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4
CVE-2012-0830 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5
CVE-2012-1165 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0
CVE-2012-1823 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5
===========================================================
Information on CVSS is documented
in HP Customer Notice: HPSN-2008-002
RESOLUTION
HP has provided HP System Management Homepage v7.1.1 or subsequent to resolve
the vulnerabilities. HP System Management Homepage v7.1.1 is available here:
HP System Management Homepage for Windows x64
[Download here] or enter the following URL into the browser address window.
http://h20566.www2.hp.com/portal/site/hpsc/template.PAGE/public/psi/swdDetail
s/?sp4ts.oid=4091409&spf_p.tpst=psiSwdMain&spf_p.prp_psiSwdMain=wsrp-navigati
onalState%3Dlang%253Den%257Ccc%253DUS%257CprodSeriesId%253D4091408%257CprodNa
meId%253D4091409%257CswEnvOID%253D4064%257CswLang%253D8%257CswItem%253DMTX-ab
0d4e9bb4654a8da503eccfd9%257Cmode%253D3%257Caction%253DdriverDocument&javax.p
ortlet.begCacheTok=com.vignette.cachetoken&javax.portlet.endCacheTok=com.vign
ette.cachetoken
HP System Management Homepage for Windows x86
[Download here] or enter the following URL into the browser address window.
http://h20566.www2.hp.com/portal/site/hpsc/template.PAGE/public/psi/swdDetail
s/?sp4ts.oid=4091409&spf_p.tpst=psiSwdMain&spf_p.prp_psiSwdMain=wsrp-navigati
onalState%3Dlang%253Den%257Ccc%253DUS%257CprodSeriesId%253D4091408%257CprodNa
meId%253D4091409%257CswEnvOID%253D4022%257CswLang%253D8%257CswItem%253DMTX-f7
c0d15d28474255bd0ec23136%257Cmode%253D3%257Caction%253DdriverDocument&javax.p
ortlet.begCacheTok=com.vignette.cachetoken&javax.portlet.endCacheTok=com.vign
ette.cachetoken
HP System Management Homepage for Linux (AMD64/EM64T)
[Download here] or enter the following URL into the browser address window.
http://h20566.www2.hp.com/portal/site/hpsc/template.PAGE/public/psi/swdDetail
s/?sp4ts.oid=4091409&spf_p.tpst=psiSwdMain&spf_p.prp_psiSwdMain=wsrp-navigati
onalState%3Dlang%253Den%257Ccc%253DUS%257CprodSeriesId%253D4091408%257CprodNa
meId%253D4091409%257CswEnvOID%253D4035%257CswLang%253D8%257CswItem%253DMTX-18
d373dd1361400fbaca892942%257Cmode%253D3%257Caction%253DdriverDocument&javax.p
ortlet.begCacheTok=com.vignette.cachetoken&javax.portlet.endCacheTok=com.vign
ette.cachetoken
HP System Management Homepage for Linux (x86)
[Download here] or enter the following URL into the browser address window.
http://h20566.www2.hp.com/portal/site/hpsc/template.PAGE/public/psi/swdDetail
s/?sp4ts.oid=4091409&spf_p.tpst=psiSwdMain&spf_p.prp_psiSwdMain=wsrp-navigati
onalState%3Dlang%253Den%257Ccc%253DUS%257CprodSeriesId%253D4091408%257CprodNa
meId%253D4091409%257CswEnvOID%253D4006%257CswLang%253D8%257CswItem%253DMTX-9e
8a0188f97d48139dcb466509%257Cmode%253D3%257Caction%253DdriverDocument&javax.p
ortlet.begCacheTok=com.vignette.cachetoken&javax.portlet.endCacheTok=com.vign
ette.cachetoken
HISTORY
Version:1 (rev.1) 26 June 2012 Initial release
Third Party Security Patches: Third party security patches that are to be
installed on systems running HP software products should be applied in
accordance with the customer's patch management policy.
Support: For issues about implementing the recommendations of this Security
Bulletin, contact normal HP Services support channel. For other issues about
the content of this Security Bulletin, send e-mail to security-alert@hp.com.
Report: To report a potential security vulnerability with any HP supported
product, send Email to: security-alert@hp.com
Subscribe: To initiate a subscription to receive future HP Security Bulletin
alerts via Email:
http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins
Security Bulletin List: A list of HP Security Bulletins, updated
periodically, is contained in HP Security Notice HPSN-2011-001:
https://h20566.www2.hp.com/portal/site/hpsc/public/kb/
docDisplay?docId=emr_na-c02964430
Security Bulletin Archive: A list of recently released Security Bulletins is
available here:
http://h20566.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/
Software Product Category: The Software Product Category is represented in
the title by the two characters following HPSB.
3C = 3COM
3P = 3rd Party Software
GN = HP General Software
HF = HP Hardware and Firmware
MP = MPE/iX
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PI = Printing and Imaging
PV = ProCurve
ST = Storage Software
TU = Tru64 UNIX
UX = HP-UX
Copyright 2012 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or editorial errors
or omissions contained herein. The information provided is provided "as is"
without warranty of any kind. To the extent permitted by law, neither HP or
its affiliates, subcontractors or suppliers will be liable for
incidental,special or consequential damages including downtime cost; lost
profits;damages relating to the procurement of substitute products or
services; or damages for loss of data, or software restoration. The
information in this document is subject to change without notice.
Hewlett-Packard Company and the names of Hewlett-Packard products referenced
herein are trademarks of Hewlett-Packard Company in the United States and
other countries. Other product and company names mentioned herein may be
trademarks of their respective owners.
CVE-ID
CVE-2012-3722 : Will Dormann of the CERT/CC
Apple TV
Available for: Apple TV 2nd generation and later
Impact: A malicious Wi-Fi network may be able to determine networks
a device has previously accessed
Description: Upon connecting to a Wi-Fi network, iOS may broadcast
MAC addresses of previously accessed networks per the DNAv4
protocol. This issue was addressed by disabling DNAv4 on unencrypted
Wi-Fi networks
CVE-ID
CVE-2012-3725 : Mark Wuergler of Immunity, Inc.
CVE-ID
CVE-2012-0682 : Apple Product Security
CVE-2012-0683 : Dave Mandelin of Mozilla
CVE-2012-3589 : Dave Mandelin of Mozilla
CVE-2012-3590 : Apple Product Security
CVE-2012-3591 : Apple Product Security
CVE-2012-3592 : Apple Product Security
CVE-2012-3678 : Apple Product Security
CVE-2012-3679 : Chris Leary of Mozilla
Installation note:
Apple TV will periodically check for software updates. Alternatively,
you may manually check for software updates by selecting
"Settings -> General -> Update Software".
To check the current version of software, select
"Settings -> General -> About". Relevant releases
ESX 5.0 without patch ESXi500-201207101-SG
3. Problem Description
a. ESXi update to third party component libxml2
The libxml2 third party library has been updated which addresses
multiple security issues
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the names CVE-2010-4008, CVE-2010-4494, CVE-2011-0216,
CVE-2011-1944, CVE-2011-2821, CVE-2011-2834, CVE-2011-3905,
CVE-2011-3919 and CVE-2012-0841 to these issues.
The following table lists what action remediates the vulnerability
(column 4) if a solution is available.
VMware Product Running Replace with/
Product Version on Apply Patch
========== ======== ======== =================
vCenter any Windows not affected
hosted * any any not affected
ESXi 5.0 any ESXi500-201207101-SG
ESXi 4.1 any patch pending
ESXi 4.0 any patch pending
ESXi 3.5 any patch pending
ESX any any not applicable
* hosted products are VMware Workstation, Player, ACE, Fusion.
Note: "patch pending" means that the product is affected,
but no patch is currently available. The advisory will be
updated when a patch is available. Solution
Please review the patch/release notes for your product and
version and verify the checksum of your downloaded file.
ESXi 5.0
--------
ESXi500-201207001
md5sum: 01196c5c1635756ff177c262cb69a848
sha1sum: 85936f5439100cd5fb55c7add574b5b3b937fe86
http://kb.vmware.com/kb/2020571
ESXi500-201207001 contains ESXi500-201207101-SG
5. Change log
2012-07-12 VMSA-2012-0012
Initial security advisory in conjunction with the release of a patch
for ESXi 5.0 on 2012-07-12. Contact
E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
This Security Advisory is posted to the following lists:
* security-announce at lists.vmware.com
* bugtraq at securityfocus.com
* full-disclosure at lists.grok.org.uk
E-mail: security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055
VMware Security Advisories
http://www.vmware.com/security/advisories
VMware security response policy
http://www.vmware.com/support/policies/security_response.html
General support life cycle policy
http://www.vmware.com/support/policies/eos.html
VMware Infrastructure support life cycle policy
http://www.vmware.com/support/policies/eos_vi.html
Copyright 2012 VMware Inc. All rights reserved. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Important: mingw32-libxml2 security update
Advisory ID: RHSA-2013:0217-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2013-0217.html
Issue date: 2013-01-31
CVE Names: CVE-2010-4008 CVE-2010-4494 CVE-2011-0216
CVE-2011-1944 CVE-2011-2821 CVE-2011-2834
CVE-2011-3102 CVE-2011-3905 CVE-2011-3919
CVE-2012-0841 CVE-2012-5134
=====================================================================
1. Summary:
Updated mingw32-libxml2 packages that fix several security issues are now
available for Red Hat Enterprise Linux 6. This advisory also contains
information about future updates for the mingw32 packages, as well as the
deprecation of the packages with the release of Red Hat
Enterprise Linux 6.4.
The Red Hat Security Response Team has rated this update as having
important security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Desktop Optional (v. 6) - noarch
Red Hat Enterprise Linux HPC Node Optional (v. 6) - noarch
Red Hat Enterprise Linux Server Optional (v. 6) - noarch
Red Hat Enterprise Linux Workstation Optional (v. 6) - noarch
3. Description:
These packages provide the libxml2 library, a development toolbox providing
the implementation of various XML standards, for users of MinGW (Minimalist
GNU for Windows).
IMPORTANT NOTE: The mingw32 packages in Red Hat Enterprise Linux 6 will no
longer be updated proactively and will be deprecated with the release of
Red Hat Enterprise Linux 6.4. These packages were provided to support other
capabilities in Red Hat Enterprise Linux and were not intended for direct
customer use. Customers are advised to not use these packages with
immediate effect. Future updates to these packages will be at Red Hat's
discretion and these packages may be removed in a future minor release.
A heap-based buffer overflow flaw was found in the way libxml2 decoded
entity references with long names. A remote attacker could provide a
specially-crafted XML file that, when opened in an application linked
against libxml2, would cause the application to crash or, potentially,
execute arbitrary code with the privileges of the user running the
application. (CVE-2011-3919)
A heap-based buffer underflow flaw was found in the way libxml2 decoded
certain entities. A remote attacker could provide a specially-crafted XML
file that, when opened in an application linked against libxml2, would
cause the application to crash or, potentially, execute arbitrary code with
the privileges of the user running the application. (CVE-2012-5134)
It was found that the hashing routine used by libxml2 arrays was
susceptible to predictable hash collisions. Sending a specially-crafted
message to an XML service could result in longer processing time, which
could lead to a denial of service. To mitigate this issue, randomization
has been added to the hashing function to reduce the chance of an attacker
successfully causing intentional collisions. (CVE-2012-0841)
Multiple flaws were found in the way libxml2 parsed certain XPath (XML Path
Language) expressions. (CVE-2010-4008, CVE-2010-4494,
CVE-2011-2821, CVE-2011-2834)
Two heap-based buffer overflow flaws were found in the way libxml2 decoded
certain XML files. A remote attacker could provide a specially-crafted XML
file that, when opened in an application linked against libxml2, would
cause the application to crash or, potentially, execute arbitrary code with
the privileges of the user running the application. (CVE-2011-0216,
CVE-2011-3102)
An integer overflow flaw, leading to a heap-based buffer overflow, was
found in the way libxml2 parsed certain XPath expressions. (CVE-2011-1944)
An out-of-bounds memory read flaw was found in libxml2. A remote attacker
could provide a specially-crafted XML file that, when opened in an
application linked against libxml2, would cause the application to crash.
(CVE-2011-3905)
Red Hat would like to thank the Google Security Team for reporting the
CVE-2010-4008 issue. Upstream acknowledges Bui Quang Minh from Bkis as the
original reporter of CVE-2010-4008.
All users of mingw32-libxml2 are advised to upgrade to these updated
packages, which contain backported patches to correct these issues.
4. Solution:
Before applying this update, make sure all previously-released errata
relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/knowledge/articles/11258
5. Bugs fixed (http://bugzilla.redhat.com/):
645341 - CVE-2010-4008 libxml2: Crash (stack frame overflow or NULL pointer dereference) by traversal of XPath axis
665963 - CVE-2010-4494 libxml2: double-free in XPath processing code
709747 - CVE-2011-1944 libxml, libxml2: Heap-based buffer overflow by adding new namespace node to an existing nodeset or merging nodesets
724906 - CVE-2011-0216 libxml2: Off-by-one error leading to heap-based buffer overflow in encoding
735712 - CVE-2011-2821 libxml2: double free caused by malformed XPath expression in XSLT
735751 - CVE-2011-2834 libxml2: double-free caused by malformed XPath expression in XSLT
767387 - CVE-2011-3905 libxml2 out of bounds read
771896 - CVE-2011-3919 libxml2: Heap-based buffer overflow when decoding an entity reference with a long name
787067 - CVE-2012-0841 libxml2: hash table collisions CPU usage DoS
822109 - CVE-2011-3102 libxml: An off-by-one out-of-bounds write by XPointer part evaluation
880466 - CVE-2012-5134 libxml2: Heap-buffer-underflow in xmlParseAttValueComplex
6. Package List:
Red Hat Enterprise Linux Desktop Optional (v. 6):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/mingw32-libxml2-2.7.6-6.el6_3.src.rpm
noarch:
mingw32-libxml2-2.7.6-6.el6_3.noarch.rpm
mingw32-libxml2-debuginfo-2.7.6-6.el6_3.noarch.rpm
mingw32-libxml2-static-2.7.6-6.el6_3.noarch.rpm
Red Hat Enterprise Linux HPC Node Optional (v. 6):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/mingw32-libxml2-2.7.6-6.el6_3.src.rpm
noarch:
mingw32-libxml2-2.7.6-6.el6_3.noarch.rpm
mingw32-libxml2-debuginfo-2.7.6-6.el6_3.noarch.rpm
mingw32-libxml2-static-2.7.6-6.el6_3.noarch.rpm
Red Hat Enterprise Linux Server Optional (v. 6):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/mingw32-libxml2-2.7.6-6.el6_3.src.rpm
noarch:
mingw32-libxml2-2.7.6-6.el6_3.noarch.rpm
mingw32-libxml2-debuginfo-2.7.6-6.el6_3.noarch.rpm
mingw32-libxml2-static-2.7.6-6.el6_3.noarch.rpm
Red Hat Enterprise Linux Workstation Optional (v. 6):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/mingw32-libxml2-2.7.6-6.el6_3.src.rpm
noarch:
mingw32-libxml2-2.7.6-6.el6_3.noarch.rpm
mingw32-libxml2-debuginfo-2.7.6-6.el6_3.noarch.rpm
mingw32-libxml2-static-2.7.6-6.el6_3.noarch.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package
7. References:
https://www.redhat.com/security/data/cve/CVE-2010-4008.html
https://www.redhat.com/security/data/cve/CVE-2010-4494.html
https://www.redhat.com/security/data/cve/CVE-2011-0216.html
https://www.redhat.com/security/data/cve/CVE-2011-1944.html
https://www.redhat.com/security/data/cve/CVE-2011-2821.html
https://www.redhat.com/security/data/cve/CVE-2011-2834.html
https://www.redhat.com/security/data/cve/CVE-2011-3102.html
https://www.redhat.com/security/data/cve/CVE-2011-3905.html
https://www.redhat.com/security/data/cve/CVE-2011-3919.html
https://www.redhat.com/security/data/cve/CVE-2012-0841.html
https://www.redhat.com/security/data/cve/CVE-2012-5134.html
https://access.redhat.com/security/updates/classification/#important
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2013 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)
iD8DBQFRCujqXlSAg2UNWIIRAq0HAJ41YXDqlCpJkg97YuQmaF2MqKDIpACgn5j7
sLTqWGtUMTYIUvLH8YXGFX4=
=rOjB
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
| VAR-201108-0358 | No CVE | Inductive Automation Ignition Remote Information Disclosure Vulnerability |
CVSS V2: - CVSS V3: - Severity: - |
Ignition is prone to an information-disclosure vulnerability.
Exploiting this issue could allow an attacker to gain access to potentially sensitive information. Information obtained may aid in further attacks.
Versions prior to Ignition 7.2.8.178 are vulnerable. ----------------------------------------------------------------------
The Secunia CSI 5.0 Beta - now available for testing
Find out more, take a free test drive, and share your opinion with us:
http://secunia.com/blog/242
----------------------------------------------------------------------
TITLE:
Inductive Automation Ignition File Disclosure Vulnerability
SECUNIA ADVISORY ID:
SA45896
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/45896/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=45896
RELEASE DATE:
2011-09-06
DISCUSS ADVISORY:
http://secunia.com/advisories/45896/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/45896/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=45896
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
A vulnerability has been reported in Inductive Automation Ignition,
which can be exploited by malicious people to disclose potentially
sensitive information.
Certain unspecified input passed via the URL is not properly verified
before being used to display files. This can be exploited to disclose
the contents of files.
SOLUTION:
Update to version 7.2.8.178.
PROVIDED AND/OR DISCOVERED BY:
Rub\xe9n Santamarta via ICS-CERT.
ORIGINAL ADVISORY:
http://www.us-cert.gov/control_systems/pdf/ICSA-11-231-01.pdf
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-201302-0006 | CVE-2011-5263 | SAP Netweaver 'server' Parameter Cross-Site Scripting Vulnerability |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Cross-site scripting (XSS) vulnerability in RetrieveMailExamples in SAP NetWeaver 7.30 and earlier allows remote attackers to inject arbitrary web script or HTML via the server parameter. SAP NetWeaver is the technical foundation for SAP Business Suite solutions, SAP xApps composite applications, partner solutions, and custom applications. SAP Netweaver is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks. ----------------------------------------------------------------------
The Secunia CSI 5.0 Beta - now available for testing
Find out more, take a free test drive, and share your opinion with us:
http://secunia.com/blog/242
----------------------------------------------------------------------
TITLE:
SAP NetWeaver "server" Cross-Site Scripting Vulnerability
SECUNIA ADVISORY ID:
SA45708
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/45708/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=45708
RELEASE DATE:
2011-08-23
DISCUSS ADVISORY:
http://secunia.com/advisories/45708/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/45708/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=45708
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Dmitriy Evdokimov has reported a vulnerability in SAP NetWeaver,
which can be exploited by malicious people to conduct cross-site
scripting attacks.
Input passed via the "server" parameter to the RetrieveMailExamples
servlet is not properly sanitised before being returned to the user.
SOLUTION:
Apply fixes. Please see the vendor's advisory for details.
PROVIDED AND/OR DISCOVERED BY:
Dmitriy Evdokimov, Digital Security Research Group (DSecRG).
ORIGINAL ADVISORY:
SAP:
https://service.sap.com/sap/support/notes/1553292
Digital Security Research Group:
http://dsecrg.com/pages/vul/show.php?id=330
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-201108-0130 | CVE-2011-3170 | CUPS of gif_read_lzw Heap-based buffer overflow vulnerability in functions |
CVSS V2: 5.1 CVSS V3: - Severity: MEDIUM |
The gif_read_lzw function in filter/image-gif.c in CUPS 1.4.8 and earlier does not properly handle the first code word in an LZW stream, which allows remote attackers to trigger a heap-based buffer overflow, and possibly execute arbitrary code, via a crafted stream, a different vulnerability than CVE-2011-2896. CUPS is prone to a heap-based buffer-overflow vulnerability because of a failure to properly bounds-check user-supplied data.
Successful exploits will allow attackers to execute arbitrary code in the context of the affected application; failed exploit attempts may cause denial-of-service conditions.
CUPS 1.4.8 is vulnerable. Other versions may also be affected. ----------------------------------------------------------------------
The new Secunia Corporate Software Inspector (CSI) 5.0
Integrates with Microsoft WSUS & SCCM and supports Apple Mac OS X. This fixes two vulnerabilities,
which can be exploited by malicious people to potentially compromise a
vulnerable system.
For more information:
SA45713
SA45796
SOLUTION:
Apply updated packages. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2011:146
http://www.mandriva.com/security/
_______________________________________________________________________
Package : cups
Date : October 11, 2011
Affected: 2009.0, 2010.1, Enterprise Server 5.0
_______________________________________________________________________
Problem Description:
Multiple vulnerabilities has been discovered and corrected in cups:
The cupsDoAuthentication function in auth.c in the client in CUPS
before 1.4.4, when HAVE_GSSAPI is omitted, does not properly handle a
demand for authorization, which allows remote CUPS servers to cause
a denial of service (infinite loop) via HTTP_UNAUTHORIZED responses
(CVE-2010-2432).
Packages for 2009.0 are provided as of the Extended Maintenance
Program. Please visit this link to learn more:
http://store.mandriva.com/product_info.php?cPath=149&products_id=490
The updated packages have been patched to correct these issues.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2432
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2896
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3170
_______________________________________________________________________
Updated Packages:
Mandriva Linux 2009.0:
451f5c217b5607e6ae8e2c091b7ecc75 2009.0/i586/cups-1.3.10-0.5mdv2009.0.i586.rpm
0c7f78718f376f9df426aa4dc1b6f93e 2009.0/i586/cups-common-1.3.10-0.5mdv2009.0.i586.rpm
deefb9a51325690a9f4fe8fe519faf9f 2009.0/i586/cups-serial-1.3.10-0.5mdv2009.0.i586.rpm
bdea2daf7c44f8a5250df2d548a9e030 2009.0/i586/libcups2-1.3.10-0.5mdv2009.0.i586.rpm
dd60444ba124fa9c024375b9356848d6 2009.0/i586/libcups2-devel-1.3.10-0.5mdv2009.0.i586.rpm
680ac463439bb2332229a52fb1d8a4c4 2009.0/i586/php-cups-1.3.10-0.5mdv2009.0.i586.rpm
67417654d026df854d35370724c1565b 2009.0/SRPMS/cups-1.3.10-0.5mdv2009.0.src.rpm
Mandriva Linux 2009.0/X86_64:
557d87c9d241ae39c785c6373dd8b70f 2009.0/x86_64/cups-1.3.10-0.5mdv2009.0.x86_64.rpm
f68379827c3e1dd18601fff8dd19621f 2009.0/x86_64/cups-common-1.3.10-0.5mdv2009.0.x86_64.rpm
5439dfb021e198212a04698d95ddb5f2 2009.0/x86_64/cups-serial-1.3.10-0.5mdv2009.0.x86_64.rpm
6567d318f829bafaa625262159589806 2009.0/x86_64/lib64cups2-1.3.10-0.5mdv2009.0.x86_64.rpm
17f56ba710371a2297d13880fc7676d7 2009.0/x86_64/lib64cups2-devel-1.3.10-0.5mdv2009.0.x86_64.rpm
8d29304cb6f1bbb89682bf852a2da6ed 2009.0/x86_64/php-cups-1.3.10-0.5mdv2009.0.x86_64.rpm
67417654d026df854d35370724c1565b 2009.0/SRPMS/cups-1.3.10-0.5mdv2009.0.src.rpm
Mandriva Linux 2010.1:
333f2b8f389a7210be1123ce092bbb8b 2010.1/i586/cups-1.4.3-3.2mdv2010.2.i586.rpm
2f753bd61e2726d1099d2dd3d57f2eca 2010.1/i586/cups-common-1.4.3-3.2mdv2010.2.i586.rpm
2d9ae53f0a159618391ef18c94561408 2010.1/i586/cups-serial-1.4.3-3.2mdv2010.2.i586.rpm
9fbb242780d33b802667d5babdeff105 2010.1/i586/libcups2-1.4.3-3.2mdv2010.2.i586.rpm
461913f016aa628f81379e1a4e67151b 2010.1/i586/libcups2-devel-1.4.3-3.2mdv2010.2.i586.rpm
3b907ebc975bbf2d700edd64d44e5e79 2010.1/i586/php-cups-1.4.3-3.2mdv2010.2.i586.rpm
d079c755b005a0336eef88cdaf7124a4 2010.1/SRPMS/cups-1.4.3-3.2mdv2010.2.src.rpm
Mandriva Linux 2010.1/X86_64:
0eb77a9809fcd349c3fa223781f7794e 2010.1/x86_64/cups-1.4.3-3.2mdv2010.2.x86_64.rpm
e5e69d444efa6344cff81af4278c9755 2010.1/x86_64/cups-common-1.4.3-3.2mdv2010.2.x86_64.rpm
6c0a637a71baa5c5a58ce5c4b28d0137 2010.1/x86_64/cups-serial-1.4.3-3.2mdv2010.2.x86_64.rpm
b34fcde9ed6ef29b76e816f800d11237 2010.1/x86_64/lib64cups2-1.4.3-3.2mdv2010.2.x86_64.rpm
ebc1a568d6dee5bf1d88bdceded2a716 2010.1/x86_64/lib64cups2-devel-1.4.3-3.2mdv2010.2.x86_64.rpm
98f1846e79b75e9e0a3e98b15385d80d 2010.1/x86_64/php-cups-1.4.3-3.2mdv2010.2.x86_64.rpm
d079c755b005a0336eef88cdaf7124a4 2010.1/SRPMS/cups-1.4.3-3.2mdv2010.2.src.rpm
Mandriva Enterprise Server 5:
776e12f8d570445f63c0a9437fcddd2e mes5/i586/cups-1.3.10-0.5mdvmes5.2.i586.rpm
ad33a9c8115cc83c1008028bcb0e29c7 mes5/i586/cups-common-1.3.10-0.5mdvmes5.2.i586.rpm
21b795c7736553fd6a825598976c866b mes5/i586/cups-serial-1.3.10-0.5mdvmes5.2.i586.rpm
c3fd62dd50d3ce0b96ef0b3c2520ff89 mes5/i586/libcups2-1.3.10-0.5mdvmes5.2.i586.rpm
34b4518819bfac3d5ea9d6e925b7945b mes5/i586/libcups2-devel-1.3.10-0.5mdvmes5.2.i586.rpm
5403247140449d963d791c54df419b18 mes5/i586/php-cups-1.3.10-0.5mdvmes5.2.i586.rpm
ad71fafb07ed353fa7addfad6049cf8b mes5/SRPMS/cups-1.3.10-0.5mdvmes5.2.src.rpm
Mandriva Enterprise Server 5/X86_64:
7f11915d7803d01df1840d891882e6ba mes5/x86_64/cups-1.3.10-0.5mdvmes5.2.x86_64.rpm
1a364126747bf4f24987c184344c4ec4 mes5/x86_64/cups-common-1.3.10-0.5mdvmes5.2.x86_64.rpm
3d728c0528cc1ad0d23b1a511c122f68 mes5/x86_64/cups-serial-1.3.10-0.5mdvmes5.2.x86_64.rpm
1abee6673d58115557b11c5fded196d2 mes5/x86_64/lib64cups2-1.3.10-0.5mdvmes5.2.x86_64.rpm
dab5b4d9ef8442301b180e21fc003b45 mes5/x86_64/lib64cups2-devel-1.3.10-0.5mdvmes5.2.x86_64.rpm
91955cdd36674dc12ba5bb716c2bee36 mes5/x86_64/php-cups-1.3.10-0.5mdvmes5.2.x86_64.rpm
ad71fafb07ed353fa7addfad6049cf8b mes5/SRPMS/cups-1.3.10-0.5mdvmes5.2.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iD8DBQFOktgPmqjQ0CJFipgRAhG2AKCAuUZh2rvZdtbjtd0ycVemOY39TQCgn0jF
Ee6oHfd4+Nq17qNb0y7s7Nc=
=lZgy
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
.
For the oldstable distribution (lenny), this problem has been fixed in
version 1.3.8-1+lenny10.
For the stable distribution (squeeze), this problem has been fixed in
version 1.4.4-7+squeeze1.
For the testing and unstable distribution (sid), this problem has been
fixed in version 1.5.0-8.
We recommend that you upgrade your cups packages. ----------------------------------------------------------------------
The Secunia CSI 5.0 Beta - now available for testing
Find out more, take a free test drive, and share your opinion with us:
http://secunia.com/blog/242
----------------------------------------------------------------------
TITLE:
CUPS "gif_read_lzw()" Buffer Overflow Vulnerability
SECUNIA ADVISORY ID:
SA45796
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/45796/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=45796
RELEASE DATE:
2011-08-26
DISCUSS ADVISORY:
http://secunia.com/advisories/45796/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/45796/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=45796
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
A vulnerability has been discovered in CUPS, which can be exploited
by malicious people to potentially compromise a vulnerable system.
This is related to:
SA45713
The vulnerability is confirmed in version 1.4.8.
SOLUTION:
Fixed in the SVN repository.
PROVIDED AND/OR DISCOVERED BY:
Red Hat Security Response Team
ORIGINAL ADVISORY:
CUPS Bug #3914:
http://cups.org/str.php?L3914
Red Hat Bug #732106:
https://bugzilla.redhat.com/show_bug.cgi?id=732106
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201207-10
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: High
Title: CUPS: Multiple vulnerabilities
Date: July 09, 2012
Bugs: #295256, #308045, #325551, #380771
ID: 201207-10
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities have been found in CUPS, some of which may
allow execution of arbitrary code or local privilege escalation.
Background
==========
CUPS, the Common Unix Printing System, is a full-featured print server.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 net-print/cups < 1.4.8-r1 >= 1.4.8-r1
Description
===========
Multiple vulnerabilities have been discovered in CUPS. Please review
the CVE identifiers referenced below for details.
Impact
======
A remote attacker may be able to execute arbitrary code using specially
crafted streams, IPP requests or files, or cause a Denial of Service
(daemon crash or hang). A local attacker may be able to gain escalated
privileges or overwrite arbitrary files. Furthermore, a remote attacker
may be able to obtain sensitive information from the CUPS process or
hijack a CUPS administrator authentication request.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All CUPS users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-print/cups-1.4.8-r1"
NOTE: This is a legacy GLSA. Updates for all affected architectures are
available since September 03, 2011. It is likely that your system is
already no longer affected by this issue.
References
==========
[ 1 ] CVE-2009-3553
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3553
[ 2 ] CVE-2010-0302
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0302
[ 3 ] CVE-2010-0393
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0393
[ 4 ] CVE-2010-0540
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0540
[ 5 ] CVE-2010-0542
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0542
[ 6 ] CVE-2010-1748
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1748
[ 7 ] CVE-2010-2431
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2431
[ 8 ] CVE-2010-2432
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2432
[ 9 ] CVE-2010-2941
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2941
[ 10 ] CVE-2011-3170
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3170
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201207-10.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2012 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
. ==========================================================================
Ubuntu Security Notice USN-1207-1
September 14, 2011
cups, cupsys vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 11.04
- Ubuntu 10.10
- Ubuntu 10.04 LTS
- Ubuntu 8.04 LTS
Summary:
An attacker could send crafted print jobs to CUPS and cause it to crash or
run programs.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 11.04:
libcupsimage2 1.4.6-5ubuntu1.4
Ubuntu 10.10:
libcupsimage2 1.4.4-6ubuntu2.4
Ubuntu 10.04 LTS:
libcupsimage2 1.4.3-1ubuntu1.5
Ubuntu 8.04 LTS:
libcupsimage2 1.3.7-1ubuntu3.13
In general, a standard system update will make all the necessary changes